导航菜单
登录 注册

页面标题

页面副标题

移动应用安全检测报告

应用图标

矿海寻金 v1.0.8

Android APK 4aa60fb5...
54
安全评分

安全基线评分

54/100

低风险

综合风险等级

风险等级评定
  1. A
  2. B
  3. C
  4. F

应用存在一定安全风险,建议优化

漏洞与安全项分布

0 高危
15 中危
1 信息
1 安全

隐私风险评估

1
第三方跟踪器

中等隐私风险
检测到少量第三方跟踪器


检测结果分布

高危安全漏洞 0
中危安全漏洞 15
安全提示信息 1
已通过安全项 1
重点安全关注 0

中危安全漏洞 应用已启用明文网络流量 

[android:usesCleartextTraffic=true]
应用允许明文网络流量(如 HTTP、FTP 协议、DownloadManager、MediaPlayer 等)。API 级别 27 及以下默认启用,28 及以上默认禁用。明文流量缺乏机密性、完整性和真实性保护,攻击者可窃听或篡改传输数据。建议关闭明文流量,仅使用加密协议。

中危安全漏洞 Service (com.kwad.sdk.api.proxy.VideoWallpaperService) 受权限保护,但应检查权限保护级别。 

Permission: android.permission.BIND_WALLPAPER [android:exported=true]
检测到  Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。

中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。 

Permission: android.permission.DUMP [android:exported=true]
检测到  Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。

中危安全漏洞 Activity (com.huawei.openalliance.ad.activity.PPSLauncherActivity) 未受保护。 

[android:exported=true]
检测到  Activity 已导出,未受任何权限保护,任意应用均可访问。

中危安全漏洞 Content Provider (com.huawei.openalliance.ad.provider.PPSECProvider) 未受保护。 

[android:exported=true]
检测到  Content Provider 已导出,未受任何权限保护,任意应用均可访问。

中危安全漏洞 高优先级 Intent(1000) - {1} 个命中 

[android:priority]
通过设置较高的 Intent 优先级,应用可覆盖其他请求,可能导致安全风险。

中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
aegon/chrome/base/PathUtils.java, line(s) 135,188
com/czhj/devicehelper/cnoaid/a.java, line(s) 365,366
com/dmcbig/mediapicker/utils/FileUtils.java, line(s) 23,24,26,51,111
com/kwai/video/hodor/util/FileUtils.java, line(s) 48,59
com/nostra13/dcloudimageloader/utils/StorageUtils.java, line(s) 21,40,40,45

中危安全漏洞 应用程序使用不安全的随机数生成器 

应用程序使用不安全的随机数生成器
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/badlogic/gdx/math/a.java, line(s) 3
com/hjq/permissions/PermissionFragment.java, line(s) 16

中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
aegon/chrome/base/EarlyTraceEvent.java, line(s) 13
com/hjq/permissions/StartActivityManager.java, line(s) 10

中危安全漏洞 IP地址泄露 

IP地址泄露


Files:
aegon/chrome/base/PiiElider.java, line(s) 20
aegon/chrome/net/AndroidNetworkLibrary.java, line(s) 66,65,70,62,61,69
aegon/chrome/net/X509Util.java, line(s) 43,42,45
com/kwai/video/hodor/BuildConfig.java, line(s) 16
com/kwai/video/player/BuildConfig.java, line(s) 13

中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/czhj/devicehelper/cnoaid/impl/p.java, line(s) 29

中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件 

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
com/dmcbig/mediapicker/TakePhotoActivity.java, line(s) 25
com/dmcbig/mediapicker/utils/FileUtils.java, line(s) 34

中危安全漏洞 MD5是已知存在哈希冲突的弱哈希 

MD5是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/nostra13/dcloudimageloader/cache/disc/naming/Md5FileNameGenerator.java, line(s) 19

中危安全漏洞 应用程序包含隐私跟踪程序 

此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。

中危安全漏洞 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
DCLOUD的 "APPID" : "__UNI__6D5ED47"
凭证信息=> "UNIAD_KS_APPID" : "ks_535908791"
DCLOUD的 "ApplicationId" : "com.qjlm998.app"
DCLOUD的 "AD_ID" : "120014180905"
DCLOUD的 "DCLOUD_STREAMAPP_CHANNEL" : "com.qjlm998.app|__UNI__6D5ED47|120014180905|"
凭证信息=> "UNIAD_GDT_APPID" : "gdt_1207729077"
凭证信息=> "UNIAD_SGM_APPID" : "sgm_50551"
"dcloud_permissions_reauthorization" : "reauthorize"
6214227cd0a1f50c2d7cde0837359bf496afaf3a
50e2326ac25aa75936f45493dea50631eb8bd911
0f958c6964a2661d94474b04c8daba856
0cdcc6158160790658d1f033d3db873603250124-

安全提示信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
aegon/chrome/base/AnimationFrameTimeHistogram.java, line(s) 102
aegon/chrome/base/ApkAssets.java, line(s) 21,27,34,44
aegon/chrome/base/CommandLine.java, line(s) 103
aegon/chrome/base/ContentUriUtils.java, line(s) 103,105,107,172
aegon/chrome/base/EventLog.java, line(s) 8
aegon/chrome/base/FileUtils.java, line(s) 33,117,96,136,144,157,165
aegon/chrome/base/Log.java, line(s) 83,85,145,147,34,125,127,41,43,135,137,155,157
aegon/chrome/base/PathUtils.java, line(s) 74
aegon/chrome/base/TraceEvent.java, line(s) 119,127
aegon/chrome/base/task/AsyncTask.java, line(s) 202
aegon/chrome/net/AndroidKeyStore.java, line(s) 27,39,52,56,68,72
aegon/chrome/net/AndroidNetworkLibrary.java, line(s) 103
aegon/chrome/net/CronetEngine.java, line(s) 122,121
aegon/chrome/net/CronetProvider.java, line(s) 82,77,96,81
aegon/chrome/net/X509Util.java, line(s) 85,87,89,184,188,261,325,305
aegon/chrome/net/impl/CronetBidirectionalStream.java, line(s) 356,501,570,610,617,584
aegon/chrome/net/impl/CronetLibraryLoader.java, line(s) 101
aegon/chrome/net/impl/CronetUploadDataStream.java, line(s) 144,239
aegon/chrome/net/impl/CronetUrlRequest.java, line(s) 338,371,377,466,495,538,543,579,599
aegon/chrome/net/impl/CronetUrlRequestContext.java, line(s) 586,485,488
aegon/chrome/net/impl/JavaUrlRequest.java, line(s) 570,707,833,846,860
aegon/chrome/net/impl/UrlRequestBuilderImpl.java, line(s) 74
aegon/chrome/net/urlconnection/CronetHttpURLConnection.java, line(s) 156,287
androidtranscoder/MediaTranscoder.java, line(s) 75,152,185,72,69
androidtranscoder/engine/MediaTranscoderEngine.java, line(s) 75,83,168,197
androidtranscoder/engine/QueuedMuxer.java, line(s) 96,98,106
androidtranscoder/engine/TextureRender.java, line(s) 50,62,63,78,81,99
androidtranscoder/format/ExportPreset960x540Strategy.java, line(s) 23
com/bun/miitmdid/core/MdidSdkHelper.java, line(s) 57,63
com/bun/miitmdid/core/Utils.java, line(s) 72,75,35,41,46
com/czhj/devicehelper/DeviceHelper.java, line(s) 39,71,123,127
com/czhj/devicehelper/cnoaid/com/qiku/id/b.java, line(s) 32
com/czhj/devicehelper/cnoaid/g.java, line(s) 21
com/czhj/devicehelper/cnoaid/impl/g.java, line(s) 81
com/czhj/devicehelper/cnoaid/impl/h.java, line(s) 43,67,80,107,122,145,148,179
com/czhj/devicehelper/honor/identifier/a.java, line(s) 35,31,40
com/czhj/devicehelper/honor/identifier/b.java, line(s) 33,35,55,57,76,118,39,61,68,72,92,110,112,114,117,129
com/czhj/devicehelper/msaoaId/a.java, line(s) 54,84,90,119,125,145,174
com/czhj/volley/CacheDispatcher.java, line(s) 36,48,67,176,59,87,164
com/czhj/volley/NetworkDispatcher.java, line(s) 58
com/czhj/volley/Request.java, line(s) 150,155
com/czhj/volley/RequestQueue.java, line(s) 91
com/czhj/volley/VolleyLog.java, line(s) 64,67,98,54,103,107,117,122,126
com/czhj/volley/VolleyThreadFactory.java, line(s) 11
com/czhj/volley/toolbox/BasicNetwork.java, line(s) 81,131,125,137,146,168
com/czhj/volley/toolbox/FileDownloadNetwork.java, line(s) 82,105,116,147
com/czhj/volley/toolbox/FileDownloadRequest.java, line(s) 50
com/czhj/volley/toolbox/HttpHeaderParser.java, line(s) 163
com/czhj/volley/toolbox/ImageRequest.java, line(s) 133
com/dmcbig/mediapicker/PreviewActivity.java, line(s) 246
com/kuaishou/aegon/AegonLoggingDispatcher.java, line(s) 22,33,26,28
com/kwad/lottie/LottieAnimationView.java, line(s) 269
com/kwad/lottie/b/a.java, line(s) 23
com/kwad/lottie/b/b.java, line(s) 32,72,82
com/kwad/lottie/c.java, line(s) 20,29
com/kwad/lottie/c/c.java, line(s) 66
com/kwad/lottie/d.java, line(s) 41
com/kwad/lottie/e.java, line(s) 167
com/kwad/lottie/f.java, line(s) 170,444
com/kwad/lottie/k.java, line(s) 105
com/kwai/library/ipneigh/KwaiIpNeigh.java, line(s) 39,42
com/kwai/player/vr/EglUtil.java, line(s) 30
com/kwai/player/vr/KwaiOrientationHelper.java, line(s) 110,115
com/kwai/player/vr/KwaiSensorHelper.java, line(s) 101,104,120,160,98,178
com/kwai/player/vr/KwaiVR.java, line(s) 95,102,108,115,179,223
com/kwai/player/vr/SurfaceTextureRenderer.java, line(s) 218,316,319,342,361,379,404,495,573,605,159,163,172,211,214,451,480,499,512,521,556,153,175,182,225,232,237,253,256,258,266,269,272,275,350,352,442,453
com/kwai/player/vr/SurfaceUtil.java, line(s) 13,25
com/kwai/video/hodor/util/Timber.java, line(s) 521,539
com/kwai/video/ksvodplayerkit/KSVodPlayer.java, line(s) 155
com/kwai/video/ksvodplayerkit/Logger/KSVodLogger.java, line(s) 71,94,117,140,163
com/kwai/video/player/AbstractNativeMediaPlayer.java, line(s) 232,239,226,243,272,93,269
com/kwai/video/player/KsDrm.java, line(s) 18
com/kwai/video/player/KsMediaCodecInfo.java, line(s) 139,141
com/kwai/video/player/KsMediaPlayer.java, line(s) 1632,1647,597,938,1317,1325,1426,1434
com/kwai/video/player/kwai_player/KwaiMediaPlayer.java, line(s) 577,868,1510,879,368,391,1451
com/kwai/video/player/pragma/DebugLog.java, line(s) 50,54,58,14,18,22,26,30,34,62,66,70,38,42,46
com/kwai/video/player/surface/DummySurface.java, line(s) 134,140,59
com/sigmob/windad/Splash/WindSplashAD.java, line(s) 46,166
com/sigmob/windad/WindAds.java, line(s) 72,133,161,360,271,307,334,358,291
com/sigmob/windad/natives/WindNativeUnifiedAd.java, line(s) 82,99,124

已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 

此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
aegon/chrome/net/X509Util.java, line(s) 179,178,214,177,177

综合安全基线评分总结

应用图标

矿海寻金 v1.0.8

Android APK
54
综合安全评分
中风险