移动应用安全检测报告: TALA v7.183.0

安全基线评分


安全基线评分 48/100

综合风险等级


风险等级评定

  1. A
  2. B
  3. C
  4. F

漏洞与安全项分布(%)


隐私风险

8

检测到的第三方跟踪器数量


检测结果分布

高危安全漏洞 5
中危安全漏洞 30
安全提示信息 4
已通过安全项 3
重点安全关注 1

高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 

如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
co/tala/atlas/lps/presentation/agreements/LpsLineAgreementsActivity.java, line(s) 153,8
co/tala/atlas/lps/presentation/borrowingagreements/content/LpsBorrowingAgreementsContentKt$BorrowingAgreementsBodyContent$3$1.java, line(s) 26,3
com/braze/ui/inappmessage/views/InAppMessageHtmlBaseView.java, line(s) 271,17
com/incode/welcome_sdk/ui/user_consent/UserConsentActivity.java, line(s) 513,23
zendesk/support/guide/ViewArticleActivity.java, line(s) 297,21,22

高危安全漏洞 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 

应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/uxcam/internals/hv.java, line(s) 38
zj/C0580a.java, line(s) 188,283
zj/C6803a.java, line(s) 189,284

高危安全漏洞 使用弱加密算法 

使用弱加密算法
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/incode/welcome_sdk/commons/utils/SecurityUtils.java, line(s) 413,639

高危安全漏洞 不安全的Web视图实现。Web视图忽略SSL证书错误并接受任何SSL证书。此应用程序易受MITM攻击 

不安全的Web视图实现。Web视图忽略SSL证书错误并接受任何SSL证书。此应用程序易受MITM攻击
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification

Files:
co/tala/atlas/android/core/webview/presentation/views/TalaWebView.java, line(s) 325,313

高危安全漏洞 应用程序包含隐私跟踪程序 

此应用程序有多个8隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。

中危安全漏洞 Broadcast Receiver (co.tala.global.switchover.SwitchoverTriggerReceiver) 未被保护。 

[android:exported=true]
发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.atlas.MoreAboutTalaActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.atlas.main.presentation.MainActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.atlas.deeplink.DeepLinkActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.payment.plans.impl.ui.PaymentPlansDetailsActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.payment.plans.impl.create.presentation.CreatePaymentPlanActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.atlas.zendesk.tickets.InvisibleZendeskTicketsActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (co.tala.atlas.zendesk.tickets.InvisibleZendeskTicketDetailsActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (com.tala.deeplinking.CommonDeepLinkActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护, 但是应该检查权限的保护级别。 

Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危安全漏洞 Service (androidx.work.impl.background.systemjob.SystemJobService) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危安全漏洞 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.DUMP [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危安全漏洞 Activity (androidx.compose.ui.tooling.PreviewActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity设置了TaskAffinity属性 

(com.braze.push.NotificationTrampolineActivity)
如果设置了 taskAffinity,其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息,请始终使用默认设置,将 affinity 保持为包名

中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.DUMP [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危安全漏洞 Service (com.huawei.hms.support.api.push.service.HmsMsgService) 未被保护。 

[android:exported=true]
发现 Service与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
Bd/Parameters.java, line(s) 74
Eh/C0480b.java, line(s) 73
Eh/C3786b.java, line(s) 78
Fh/C0299e.java, line(s) 42
Fh/C3915e.java, line(s) 85
Fh/w.java, line(s) 54
Hk/Ticket.java, line(s) 17
Io/split/android/client/dtos/KeyImpression.java, line(s) 8
Kc/UxCamKey.java, line(s) 32
Me/g.java, line(s) 73
Mo/C0247g0.java, line(s) 62
Mo/C1560g0.java, line(s) 65
Pe/d.java, line(s) 30
Pe/p.java, line(s) 92
Pe/x.java, line(s) 60
Yd/ImageRequest.java, line(s) 525,525
Yd/Options.java, line(s) 104
Yd/SuccessResult.java, line(s) 72
be/Transformation.java, line(s) 28
co/tala/app/BuildConfig.java, line(s) 30,28,14,15,17
co/tala/atlas/auth/data/requests/PhoneUpdateInitiateUnAuth.java, line(s) 50
co/tala/atlas/auth/data/requests/PhoneUpdateVerifyRequestUnAuth.java, line(s) 70
co/tala/atlas/auth/data/requests/ResetPinRequest.java, line(s) 80
co/tala/atlas/auth/data/requests/SecurityAnswersRequest.java, line(s) 80
co/tala/atlas/cashout/common/data/responses/CashoutData.java, line(s) 223
co/tala/atlas/loans/repayment/common/data/model/DirectDebitIntentDetails.java, line(s) 143
co/tala/atlas/loans/repayment/common/data/model/PaymentCredentialsResponseDataMxDirectDebit.java, line(s) 88
co/tala/atlas/loans/repayment/common/data/model/PaymentCredentialsResponseDataMxOxxo.java, line(s) 108
co/tala/atlas/loans/repayment/directdebit/network/model/DirectDebitGetIntentResponse.java, line(s) 212
co/tala/atlas/sdui/domain/actions/Action.java, line(s) 148
co/tala/atlas/sdui/domain/sections/KeyValueList.java, line(s) 203
co/tala/cashout/domain/common/data/responses/CashoutData.java, line(s) 223
co/tala/common/errorhandling/presentation/fragment/d.java, line(s) 72,215
co/tala/ecp/experiencecontrolplatform/EcpInitializerConfig.java, line(s) 49
co/tala/legacy/webapi/requests/AppInfoData.java, line(s) 154
co/tala/sdui/dto/AnalyticsEvent.java, line(s) 298
co/tala/sdui/dto/UiNodeDTO.java, line(s) 337,1861
coil/memory/MemoryCache.java, line(s) 193
com/braze/configuration/BrazeConfig.java, line(s) 546,546
com/hbisoft/hbrecorder/Constants.java, line(s) 4,5,7,11,13,15,17
com/huawei/location/lite/common/config/ConfigManager.java, line(s) 218
com/statsig/androidsdk/Marker.java, line(s) 458
com/statsig/androidsdk/StatsigClientKt.java, line(s) 8,9
com/statsig/androidsdk/StatsigNetworkKt.java, line(s) 13,15,27,28,31,32
com/statsig/androidsdk/StatsigOptionsKt.java, line(s) 9
com/statsig/androidsdk/StoreKt.java, line(s) 8,10,11,9
com/uxcam/internals/hy.java, line(s) 35
qd/a.java, line(s) 119
td/d.java, line(s) 102
uh/b.java, line(s) 139
wo/C0386a.java, line(s) 114
wo/ImageRequest.java, line(s) 527,527
wo/Options.java, line(s) 107
wo/Parameters.java, line(s) 72
wo/SuccessResult.java, line(s) 76
zendesk/core/Constants.java, line(s) 13
zendesk/core/LegacyIdentityMigrator.java, line(s) 16,13,20,14,21,23,15,17,24,22,18,19
zendesk/core/ZendeskCoreSettingsStorage.java, line(s) 8,9
zendesk/core/ZendeskIdentityStorage.java, line(s) 11,15,16,17,12,13
zendesk/core/ZendeskMachineIdStorage.java, line(s) 7
zendesk/core/ZendeskStorage.java, line(s) 9
zendesk/support/CreateRequest.java, line(s) 10
zendesk/support/LegacyRequestMigrator.java, line(s) 14
zendesk/support/ZendeskArticleVoteStorage.java, line(s) 8
zendesk/support/ZendeskHelpCenterSettingsProvider.java, line(s) 13
zendesk/support/ZendeskRequestStorage.java, line(s) 16,17,18
zendesk/support/ZendeskSupportSettingsProvider.java, line(s) 14,16
zendesk/support/requestlist/RequestListModel.java, line(s) 15,16
zendesk/support/requestlist/RequestListView.java, line(s) 40,41

中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
co/tala/atlas/android/core/synchronization/readers/HardwareInfoReader.java, line(s) 98,251
com/hbisoft/hbrecorder/HBRecorder.java, line(s) 111
com/hbisoft/hbrecorder/ScreenRecordService.java, line(s) 485
com/incode/welcome_sdk/commons/modules/FaceRecogModule.java, line(s) 363
com/incode/welcome_sdk/commons/modules/IdDetectorModule.java, line(s) 175
com/incode/welcome_sdk/data/local/LocalDataSource.java, line(s) 407
com/uxcam/screenaction/utils/FilePath.java, line(s) 15
fk/a.java, line(s) 65

中危安全漏洞 应用程序使用不安全的随机数生成器 

应用程序使用不安全的随机数生成器
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
Bn/AbstractC2368a.java, line(s) 4
Bn/C2369b.java, line(s) 4
Bo/app/i30.java, line(s) 3
Cn/C0371a.java, line(s) 4
Cn/C2459a.java, line(s) 6
com/braze/support/IntentUtils.java, line(s) 15
com/incode/welcome_sdk/commons/ui/DotAnimation.java, line(s) 16
j$/util/concurrent/ThreadLocalRandom.java, line(s) 10
net/jpountz/xxhash/XXHashFactory.java, line(s) 6
nh/d.java, line(s) 10
wo/C0335a.java, line(s) 3

中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件 

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
Zh/c.java, line(s) 85
co/tala/atlas/android/core/utilities/e.java, line(s) 40
co/tala/common/utils/files/FileCreator.java, line(s) 73
co/tala/dss/download/DocumentsDownloaderImpl.java, line(s) 66
co/tala/kyc/utils/d.java, line(s) 29
co/tala/kyc/utils/f.java, line(s) 164
org/mp4parser/boxes/iso14496/part12/MediaDataBox.java, line(s) 44
td/S.java, line(s) 46

中危安全漏洞 IP地址泄露 

IP地址泄露


Files:
Hj/a.java, line(s) 162
Ip/InterfaceC0598a.java, line(s) 6,7
Ip/InterfaceC4346a.java, line(s) 7,9
Tb/b.java, line(s) 70
Yp/e.java, line(s) 74,75,67,76,77,78,60
com/huawei/location/router/BuildConfig.java, line(s) 9
com/huawei/wisesecurity/ucs/credential/CredentialClient.java, line(s) 178
jp/InterfaceC0603a.java, line(s) 73
jp/InterfaceC4600a.java, line(s) 141
kp/InterfaceC0629a.java, line(s) 13,6,14,15,16,7,8,9,10,11,12,17
kp/InterfaceC4758a.java, line(s) 21,7,23,25,27,9,11,13,15,17,19,29
lp/InterfaceC0645a.java, line(s) 246,270,262,209,210,211,212,213,214,331,330,328,329,307,308
lp/InterfaceC5218a.java, line(s) 400,424,416,363,364,365,366,367,368,485,484,482,483,461,462
pk/z.java, line(s) 31
w9/b.java, line(s) 66
w9/e.java, line(s) 68

中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
Zh/C0578b.java, line(s) 59
Zh/C6801b.java, line(s) 63
aj/b.java, line(s) 15

中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
Se/g.java, line(s) 6,7,8,9,10,11,141,142,143,144,540,541,542,543,572,584,585
Yf/C6664M.java, line(s) 5,6,98,107,163,356,393,526,580,713
Yf/W.java, line(s) 4,5,152
co/tala/atlas/survey/db/SurveyDbDataSource.java, line(s) 7,162,202,227,249,275,328,330,332,387,435,445,465,495,605,608,717,745,785,804,870
co/tala/atlas/survey/db/SurveyDbOpenHelper.java, line(s) 4,5,6,48,56,64,72,73,81,82,83,84,85,86,87,88,89,90,91,97,98,99,100,101,102,103,104,105,106,107,108

中危安全漏洞 MD5是已知存在哈希冲突的弱哈希 

MD5是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
Ne/C1125g.java, line(s) 58
Ne/C5329g.java, line(s) 57
com/braze/support/StringUtils.java, line(s) 53
com/uxcam/internals/co.java, line(s) 194
k9/l.java, line(s) 18

中危安全漏洞 Firebase远程配置已启用 

Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/63978174224/namespaces/firebase:fetch?key=AIzaSyCENr48YeVY-qfl7Qyj938w9smdDe0zgL4 ) 已启用。请确保这些配置不包含敏感信息。响应内容如下所示:

{
    "entries": {
        "ApplyCard": "New",
        "EnableUxCamMDAlpha": "true",
        "FinCoachCard": "",
        "InformationCard": "",
        "InviteCardLayout": "Treatment",
        "InviteCode": "Treatment",
        "InviteLink": "",
        "KE_ISW_MPESA_Xpress_v3": "Treatment",
        "KE_Match_Cash_Flows": "",
        "KE_Partial_Pay": "",
        "KE_PayBill_Instructions": "",
        "KeHelpingOthers": "",
        "LoanAppBar": "New",
        "LoanNav": "",
        "Lps_Enabled": "true",
        "NewsBannerLearnTab": "",
        "Referral_CTA": "",
        "SduiScreenFlag_homeScreen": "false",
        "SduiScreenFlag_learnScreen": "true",
        "SduiScreenFlag_profileScreen": "true",
        "SkipHome": "Home",
        "UrgentNews": "",
        "UxCamMode": "DISABLED",
        "blacklisted_versions": "[]",
        "ignore_active_loans": "true",
        "minimum_version": "36020"
    },
    "state": "UPDATE",
    "templateVersion": "303"
}

中危安全漏洞 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
"com.google.firebase.crashlytics.mapping_file_id" : "966bc7b2c7d24c6389532421dc6b0235"
"com_braze_image_is_read_tag_key" : "com_appboy_image_is_read_tag_key"
"com_braze_image_lru_cache_image_url_key" : "com_braze_image_lru_cache_image_url_key"
"com_braze_image_resize_tag_key" : "com_appboy_image_resize_tag_key"
"firebase_database_url" : "https://tala-ff8c1.firebaseio.com"
"google_api_key" : "AIzaSyCENr48YeVY-qfl7Qyj938w9smdDe0zgL4"
"google_app_id" : "1:63978174224:android:9f1456092e9a8588"
"google_crash_reporting_api_key" : "AIzaSyCENr48YeVY-qfl7Qyj938w9smdDe0zgL4"
"library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1"
"loc_loan_terms_review_key_loan_amount" : "Amount"
"onboard_sdk_ekyc_country_us_key" : "US"
"onboard_sdk_ekyc_nationality_foreigner_key" : "foreigner"
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F
e5bbe901a48ea050ddab8263f42e5d71
2428bc15b95c0cdf708d0ea586ee9c43
af49b448c1f5597eb5312f4724bac8b1
b46dd436e453e6a3c470eacfe934d4866d8a7c337ed148df8f1adf2e9cb4f019
534cb5d41ae36425f7f6eace6e67561f
ef5921d5-634f-4f86-bb76-e21a3cc7672e
11bab1d6d12b194fc8b78e840831ac96
5e62d965b14110d5926415b4463287e3d5ba372ad2600491
d31e7998-c298-4b2f-94dc-f837700eb576
A2B55680-6F43-11E0-9A3F-0002A5D5C51B
470fa2b4ae81cd56ecbcda9735803434cec591fa
b05eb80f6716510661632766fe918d97
30d6838a4487d8692955
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
9A04F079-9840-4286-AB92-E65BE0885F95
8138e8a0fcf3a4e84a771d40fd305d7f4aa59306d7251de54d98af8fe95729a1f73d893fa424cd2edc8636a6c3285e022b0e3866a565ae8108eed8591cd4fe8d2ce86165a978d719ebf647f362d33fca29cd179fb42401cbaf3df0c614056f9c8f3cfd51e474afb6bc6974f78db8aba8e9e517fded658591ab7502bd41849462f
8d7c70069a8e244d61a5a369815ece7c
37a6259cc0c1dae299a7866489dff0bd
31b8f9d92fb345c2b4bbdd222792562c
cb2afec64e8d906c969c31974f6f3b85

安全提示信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
Bg/a.java, line(s) 123,194,206,276,219,291
Cf/d.java, line(s) 28,35,46,51,27,34,39,45,50,40
Cg/C2445d.java, line(s) 79,102
Dj/h.java, line(s) 11,15
Ef/C0974h.java, line(s) 301,23,220,255
Ef/C3781h.java, line(s) 315,23,234,269
Ef/i.java, line(s) 22,21
Ef/n.java, line(s) 78
Fh/e.java, line(s) 72
Gg/C3974b.java, line(s) 12
Gg/d.java, line(s) 12
Gg/f.java, line(s) 12
Gg/h.java, line(s) 12
Hg/p.java, line(s) 22,31,38,30,37,44,45,51,52
Hj/a.java, line(s) 117,126,128,197
Hj/f.java, line(s) 11,15,19,23
Ij/a.java, line(s) 42,45,47
Ij/b.java, line(s) 16,33
Ij/c.java, line(s) 49,56
Io/sentry/b2.java, line(s) 18,27,33
Io/split/android/client/utils/h.java, line(s) 79,90,84,73,87,93
Io/split/android/client/utils/n.java, line(s) 19,21
Jf/C1061a.java, line(s) 52,53
Jf/C4576a.java, line(s) 57,58
Ke/b.java, line(s) 540
Kf/e.java, line(s) 34
Le/d.java, line(s) 74,102,73,101
Mk/C5269b.java, line(s) 28
Mk/b.java, line(s) 27
Mk/c.java, line(s) 8,13,18,23
Ne/b.java, line(s) 41,40
Ne/j.java, line(s) 51,147,50,146,150,156,163,160,164
Ne/l.java, line(s) 42,41
Nf/a.java, line(s) 46,59,146,149
Nf/e.java, line(s) 13
Nf/f.java, line(s) 17,14,14
Nf/q.java, line(s) 36,75,145,35,74,88,144,190,222,252,282,89,191,223,253,283,43,179
Nf/r.java, line(s) 27
Nf/t.java, line(s) 25,32,24,31
Nf/w.java, line(s) 55,54
Nf/x.java, line(s) 45,27,66
Oe/c.java, line(s) 100,99
Oe/e.java, line(s) 59,58
Of/E.java, line(s) 49
Pe/h.java, line(s) 620,357,372,619,465
Pe/i.java, line(s) 51,52
Pe/k.java, line(s) 18,200
Pe/q.java, line(s) 100
Pe/z.java, line(s) 55,56
Pi/f.java, line(s) 76,78,85,95,118,125,132,232,251,262,300,313,329,51,59,72,108,255,284
Pi/g.java, line(s) 34
Pi/i.java, line(s) 33,51,56,83,85,87
Pj/h.java, line(s) 28,46
Pq/C5750a.java, line(s) 49,59,61,53,57
Pq/a.java, line(s) 50,60,62,54,58
Qe/C1193e.java, line(s) 29,41,23
Qe/C5788e.java, line(s) 30,42,24
Qe/i.java, line(s) 102,143,103,144
Qe/j.java, line(s) 102,147,161,173,64,101,111,136,146,160,172,193,200,70,112,194,201,137
Qf/C0392b.java, line(s) 12,20
Qf/C1634b.java, line(s) 12,20
Qf/C1651t.java, line(s) 103,106,109,112,115,118,126,129,132,135,169,177
Qf/I.java, line(s) 33
Qf/T.java, line(s) 103,106,109,112,115,118,126,129,132,135,169,177
Qf/w.java, line(s) 30
Re/e.java, line(s) 43,49,77,87,44,78,50,90
Re/i.java, line(s) 109,93
Rf/k.java, line(s) 35,64,71,74,88,91,94,97,100
Se/a.java, line(s) 235,232
Se/d.java, line(s) 21,28,35,42,49,56
Sg/f.java, line(s) 222,154,158,172
Sk/C6116a.java, line(s) 562
Sp/k.java, line(s) 62
Sq/g.java, line(s) 55
Te/c.java, line(s) 18,17
Te/d.java, line(s) 52,51
Te/f.java, line(s) 143,142
Te/s.java, line(s) 82,85
Te/t.java, line(s) 35,34
Ve/e.java, line(s) 80,81
Vh/B.java, line(s) 206,231,247,253,208
Vh/C1666g.java, line(s) 26
Vh/D.java, line(s) 93,111,184,202,220,229,279,282,305,127,311
Vh/G.java, line(s) 52,64,42,60
Vh/k.java, line(s) 67,95,112,119
Vh/x.java, line(s) 183,124,379
Vj/C0566a.java, line(s) 52,93,102,114,126,142,171,177,196,235,242,55,117,136,145,149,174,210,219,220,74
Vj/C6366a.java, line(s) 68,110,119,131,143,159,190,196,215,254,261,71,134,153,162,166,193,229,238,239,91
Wj/C0571a.java, line(s) 49,56,67
Wj/C6442a.java, line(s) 50,57,68
Xf/b.java, line(s) 62,73
Xg/C0134g.java, line(s) 34,41,44,53,94
Xg/C1676g.java, line(s) 33,40,43,52,93
Xg/o.java, line(s) 56
Yf/g.java, line(s) 19
Yf/s.java, line(s) 21,18
Yf/t.java, line(s) 65,73,102,45,54,116
Yg/C6697a.java, line(s) 68,95,94,45,62
Yg/a.java, line(s) 66,93,92,43,60
Yj/C0576a.java, line(s) 11,15,19
Yj/C6701a.java, line(s) 11,15,19
Yj/d.java, line(s) 17
Yk/j.java, line(s) 75
Zh/C0578b.java, line(s) 63,81
Zh/C6801b.java, line(s) 67,85
ah/c.java, line(s) 94,97,119,127,128,148,150
ah/g.java, line(s) 28,38,15,48,58,68
bf/c.java, line(s) 32,31,54,73,55,74
bf/d.java, line(s) 15,14
bf/j.java, line(s) 92,93
co/tala/atlas/android/core/crash/c.java, line(s) 35,42
co/tala/atlas/android/core/firebase/FirebaseTokenStorage.java, line(s) 41
co/tala/common/utilities/logger/a.java, line(s) 13,20,27,34
com/braze/support/BrazeLogger.java, line(s) 256,259,277,265,268,294,296,274,283,286
com/hbisoft/hbrecorder/ScreenRecordService.java, line(s) 537
com/huawei/location/a.java, line(s) 27
com/huawei/riemann/common/api/location/SdmLocationClient.java, line(s) 31,40,64,69,77,100,108,114,140,148,153,158,172,185,58,91,138,156
com/huawei/riemann/gnsslocation/api/vdr/VdrLocationClient.java, line(s) 39,74,81,110,149,165,174,29,36,47,51,86,94,115,123,156,162,173,179,27,83,103,106,132,148,41,44,62
com/incode/recogkitandroid/BarcodeReaderKitAndroid.java, line(s) 52,55
com/incode/recogkitandroid/FaceAttributesDetectorKitAndroid.java, line(s) 42,49
com/incode/recogkitandroid/FacePadKitAndroid.java, line(s) 42,45
com/incode/recogkitandroid/IdCaptureKitAndroid.java, line(s) 95,98
com/incode/recogkitandroid/IdFaceDetectorKit.java, line(s) 42,49
com/incode/recogkitandroid/ImageProcessingKit.java, line(s) 39,42
com/incode/recogkitandroid/MaskDetectorKitAndroid.java, line(s) 42,49
com/incode/recogkitandroid/RecogKitAndroid.java, line(s) 40,43
com/incode/recogkitandroid/SelfieFaceDetectorKit.java, line(s) 49,52
com/incode/welcome_sdk/IncodeWelcome$Builder.java, line(s) 245
com/incode/welcome_sdk/IncodeWelcomeInitProvider.java, line(s) 342
com/incode/welcome_sdk/commons/modules/NetworkModule.java, line(s) 87,96
com/makeramen/roundedimageview/b.java, line(s) 144
com/makeramen/roundedimageview/c.java, line(s) 136,154
com/rajat/pdfviewer/PdfViewerActivity.java, line(s) 195
com/uxcam/internals/ii.java, line(s) 15
com/uxcam/screenaction/utils/Util.java, line(s) 127
df/a.java, line(s) 25,39,48,58
dh/C3699s.java, line(s) 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211
ff/AbstractC0996i.java, line(s) 57,98,99,58
ff/AbstractC3899i.java, line(s) 67,108,109,68
ji/FragmentC0507f.java, line(s) 34,44,68
ji/FragmentC4590f.java, line(s) 36,46,70
nh/C5342e.java, line(s) 112
ni/c.java, line(s) 144,434,439,191,195,451,459
org/joda/time/tz/DateTimeZoneBuilder.java, line(s) 355
org/mp4parser/muxer/container/mp4/FragmentedMp4SampleList.java, line(s) 213
org/mp4parser/muxer/tracks/DTSTrackImpl.java, line(s) 96,147,242
org/mp4parser/muxer/tracks/encryption/CencDecryptingSampleList.java, line(s) 124
org/mp4parser/muxer/tracks/h263/H263TrackImpl.java, line(s) 120
org/mp4parser/muxer/tracks/h264/parsing/Debug.java, line(s) 15,18,29,32,40,43,50,52
org/mp4parser/muxer/tracks/h265/H265TrackImpl.java, line(s) 88,95,100,116
org/mp4parser/muxer/tracks/h265/SEIMessage.java, line(s) 16
org/xms/f/analytics/ExtensionAnalytics.java, line(s) 27,42,55,67,75,83
org/xms/f/crashlytics/ExtensionCrashlytics.java, line(s) 17,24,34,37,44,47,54,57,64,67
org/xms/f/dynamiclinks/ExtensionDynamicLinks.java, line(s) 30,37,88,95,71,73,75,77,79
org/xms/f/dynamiclinks/PendingDynamicLinkData.java, line(s) 17,20
org/xms/f/messaging/ExtensionMessaging.java, line(s) 46,56,63,81
org/xms/f/messaging/RemoteMessage.java, line(s) 39,42,48,51,67,70,76,83,94,97
org/xms/f/remoteconfig/ExtensionRemoteConfig.java, line(s) 28,35,68,73,83,86,92,95,101,104,112
org/xms/f/remoteconfig/ExtensionRemoteConfigSettings.java, line(s) 18,21,31,34
org/xms/f/remoteconfig/ExtensionRemoteConfigValue.java, line(s) 20,23,30,33
org/xms/g/ads/identifier/AdvertisingIdClient.java, line(s) 25,28,34,37,48,56
org/xms/g/auth/api/phone/SmsRetriever.java, line(s) 24,34,37,43,46,52,55
org/xms/g/auth/api/phone/SmsRetrieverClient.java, line(s) 28
org/xms/g/common/ConnectionResult.java, line(s) 29,32,43,46,52,55,66,69
org/xms/g/common/ExtensionApiAvailability.java, line(s) 20,23,29,36,46,49,55,58,64,67,73,76
org/xms/g/common/UserRecoverableException.java, line(s) 64,67,71,74
org/xms/g/common/api/ApiException.java, line(s) 79,82,86,89,96,99,103,106
org/xms/g/common/api/CommonStatusCodes.java, line(s) 16,19,25,28,34,37,43,46,52,55
org/xms/g/common/api/Response.java, line(s) 23,26,41,46,53,57
org/xms/g/common/api/Status.java, line(s) 55,58,64,67,73,76,82,85,92,95
org/xms/g/location/FusedLocationProviderClient.java, line(s) 23,30,40,47
org/xms/g/location/LocationAvailability.java, line(s) 15,18,24,27,33,36
org/xms/g/location/LocationCallback.java, line(s) 62,66,72,75,83,87,93,96
org/xms/g/location/LocationRequest.java, line(s) 29,36,46,49,60,63,69,72,78,85,95,102,112,119,129,136,146,149,156,159
org/xms/g/location/LocationResult.java, line(s) 35,38,44,47,53,56,62,65,72,75
org/xms/g/location/LocationServices.java, line(s) 17,24
org/xms/g/security/ProviderInstaller.java, line(s) 51,54,62,65,85,95,108
org/xms/g/tasks/Continuation$XImpl.java, line(s) 28,31
org/xms/g/tasks/OnCanceledListener.java, line(s) 49,52
org/xms/g/tasks/OnFailureListener$XImpl.java, line(s) 25,28
org/xms/g/tasks/OnSuccessListener$XImpl.java, line(s) 27,31
org/xms/g/tasks/Task.java, line(s) 20,27,45,52,76,83,94,101,112,115,122,125,132,135,142,145,152,159,170,177
org/xms/g/tasks/TaskCompletionSource.java, line(s) 20,27,37,40,48,52
org/xms/g/tasks/Tasks.java, line(s) 25,28,34,41,57
org/xms/g/utils/Utils.java, line(s) 660,662,663,721,804,724,733,735,737,830,832,834,836,857,995,997,1058,1060,1062,1080,1082,1084,1115,683,694,701,707,711,715,745,752,811,816,819,823,894,897,922,925,950,956,967,973,979,983,985,990,1006,1024,1045,1068,1090,1109,755,1096,1100,1104
org/xms/g/utils/XObject.java, line(s) 18,20,28,30
org/xms/g/utils/XmsLog$1.java, line(s) 11,31,16,36,21,41,26,46
org/xms/installreferrer/api/InstallReferrerClient.java, line(s) 35,42,54,57,63,66,79,82,90,97,112,115,122,125,138,145
org/xms/installreferrer/api/InstallReferrerStateListener$XImpl.java, line(s) 25,28,35,38
org/xms/installreferrer/api/ReferrerDetails.java, line(s) 19,22,26,29,36,39,43,46,53,56,60,63
qo/d.java, line(s) 16,18
sh/e.java, line(s) 40,56
tf/a.java, line(s) 43,48,35
timber/log/a.java, line(s) 77,96
tm/C0784c.java, line(s) 139
tm/C6244c.java, line(s) 176
uf/C6298a.java, line(s) 15,22,29,14,21,28,42,43,49,50
uk/r.java, line(s) 167
wh/a.java, line(s) 58,64,83,87
wo/C0122g.java, line(s) 26
wo/C0137c.java, line(s) 138
wo/C0140f.java, line(s) 50
wo/D.java, line(s) 217
wo/K.java, line(s) 58,65
wo/X.java, line(s) 166,114,305
xh/c.java, line(s) 146,481,501,172,363,468
xh/f.java, line(s) 54
ze/a.java, line(s) 78,84,91,100,79,85,92,101
ze/d.java, line(s) 24,25
ze/j.java, line(s) 37,40
zendesk/belvedere/BelvedereFileProvider.java, line(s) 27
zendesk/belvedere/q.java, line(s) 55,62,76,69
zendesk/belvedere/w.java, line(s) 176

安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 

此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
co/tala/atlas/loans/repayment/instruction/presentation/PaymentOverlayService.java, line(s) 5,92,93
co/tala/common/payments/instruction/domain/models/PaymentOverlayService.java, line(s) 8,91,92
x9/C1389b.java, line(s) 5,23,30
x9/C6552b.java, line(s) 4,21,28

安全提示信息 应用程序可以写入应用程序目录。敏感信息应加密 

应用程序可以写入应用程序目录。敏感信息应加密


Files:
Bo/app/ar.java, line(s) 30,30
Bo/app/br.java, line(s) 12,12
Bo/app/bu.java, line(s) 14,14
Bo/app/dd0.java, line(s) 29,29
Bo/app/dn.java, line(s) 145,148,145,148
Bo/app/gg0.java, line(s) 100,103
Bo/app/jy.java, line(s) 35,35
Bo/app/k60.java, line(s) 18,18
Bo/app/lf0.java, line(s) 20
Bo/app/oe0.java, line(s) 84
Bo/app/pc.java, line(s) 40,43
Bo/app/ps.java, line(s) 35
Bo/app/q.java, line(s) 28,28
Bo/app/q40.java, line(s) 14,14
Bo/app/rx.java, line(s) 56,59,62
Bo/app/sq.java, line(s) 53,56,53,56
Bo/app/u60.java, line(s) 16,16
Bo/app/xu.java, line(s) 20
Bo/app/z80.java, line(s) 16,16
com/braze/configuration/RuntimeAppConfigurationProvider.java, line(s) 29,29
com/braze/managers/BrazeGeofenceManager.java, line(s) 196
com/statsig/androidsdk/StatsigClient.java, line(s) 676,676

安全提示信息 应用与Firebase数据库通信 

该应用与位于 https://tala-ff8c1.firebaseio.com 的 Firebase 数据库进行通信

已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 

此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
Im/t.java, line(s) 39,25,38,37,37
com/incode/welcome_sdk/commons/utils/NetworkUtils.java, line(s) 68,65
fj/e.java, line(s) 36,58,79,35,57,78,34,54,75

已通过安全项 此应用程序可能具有Root检测功能 

此应用程序可能具有Root检测功能
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
Hg/C0087c.java, line(s) 24
Hg/C1421c.java, line(s) 25
Xj/C0574a.java, line(s) 12
Xj/C6592a.java, line(s) 12
co/tala/atlas/android/core/utilities/s.java, line(s) 18,23
dh/C0282j.java, line(s) 297,297,298
dh/C3691j.java, line(s) 299,299,300

已通过安全项 此应用程序使用Safety Net API。 

此应用程序使用Safety Net API。
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#safetynet

Files:
org/xms/g/utils/Utils.java, line(s) 599,600,602,604,605,607,609

重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (appgallery.cloud.huawei.com) 通信。 

{'ip': '121.36.118.136', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}

综合安全基线评分: ( TALA 7.183.0)