Security score: 44/100
Risk rating
Grade
- A
- B
- C
- F
Severity distribution (%)
Privacy risk: 11 user/device trackers
Findings
High: 9
Medium: 28
Info: 2
Secure: 3
Hotspot: 1
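High: App Link assetlinks.json file not found
[android:name=real.aplixme.preinicio][android:host=http://www.appcreator24.com] The App Link asset verification URL (http://www.appcreator24.com/.well-known/assetlinks.json) was not found or is misconfigured (status code: 404). App Links let users be redirected from a web URL or an email into the mobile app. If this file is missing or misconfigured for the App Link host/domain, a malicious application can hijack such URLs. This can lead to phishing attacks and leak sensitive data carried in the URI, such as PII, OAuth tokens, and magic-link/password-reset tokens. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification through [android:autoVerify="true"] in the Activity intent-filter.
High: App Link assetlinks.json file not found
[android:name=real.aplixme.preinicio][android:host=https://www.appcreator24.com] The App Link asset verification URL (https://www.appcreator24.com/.well-known/assetlinks.json) was not found or is misconfigured (status code: 404). App Links let users be redirected from a web URL or an email into the mobile app. If this file is missing or misconfigured for the App Link host/domain, a malicious application can hijack such URLs. This can lead to phishing attacks and leak sensitive data carried in the URI, such as PII, OAuth tokens, and magic-link/password-reset tokens. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification through [android:autoVerify="true"] in the Activity intent-filter.
High: App Link assetlinks.json file not found
[android:name=real.aplixme.preinicio][android:host=http://join-app.net] The App Link asset verification URL (http://join-app.net/.well-known/assetlinks.json) was not found or is misconfigured (status code: 404). App Links let users be redirected from a web URL or an email into the mobile app. If this file is missing or misconfigured for the App Link host/domain, a malicious application can hijack such URLs. This can lead to phishing attacks and leak sensitive data carried in the URI, such as PII, OAuth tokens, and magic-link/password-reset tokens. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification through [android:autoVerify="true"] in the Activity intent-filter.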
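High: The launch mode of Activity (real.aplixme.ExpandedControlsActivity) is not standard
An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because that makes it a root Activity and may allow other applications to read the contents of the calling Intent. When an Intent carries sensitive information, the "standard" launch mode attribute is therefore required.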
High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks
If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/appnext/banners/g.java, line(s) 434,13,14 com/appnext/core/result/ResultPageActivity.java, line(s) 206,15,16 com/appnext/core/webview/AppnextWebView.java, line(s) 385,10,11 com/startapp/aa.java, line(s) 430,22 com/startapp/sdk/ads/splash/SplashHtml.java, line(s) 74,7,8 com/startapp/x3.java, line(s) 73,9 com/unity3d/services/core/webview/WebViewApp.java, line(s) 140,10,71,77,91,109 real/aplixme/preinicio.java, line(s) 664,31 real/aplixme/t_html.java, line(s) 260,538,603,27
High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/appnext/base/b/h.java, line(s) 96,135,156 com/ironsource/mediationsdk/utils/IronSourceAES.java, line(s) 70,136
High: Remote WebView debugging is enabled
Remote WebView debugging is enabled https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/ironsource/sdk/controller/w.java, line(s) 2983,31,32
High: A weak encryption algorithm is used
A weak encryption algorithm is used https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: p7/h.java, line(s) 581,602
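High: The application contains privacy trackers
This application has multiple (11) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.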
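Medium: Cleartext network traffic is enabled for the application
[android:usesCleartextTraffic=true] The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager and MediaPlayer. For applications targeting API level 27 or lower, the default value is "true". For applications targeting API level 28 or higher, the default value is "false". The main reason to avoid cleartext traffic is its lack of confidentiality, authenticity and tamper protection; a network attacker can eavesdrop on the transmitted data and can also modify it without being detected.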
Medium: Content Provider (real.aplixme.StickerContentProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device, so it can be accessed by any other application on the device.
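Medium: Activity (real.aplixme.SearchableActivity) is not protected.
An intent-filter exists. The Activity is shared with other applications on the device, so it can be accessed by any other application on the device. The presence of the intent-filter indicates that the Activity is explicitly exported.
Medium: Activity (real.aplixme.ExpandedControlsActivity) is not protected.
An intent-filter exists. The Activity is shared with other applications on the device, so it can be accessed by any other application on the device. The presence of the intent-filter indicates that the Activity is explicitly exported.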
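Medium: Service (real.aplixme.MyFcmListenerService) is not protected.
An intent-filter exists. The Service is shared with other applications on the device, so it can be accessed by any other application on the device. The presence of the intent-filter indicates that the Service is explicitly exported.
Medium: Service (real.aplixme.MyInstanceIDListenerService) is not protected.
An intent-filter exists. The Service is shared with other applications on the device, so it can be accessed by any other application on the device. The presence of the intent-filter indicates that the Service is explicitly exported.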
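Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other applications on the device, so it can be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other applications on the device, so it can be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.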
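Medium: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device, so it can be accessed by any other application on the device.
Medium: Service (com.google.firebase.messaging.FirebaseMessagingService) is not protected.
[android:exported=true] The Service is shared with other applications on the device, so it can be accessed by any other application on the device.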
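Medium: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is shared with other applications on the device, so it can be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other applications on the device, so it can be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.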
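Medium: Service (com.google.firebase.iid.FirebaseInstanceIdService) is not protected.
[android:exported=true] The Service is shared with other applications on the device, so it can be accessed by any other application on the device.
Medium: Broadcast Receiver (com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device, so it can be accessed by any other application on the device.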
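Medium: Service (com.appnext.base.services.OperationJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other applications on the device, so it can be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.appnext.base.receivers.AppnextBootReciever) is not protected.
An intent-filter exists. The Broadcast Receiver is shared with other applications on the device, so it can be accessed by any other application on the device. The presence of the intent-filter indicates that the Broadcast Receiver is explicitly exported.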
Medium: IP address disclosure
IP address disclosure Files: com/appnext/ads/fullscreen/Video.java, line(s) 25,254 com/appnext/ads/fullscreen/b.java, line(s) 107,118,313 com/appnext/ads/interstitial/Interstitial.java, line(s) 33,298 com/appnext/ads/interstitial/InterstitialActivity.java, line(s) 279 com/appnext/ads/interstitial/a.java, line(s) 58 com/appnext/banners/BannerAd.java, line(s) 11,66 com/appnext/banners/b.java, line(s) 55 com/appnext/banners/g.java, line(s) 268 com/appnext/core/f.java, line(s) 56,310,312,453 com/appnext/core/i.java, line(s) 9 com/appnext/nativeads/NativeAd.java, line(s) 369 com/appnext/nativeads/NativeAdObject.java, line(s) 12,72 com/appnext/nativeads/c.java, line(s) 92 com/ironsource/adapters/ironsource/IronSourceAdapter.java, line(s) 44,361 com/ironsource/adapters/supersonicads/SupersonicAdsAdapter.java, line(s) 37,180,304 com/ironsource/mediationsdk/E.java, line(s) 172 com/ironsource/mediationsdk/config/VersionInfo.java, line(s) 13 com/startapp/a1.java, line(s) 296 com/startapp/ra.java, line(s) 158 f7/a.java, line(s) 13 p7/k.java, line(s) 52,68,69,87
Medium: The application uses an insecure random number generator
The application uses an insecure random number generator https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/appnext/ads/c.java, line(s) 3 com/appnext/ads/fullscreen/FullscreenActivity.java, line(s) 29 com/appnext/ads/fullscreen/Video.java, line(s) 18 com/appnext/ads/fullscreen/b.java, line(s) 21 com/appnext/ads/interstitial/a.java, line(s) 17 com/appnext/banners/b.java, line(s) 13 com/appnext/banners/j.java, line(s) 3 com/appnext/base/services/a/c.java, line(s) 11 com/appnext/core/f.java, line(s) 43 com/appnext/nativeads/c.java, line(s) 23 com/ironsource/mediationsdk/utils/e.java, line(s) 13 com/ironsource/mediationsdk/utils/g.java, line(s) 6 com/startapp/a1.java, line(s) 28 com/startapp/b7.java, line(s) 22 com/startapp/q0.java, line(s) 23 com/startapp/sdk/ads/banner/BannerBase.java, line(s) 29 com/startapp/u0.java, line(s) 5 com/startapp/v6.java, line(s) 19 m7/g.java, line(s) 8 q3/a.java, line(s) 12 real/aplixme/config.java, line(s) 149 real/aplixme/t_card.java, line(s) 58 real/aplixme/t_qr.java, line(s) 55 real/aplixme/t_radio.java, line(s) 60
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: a3/b0.java, line(s) 5,6,343,355,431 a3/f0.java, line(s) 4,19 a3/h0.java, line(s) 4,5,97 com/adcolony/sdk/k.java, line(s) 5,150,275 com/adcolony/sdk/l.java, line(s) 6,301 com/adcolony/sdk/m.java, line(s) 6,36 com/appnext/base/a/b.java, line(s) 4,5,30,31,32,33,42,43,44,45,53,54,55,56 com/ironsource/b/a.java, line(s) 5,6,120,125 com/ironsource/environment/f.java, line(s) 6,7,21,44,108 com/startapp/k8.java, line(s) 6,47,48,49 com/startapp/s7.java, line(s) 6,101 j1/a.java, line(s) 5,6,7,8,64,84 real/aplixme/cats.java, line(s) 6,119,127 real/aplixme/o.java, line(s) 4,5,14,15,16,21,22,23 real/aplixme/t_buscador_form.java, line(s) 11,400,417 real/aplixme/t_buscador_fr.java, line(s) 8,594,595 real/aplixme/t_detalle_fr.java, line(s) 10,368,430
Medium: Files may contain hardcoded sensitive information such as usernames, passwords and keys
Files may contain hardcoded sensitive information such as usernames, passwords and keys https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/appnext/base/b/c.java, line(s) 9 com/appnext/base/operations/imp/bact.java, line(s) 16 com/appnext/base/operations/imp/bcon.java, line(s) 23 com/appnext/base/operations/imp/caact.java, line(s) 22 com/appnext/base/operations/imp/dvol.java, line(s) 13 com/appnext/base/operations/imp/geo.java, line(s) 20 com/appnext/base/operations/imp/utils.java, line(s) 27 com/ironsource/adapters/facebook/FacebookAdapter.java, line(s) 629 com/ironsource/adapters/ironsource/IronSourceAdapter.java, line(s) 76,77,637,184 com/ironsource/adapters/supersonicads/SupersonicAdsAdapter.java, line(s) 87,269,766 com/ironsource/adapters/supersonicads/SupersonicConfig.java, line(s) 24 com/ironsource/mediationsdk/C0087d.java, line(s) 181,274 com/ironsource/mediationsdk/C0485d.java, line(s) 193,286 com/ironsource/mediationsdk/E.java, line(s) 1314 com/ironsource/mediationsdk/adunit/data/DataKeys.java, line(s) 4 com/ironsource/mediationsdk/utils/IronSourceConstants.java, line(s) 75,84 com/startapp/networkTest/startapp/NetworkTester.java, line(s) 20,22,21 com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 13
Medium: The application can read/write external storage. Any application can read data written to external storage
The application can read/write external storage. Any application can read data written to external storage https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: a0/b.java, line(s) 99 bin/mt/signature/KillerApplication.java, line(s) 77 com/adcolony/sdk/q0.java, line(s) 357,363,364 com/appnext/base/b/f.java, line(s) 53,58,71,98,103,117 com/ironsource/environment/h.java, line(s) 410,181 com/ironsource/mediationsdk/utils/h.java, line(s) 145 com/ironsource/sdk/utils/SDKUtils.java, line(s) 270 com/startapp/ra.java, line(s) 124 com/startapp/v.java, line(s) 242,338 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 53 real/aplixme/config.java, line(s) 3561,3630
Medium: SHA-1 is a weak hash known to have hash collisions
SHA-1 is a weak hash known to have hash collisions https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/adcolony/sdk/s0.java, line(s) 449 com/adcolony/sdk/v0.java, line(s) 30 com/unity3d/services/core/device/Device.java, line(s) 155 f6/p.java, line(s) 37 k6/b.java, line(s) 52 o2/a.java, line(s) 15 p7/h.java, line(s) 377
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist
Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/adcolony/sdk/u0.java, line(s) 808,795 com/appnext/banners/g.java, line(s) 420,370 com/appnext/core/result/ResultPageActivity.java, line(s) 310,255 com/appnext/core/webview/AppnextWebView.java, line(s) 387,246,365 com/ironsource/sdk/controller/w.java, line(s) 2520,2521,2502 com/startapp/q2.java, line(s) 277,267 com/startapp/sdk/ads/banner/bannerstandard/BannerStandard.java, line(s) 192,96 com/startapp/sdk/ads/splash/SplashHtml.java, line(s) 69,65 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 331,315 com/unity3d/services/core/webview/WebView.java, line(s) 103,79
Medium: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView can leak sensitive information from the file system
A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView can leak sensitive information from the file system https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/adcolony/sdk/u0.java, line(s) 804,795 com/ironsource/sdk/controller/w.java, line(s) 2500,2502 com/ironsource/sdk/utils/d.java, line(s) 33,35 com/startapp/sdk/ads/splash/SplashHtml.java, line(s) 66,65 com/unity3d/services/core/webview/WebView.java, line(s) 52,79 real/aplixme/t_html.java, line(s) 248,215
Medium: MD5 is a weak hash known to have hash collisions
MD5 is a weak hash known to have hash collisions https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/appnext/core/f.java, line(s) 238 com/ironsource/mediationsdk/utils/IronSourceUtils.java, line(s) 351 com/ironsource/sdk/controller/t.java, line(s) 24 com/ironsource/sdk/utils/SDKUtils.java, line(s) 189 com/startapp/e4.java, line(s) 53 g2/f.java, line(s) 18 p7/h.java, line(s) 23,550
Medium: This application may request root (superuser) privileges
This application may request root (superuser) privileges https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/startapp/ua.java, line(s) 4,4,4,4,4,4
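Medium: The application creates temporary files. Sensitive information should never be written to a temporary file
The application creates temporary files. Sensitive information should never be written to a temporary file Files: c1/b.java, line(s) 118 k6/c.java, line(s) 67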
Medium: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure that they are not secret or private information.
"facebook_app_id" : "134591420545494"
"google_api_key" : "AIzaSyCtzGwdiM8t6R6Ff6uCwEYggQECaFdCcFA"
"google_crash_reporting_api_key" : "AIzaSyCtzGwdiM8t6R6Ff6uCwEYggQECaFdCcFA"
"firebase_database_url" : "https://api-project-751842291101.firebaseio.com"
"google_app_id" : "1:751842291101:android:e16864b50a5ea5c8"
Info: The application logs information. Sensitive information must not be logged
The application logs information. Sensitive information must not be logged https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Info: The application communicates with a Firebase database
The application communicates with the Firebase database located at https://api-project-751842291101.firebaseio.com
Secure: This application may have root detection capabilities
This application may have root detection capabilities https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/startapp/d.java, line(s) 260,457,457,457,457,457,457 com/startapp/v.java, line(s) 259,259,259,259,259,259 real/aplixme/config.java, line(s) 1832,1760,1777,1777,1777,1777,1777,1777
Secure: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel
This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/startapp/networkTest/net/WebApiClient.java, line(s) 117,68 i7/d.java, line(s) 52,48,51,62,50,50
Secure: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/751842291101/namespaces/firebase:fetch?key=AIzaSyCtzGwdiM8t6R6Ff6uCwEYggQECaFdCcFA ) is disabled. The response was as follows: the response code is 403
Hotspot: The application may communicate with a server (config.unityads.unitychina.cn) located in an OFAC-sanctioned country (China).
{'ip': '180.97.228.82', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '苏州', 'latitude': '31.311365', 'longitude': '120.617691'}