Security Analysis Report: hfckdwhmnkqelct v4.54

Security Score

Security score: 53/100

Risk Rating

Grade

  1. A
  2. B
  3. C
  4. F

Severity Distribution (%)

Privacy Risk

1

User/device trackers

Findings

High 2
Medium 9
Info 2
Secure 2
Hotspot 0

High: This file is world writable. Any application can write to the file.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
q3/c.java, line(s) 68

High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting (XSS) attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/gxhskihlxzqjdb/nvjmbygajirpx/Mfcllleyjnrnzv.java, line(s) 153,7

Medium: The application uses an insecure random number generator.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
H3/AbstractC0494a.java, line(s) 3
H3/C0495b.java, line(s) 3
I3/C0508a.java, line(s) 4
R3/C.java, line(s) 31
m1/d.java, line(s) 7
net/ovidea/sounds/activities/MainActivity.java, line(s) 95
net/ovidea/sounds/activities/RecoverActivity.java, line(s) 54
net/ovidea/sounds/views/a.java, line(s) 33

Medium: The application can read from and write to external storage. Any application can read data written to external storage.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
R3/AbstractC0267h.java, line(s) 124,125,169,193
com/gxhskihlxzqjdb/nvjmbygajirpx/Acroszxbxuzv.java, line(s) 63
com/gxhskihlxzqjdb/nvjmbygajirpx/Mfcllleyjnrnzv.java, line(s) 192
com/gxhskihlxzqjdb/nvjmbygajirpx/Tfjhmjfelykg.java, line(s) 81
h4/d.java, line(s) 125,127,132
l3/b.java, line(s) 161
net/ovidea/sounds/activities/MainActivity.java, line(s) 1295,2041,2217,2228,2238,2245,3355,3734,3737,3758,3785,3786
net/ovidea/sounds/fragments/BrowserFragment.java, line(s) 458,600
net/ovidea/sounds/utils/xmltopdf/PdfGenerator.java, line(s) 265,266,272,451,248
net/ovidea/sounds/views/a.java, line(s) 850
q3/c.java, line(s) 165

Medium: SHA-1 is a weak hash known to have hash collisions.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
Y1/C0964b.java, line(s) 55

Medium: MD5 is a weak hash known to have hash collisions.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
X3/b.java, line(s) 722

Medium: Files may contain hardcoded sensitive information such as usernames, passwords, and keys.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
D3/C0213e0.java, line(s) 60
G1/w.java, line(s) 133
f1/C0448b.java, line(s) 81
k/f.java, line(s) 76
t1/b.java, line(s) 154

Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
k0/M.java, line(s) 6,7,74,108,127,136,183,306,323,704
k0/W.java, line(s) 4,5,159
o3/c.java, line(s) 4,5,29
o3/d.java, line(s) 4,5,14

Medium: The application creates temporary files. Sensitive information should never be written to a temporary file.


Files:
R3/E.java, line(s) 198
V3/i.java, line(s) 70
Y1/C0965c.java, line(s) 82

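Medium: The application contains privacy trackers.

This application has 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.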

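Medium: This application may contain hardcoded secrets.

The following secrets were identified in the application. Ensure that these are not secrets or private information.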
2LHYpyDYp9mG2KrYrtin2Kgg2qnZhtuM2K8g24zaqSDZgdin24zZhA==
470fa2b4ae81cd56ecbcda9735803434cec591fa
7ZWY64KY7J2YIO2MjOydvOydhCDshKDtg50=
2KfbjNqpINmB2KfYptmEINmF24zauiDYs9uSINin2YbYqtiu2KfYqCDaqdix24zaug==

Info: The application logs information. Sensitive information must not be logged.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
A/h.java, line(s) 169,19,299,123
A1/g.java, line(s) 31,41,18,51,61,71
A4/b.java, line(s) 114,141,159,295,304,451,489,587,127,319,132,145,165,314,317,345,367,458,471,498,523,539,542,570,576,591,685,686,687,705
A4/g.java, line(s) 157
B4/b.java, line(s) 87,146,156,160
D/b.java, line(s) 20
D1/C0393z.java, line(s) 158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176
E4/AbstractC0439b.java, line(s) 53,90
F/a.java, line(s) 54,55
F3/a.java, line(s) 23
G3/a.java, line(s) 58
H1/c.java, line(s) 28,32,36,40
L/C0600c.java, line(s) 105,104
L/C0602e.java, line(s) 68,67
O/e.java, line(s) 50,71,83,92,51,84,72,93
O/i.java, line(s) 121,106
Q/C0742c.java, line(s) 16,15
Q/C0743d.java, line(s) 40,39
Q/C0746g.java, line(s) 97,96
Q/s.java, line(s) 67,70
Q/t.java, line(s) 64,69,82,98,65,70,85,101
Q/u.java, line(s) 37,36
R3/AbstractC0268i.java, line(s) 16
S3/b.java, line(s) 14
T3/e.java, line(s) 143
T3/o.java, line(s) 73
T3/p.java, line(s) 48
U3/d.java, line(s) 38,48
U3/l.java, line(s) 47,13
U3/n.java, line(s) 57,41
U3/p.java, line(s) 80
U3/r.java, line(s) 41
V3/a.java, line(s) 15
V3/e.java, line(s) 40,63
V3/i.java, line(s) 87,88,93,100,124,75
V3/j.java, line(s) 133
W/C0929a.java, line(s) 86,92,99,108,87,93,100,109
W/C0931c.java, line(s) 22,23
W/a.java, line(s) 205
W/h.java, line(s) 41,44
X0/f.java, line(s) 35,42,45,54,88
X0/n.java, line(s) 140
X3/b.java, line(s) 350
Y1/C0964b.java, line(s) 59,76
Y3/d.java, line(s) 72
Y3/e.java, line(s) 179,225,241
Y3/f.java, line(s) 40,56,161
Z/i.java, line(s) 73,177
Z1/c.java, line(s) 94,97,119,127,128,149,155
b/i.java, line(s) 56,97,98,57
com/arthenica/ffmpegkit/FFmpegKitConfig.java, line(s) 323,326,334,337,356,365,130,132,204,240
com/arthenica/ffmpegkit/b.java, line(s) 86
com/arthenica/ffmpegkit/c.java, line(s) 25,33
com/arthenica/ffmpegkit/d.java, line(s) 28,36
com/arthenica/ffmpegkit/r.java, line(s) 57
com/hbb20/CountryCodePicker.java, line(s) 1164,1173,591,1324,1531
com/hbb20/a.java, line(s) 1489,1491,50
d0/k.java, line(s) 36,65,72,75,92,99,106,111,116
e1/e.java, line(s) 69
g0/AbstractC0458a.java, line(s) 16,23,30,15,22,29,43,44,50,51
h2/k.java, line(s) 81,498,509
h2/t.java, line(s) 66,71,95,232,238,294,317,330,340,342
i/C0498b.java, line(s) 419
j/C0512d.java, line(s) 76,99,75,98
j4/d.java, line(s) 222,378
k2/C0568d.java, line(s) 190,213,218,242,262,281,362,393
k2/C0572h.java, line(s) 249,409,501,406
k2/D.java, line(s) 105
k2/n.java, line(s) 104,79,115,119
k2/o.java, line(s) 25
k2/t.java, line(s) 155,132,148
k2/y.java, line(s) 110,120,72
l2/C0610d.java, line(s) 191
n/i.java, line(s) 109,149,110,150
n/k.java, line(s) 112,158,172,184,75,111,121,147,157,171,183,205,212,81,122,206,213,148
n2/C0646c.java, line(s) 33,37
net/ovidea/sounds/activities/MainActivity.java, line(s) 916,3780,877,2093
net/ovidea/sounds/activities/StatsActivity.java, line(s) 762,765,784
net/ovidea/sounds/services/MyFirebaseMessagingService.java, line(s) 89,48
p/ExecutorServiceC0729a.java, line(s) 163,160
r1/a.java, line(s) 57
r1/e.java, line(s) 43,59
s/j.java, line(s) 72,73
t0/i.java, line(s) 22,31,38,30,37,44,45,51,52
u1/A.java, line(s) 109,111
u1/C0295g.java, line(s) 31
u1/D.java, line(s) 85,103,204,220,229,289,309,112,317
u1/F.java, line(s) 46,58,37,55
u1/l.java, line(s) 64,70
u1/v.java, line(s) 162,107,316
v1/a.java, line(s) 123,142,146
w3/a.java, line(s) 108,112,124,79,84,91,117,321,407
w3/b.java, line(s) 209,320,423,482,495,591,595,645,736,772,792,938,1171,1237,1251,651,944,287,294,447,666,783,825,913,967,1009,1016,1032,1052,1056
w3/e.java, line(s) 75
w3/f.java, line(s) 20
w3/k.java, line(s) 88,97,114,139,153
x1/c.java, line(s) 139
x1/f.java, line(s) 47
y/C0960d.java, line(s) 45,64,69,74,52,44,51,56,63,68,73,57

Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
net/ovidea/sounds/adapters/EmojiTextAdapter.java, line(s) 4,69
net/ovidea/sounds/adapters/MagicTextAdapter.java, line(s) 5,79
net/ovidea/sounds/fragments/TextToEmojiFragment.java, line(s) 5,85

Secure: This application may have root detection capabilities.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
D1/AbstractC0377i.java, line(s) 307,307,308
t0/v.java, line(s) 30

Secure: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
m4/c.java, line(s) 142,141,140,140

Security score: (hfckdwhmnkqelct 4.54)