Security Score
Security Score: 48/100
Risk Rating
Grade
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 1 (user/device trackers)
Findings: High 2, Medium 12, Info 1, Secure 1, Hotspot 2
High: Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security hole. This application is vulnerable to MITM attacks.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: B5/b.java, line(s) 9,10,5,22
High: The app uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: I2/C1845a.java, line(s) 33
Medium: The app has cleartext network traffic enabled.
[android:usesCleartextTraffic=true] The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager and MediaPlayer. The default value for apps that target API level 27 or lower is "true"; apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity and protection against tampering: a network attacker can eavesdrop on transmitted data and can also modify it without being detected.
Medium: Application data can be backed up.
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] A Service is found to be shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is found to be shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: MD5 is a weak hash known to have hash collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: I2/C0046p.java, line(s) 31 N4/AbstractC2102e.java, line(s) 206 Q3/w.java, line(s) 40
Medium: The app uses an insecure random number generator.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: G4/a.java, line(s) 3 G4/b.java, line(s) 15 G4/c.java, line(s) 4 I2/C0046p.java, line(s) 6 I2/F0.java, line(s) 43 N5/g.java, line(s) 72 Q3/m.java, line(s) 38 Q4/c.java, line(s) 24 Y2/i.java, line(s) 16 h4/a.java, line(s) 4 i0/i.java, line(s) 151 music/downloader/mp3player/downloadmusic/service/MusicPlayerService.java, line(s) 98 org/schabi/newpipe/extractor/services/youtube/YoutubeParsingHelper.java, line(s) 28 org/schabi/newpipe/extractor/utils/RandomStringFromAlphabetGenerator.java, line(s) 3
Medium: SHA-1 is a weak hash known to have hash collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: G4/b.java, line(s) 68,70,73,76
Medium: The app can read/write external storage. Any app can read data written to external storage.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: A5/CountDownTimerC0235d.java, line(s) 93 B/i.java, line(s) 79 J3/AbstractC1888a.java, line(s) 279,282 c4/c.java, line(s) 133,133 music/downloader/mp3player/downloadmusic/service/MusicPlayerService.java, line(s) 484
Medium: The app uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can cause SQL injection. Sensitive information should also be encrypted before it is written to the database.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: B0/o.java, line(s) 16,172 C0/i.java, line(s) 5,23 E4/C1757c.java, line(s) 4,49 E4/C1758d.java, line(s) 5,21 H2/d.java, line(s) 8,314 N5/ViewOnClickListenerC2104b.java, line(s) 11,51 N5/g.java, line(s) 18,848 Q0/b.java, line(s) 4,5,6,66 u4/a.java, line(s) 5,6,33 u4/b.java, line(s) 4,5,26
Medium: Files may contain hardcoded sensitive information such as usernames, passwords or keys.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: M1/C2054B.java, line(s) 102 M1/C2060e.java, line(s) 41 M1/t.java, line(s) 90 org/schabi/newpipe/extractor/services/peertube/PeertubeParsingHelper.java, line(s) 37,39 org/schabi/newpipe/extractor/services/soundcloud/extractors/SoundcloudPlaylistInfoItemExtractor.java, line(s) 13,14,15 org/schabi/newpipe/extractor/services/youtube/extractors/YoutubeCommentsExtractor.java, line(s) 31,32
Medium: The app contains privacy trackers.
This app contains 1 privacy tracker. Trackers can track devices or users and are a privacy concern for end users.
Medium: This app may contain hardcoded secrets.
Possible secrets identified in the app. Ensure these are not secrets or private information:
- AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "@string/app_id"
- 9a04f079-9840-4286-ab92-e65be0885f95
- edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
- B3EEABB8EE11C2BE770B684D95219ECB
- c103703e120ae8cc73c9248622f3cd1e
- aHR0cHM6Ly9hcGkuamFtZW5kby5jb20vdjMuMC90cmFja3M/Y2xpZW50X2lkPWQ2ZjFiNDA3JmZvcm1hdD1qc29ucHJldHR5JmxpbWl0PTIwJm5hbWU9
- 49f946663a8deb7054212b8adda248c6
Info: The app logs information. Sensitive information must never be logged.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: A/AbstractC0209a.java, line(s) 414,338,128 A/f.java, line(s) 47 A/l.java, line(s) 50,63,76 A0/AbstractServiceC0218i.java, line(s) 29 A0/RunnableC0215f.java, line(s) 55,87 A0/RunnableC0217h.java, line(s) 35,53 A2/C0227b.java, line(s) 59,131 A2/e.java, line(s) 87,169,181,187 A2/j.java, line(s) 2148,2235,2311 A2/q.java, line(s) 71 A3/c.java, line(s) 361,372,376,385,387,408 A5/C0236e.java, line(s) 30,46 A5/CountDownTimerC0235d.java, line(s) 113 B0/f.java, line(s) 48,57,62,67,74,85,95,106,113,145,150,159,165,171,181,188 B0/n.java, line(s) 183,185,193,195,203,205,218,220 B0/o.java, line(s) 517,528,542,556,584,453,463,1041,454,464,1042 B0/v.java, line(s) 464,506 B1/g.java, line(s) 454,26,199,211 C/g.java, line(s) 43 C/j.java, line(s) 49,73,83 C1/e.java, line(s) 27,28 C1/f.java, line(s) 36,37 D/d.java, line(s) 41 D/e.java, line(s) 56 D/f.java, line(s) 44 D/g.java, line(s) 57,115 E/d.java, line(s) 28,31,34,140,152 F1/AbstractC1772j.java, line(s) 44,48,9,53 F1/C1767e.java, line(s) 72 F2/g.java, line(s) 265 G0/d.java, line(s) 40 G2/b.java, line(s) 96,144,256 G2/c.java, line(s) 43,59,69,79 G2/f.java, line(s) 69,106,107 H2/C1812d.java, line(s) 261,1347,1364 H2/j.java, line(s) 60,95,98 H3/C1823a.java, line(s) 71,81 I/C1833h.java, line(s) 92,151,165,173 I/C1834i.java, line(s) 193 I/i.java, line(s) 22 I1/C1842c.java, line(s) 194 I1/F.java, line(s) 39 I1/J.java, line(s) 489 I1/o.java, line(s) 186 I1/q.java, line(s) 54,97 I1/u.java, line(s) 1246,1253,1261,1274,1887,1895,136 I1/y.java, line(s) 186 I2/C1856l.java, line(s) 76,80 I2/C1858n.java, line(s) 205 I5/b.java, line(s) 43 J/ViewOnKeyListenerC1874f.java, line(s) 463 J/l.java, line(s) 556 K/C1902G.java, line(s) 73 K/C1912d0.java, line(s) 295,81,86,278 K/C1918g0.java, line(s) 22 K/C1931q.java, line(s) 53 K/DialogInterfaceOnClickListenerC1896A.java, line(s) 57,62,67,72 K/F0.java, line(s) 94,194 K/J0.java, line(s) 22
K/M.java, line(s) 96,105,185,230 K/r.java, line(s) 190 K/t0.java, line(s) 100,279,438,199,317,331,401,416 K/u0.java, line(s) 33 K1/v.java, line(s) 767,803 K1/x.java, line(s) 495,517,540,1255 K2/e.java, line(s) 121,148,116,143 L0/AbstractC1968F.java, line(s) 193 L0/AbstractC1982U.java, line(s) 211 L0/C2003t.java, line(s) 149,120 L0/g.java, line(s) 245,381 L0/o.java, line(s) 352,96,141 L0/q.java, line(s) 201 L1/C2011b.java, line(s) 118,144,187,223,117,143,186,222 L2/H.java, line(s) 17,19,25,31 L3/AbstractC2026e.java, line(s) 475,495 L3/C2025d.java, line(s) 62,70,570,599,102,117,132,169,215,565,150,67,153,183,186,212,288,346,382,397,405,415,510 M/C0090c.java, line(s) 84 M/C0101n.java, line(s) 29,42,90,156,202,221,245 M/E.java, line(s) 87 M/Q.java, line(s) 259,214,258 M/U.java, line(s) 20,31 M/e0.java, line(s) 30 M/f0.java, line(s) 30,42,49,58 M/j0.java, line(s) 54,73,45 M0/BinderC2047e.java, line(s) 30,43 M0/C2045c.java, line(s) 97,194 M0/C2048f.java, line(s) 67 M1/C2055C.java, line(s) 66,122,65,103,121,105 M1/i.java, line(s) 541,149,192,540,313 M1/j.java, line(s) 140,141 M1/m.java, line(s) 15,60 M1/v.java, line(s) 90 M2/h.java, line(s) 85,87,93,99,111,113,119,125,137,139,145,187,157,159,165,171 N1/C2086f.java, line(s) 89,155,218,233,85,101,107,138,150,157,181,187,194,217,232,51,105,185,202,139 N4/AbstractC2098a.java, line(s) 134 N5/ViewOnClickListenerC2107e.java, line(s) 259 N5/g.java, line(s) 1304,1385,1405,332,469,471,486,1019,1101,1345,1349 O3/a.java, line(s) 22 P1/C2127c.java, line(s) 11,10 P4/AbstractC2139I.java, line(s) 56 P4/f.java, line(s) 14 P4/g.java, line(s) 20 P4/j.java, line(s) 31 P4/n.java, line(s) 54 Q/v.java, line(s) 19,18 Q0/c.java, line(s) 28 Q0/d.java, line(s) 170 Q1/C2169C.java, line(s) 111,110 Q1/C2174b.java, line(s) 70,89,97,111,119,71,90,98,114,122 Q1/C2176d.java, line(s) 57,56 Q1/e.java, line(s) 339,459,1021,1046,1256,1543 Q2/C2181a.java, line(s) 425,132,147,313,390,403,408 Q2/C2182b.java, line(s) 36 Q3/C2199Q.java, line(s) 17,19 
Q3/C2207d.java, line(s) 164,168,173,574 Q3/C2210g.java, line(s) 66 Q3/g.java, line(s) 251 Q4/d.java, line(s) 46 Q5/C2227a.java, line(s) 67 Q5/b.java, line(s) 248 R/e.java, line(s) 34 R1/c.java, line(s) 162,257 R2/C2241a.java, line(s) 62,313 R3/BinderC2243b.java, line(s) 27 R3/C2250i.java, line(s) 82 R3/r.java, line(s) 90,77,93,99,124,130 S1/C2256b.java, line(s) 75,76 S1/k.java, line(s) 113,285 S1/m.java, line(s) 60,86,104,114,129,139 S1/o.java, line(s) 691,795,711,1271,1381,1463,1567 S1/q.java, line(s) 74 S2/C2258a.java, line(s) 815,79,90,106,241,268,313,771,777,837 T/C2288c.java, line(s) 413 T/e.java, line(s) 341 T1/C2319F.java, line(s) 99,122,153,98,121,152 T1/C2321b.java, line(s) 56,55,65,95,96 T1/C2322c.java, line(s) 47,48 T1/C2328i.java, line(s) 23,29,24,30 T1/C2333n.java, line(s) 26,33,145,155,170,184,214,242,250,280,288,25,32,144,154,167,183,213,241,245,254,264,268,276,287 T1/l.java, line(s) 305 T1/q.java, line(s) 94,437,736,93,392,436,464,541,646,657,685,708,719,735,759,770,422,480,569 T1/s.java, line(s) 27,36,32,41 T1/w.java, line(s) 87,93,99,105,111,118,124,148,160,88,94,100,106,112,119,125,161,149 T1/z.java, line(s) 54,63,77,55,64,78,79,80,83 U/C2347e.java, line(s) 1151,1181,1206,1231,1257 V/b.java, line(s) 127 V/c.java, line(s) 192,200,246,258,270,282,294,306,318,330,337,348,360,343 V/g.java, line(s) 207,324,331,393,485,505,519,526,719,941,993,1013,1027,1061,1078,1138,1185,1188,1228,1256,1265,1277,1293,1303,1334,1353,1366,1375,1418,1432,1459,1543,1565,1607,1611,1702,60,224,379,920,1558,1639,1653 V1/e.java, line(s) 121 V1/g.java, line(s) 214 V1/s.java, line(s) 66,73 V1/z.java, line(s) 49,53 W/b.java, line(s) 71,115,124 W/f.java, line(s) 49 W/h.java, line(s) 362,389 W/l.java, line(s) 406,555,562,563,564,572,599,612,649,443,450,486 W0/AbstractC2383g.java, line(s) 320,1965 W1/a.java, line(s) 97 X1/C2394a.java, line(s) 61,127,144,150,155,69,128,145,151,156 X1/C2402i.java, line(s) 48,49 X1/a.java, line(s) 231,251,157 X1/c.java, line(s) 495,870 X1/k.java, line(s) 639,645,658,687,443,554 X2/n.java, line(s) 90 X2/o.java, line(s) 147,162,261,158 X2/s.java, line(s) 138,179,185,191 Y2/i.java, line(s) 66,72,86,102,122,127 Z3/b.java, line(s) 35 a1/C0224c.java, line(s) 518,198,379 a1/C0225d.java, line(s) 446 b3/e.java, line(s) 73,135,142 b3/f.java, line(s) 97,34,111,161,172,200,208,233 b3/i.java, line(s) 66,210 b3/k.java, line(s) 38 b3/m.java, line(s) 58 com/gun0912/tedpermission/TedPermissionActivity.java, line(s) 94 com/wang/avi/AVLoadingIndicatorView.java, line(s) 363 d1/AbstractC1719b.java, line(s) 18,27 d3/c.java, line(s) 287,526 d3/j.java, line(s) 327 d3/n.java, line(s) 313,396 d3/v.java, line(s) 178,187,327,336 e3/AbstractC1749e.java, line(s) 331,138,144,150,159,359 e3/C1742B.java, line(s) 39,54 e3/C1751g.java, line(s) 102 e3/E.java, line(s) 44,51 e3/G.java, line(s) 28 e3/o.java, line(s) 87,90,94,98,102,106,118,122,125,128,174,184 e3/r.java, line(s) 20 e3/y.java, line(s) 112,120 e3/z.java, line(s) 67 f0/AbstractC1761a.java, line(s) 157,172 g/f.java, line(s) 624,391,400 g/k.java, line(s) 272 g/m.java, line(s) 70,87,124 g/p.java, line(s) 707,1316,1318,1321,584,593,603,612,619,631,640,366,446,449,1021,1034,920 i3/b.java, line(s) 31 j1/C1886c.java, line(s) 208,236,205,235 j1/d.java, line(s) 159,176,181,158,175,180,200 music/downloader/mp3player/downloadmusic/MainActivityX.java, line(s) 231,233,247,250 music/downloader/mp3player/downloadmusic/MusicApp.java, line(s) 166,237,104 music/downloader/mp3player/downloadmusic/service/MusicPlayerService.java, line(s) 1267,1719,1262 music/downloader/mp3player/downloadmusic/ui/activity/PlayerActivity.java, line(s) 299 music/downloader/mp3player/downloadmusic/ui/activity/search/SearchFromBundl.java, line(s) 105,258 n2/c.java, line(s) 74 n2/f.java, line(s) 99,184,188,675 n3/d.java, line(s) 116 n3/e.java, line(s) 149,519 r4/a.java, line(s) 18 r4/b.java, line(s) 196 r4/c.java, line(s) 28,51,62 u2/h.java, line(s) 259,343,358,361,613 w3/a.java, line(s) 109,114 y4/l.java, line(s) 449,448,109,116,123,183,537 z2/a.java, line(s) 29
Secure: This app uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: A5/j.java, line(s) 73,72,71,71 A5/k.java, line(s) 175,174,173,173
Hotspot: The app may communicate with a server (admob-gmats.uc.r.appspot.com) located in an OFAC-sanctioned country (China).
{'ip': '172.217.174.110', 'country_short': 'HK', 'country_long': '中国', 'region': '香港', 'city': '香港', 'latitude': '22.285521', 'longitude': '114.157692'}
Hotspot: The app may communicate with a server (dashif.org) located in an OFAC-sanctioned country (China).
{'ip': '185.199.109.153', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}