Mobile Application Security Scan Report: Ultra-SDP v1.0.0

Security Baseline Score


Security baseline score: 48/100

Overall Risk Level


Risk level rating

  1. A
  2. B
  3. C
  4. F

Distribution of Vulnerabilities and Security Items (%)


Privacy Risk

Number of third-party trackers detected: 0


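Distribution of Findings

High-severity vulnerabilities: 5
Medium-severity vulnerabilities: 18
Security notices: 2
Passed security checks: 3
Key security concerns: 9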

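High-severity vulnerability: The launch mode of Activity (com.zta.android.activity.ZtaMainActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because it then becomes a root Activity and other applications may be able to read the contents of the calling Intent. When an Intent contains sensitive information, the "standard" launch mode attribute must therefore be used.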

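High-severity vulnerability: The launch mode of Activity (com.zta.android.news.activity.HomeActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because it then becomes a root Activity and other applications may be able to read the contents of the calling Intent. When an Intent contains sensitive information, the "standard" launch mode attribute must therefore be used.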

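High-severity vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.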
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/cmic/sso/sdk/d/a.java, line(s) 11,23,36,49

High-severity vulnerability: The file is World Writable. Any application can write to the file.

The file is World Writable. Any application can write to the file.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
com/cmic/sso/sdk/d/u.java, line(s) 20,37,54

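Medium-severity vulnerability: The application is affected by the Janus vulnerability

The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications running on Android 5.0-7.0 that are signed with the v1 scheme, including those also signed with the v2/v3 schemes, are vulnerable as well.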

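Medium-severity vulnerability: The application can be installed on a vulnerable, unpatched Android version

Android 4.4W-4.4W.2, [minSdk=20]
The application can be installed on older versions of Android that have multiple unfixed vulnerabilities. These devices will not receive reasonable security updates from Google. Support an Android version => 10, API 29 to receive reasonable security updates.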

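Medium-severity vulnerability: Cleartext network traffic is enabled for the application

[android:usesCleartextTraffic=true]
The application intends to use cleartext network traffic, such as cleartext HTTP, the FTP protocol, DownloadManager and MediaPlayer. For applications targeting API level 27 or lower, the default value is "true". For applications targeting API level 28 or higher, the default value is "false". The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and protection against tampering; a network attacker can eavesdrop on transmitted data and modify it without being detected.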

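Medium-severity vulnerability: Activity (com.zta.android.activity.MainActivity) is not protected.

An intent-filter is present.
The Activity is shared with other applications on the device, which makes it accessible to any other application on the device. The presence of an intent-filter indicates that this Activity is explicitly exported.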

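Medium-severity vulnerability: Broadcast Receiver (com.zta.android.BootShutdownReceiver) is not protected.

An intent-filter is present.
The Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. The presence of an intent-filter indicates that this Broadcast Receiver is explicitly exported.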

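Medium-severity vulnerability: Service (com.zta.android.backend.GoBackend$VpnService) is protected by a permission, but the protection level of the permission should be checked.

Permission: android.permission.BIND_VPN_SERVICE [android:exported=true]
The Service is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.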

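Medium-severity vulnerability: Service (com.zta.android.QuickTileService) is protected by a permission, but the protection level of the permission should be checked.

Permission: android.permission.BIND_QUICK_SETTINGS_TILE [android:exported=true]
The Service is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.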

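Medium-severity vulnerability: Activity (com.xuexiang.xqrcode.ui.CaptureActivity) is not protected.

[android:exported=true]
The Activity is shared with other applications on the device, which makes it accessible to any other application on the device.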

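Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.

Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.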
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
cn/hutool/cache/impl/CacheObj.java, line(s) 45
cn/hutool/core/lang/Pair.java, line(s) 30
cn/hutool/core/lang/tree/TreeNodeConfig.java, line(s) 14,11,12
com/alibaba/android/vlayout/layout/StaggeredGridLayoutHelper.java, line(s) 20
com/bumptech/glide/load/Option.java, line(s) 74
com/bumptech/glide/load/engine/DataCacheKey.java, line(s) 33
com/bumptech/glide/load/engine/EngineResource.java, line(s) 89
com/bumptech/glide/load/engine/ResourceCacheKey.java, line(s) 80
com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 36
com/xuexiang/constant/RegexConstants.java, line(s) 23
com/xuexiang/xqrcode/decoding/Intents.java, line(s) 44
com/zta/android/news/adapter/entity/NewInfo.java, line(s) 16,20,33,42,132
com/zta/android/news/util/RsaUtils.java, line(s) 23,24
com/zta/android/news/util/Sm4Util.java, line(s) 5
com/zta/android/util/Constant.java, line(s) 4
com/zta/util/Keys.java, line(s) 15,17,4,14
com/zta/util/ZtaConfig.java, line(s) 128,128

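Medium-severity vulnerability: The application can read/write external storage. Any application can read data written to external storage.

The application can read/write external storage. Any application can read data written to external storage.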
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/xuexiang/xutil/app/PathUtils.java, line(s) 125,129,133,137,141,145,149,153,157,161,165,77,81,85,89,93,97,101,105,109,113,117,291,373
com/xuexiang/xutil/file/CleanUtils.java, line(s) 33
com/xuexiang/xutil/file/FileUtils.java, line(s) 55,43,68
com/yanzhenjie/permission/checker/StorageReadTest.java, line(s) 8
com/yanzhenjie/permission/checker/StorageWriteTest.java, line(s) 8
com/zta/android/news/fragment/AboutFragment.java, line(s) 59
com/zta/android/util/DownloadsFileSaver.java, line(s) 91

Medium-severity vulnerability: IP address disclosure

IP address disclosure


Files:
cn/hutool/core/net/MaskBit.java, line(s) 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40
cn/hutool/core/net/NetUtil.java, line(s) 118,118,39,118,118,118,118
cn/hutool/crypto/asymmetric/Sign.java, line(s) 125
com/cmic/sso/sdk/auth/AuthnHelper.java, line(s) 31
com/xuexiang/xutil/net/NetworkUtils.java, line(s) 146,146
net/i2p/crypto/eddsa/EdDSASecurityProvider.java, line(s) 25,26,27,28,29,30

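Medium-severity vulnerability: The application uses an insecure random number generator

The application uses an insecure random number generator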
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
cn/hutool/core/img/ImgUtil.java, line(s) 40
cn/hutool/core/util/NumberUtil.java, line(s) 13
cn/hutool/core/util/RandomUtil.java, line(s) 20
com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 15
com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 25
com/scwang/smartrefresh/header/storehouse/StoreHouseBarItem.java, line(s) 8
com/xuexiang/xui/utils/ColorUtils.java, line(s) 4
com/xuexiang/xui/widget/button/shinebutton/ShineView.java, line(s) 17
com/xuexiang/xui/widget/textview/badge/BadgeAnimator.java, line(s) 12
com/xuexiang/xutil/display/ColorUtils.java, line(s) 6
java9/util/concurrent/ThreadLocalRandom.java, line(s) 7

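Medium-severity vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.

Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.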
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/zta/android/activity/MainWebViewActivity.java, line(s) 31,39

Medium-severity vulnerability: MD5 is a weak hash known to have hash collisions

MD5 is a weak hash known to have hash collisions
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
cn/hutool/core/lang/UUID.java, line(s) 63
com/cmic/sso/sdk/d/e.java, line(s) 10,31
com/cmic/sso/sdk/d/n.java, line(s) 13
com/xuexiang/xutil/file/FileUtils.java, line(s) 767
com/xuexiang/xutil/security/CipherUtils.java, line(s) 16
com/xuexiang/xutil/security/EncryptUtils.java, line(s) 85
com/zta/util/DeviceTool.java, line(s) 321

Medium-severity vulnerability: This application may request root (superuser) privileges

This application may request root (superuser) privileges
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/cmic/sso/sdk/d/f.java, line(s) 18,40,65,15

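Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to a temporary file.

The application creates temporary files. Sensitive information should never be written to a temporary file.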


Files:
cn/hutool/core/io/FileUtil.java, line(s) 426
cn/hutool/core/net/multipart/UploadFile.java, line(s) 128
com/yanzhenjie/permission/checker/RecordAudioTest.java, line(s) 17
com/zta/android/util/ModuleLoader.java, line(s) 150
com/zta/android/util/SharedLibraryLoader.java, line(s) 74

Medium-severity vulnerability: SHA-1 is a weak hash known to have hash collisions

SHA-1 is a weak hash known to have hash collisions
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
cn/hutool/core/util/RandomUtil.java, line(s) 38

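Medium-severity vulnerability: This application may contain hardcoded secrets

The following secrets were identified in the application. Make sure they are not secrets or private information.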
"gusturepass_auth" : "手势密码认证"

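Security notice: The application logs information. Sensitive information must not be logged.

The application logs information. Sensitive information must not be logged.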
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
cn/hutool/core/lang/Console.java, line(s) 90,119,10,39,86
cn/hutool/cron/Scheduler.java, line(s) 93
cn/hutool/cron/listener/TaskListenerManager.java, line(s) 53
cn/hutool/db/Db.java, line(s) 122,132
cn/hutool/db/dialect/DialectFactory.java, line(s) 38
cn/hutool/db/ds/GlobalDSFactory.java, line(s) 14,40
cn/hutool/extra/pinyin/engine/PinyinFactory.java, line(s) 27
cn/hutool/extra/template/engine/TemplateFactory.java, line(s) 33
cn/hutool/extra/tokenizer/engine/TokenizerFactory.java, line(s) 27
cn/hutool/log/dialect/jdk/JdkLogFactory.java, line(s) 30
cn/hutool/setting/Setting.java, line(s) 129
cn/hutool/setting/dialect/Props.java, line(s) 372
cn/hutool/socket/aio/AcceptHandler.java, line(s) 19
cn/hutool/socket/aio/SimpleIoAction.java, line(s) 12
cn/hutool/socket/nio/AcceptHandler.java, line(s) 14,23
cn/hutool/socket/nio/NioServer.java, line(s) 82
com/alibaba/android/vlayout/ExposeLinearLayoutManagerEx.java, line(s) 282,283,284,285,290,899,902,904,908,1102
com/alibaba/android/vlayout/VirtualLayoutManager.java, line(s) 1077,486,576
com/alibaba/android/vlayout/extend/InnerRecycledViewPool.java, line(s) 95,102
com/alibaba/android/vlayout/layout/AbstractFullFillLayoutHelper.java, line(s) 42,117
com/alibaba/android/vlayout/layout/BaseLayoutHelper.java, line(s) 99,120
com/alibaba/android/vlayout/layout/GridLayoutHelper.java, line(s) 239
com/alibaba/android/vlayout/layout/OnePlusNLayoutHelperEx.java, line(s) 71,102
com/alibaba/android/vlayout/layout/RangeGridLayoutHelper.java, line(s) 314,531,538,569,588,611,629,655,718
com/alibaba/android/vlayout/layout/StickyLayoutHelper.java, line(s) 136,230
com/bumptech/glide/Glide.java, line(s) 219,228,142,141,218,225,257,258
com/bumptech/glide/gifdecoder/GifHeaderParser.java, line(s) 235,267,234,266
com/bumptech/glide/gifdecoder/StandardGifDecoder.java, line(s) 153,169,186,151,167,184,207,216
com/bumptech/glide/load/data/AssetPathFetcher.java, line(s) 35,34
com/bumptech/glide/load/data/HttpUrlFetcher.java, line(s) 55,131,169,54,58,63,70,130,168,67,71
com/bumptech/glide/load/data/LocalUriFetcher.java, line(s) 37,36
com/bumptech/glide/load/data/mediastore/ThumbFetcher.java, line(s) 51,50
com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java, line(s) 61,110,60,109
com/bumptech/glide/load/engine/DecodeJob.java, line(s) 343,389,450
com/bumptech/glide/load/engine/DecodePath.java, line(s) 57,58
com/bumptech/glide/load/engine/Engine.java, line(s) 27,110
com/bumptech/glide/load/engine/GlideException.java, line(s) 81
com/bumptech/glide/load/engine/SourceGenerator.java, line(s) 89,90
com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java, line(s) 89,143,90,144
com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java, line(s) 144,174,182,206,89,96,143,153,173,181,195,205,214,90,97,154,220,196
com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java, line(s) 52,62,76,82,112,123,53,77,63,83,113,124
com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java, line(s) 64,48
com/bumptech/glide/load/engine/executor/GlideExecutor.java, line(s) 43,40
com/bumptech/glide/load/engine/executor/RuntimeCompat.java, line(s) 37,36
com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java, line(s) 69,68
com/bumptech/glide/load/model/ByteBufferEncoder.java, line(s) 20,19
com/bumptech/glide/load/model/ByteBufferFileLoader.java, line(s) 59,58
com/bumptech/glide/load/model/FileLoader.java, line(s) 63,62
com/bumptech/glide/load/model/ResourceLoader.java, line(s) 39,40
com/bumptech/glide/load/model/StreamEncoder.java, line(s) 39,38
com/bumptech/glide/load/resource/ImageDecoderResourceDecoder.java, line(s) 64,65
com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java, line(s) 62,61,78,79
com/bumptech/glide/load/resource/bitmap/BitmapImageDecoderResourceDecoder.java, line(s) 19,20
com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java, line(s) 116,123,140,147,180,190,202,216,230,236,240,245,251,255,115,122,139,146,179,189,201,215,229,235,239,244,250,254
com/bumptech/glide/load/resource/bitmap/Downsampler.java, line(s) 216,343,376,165,189,215,299,342,375,166,300,402
com/bumptech/glide/load/resource/bitmap/DrawableToBitmapConverter.java, line(s) 44,49,45,50
com/bumptech/glide/load/resource/bitmap/HardwareConfigState.java, line(s) 76,81,86,91,96,103,108,115,174,77,82,87,92,97,104,109,116,175
com/bumptech/glide/load/resource/bitmap/TransformationUtils.java, line(s) 165,109,118,125,142,147,164,110,119,126,127,128,132,143,148
com/bumptech/glide/load/resource/bitmap/VideoDecoder.java, line(s) 136,135
com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java, line(s) 81,86,91,100,82,87,92,101
com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java, line(s) 25,26
com/bumptech/glide/load/resource/gif/StreamGifDecoder.java, line(s) 55,56
com/bumptech/glide/manager/DefaultConnectivityMonitor.java, line(s) 22,21,51,69,52,70
com/bumptech/glide/manager/DefaultConnectivityMonitorFactory.java, line(s) 15,14
com/bumptech/glide/manager/RequestManagerFragment.java, line(s) 123,124
com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 353,354
com/bumptech/glide/manager/RequestTracker.java, line(s) 25,26
com/bumptech/glide/manager/SupportRequestManagerFragment.java, line(s) 130,139,131,140
com/bumptech/glide/module/ManifestParser.java, line(s) 22,29,40,45,21,28,33,39,44,34
com/bumptech/glide/request/SingleRequest.java, line(s) 411,55,526,456
com/bumptech/glide/request/target/CustomViewTarget.java, line(s) 279,280,294,295
com/bumptech/glide/request/target/ViewTarget.java, line(s) 276,277,291,292
com/bumptech/glide/signature/ApplicationVersionSignature.java, line(s) 45
com/bumptech/glide/util/ContentLengthInputStream.java, line(s) 28,27
com/bumptech/glide/util/pool/FactoryPools.java, line(s) 89,90
com/cmic/sso/sdk/d/k.java, line(s) 165,166,167,168,169,171
com/cmic/sso/sdk/d/m.java, line(s) 27,48,18,42,36,54
com/tbruyelle/rxpermissions2/RxPermissionsFragment.java, line(s) 78,43
com/xuexiang/xpage/AutoPageConfiguration.java, line(s) 31
com/xuexiang/xpage/PageConfig.java, line(s) 41,46
com/xuexiang/xpage/base/XPageActivity.java, line(s) 162,194,202,276,295,477,521,524,114,189,227,248,255,261,268,318,324,331,551,612,672
com/xuexiang/xpage/base/XPageFragment.java, line(s) 110,151,158,167,172,209,216,241,264,281,295,365,371,378,385,391,398
com/xuexiang/xpage/core/CorePageManager.java, line(s) 61,71,74,77,128,131,135,145,150,168,188,197,224,233,65,157
com/xuexiang/xpage/logger/LogcatLogger.java, line(s) 57,66,60,54,72,63,69
com/xuexiang/xpage/utils/ClassUtils.java, line(s) 78,100,111,121,63,151,159
com/xuexiang/xqrcode/XQRCode.java, line(s) 28,32
com/xuexiang/xqrcode/camera/AutoFocusCallback.java, line(s) 26
com/xuexiang/xqrcode/camera/CameraConfigurationManager.java, line(s) 34,38,47,50,56,88,109,126,172,183
com/xuexiang/xqrcode/camera/FlashlightManager.java, line(s) 58,70,81,86,90,15,17
com/xuexiang/xqrcode/camera/PreviewCallback.java, line(s) 36
com/xuexiang/xqrcode/decoding/CaptureViewHandler.java, line(s) 46,49,57,61
com/xuexiang/xqrcode/decoding/DecodeHandler.java, line(s) 61
com/xuexiang/xqrcode/logs/LogcatLogger.java, line(s) 57,66,60,54,72,63,69
com/xuexiang/xqrcode/util/QRCodeProduceUtils.java, line(s) 269
com/xuexiang/xui/XUI.java, line(s) 46,50
com/xuexiang/xui/logs/LogcatLogger.java, line(s) 57,66,60,54,72,63,69
com/xuexiang/xui/utils/SnackbarUtils.java, line(s) 210,313,323,328,345,350,415
com/xuexiang/xui/utils/SpanUtils.java, line(s) 1017,1030
com/xuexiang/xui/widget/banner/widget/banner/base/BaseBanner.java, line(s) 495,504,600,607
com/xuexiang/xui/widget/dialog/bottomsheet/BottomSheet.java, line(s) 137
com/xuexiang/xui/widget/dialog/materialdialog/MaterialDialog.java, line(s) 613
com/xuexiang/xui/widget/dialog/materialdialog/internal/MDTintHelper.java, line(s) 140
com/xuexiang/xui/widget/imageview/edit/ImageFilterView.java, line(s) 91
com/xuexiang/xui/widget/imageview/edit/PhotoEditorView.java, line(s) 71,92
com/xuexiang/xui/widget/imageview/edit/ScaleGestureDetector.java, line(s) 208
com/xuexiang/xui/widget/imageview/nine/NineGridImageView.java, line(s) 762
com/xuexiang/xui/widget/imageview/photoview/PhotoViewAttacher.java, line(s) 328,350,384,832,867,884,60,292,413,526
com/xuexiang/xui/widget/imageview/photoview/gestures/CupcakeGestureDetector.java, line(s) 57
com/xuexiang/xui/widget/imageview/preview/view/BezierBannerView.java, line(s) 388,397,405
com/xuexiang/xui/widget/layout/linkage/LinkageScrollLayout.java, line(s) 61,68,75,81,88,95,214,252,278,389,459,465,472,486,498,572
com/xuexiang/xui/widget/layout/linkage/PosIndicator.java, line(s) 244,251
com/xuexiang/xui/widget/picker/wheelview/WheelView.java, line(s) 327
com/xuexiang/xui/widget/picker/widget/utils/LunarCalendarUtils.java, line(s) 150
com/xuexiang/xui/widget/popupwindow/easypopup/EasyPopup.java, line(s) 362,408
com/xuexiang/xui/widget/progress/materialprogressbar/BaseProgressLayerDrawable.java, line(s) 72
com/xuexiang/xui/widget/progress/materialprogressbar/MaterialProgressBar.java, line(s) 120,298,479
com/xuexiang/xui/widget/spinner/materialspinner/MaterialSpinner.java, line(s) 229
com/xuexiang/xui/widget/statelayout/StatusLoader.java, line(s) 142,167,173,176,179,200
com/xuexiang/xui/widget/tabbar/TabSegment.java, line(s) 434
com/xuexiang/xui/widget/textview/BadgeView.java, line(s) 157
com/xuexiang/xutil/common/logger/LogcatLogger.java, line(s) 57,66,60,54,72,63,69
com/zta/android/Application.java, line(s) 121
com/zta/android/BootShutdownReceiver.java, line(s) 35,38
com/zta/android/QuickTileService.java, line(s) 32
com/zta/android/activity/LoginActivity.java, line(s) 140
com/zta/android/activity/ThemeChangeAwareActivity.java, line(s) 40
com/zta/android/activity/TunnelToggleActivity.java, line(s) 49
com/zta/android/activity/ZtaMainActivity.java, line(s) 119,178,182
com/zta/android/backend/GoBackend.java, line(s) 163,227,278,325,171,186,263,182,266
com/zta/android/backend/WgQuickBackend.java, line(s) 108,55
com/zta/android/configStore/FileConfigStore.java, line(s) 30,57,138,157,149
com/zta/android/fragment/BaseFragment.java, line(s) 142
com/zta/android/fragment/TunnelEditorFragment.java, line(s) 47,131,145,159,243,258,260,53,176,249,275
com/zta/android/fragment/TunnelListFragment.java, line(s) 394,406
com/zta/android/news/activity/HomeActivity.java, line(s) 192,835
com/zta/android/news/fragment/AboutFragment.java, line(s) 205,206
com/zta/android/news/fragment/SetGestureFragment.java, line(s) 76,81,82,86
com/zta/android/news/update/dowload/FileDownloadObservable.java, line(s) 56,60,67,73,80,138
com/zta/android/news/update/util/FileUtils.java, line(s) 70
com/zta/android/news/viewmodel/HomeViewModel.java, line(s) 78,108,142,191
com/zta/android/news/viewmodel/LoginDeviceViewModel.java, line(s) 32,65
com/zta/android/news/viewmodel/ModifyPwdViewModel.java, line(s) 32,68
com/zta/android/news/viewmodel/UserCenterViewModel.java, line(s) 30
com/zta/android/preference/LogExporterPreference.java, line(s) 99
com/zta/android/preference/ZipExporterPreference.java, line(s) 113
com/zta/android/util/RootShell.java, line(s) 74,94,108,117,150,158
com/zta/android/util/SharedLibraryLoader.java, line(s) 37,70,86
com/zta/android/util/ToolsInstaller.java, line(s) 75,78
com/zta/android/viewmodel/ForgetPwdViewModel.java, line(s) 61,66,63
com/zta/android/viewmodel/LoginViewModel.java, line(s) 38,113,118,123,125,127,150,152,156,204,209,214,216,226,228,231,115,206
com/zta/util/DeviceTool.java, line(s) 173
com/zta/util/StartVpnHelper.java, line(s) 257,306
com/zta/util/ZtaSDKManager.java, line(s) 176,177
io/github/inflationx/calligraphy3/ReflectionUtils.java, line(s) 30,32
io/github/inflationx/calligraphy3/TypefaceUtils.java, line(s) 28
io/github/inflationx/viewpump/internal/ReflectionUtils.java, line(s) 47,49
me/samlss/broccoli/util/LogUtil.java, line(s) 16,12

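Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.

This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.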
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
com/zta/android/util/ClipboardUtils.java, line(s) 4,20

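Passed security check: This application uses SSL pinning to detect or prevent MITM attacks in secure communication channels

This application uses SSL pinning to detect or prevent MITM attacks in secure communication channels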
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
com/cmic/sso/sdk/b/c/a.java, line(s) 47,43,44,44
com/cmic/sso/sdk/d/g.java, line(s) 188,303
com/zta/android/news/update/RetrofitHelper.java, line(s) 8,8
com/zta/android/news/viewmodel/BaseViewModel.java, line(s) 74,33

Passed security check: This application may have root detection capabilities

This application may have root detection capabilities
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/xuexiang/xutil/app/AppUtils.java, line(s) 89,112,598
com/xuexiang/xutil/system/DeviceUtils.java, line(s) 182
com/zta/util/DeviceTool.java, line(s) 167

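Passed security check: This application has no privacy trackers

This application does not include any user or device trackers. No trackers were found during static analysis.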

Key security concern: The application may communicate with a server (onekey1.cmpassport.com) located in an OFAC-sanctioned country (China).

{'ip': '120.197.235.28', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}

Key security concern: The application may communicate with a server (log1.cmpassport.com) located in an OFAC-sanctioned country (China).

{'ip': '36.138.255.61', 'country_short': 'CN', 'country_long': 'China', 'region': 'Gansu', 'city': 'Lanzhou', 'latitude': '36.056389', 'longitude': '103.792221'}

Key security concern: The application may communicate with a server (config.cmpassport.com) located in an OFAC-sanctioned country (China).

{'ip': '120.232.169.180', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}

Key security concern: The application may communicate with a server (www.cmpassport.com) located in an OFAC-sanctioned country (China).

{'ip': '120.197.235.28', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}

Key security concern: The application may communicate with a server (ip.3322.net) located in an OFAC-sanctioned country (China).

{'ip': '118.184.169.32', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Changzhou', 'latitude': '31.783331', 'longitude': '119.966667'}

Key security concern: The application may communicate with a server (smsks1.cmpassport.com) located in an OFAC-sanctioned country (China).

{'ip': '120.197.235.28', 'country_short': 'CN', 'country_long': 'China', 'region': 'Guangdong', 'city': 'Guangzhou', 'latitude': '23.127361', 'longitude': '113.264252'}

Key security concern: The application may communicate with a server (photocdn.sohu.com) located in an OFAC-sanctioned country (China).

{'ip': '180.97.228.140', 'country_short': 'CN', 'country_long': 'China', 'region': 'Jiangsu', 'city': 'Suzhou', 'latitude': '31.311390', 'longitude': '120.618057'}

Key security concern: The application may communicate with a server (49d2147716ff75a9dc3c984f02381780.dd.cdntips.com) located in an OFAC-sanctioned country (China).

{'ip': '124.232.162.21', 'country_short': 'CN', 'country_long': 'China', 'region': 'Hunan', 'city': 'Changsha', 'latitude': '28.200001', 'longitude': '112.966667'}

Key security concern: The application may communicate with a server (p6-juejin.byteimg.com) located in an OFAC-sanctioned country (China).

{'ip': '42.81.247.47', 'country_short': 'CN', 'country_long': 'China', 'region': 'Tianjin', 'city': 'Tianjin', 'latitude': '39.142220', 'longitude': '117.176666'}

Overall security baseline score: ( Ultra-SDP 1.0.0)