页面标题
页面副标题
移动应用安全检测报告
Chief Mobile v22.50
58
安全评分
安全基线评分
58/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
0
高危
22
中危
2
信息
3
安全
隐私风险评估
3
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
0
中危安全漏洞
22
安全提示信息
2
已通过安全项
3
重点安全关注
0
中危安全漏洞 应用已启用明文网络流量
[android:usesCleartextTraffic=true] 应用允许明文网络流量(如 HTTP、FTP 协议、DownloadManager、MediaPlayer 等)。API 级别 27 及以下默认启用,28 及以上默认禁用。明文流量缺乏机密性、完整性和真实性保护,攻击者可窃听或篡改传输数据。建议关闭明文流量,仅使用加密协议。
中危安全漏洞 Activity (com.chief.mobile.activity.LoginActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.chief.mobile.service.audio.AudioService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.chief.mobile.service.MyFirebaseMessagingService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.chief.mobile.service.FirebaseDataReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.chief.mobile.util.NotificationSettingsChangedReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.chief.mobile.service.GCMintentService) 受权限保护,但应检查权限保护级别。
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.google.firebase.messaging.directboot.FirebaseMessagingDirectBootReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/chief/mobile/activity/LoginActivity.java, line(s) 45 com/chief/mobile/util/Constants.java, line(s) 51 io/realm/internal/log/obfuscator/ApiKeyObfuscator.java, line(s) 8 io/realm/internal/log/obfuscator/CustomFunctionObfuscator.java, line(s) 8 io/realm/internal/log/obfuscator/EmailPasswordObfuscator.java, line(s) 8,9,10 io/realm/internal/log/obfuscator/TokenObfuscator.java, line(s) 8,9,10,11 io/sentry/TraceState.java, line(s) 21 io/sentry/protocol/User.java, line(s) 28
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: io/realm/mongodb/sync/SyncConfiguration.java, line(s) 633
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/chief/mobile/activity/incidents/commonModules/PolyLinePathDrawingUtil.java, line(s) 23 com/chief/mobile/service/music/MusicRetriever.java, line(s) 11 com/chief/mobile/util/Utils.java, line(s) 126 org/junit/runner/manipulation/Ordering.java, line(s) 7
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/chief/mobile/activity/CustomWebViewActivity.java, line(s) 254,258 com/chief/mobile/util/ImageCompression.java, line(s) 122 com/chief/mobile/util/RealPathUtil.java, line(s) 45 com/chief/mobile/util/Utils.java, line(s) 182 com/github/dhaval2404/imagepicker/util/FileUriUtils.java, line(s) 57,59,97 com/yalantis/ucrop/util/FileUtils.java, line(s) 51 io/sentry/android/core/DefaultAndroidEventProcessor.java, line(s) 272,504
中危安全漏洞 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: io/sentry/android/core/internal/util/RootChecker.java, line(s) 22,22,22,22,22
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: com/chief/mobile/activity/CustomWebViewActivity.java, line(s) 254,258 com/chief/mobile/library/edmodo/BitmapUtils.java, line(s) 171 com/chief/mobile/library/edmodo/CropImageActivity.java, line(s) 218 io/realm/mongodb/App.java, line(s) 75 org/junit/rules/TemporaryFolder.java, line(s) 79,164
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/chief/mobile/activity/CustomWebViewActivity.java, line(s) 117,116
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 凭证信息=> "com.google.android.geo.API_KEY" : "@string/google_map_key" "com.google.firebase.crashlytics.mapping_file_id" : "00000000000000000000000000000000" "google_api_key" : "AIzaSyDWyQ2D30H8EG7mCqdYCDa7VouzIv6Jbhc" "google_app_id" : "1:469214560091:android:de969748d0642231d5a47e" "google_crash_reporting_api_key" : "AIzaSyDWyQ2D30H8EG7mCqdYCDa7VouzIv6Jbhc" "google_map_key" : "AIzaSyC1soYSXreu08Ynh9gSf5tP2rEIOdA6dqs" "image_picker_provider_authority_suffix" : ".imagepicker.provider" "login_password" : "$olutionSoftApp!" "password" : "Password" "username" : "Username" Y2hpZWYzNjBtb2JpbGVhbmRyb2lkOm43SnZodGtUYVZGZVllblk3dHlGSiZTbSoyVEdmVGFC E6FED2BB-C57E-4891-ACF2-BEF44D89E5B8
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/chief/mobile/AppInitialization.java, line(s) 131 com/chief/mobile/activity/AllScheduleActivity.java, line(s) 165 com/chief/mobile/activity/BulletinBoardActivity.java, line(s) 118 com/chief/mobile/activity/DashboardActivity.java, line(s) 217,425,426,476,574,577,578,581,582,585,586,589,590,634,635,645,938,1037,1039,1043,1336,1338,1342,1540,1571,605,606,607,614 com/chief/mobile/activity/JoinAgencyActivity.java, line(s) 117 com/chief/mobile/activity/MessageDetailActivity.java, line(s) 130 com/chief/mobile/activity/SettingsActivity.java, line(s) 99,181,188,190,194 com/chief/mobile/activity/incidents/CommonIncidentDetailUtil.java, line(s) 175 com/chief/mobile/activity/incidents/IncidentDetailsPhoneActivity.java, line(s) 643,938,944 com/chief/mobile/activity/incidents/IncidentDetailsTabletActivity.java, line(s) 1039,1138,1155,1178,1205,1339,2608,288,309,340,451,977,1030,1062,1091,1101,1102,1290,1329,1330,1391,1453,1463,1465,1811,1821,2386,2393,2554,2555,2695,2701 com/chief/mobile/activity/incidents/IncidentListingActivity.java, line(s) 270,273,276,281 com/chief/mobile/activity/incidents/PhoneFullMapActivity.java, line(s) 160,572,651,823,927,1029,278,563,589,647,738,766,813,814,873,874,982,992,993,1056,1065,1067 com/chief/mobile/activity/incidents/commonModules/CallerDataPolyLineUtil.java, line(s) 54,105,107 com/chief/mobile/activity/incidents/commonModules/PolyLinePathDrawingUtil.java, line(s) 53 com/chief/mobile/activity/incidents/news/EditNewsDetailsActivity.java, line(s) 126 com/chief/mobile/activity/incidents/news/NewsDetailsActivity.java, line(s) 136 com/chief/mobile/activity/incidents/news/NewsListActivity.java, line(s) 77,85,156 com/chief/mobile/adapter/AgencyListAdapter.java, line(s) 51 com/chief/mobile/adapter/ApparatusAdapter.java, line(s) 43,51 com/chief/mobile/adapter/CompanyScheduleAdapter.java, line(s) 39,51,54 com/chief/mobile/adapter/CustomInfoWindowAdapter.java, line(s) 78 com/chief/mobile/adapter/IncidentsAdapter.java, line(s) 133 com/chief/mobile/adapter/MapProviderAdapter.java, line(s) 66 com/chief/mobile/adapter/MyScheduleAdapter.java, line(s) 49,52,83 com/chief/mobile/adapter/NoteAdapter.java, line(s) 55 com/chief/mobile/adapter/NoteAdaptertablet.java, line(s) 41 com/chief/mobile/adapter/NotificationAgencyAdapter.java, line(s) 56 com/chief/mobile/adapter/NotificationChannelAdapter.java, line(s) 36 com/chief/mobile/adapter/RadioListAdapter.java, line(s) 29,46 com/chief/mobile/adapter/RespondersAdapter.java, line(s) 66 com/chief/mobile/adapter/ScheduleStatusOptionsAdapter.java, line(s) 62 com/chief/mobile/adapter/SoundListAdapter.java, line(s) 53 com/chief/mobile/adapter/ToneAlertsAdapter.java, line(s) 50,85,100 com/chief/mobile/adapter/UpcomingEventsAdapter.java, line(s) 49 com/chief/mobile/adapter/ViewApparatusAdapter.java, line(s) 183,188 com/chief/mobile/fragment/AgencyBottomSheetFragment.java, line(s) 153,162 com/chief/mobile/fragment/ApparatusBottomSheetFragments.java, line(s) 141,169,199,200,238 com/chief/mobile/fragment/ClockedInPersonnelFragment.java, line(s) 105 com/chief/mobile/fragment/FragmentMyAvailability.java, line(s) 158 com/chief/mobile/fragment/FragmentMySchedule.java, line(s) 201 com/chief/mobile/fragment/FragmentSettings.java, line(s) 472,136,170,620,627,629,633 com/chief/mobile/fragment/GeneralNotificationFragment.java, line(s) 169 com/chief/mobile/fragment/HomeFragment.java, line(s) 341,349,365,488,637,643,1101,1260,1551,1556 com/chief/mobile/fragment/NotificationFrag.java, line(s) 125,323 com/chief/mobile/fragment/ScheduleClockInFragment.java, line(s) 182,187 com/chief/mobile/fragment/UnscheduleClockInFragment.java, line(s) 138,139,140,141,157,158,160,166,277,131,134,148,155,177 com/chief/mobile/fragment/ViewEditScheduleFragment.java, line(s) 51,56,61,66,78 com/chief/mobile/library/autoimageslider/SliderPager.java, line(s) 546 com/chief/mobile/library/autoimageslider/SliderView.java, line(s) 516 com/chief/mobile/library/autoimageslider/Transformations/HorizontalFlipTransformation.java, line(s) 25,31 com/chief/mobile/library/edmodo/BitmapUtils.java, line(s) 180,219 com/chief/mobile/library/edmodo/CropImageActivity.java, line(s) 96,253 com/chief/mobile/library/edmodo/CropOverlayView.java, line(s) 683 com/chief/mobile/library/imgPicker/ImagePicker.java, line(s) 131,136,138,157,225 com/chief/mobile/okhttpServcice/CustomRetryInterceptor.java, line(s) 48,67 com/chief/mobile/okhttpServcice/NetworkManager.java, line(s) 160,161,162,173,188,267,293,327 com/chief/mobile/okhttpServcice/newtWorkUtils/AppUrlHelper.java, line(s) 37 com/chief/mobile/service/AlertPushNotification.java, line(s) 118,119,128,154,155,162,163,182,184,187,212,215,229,234,235,236,239,240,243,244,245,249,254,259,263,264,272,315,323,324,332,334,342,343,344,348,349,353,360,361,363,367,368,372,387,391,400,401,408,409,413,414,419,420,427,428,431,432,507,518,532,535,556,567,583,597,606,611,615,655,661,663,667,680,687,698,703,705,714,730,741,763,772,788,804,816,829,335,354,402,421,623,625,635,637,676 com/chief/mobile/service/FirebaseDataReceiver.java, line(s) 267,290,294,306,315,326,333,338,344,346,353,366,385,415,448 com/chief/mobile/service/Foreground.java, line(s) 117,144,111,122,138,149 com/chief/mobile/service/GCMintentService.java, line(s) 30 com/chief/mobile/service/MyFirebaseMessagingService.java, line(s) 83,85,86,124,239 com/chief/mobile/service/audio/AudioService.java, line(s) 320,326,83,239,242,243,245,251,261,330,395,425 com/chief/mobile/service/audio/AudioView.java, line(s) 267 com/chief/mobile/service/audio/AudioView2.java, line(s) 58,80,191,213,324,346,491,534,558,559 com/chief/mobile/service/music/MediaButtonHelper.java, line(s) 34,56 com/chief/mobile/service/music/MusicRetriever.java, line(s) 31,35,26,27,29,38,44,45,47,50 com/chief/mobile/service/music/MusicService.java, line(s) 323,96 com/chief/mobile/service/music/RemoteControlClientCompat.java, line(s) 76,29,32,34 com/chief/mobile/service/music/RemoteControlHelper.java, line(s) 38,48 com/chief/mobile/service/updateLatLongService/UpdateLatLngService.java, line(s) 86,126,60,91,197,198,199,208,220,224,229 com/chief/mobile/service/updateLatLongService/UpdateLatLongServiceHelper.java, line(s) 154,166,168,174,183,184,185,186,187 com/chief/mobile/util/NotificationSettingsChangedReceiver.java, line(s) 12,14 com/chief/mobile/util/ScreenTimeoutUtils.java, line(s) 126 com/chief/mobile/util/SharedPref.java, line(s) 220,366 com/chief/mobile/util/Utils.java, line(s) 457,1040,1059,966,1192,1197,834 com/daimajia/slider/library/Tricks/ViewPagerEx.java, line(s) 465,471,495 com/github/dhaval2404/imagepicker/ImagePickerActivity.java, line(s) 113 com/github/dhaval2404/imagepicker/provider/CropProvider.java, line(s) 101 com/github/dhaval2404/imagepicker/util/ExifDataCopier.java, line(s) 30 com/nineoldandroids/animation/PropertyValuesHolder.java, line(s) 149,178,224,242,244,261,263,299,301,427,429,517,519 com/yalantis/ucrop/UCropActivity.java, line(s) 153 com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 150,117 com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 122,151,196,83,86,128,137,144 com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 103,51,82 com/yalantis/ucrop/util/EglUtils.java, line(s) 23 com/yalantis/ucrop/util/FileUtils.java, line(s) 59 com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 55,62,73,81,113,123,135,149,163,169,173,178,184,188,291,54,61,72,80,112,122,134,148,162,168,172,177,183,187 com/yalantis/ucrop/view/TransformImageView.java, line(s) 214,231,123,78 io/realm/BaseRealm.java, line(s) 157,164,448 io/realm/DynamicRealm.java, line(s) 256 io/realm/Realm.java, line(s) 775 io/realm/RealmCache.java, line(s) 258,245,255,391 io/realm/RealmObject.java, line(s) 198,219 io/realm/RealmResults.java, line(s) 653 io/realm/internal/FinalizerRunnable.java, line(s) 20 io/realm/internal/RealmCore.java, line(s) 52,48 io/realm/internal/Util.java, line(s) 61,66,71,77 io/realm/internal/async/RealmResultTaskImpl.java, line(s) 86 io/realm/internal/mongodb/Request.java, line(s) 60 io/realm/internal/network/LoggingInterceptor.java, line(s) 43 io/realm/mongodb/App.java, line(s) 106,122 io/realm/mongodb/AppConfiguration.java, line(s) 249,254,259,238,264,240 io/realm/mongodb/ErrorCode.java, line(s) 300 io/realm/mongodb/sync/Progress.java, line(s) 31 io/realm/mongodb/sync/Sync.java, line(s) 45,47,98,102,170,176,198,209,219,278,281,287,202 io/realm/mongodb/sync/SyncConfiguration.java, line(s) 691 io/realm/mongodb/sync/SyncSession.java, line(s) 187,183,197 io/sentry/SystemOutLogger.java, line(s) 14,22,31 io/sentry/android/core/AndroidLogger.java, line(s) 73,69,61,65,71 io/sentry/transport/StdoutTransport.java, line(s) 36 junit/runner/BaseTestRunner.java, line(s) 151 junit/runner/Version.java, line(s) 12 junit/textui/TestRunner.java, line(s) 89,113,138
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/chief/mobile/util/Utils.java, line(s) 10,1105
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: io/sentry/android/core/DefaultAndroidEventProcessor.java, line(s) 84 io/sentry/android/core/internal/util/RootChecker.java, line(s) 40,22,22,22,22,22,22,34
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: io/realm/mongodb/sync/Sync.java, line(s) 297,296,295,295
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/469214560091/namespaces/firebase:fetch?key=AIzaSyDWyQ2D30H8EG7mCqdYCDa7VouzIv6Jbhc ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
Chief Mobile v22.50
Android APK
58
综合安全评分
中风险