Security score: 44/100
Privacy risk: 1 user/device tracker
Findings
High: 2
Medium: 15
Info: 3
Secure: 0
Hotspot: 0
High: Debug configuration is enabled. Production builds must not be debuggable.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: andhook/lib/BuildConfig.java, line(s) 3,6 com/applisto/appcloner/classes/BuildConfig.java, line(s) 3,6
High: By default, calling Cipher.getInstance("AES") returns AES in ECB mode. ECB mode is known to be weak because identical plaintext blocks produce identical ciphertext blocks.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode Files: com/applisto/appcloner/classes/util/SimpleCrypt.java, line(s) 17
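Medium: Cleartext network traffic is enabled for the application.
[android:usesCleartextTraffic=true] The application intends to use cleartext network traffic, such as cleartext HTTP, FTP, DownloadManager, and MediaPlayer. For applications targeting API level 27 or lower, the default value is "true". For applications targeting API level 28 or higher, the default value is "false". The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity, and tamper protection; a network attacker can eavesdrop on transmitted data and can modify it without being detected.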
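Medium: Activity (com.tv.streax.SettingsActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.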
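Medium: Activity (com.tv.streax.PlayerActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.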
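Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.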
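Medium: Content Provider (com.applisto.appcloner.classes.DefaultProvider) is not protected.
[android:exported=true] The Content Provider is shared with other applications on the device and is therefore accessible to any other application on the device.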
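Medium: Service (com.applisto.appcloner.service.RemoteService) is not protected.
[android:exported=true] The Service is shared with other applications on the device and is therefore accessible to any other application on the device.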
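Medium: Broadcast Receiver (com.applisto.appcloner.classes.DefaultProvider$DefaultReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other applications on the device and is therefore accessible to any other application on the device.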
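Medium: Activity (com.applisto.appcloner.classes.DefaultProvider$MyActivity) is not protected.
[android:exported=true] The Activity is shared with other applications on the device and is therefore accessible to any other application on the device.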
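Medium: Broadcast Receiver (com.applisto.appcloner.classes.FakeCamera$FakeCameraReceiver) is not protected.
An intent-filter is present. The Broadcast Receiver is shared with other applications on the device, which makes it accessible to any other application on the device. The presence of the intent-filter indicates that this Broadcast Receiver is explicitly exported.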
Medium: The application creates temporary files. Sensitive information should never be written to a temporary file.
Files: com/applisto/appcloner/classes/Utils.java, line(s) 346
Medium: MD5 is a weak hash known to have hash collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: andhook/lib/xposed/XposedHelpers.java, line(s) 607
Medium: The application can read from and write to external storage. Any application can read data written to external storage.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/applisto/appcloner/classes/BundleObb.java, line(s) 86 top/canyie/pine/C0043.java, line(s) 130
Medium: IP address disclosure.
Files: com/applisto/appcloner/classes/HostsBlocker.java, line(s) 225
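Medium: The application contains privacy trackers.
This application contains 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.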
Medium: This application may contain hardcoded secrets.
The following secrets were identified in the application. Ensure that these are not secrets or private information.
Info: The application logs information. Sensitive information must not be logged.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: andhook/lib/AndHook.java, line(s) 63,73 andhook/lib/HookHelper.java, line(s) 49,54,82,103,124,145,156,252,263,277,283,242 andhook/lib/xposed/XposedBridge.java, line(s) 219,215 andhook/lib/xposed/XposedHelpers.java, line(s) 68,81,94,107,518,529,540,555,576,587,598,648,761,772,783,794,805,816,827,838,849,860,892,907,980,991,1002,1013,1024,1035,1046,1057,1068,1079,1090,1101,1112,1123,1134,1145,1156,1167 com/applisto/appcloner/classes/AbstractActivityContentProvider.java, line(s) 29,34 com/applisto/appcloner/classes/AppClonerNative.java, line(s) 12 com/applisto/appcloner/classes/ApplicationWrapper.java, line(s) 47,59,84,96,108,120,132,144,156,177 com/applisto/appcloner/classes/AutoPressButtons.java, line(s) 115,126,131,142,177,182,187,201,94,144,148,152,210 com/applisto/appcloner/classes/AutoRotateControls.java, line(s) 18,19,40,46,38,53 com/applisto/appcloner/classes/BackKeyHandler.java, line(s) 34,43,51,72,74,78,88,25,90 com/applisto/appcloner/classes/BluetoothControls.java, line(s) 18,19,39,42,47,53,61,64,45,67 com/applisto/appcloner/classes/BootReceiver.java, line(s) 14,22 com/applisto/appcloner/classes/BundleFilesDirectories.java, line(s) 18,32,40,48,64,43,68 com/applisto/appcloner/classes/BundleObb.java, line(s) 19,108,111,122,131,162,165 com/applisto/appcloner/classes/CalculatorActivity.java, line(s) 100,191,201,263 com/applisto/appcloner/classes/ClearCacheOnExitProvider.java, line(s) 26,30,47,22,35,52 com/applisto/appcloner/classes/ClearCacheOnExitService.java, line(s) 18,24 com/applisto/appcloner/classes/ClearCacheReceiver.java, line(s) 15 com/applisto/appcloner/classes/CloneSettings.java, line(s) 43,68,77,52,57,74,96 com/applisto/appcloner/classes/Configuration.java, line(s) 22,28,43,47,50,73,83,93,38,67,77,87,97 com/applisto/appcloner/classes/ConfirmExit.java, line(s) 14 com/applisto/appcloner/classes/CrashHandler.java, line(s) 
67,71,83,25,55,75,85 com/applisto/appcloner/classes/DefaultFontProvider.java, line(s) 32 com/applisto/appcloner/classes/DefaultProvider.java, line(s) 32,89,150,154,162,166,37,62,69,79,142,173 com/applisto/appcloner/classes/DisableCameras.java, line(s) 26,34,40,58,75,87,106,115,53,70,82,101,110,128 com/applisto/appcloner/classes/DisableClipboardAccess.java, line(s) 52,67,71,75,79,120,124,128,132,136,141,146,164,168,172,176,180,184,190,203,208,219,223,227,231,235,240,245,263,267,271,275,279,283,289,302,307,325,341,350,380,82,155,254,309,327,343,382,398 com/applisto/appcloner/classes/FacebookLoginBehavior.java, line(s) 14,43 com/applisto/appcloner/classes/FacebookMessengerProvider.java, line(s) 34,36 com/applisto/appcloner/classes/FakeCalculator.java, line(s) 14,22,26,32 com/applisto/appcloner/classes/GmailSupport.java, line(s) 38,42,52,54,80,94,110,117,124,131,143,148,166,180,183,195,84,88,105,126,153,161,185 com/applisto/appcloner/classes/HeadphonesEventReceiver.java, line(s) 12,24,29,18,37 com/applisto/appcloner/classes/HostsBlocker.java, line(s) 65,74,85,96,126,194,201,209,217,232,235,246,284,311,319,339,363,382,422,88,116,304,321,377,432 com/applisto/appcloner/classes/InterruptionFilterControls.java, line(s) 21,22,37,48,49,57,61,63 com/applisto/appcloner/classes/LaunchTileService.java, line(s) 16,30,23 com/applisto/appcloner/classes/LogcatViewer.java, line(s) 65,159,207,244 com/applisto/appcloner/classes/NotificationOptions.java, line(s) 142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,197,212,219,291,296,298,348,365,93,184,276,329,337,350,353 com/applisto/appcloner/classes/OnAppExitListener.java, line(s) 17,24 com/applisto/appcloner/classes/OpenLinksWith.java, line(s) 42,58,66 com/applisto/appcloner/classes/PasswordActivity.java, line(s) 86,97,102,197,106,132,141,158,169,205 com/applisto/appcloner/classes/PasswordProvider.java, line(s) 12,14,18,24 
com/applisto/appcloner/classes/PenEventReceiver.java, line(s) 12,23,30 com/applisto/appcloner/classes/PersistentApp.java, line(s) 13,21 com/applisto/appcloner/classes/PersistentAppService.java, line(s) 18 com/applisto/appcloner/classes/PictureInPicture.java, line(s) 27,31,41,53,59,71,79,35,81 com/applisto/appcloner/classes/PowerEventReceiver.java, line(s) 12,16,19,22,25,27,35 com/applisto/appcloner/classes/PreferenceEditor.java, line(s) 24,26,29,40,57,65 com/applisto/appcloner/classes/PressBackAgainToExit.java, line(s) 17,43,31 com/applisto/appcloner/classes/SecretDialerCodeReceiver.java, line(s) 15,24 com/applisto/appcloner/classes/SetBrightnessOnStart.java, line(s) 22,23,54,88,95,31,40,49,61,70 com/applisto/appcloner/classes/ShowOnLockScreen.java, line(s) 14,25 com/applisto/appcloner/classes/Signatures.java, line(s) 37,90,93,143,147,158,162,190,47,69,108,131,137,185,194,197,206 com/applisto/appcloner/classes/StartExitAppEventReceiver.java, line(s) 18,34,53,66,24,48,61 com/applisto/appcloner/classes/ToastFilter.java, line(s) 25,29,67,74,83,58,85 com/applisto/appcloner/classes/TrustAllCertificatesProvider.java, line(s) 37,39 com/applisto/appcloner/classes/Utils.java, line(s) 249,252,259,261,542,82,141,182,192,198,212,241,308,336,360,402,411,461,487,547,560,564 com/applisto/appcloner/classes/WhatsAppSupport.java, line(s) 20,49,61,35,52,56,74 com/applisto/appcloner/classes/WifiControls.java, line(s) 18,19,39,42,47,53,61,64,45,67 com/applisto/appcloner/classes/freeform/FreeFormWindow.java, line(s) 38,41,31,45 com/applisto/appcloner/classes/freeform/FreeFormWindowActivity.java, line(s) 48,63,94,110,113,76,116 com/applisto/appcloner/classes/service/RemoteService.java, line(s) 25 com/applisto/appcloner/classes/util/IActivityManagerHook.java, line(s) 17 com/applisto/appcloner/classes/util/IPackageManagerHook.java, line(s) 20 com/swift/sandhook/ClassNeverCall.java, line(s) 10 com/swift/sandhook/HookLog.java, line(s) 10,14,18,22,26,30 
com/swift/sandhook/PendingHookHandler.java, line(s) 49,44 com/swift/sandhook/SandHook.java, line(s) 252 com/swift/sandhook/utils/FileUtils.java, line(s) 71,106 com/swift/sandhook/utils/ReflectionUtils.java, line(s) 23 com/swift/sandhook/utils/Unsafe.java, line(s) 88,32 com/tv/streax/EpisodeAdapter.java, line(s) 757,866,882 com/tv/streax/Login.java, line(s) 805,1729,1834,1863,2055 com/tv/streax/MainActivity$$ExternalSyntheticLambda2.java, line(s) 52 com/tv/streax/MainActivity$$ExternalSyntheticLambda5.java, line(s) 89 com/tv/streax/MainActivity$$ExternalSyntheticLambda6.java, line(s) 47 com/tv/streax/MainActivity.java, line(s) 156,261 com/tv/streax/MovieAdapter.java, line(s) 515,696,946,1067,1089,1324,1498 com/tv/streax/MovieFragment.java, line(s) 333,597,649 com/tv/streax/PlayerActivity.java, line(s) 1312,1878 com/tv/streax/R.java, line(s) 169,361,424 com/tv/streax/SearchFragment.java, line(s) 610,680 com/tv/streax/SerieAdapter.java, line(s) 391,1161,1225,1403 com/tv/streax/SettingsActivity$$ExternalSyntheticLambda1.java, line(s) 103 com/tv/streax/SettingsActivity$$ExternalSyntheticLambda7.java, line(s) 63 com/tv/streax/SettingsActivity$$ExternalSyntheticLambda8.java, line(s) 46 com/tv/streax/SettingsActivity$cerrarSesion$1$1$$ExternalSyntheticLambda1.java, line(s) 54 com/tv/streax/SettingsActivity.java, line(s) 681,1318 com/tv/streax/TrackSelectionDialog$$ExternalSyntheticLambda0.java, line(s) 56 com/tv/streax/TrackSelectionDialog$$ExternalSyntheticLambda1.java, line(s) 81 com/tv/streax/TrackSelectionDialog$$ExternalSyntheticLambda3.java, line(s) 58 com/tv/streax/TrackSelectionDialog.java, line(s) 439,928,1566 com/tv/streax/TvFragment$$ExternalSyntheticLambda0.java, line(s) 44 com/tv/streax/activitysplash.java, line(s) 140 java/io/ByteArrayOutputStrean.java, line(s) 20,24,25,37,27 np/protect/assets/p/C0007.java, line(s) 58,547 np/protect/assets/p/C0009.java, line(s) 335 org/lsposed/hiddenapibypass/HiddenApiBypass.java, line(s) 75,314 top/canyie/pine/Pine.java, 
line(s) 81,157,912
Info: This application listens for clipboard changes. Some malware also listens for clipboard changes.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/applisto/appcloner/classes/DisableClipboardAccess.java, line(s) 46,137,142,153,236,241,252,9
Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/applisto/appcloner/classes/DisableClipboardAccess.java, line(s) 9,76,396