Security Score
Security Score: 47/100
Risk Rating
Grade scale:
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 1 user/device tracker
Findings: High 2, Medium 11, Info 2, Secure 1, Hotspot 0
High: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification Files: com/flutter_webview_plugin/WebviewManager.java, line(s) 53,51
High: Debug configuration enabled. Production builds must not be debuggable.
Debug configuration enabled. Production builds must not be debuggable. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/bumptech/glide/BuildConfig.java, line(s) 2,5 com/bumptech/glide/gifdecoder/BuildConfig.java, line(s) 2,5
Medium: Application is vulnerable to the Janus vulnerability.
The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications signed with the v1 scheme running on Android 5.0-7.0 are vulnerable, as are applications that are additionally signed with the v2/v3 schemes.
Medium: Application can be installed on vulnerable, unpatched Android versions.
Android 5.0-5.0.2, [minSdk=21]. This application can be installed on older versions of Android that have multiple unfixed vulnerabilities. These devices do not receive reasonable security updates from Google. Support Android version 10 (API 29) or later to receive reasonable security updates.
Medium: Application data can be leaked through backups.
The [android:allowBackup] flag is not set. This flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Application can read/write to external storage. Any application can read data written to external storage.
Application can read/write to external storage. Any application can read data written to external storage. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/example/imagegallerysaver/ImageGallerySaverPlugin.java, line(s) 95,96 com/flutter_webview_plugin/WebviewManager.java, line(s) 271 com/leeson/image_pickers/AppPath.java, line(s) 21,33,45,57,90,111,123,135,24,36,48,60,66,93,99,114,126,138 com/luck/picture/lib/PictureExternalPreviewActivity.java, line(s) 394,398,514,518,392,396,512,516 com/luck/picture/lib/compress/Luban.java, line(s) 87 com/luck/picture/lib/crash/PictureSelectorCrashUtils.java, line(s) 133 com/luck/picture/lib/tools/AndroidQTransformUtils.java, line(s) 15,84 com/luck/picture/lib/tools/MediaUtils.java, line(s) 21,38 com/luck/picture/lib/tools/PictureFileUtils.java, line(s) 76,78,80,147,266,277,279,281,293,307,315,323,334,43,43,149,284 com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 724 com/yalantis/ucrop/util/FileUtils.java, line(s) 89 io/flutter/plugins/DeviceUtils.java, line(s) 86,87 io/flutter/plugins/FileUtils.java, line(s) 99,110 io/flutter/plugins/imagepicker/ImagePickerPlugin.java, line(s) 189 io/flutter/plugins/pathprovider/PathProviderPlugin.java, line(s) 190,225
Medium: Application creates temporary files. Sensitive information should never be written to a temporary file.
Application creates temporary files. Sensitive information should never be written to a temporary file. Files: com/dooboolab/fluttersound/FlutterSoundPlugin.java, line(s) 452 com/example/flutternativeimage/MethodCallHandlerImpl.java, line(s) 54,114 com/flutter_webview_plugin/WebviewManager.java, line(s) 271 io/flutter/plugins/imagepicker/FileUtils.java, line(s) 23 io/flutter/plugins/imagepicker/ImagePickerDelegate.java, line(s) 279 xyz/luan/audioplayers/WrappedSoundPool.java, line(s) 251
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/amplitude/api/AmplitudeClient.java, line(s) 34,36,37,38,39,40,41,43 com/bumptech/glide/load/Option.java, line(s) 73 com/bumptech/glide/load/engine/DataCacheKey.java, line(s) 33 com/bumptech/glide/load/engine/EngineResource.java, line(s) 89 com/bumptech/glide/load/engine/ResourceCacheKey.java, line(s) 79 com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 33 com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, line(s) 90 com/dexterous/flutterlocalnotifications/models/NotificationDetails.java, line(s) 47,61 com/luck/picture/lib/config/PictureConfig.java, line(s) 17,23 com/mcxiaoke/packer/common/PackerCommon.java, line(s) 15 com/tekartik/sqflite/Constant.java, line(s) 43 io/flutter/app/FlutterActivityDelegate.java, line(s) 32 io/flutter/embedding/android/FlutterActivityAndFragmentDelegate.java, line(s) 22,23 io/flutter/embedding/android/FlutterActivityLaunchConfigs.java, line(s) 13,14,3,12 io/flutter/embedding/engine/loader/ApplicationInfoLoader.java, line(s) 14 io/flutter/embedding/engine/loader/FlutterLoader.java, line(s) 23,24,25,27 io/flutter/plugins/imagepicker/ImagePickerCache.java, line(s) 19,20,10,21,22,23,24,25
Medium: Application uses an insecure random number generator.
Application uses an insecure random number generator. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: io/flutter/plugins/DeviceUtils.java, line(s) 14
Medium: Application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/amplitude/api/DatabaseHelper.java, line(s) 6,7,8,9,10,81 com/tekartik/sqflite/SqflitePlugin.java, line(s) 6,367
Medium: Insecure WebView implementation. The WebView may be vulnerable to arbitrary code execution.
Insecure WebView implementation. The WebView may be vulnerable to arbitrary code execution. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: io/flutter/plugins/webviewflutter/FlutterWebView.java, line(s) 488,473
Medium: Application contains privacy trackers.
This application has 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.
Medium: This application may contain hardcoded secrets.
The following secrets were identified in the application. Verify that these are not secrets or private information: VGhpcyBpcyB0aGUgcHJlZml4IGZvciBCaWdJbnRlZ2Vy 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a
Info: Application logs information. Sensitive information must never be logged.
Application logs information. Sensitive information must never be logged. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/amplitude/api/AmplitudeClient.java, line(s) 506,1314,1216 com/amplitude/api/AmplitudeLog.java, line(s) 30,37,44,51,62,69,73,84,91,98,105,112,119,126,133 com/amplitude/api/DatabaseHelper.java, line(s) 117 com/baseflow/permissionhandler/AppSettingsManager.java, line(s) 16 com/baseflow/permissionhandler/PermissionManager.java, line(s) 54,112,115,146,152,155 com/baseflow/permissionhandler/PermissionUtils.java, line(s) 417,421,426 com/baseflow/permissionhandler/ServiceManager.java, line(s) 22 com/befovy/fijkplayer/FijkPlayer.java, line(s) 120,373,346 com/befovy/fijkplayer/FijkPlugin.java, line(s) 565,636,379,531,623,509,560 com/befovy/fijkplayer/FileMediaDataSource.java, line(s) 19,36,57 com/befovy/fijkplayer/RawMediaDataSource.java, line(s) 30,40,53 com/bumptech/glide/Glide.java, line(s) 203,212,131,130,202,209,237,238 com/bumptech/glide/gifdecoder/GifHeaderParser.java, line(s) 235,267,234,266 com/bumptech/glide/gifdecoder/StandardGifDecoder.java, line(s) 152,168,182,150,166,180,203,212 com/bumptech/glide/load/data/AssetPathFetcher.java, line(s) 35,34 com/bumptech/glide/load/data/HttpUrlFetcher.java, line(s) 54,134,53,57,62,69,133,66,70 com/bumptech/glide/load/data/LocalUriFetcher.java, line(s) 37,36 com/bumptech/glide/load/data/mediastore/ThumbFetcher.java, line(s) 51,50 com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java, line(s) 61,60 com/bumptech/glide/load/engine/DecodeJob.java, line(s) 335,381,442 com/bumptech/glide/load/engine/DecodePath.java, line(s) 56,57 com/bumptech/glide/load/engine/Engine.java, line(s) 27,94 com/bumptech/glide/load/engine/GlideException.java, line(s) 81 com/bumptech/glide/load/engine/SourceGenerator.java, line(s) 66,67 com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java, line(s) 89,143,90,144 com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java, line(s) 
127,157,165,189,72,79,126,136,156,164,178,188,197,73,80,137,203,179 com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java, line(s) 52,62,76,82,112,123,53,77,63,83,113,124 com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java, line(s) 64,48 com/bumptech/glide/load/engine/executor/GlideExecutor.java, line(s) 42,39 com/bumptech/glide/load/engine/executor/RuntimeCompat.java, line(s) 37,36 com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java, line(s) 69,68 com/bumptech/glide/load/model/ByteBufferEncoder.java, line(s) 20,19 com/bumptech/glide/load/model/ByteBufferFileLoader.java, line(s) 59,58 com/bumptech/glide/load/model/FileLoader.java, line(s) 63,62 com/bumptech/glide/load/model/ResourceLoader.java, line(s) 39,40 com/bumptech/glide/load/model/StreamEncoder.java, line(s) 39,38 com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java, line(s) 62,61,78,79 com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java, line(s) 119,126,142,149,182,192,204,218,232,238,242,247,253,257,118,125,141,148,181,191,203,217,231,237,241,246,252,256 com/bumptech/glide/load/resource/bitmap/Downsampler.java, line(s) 172,289,326,130,146,171,251,288,325,131,252,353 com/bumptech/glide/load/resource/bitmap/DrawableToBitmapConverter.java, line(s) 44,49,45,50 com/bumptech/glide/load/resource/bitmap/HardwareConfigState.java, line(s) 51,52 com/bumptech/glide/load/resource/bitmap/TransformationUtils.java, line(s) 161,105,114,121,138,143,160,106,115,122,123,124,128,139,144 com/bumptech/glide/load/resource/bitmap/VideoDecoder.java, line(s) 129,128 com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java, line(s) 80,85,90,99,81,86,91,100 com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java, line(s) 25,26 com/bumptech/glide/load/resource/gif/StreamGifDecoder.java, line(s) 55,56 com/bumptech/glide/manager/DefaultConnectivityMonitor.java, line(s) 23,22,52,70,53,71 com/bumptech/glide/manager/DefaultConnectivityMonitorFactory.java, line(s) 15,14 
com/bumptech/glide/manager/RequestManagerFragment.java, line(s) 122,123 com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 314,315 com/bumptech/glide/manager/RequestTracker.java, line(s) 24,25 com/bumptech/glide/manager/SupportRequestManagerFragment.java, line(s) 122,123 com/bumptech/glide/module/ManifestParser.java, line(s) 22,29,40,45,21,28,33,39,44,34 com/bumptech/glide/request/SingleRequest.java, line(s) 400,60,484,433 com/bumptech/glide/request/target/CustomViewTarget.java, line(s) 293,294,308,309 com/bumptech/glide/request/target/ViewTarget.java, line(s) 283,284,298,299 com/bumptech/glide/signature/ApplicationVersionSignature.java, line(s) 45 com/bumptech/glide/util/ContentLengthInputStream.java, line(s) 28,27 com/bumptech/glide/util/pool/FactoryPools.java, line(s) 89,90 com/dooboolab/fluttersound/FlutterSoundPlugin.java, line(s) 325,337,348,405,421,432,439,519,520,313,373,399,474,489,506 com/example/flutternativeimage/MethodCallHandlerImpl.java, line(s) 179 com/example/imagegallerysaver/ImageGallerySaverPlugin.java, line(s) 120 com/leeson/image_pickers/MethodCallImpl.java, line(s) 92 com/luck/picture/lib/broadcast/BroadcastManager.java, line(s) 149,155,41,52,63,74,85,96,107,118,129,140 com/luck/picture/lib/compress/Checker.java, line(s) 54,74,80,96,113 com/luck/picture/lib/compress/Luban.java, line(s) 95,94 com/luck/picture/lib/tools/PictureFileUtils.java, line(s) 118 com/luck/picture/lib/widget/longimage/SubsamplingScaleImageView.java, line(s) 1883,1309,1395,1399,1474,1478,1619,541,835,1566,1573,1602,1607,2248 com/rhyme/r_scan/ImageScanHelper.java, line(s) 64,72,125,133,165,173 com/rhyme/r_scan/RScanCamera/RScanCamera.java, line(s) 205 com/rhyme/r_scan/RScanView/FlutterRScanView.java, line(s) 72,87,152,158,195 com/tekartik/sqflite/Database.java, line(s) 50 com/tekartik/sqflite/SqflitePlugin.java, line(s) 111,124,210,373,383,430,445,547,672,678,689,709,713,740,759,785,799,815,836,845,400,571,819,840 com/tekartik/sqflite/SqlCommand.java, line(s) 
23,34 com/tekartik/sqflite/dev/Debug.java, line(s) 11 com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 241 com/yalantis/ucrop/UCropActivity.java, line(s) 162 com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 117 com/yalantis/ucrop/task/BitmapLoadShowTask.java, line(s) 72 com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 124,157,200,87,130,142 com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 118,58,89 com/yalantis/ucrop/util/EglUtils.java, line(s) 26 com/yalantis/ucrop/util/FileUtils.java, line(s) 61 com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 54,61,72,79,112,122,134,148,162,168,172,177,183,187,291,53,60,71,78,111,121,133,147,161,167,171,176,182,186 com/yalantis/ucrop/view/TransformImageView.java, line(s) 215,236,124,77 com/zaihui/installplugin/InstallPlugin.java, line(s) 59,89,129 flutter/plugins/screen/screen/ScreenPlugin.java, line(s) 68,71 io/flutter/Log.java, line(s) 36,40,28,32,44,48 io/flutter/app/FlutterActivityDelegate.java, line(s) 318 io/flutter/embedding/android/AndroidKeyProcessor.java, line(s) 120 io/flutter/embedding/android/FlutterActivity.java, line(s) 156,153 io/flutter/embedding/android/FlutterActivityAndFragmentDelegate.java, line(s) 117,124,140,146,165,172,190,197,210,216,230,236,242,249,262,266,291,301,311,321,331,344,354,226,295,305,315,325,335,350 io/flutter/embedding/android/FlutterFragment.java, line(s) 402 io/flutter/embedding/android/FlutterFragmentActivity.java, line(s) 126,123,182,185 io/flutter/embedding/android/FlutterSplashView.java, line(s) 104,109,115,157 io/flutter/embedding/android/FlutterSurfaceView.java, line(s) 39,48,56,70,97,99,107,116,149,125,135 io/flutter/embedding/android/FlutterTextureView.java, line(s) 34,43,51,74,76,82,91,123,98,108 io/flutter/embedding/android/FlutterView.java, line(s) 292,294,297,300,326,335,432,450,544,547,550,585,587,639,644,714 io/flutter/embedding/engine/FlutterEngine.java, line(s) 88,128,148,143 io/flutter/embedding/engine/FlutterEnginePluginRegistry.java, 
line(s) 218,233,242,252,262,272,282,292,322,365,392,59,70,124,190,208,224,238,248,258,268,278,288,302,314,328,336,347,359,374,386,67 io/flutter/embedding/engine/FlutterJNI.java, line(s) 341,350,359,368 io/flutter/embedding/engine/dart/DartExecutor.java, line(s) 44,49,62,72,59,69 io/flutter/embedding/engine/dart/DartMessenger.java, line(s) 66,84,24,28,34,41,58,62,71,77,81 io/flutter/embedding/engine/loader/FlutterLoader.java, line(s) 135,163 io/flutter/embedding/engine/loader/ResourceExtractor.java, line(s) 68,112 io/flutter/embedding/engine/plugins/shim/ShimPluginRegistry.java, line(s) 26 io/flutter/embedding/engine/plugins/shim/ShimRegistrar.java, line(s) 154,160,170,177,183,190 io/flutter/embedding/engine/plugins/util/GeneratedPluginRegister.java, line(s) 12 io/flutter/embedding/engine/renderer/FlutterRenderer.java, line(s) 71,75,119,153 io/flutter/embedding/engine/systemchannels/AccessibilityChannel.java, line(s) 27 io/flutter/embedding/engine/systemchannels/KeyEventChannel.java, line(s) 58 io/flutter/embedding/engine/systemchannels/LifecycleChannel.java, line(s) 16,21,26,31 io/flutter/embedding/engine/systemchannels/LocalizationChannel.java, line(s) 20,23 io/flutter/embedding/engine/systemchannels/MouseCursorChannel.java, line(s) 20 io/flutter/embedding/engine/systemchannels/NavigationChannel.java, line(s) 16,21,26 io/flutter/embedding/engine/systemchannels/PlatformChannel.java, line(s) 28 io/flutter/embedding/engine/systemchannels/PlatformViewsChannel.java, line(s) 24 io/flutter/embedding/engine/systemchannels/RestorationChannel.java, line(s) 90 io/flutter/embedding/engine/systemchannels/SettingsChannel.java, line(s) 49 io/flutter/embedding/engine/systemchannels/SystemChannel.java, line(s) 18 io/flutter/embedding/engine/systemchannels/TextInputChannel.java, line(s) 30,221,226,236,241,246,251,256,261,266,271 io/flutter/plugin/common/BasicMessageChannel.java, line(s) 61,83 io/flutter/plugin/common/EventChannel.java, line(s) 68,76,90 
io/flutter/plugin/common/MethodChannel.java, line(s) 72,104 io/flutter/plugin/editing/InputConnectionAdaptor.java, line(s) 214 io/flutter/plugin/platform/PlatformPlugin.java, line(s) 262 io/flutter/plugin/platform/PlatformViewsController.java, line(s) 375 io/flutter/plugin/platform/SingleViewPresentation.java, line(s) 292,301,309,320 io/flutter/plugins/FileUtils.java, line(s) 110 io/flutter/plugins/imagepicker/ExifDataCopier.java, line(s) 16 io/flutter/plugins/imagepicker/ImageResizer.java, line(s) 111 io/flutter/plugins/urllauncher/MethodCallHandlerImpl.java, line(s) 65,55 io/flutter/plugins/urllauncher/UrlLauncherPlugin.java, line(s) 28,39,48 io/flutter/plugins/videoplayer/VideoPlayerPlugin.java, line(s) 78,106 io/flutter/plugins/webviewflutter/DisplayListenerProxy.java, line(s) 80 io/flutter/plugins/webviewflutter/FlutterWebViewClient.java, line(s) 77 io/flutter/plugins/webviewflutter/InputAwareWebView.java, line(s) 62,82,90,27 io/flutter/view/AccessibilityBridge.java, line(s) 672 io/flutter/view/AccessibilityViewEmbedder.java, line(s) 293,299,306,313,326,355,358,372,374,381,384,387,400,402,410,441,444 io/flutter/view/FlutterNativeView.java, line(s) 116 io/flutter/view/FlutterView.java, line(s) 638,309 top/zibin/luban/Checker.java, line(s) 68,88,94,110,127 top/zibin/luban/Luban.java, line(s) 84,83 tv/danmaku/ijk/media/player/IjkMediaCodecInfo.java, line(s) 196,198 tv/danmaku/ijk/media/player/IjkMediaPlayer.java, line(s) 159,163,216,154,166,188,230,263,500,562,185,333,1043,1057 tv/danmaku/ijk/media/player/misc/MediaCodecSurface.java, line(s) 46 tv/danmaku/ijk/media/player/pragma/DebugLog.java, line(s) 10,16,22,28,34,40,46,52,58,84,90,96,102,108,114 uk/co/senab/photoview/PhotoViewAttacher.java, line(s) 56 uk/co/senab/photoview/log/LoggerDefault.java, line(s) 17,22,47,52,27,32,7,12,37,42 xyz/luan/audioplayers/WrappedSoundPool.java, line(s) 51,57,60,113,150,156
Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/amplitude/eventexplorer/EventExplorerInfoActivity.java, line(s) 5,58 io/flutter/plugin/editing/InputConnectionAdaptor.java, line(s) 4,317,326 io/flutter/plugin/platform/PlatformPlugin.java, line(s) 6,270
Secure: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels. https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/amplitude/api/PinnedAmplitudeClient.java, line(s) 56,115,51,45,45,103,103