安全分析报告: JiachieCash v1.0.3

安全分数


安全分数 52/100

风险评级


等级

  1. A
  2. B
  3. C
  4. F

严重性分布 (%)


隐私风险

3

用户/设备跟踪器


调研结果

高危 2
中危 14
信息 2
安全 2
关注 2

高危 基本配置不安全地配置为允许到所有域的明文流量。 

Scope:
*

高危 该文件是World Readable。任何应用程序都可以读取文件 

该文件是World Readable。任何应用程序都可以读取文件
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
com/appsflyer/internal/AFb1tSDK.java, line(s) 2942

中危 应用程序数据可以被备份 

[android:allowBackup=true]
这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。

中危 Service (com.jialoan.cahalcsh.Ce) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.DUMP [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护, 但是应该检查权限的保护级别。 

Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 应用程序使用不安全的随机数生成器 

应用程序使用不安全的随机数生成器
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/appsflyer/internal/AFa1zSDK.java, line(s) 16
com/appsflyer/internal/AFc1jSDK.java, line(s) 15
com/jialoan/cahalcsh/Br0.java, line(s) 7
com/jialoan/cahalcsh/C0083Ay.java, line(s) 4
com/jialoan/cahalcsh/C0628Qk.java, line(s) 6
com/jialoan/cahalcsh/C1409eB.java, line(s) 14
com/jialoan/cahalcsh/C1551fa0.java, line(s) 11
com/jialoan/cahalcsh/C1875ia0.java, line(s) 10
com/jialoan/cahalcsh/C2306ma0.java, line(s) 19
com/jialoan/cahalcsh/S20.java, line(s) 31
com/jialoan/cahalcsh/T90.java, line(s) 11

中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/jiachiecash/db/ReDataEntityDao.java, line(s) 4,40
com/jialoan/cahalcsh/AH0.java, line(s) 5,36
com/jialoan/cahalcsh/AX.java, line(s) 4,5,37
com/jialoan/cahalcsh/C0646Rb.java, line(s) 6,151
com/jialoan/cahalcsh/C1394e30.java, line(s) 4,46
com/jialoan/cahalcsh/C1474eq.java, line(s) 5,6,146
com/jialoan/cahalcsh/C1826i30.java, line(s) 5,304
com/jialoan/cahalcsh/C1905iq.java, line(s) 3,15
com/jialoan/cahalcsh/C2121kq.java, line(s) 4,5,66
com/jialoan/cahalcsh/C3172uc.java, line(s) 5,6,7,8,71
com/jialoan/cahalcsh/C3383wZ.java, line(s) 6,7,8,9,530
com/jialoan/cahalcsh/C3423wt0.java, line(s) 5,6,17
com/jialoan/cahalcsh/C3639yt0.java, line(s) 5,6,66
com/jialoan/cahalcsh/C3705zX.java, line(s) 6,7,99
com/jialoan/cahalcsh/M20.java, line(s) 12,13,210

中危 不安全的Web视图实现。可能存在WebView任意代码执行漏洞 

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/jialoan/cahalcsh/C2334mo0.java, line(s) 151,137

中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/jialoan/cahalcsh/ActivityC2865rk0.java, line(s) 427,431
com/jialoan/cahalcsh/C0655Rf0.java, line(s) 39,41,62
com/jialoan/cahalcsh/C0828We0.java, line(s) 31
com/jialoan/cahalcsh/C0862Xe0.java, line(s) 95,172
com/jialoan/cahalcsh/C1040ao0.java, line(s) 777
com/jialoan/cahalcsh/C2102kg0.java, line(s) 100,110,179
com/jialoan/cahalcsh/C2210lg0.java, line(s) 122,129,136,143,150,157,164,171
com/jialoan/cahalcsh/C3019t7.java, line(s) 131
com/jialoan/cahalcsh/C3730zl.java, line(s) 44

中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/jialoan/cahalcsh/C0865Xg.java, line(s) 36
com/jialoan/cahalcsh/C1995jh.java, line(s) 37
com/jialoan/cahalcsh/C2858rh.java, line(s) 65
com/jialoan/cahalcsh/C3082tl.java, line(s) 22
com/jialoan/cahalcsh/C3396wg.java, line(s) 53

中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件 

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
com/jialoan/cahalcsh/C0.java, line(s) 122
com/jialoan/cahalcsh/C0923Zb.java, line(s) 112
com/jialoan/cahalcsh/C2377n90.java, line(s) 103
com/jialoan/cahalcsh/X9.java, line(s) 1060

中危 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/jialoan/cahalcsh/C1089bC0.java, line(s) 33
com/jialoan/cahalcsh/C2269m90.java, line(s) 115
com/jialoan/cahalcsh/C2651pl.java, line(s) 105

中危 MD5是已知存在哈希冲突的弱哈希 

MD5是已知存在哈希冲突的弱哈希
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/jialoan/cahalcsh/C3082tl.java, line(s) 53
com/jialoan/cahalcsh/S20.java, line(s) 84

中危 应用程序包含隐私跟踪程序 

此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。

中危 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901
3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F
E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1
FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212

信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
com/appsflyer/internal/AFb1tSDK.java, line(s) 217,919
com/appsflyer/internal/AFc1kSDK.java, line(s) 76,76,81
com/appsflyer/internal/AFd1oSDK.java, line(s) 775
com/appsflyer/internal/AFe1bSDK.java, line(s) 36
com/appsflyer/internal/AFe1dSDK.java, line(s) 29,31,150,158
com/appsflyer/internal/AFe1eSDK.java, line(s) 34,58
com/appsflyer/internal/AFe1jSDK.java, line(s) 241,60,239,237
com/appsflyer/internal/AFe1oSDK.java, line(s) 26
com/appsflyer/internal/AFf1dSDK.java, line(s) 244,264,425,432,533,744,1255,1384,1385,1804,1827,1831
com/appsflyer/internal/AFf1rSDK.java, line(s) 78
com/appsflyer/internal/AFf1tSDK.java, line(s) 97,113,129,144,168,183,198,217,233,277,288
com/appsflyer/internal/AFf1uSDK.java, line(s) 28
com/appsflyer/internal/AFf1vSDK.java, line(s) 57,66
com/appsflyer/internal/AFg1ySDK.java, line(s) 73,43,44,45
com/appsflyer/internal/AFg1zSDK.java, line(s) 75,87,109,114
com/appsflyer/internal/AFh1gSDK.java, line(s) 49,150,67,68,73,74,50,151,319
com/jialoan/cahalcsh/A5.java, line(s) 126
com/jialoan/cahalcsh/AbstractC0132Cg.java, line(s) 32
com/jialoan/cahalcsh/AbstractC0481Mg.java, line(s) 34
com/jialoan/cahalcsh/AbstractC2864rk.java, line(s) 100,213
com/jialoan/cahalcsh/C0136Ci.java, line(s) 46,61
com/jialoan/cahalcsh/C0138Cj.java, line(s) 31,53,74
com/jialoan/cahalcsh/C0169Dh.java, line(s) 130,163
com/jialoan/cahalcsh/C0173Dj.java, line(s) 13
com/jialoan/cahalcsh/C0204Eh.java, line(s) 79,86,109,119,153,191,198,212,221
com/jialoan/cahalcsh/C0346Ii.java, line(s) 185,195,205,266,273,287,295,323,341,343,348,357,360,365
com/jialoan/cahalcsh/C0349Ik.java, line(s) 91
com/jialoan/cahalcsh/C0383Jj.java, line(s) 77
com/jialoan/cahalcsh/C0412Kg.java, line(s) 55,57,63,70,158
com/jialoan/cahalcsh/C0416Ki.java, line(s) 176,192,217,297,328,363
com/jialoan/cahalcsh/C0451Li.java, line(s) 40,46
com/jialoan/cahalcsh/C0453Lj.java, line(s) 45
com/jialoan/cahalcsh/C0483Mh.java, line(s) 36,46,57,63
com/jialoan/cahalcsh/C0487Mj.java, line(s) 133
com/jialoan/cahalcsh/C0590Pi.java, line(s) 51
com/jialoan/cahalcsh/C0623Qh.java, line(s) 98
com/jialoan/cahalcsh/C0656Rg.java, line(s) 99
com/jialoan/cahalcsh/C0673Ru.java, line(s) 15
com/jialoan/cahalcsh/C0697Sj.java, line(s) 20,25,28,34,39
com/jialoan/cahalcsh/C0726Tg.java, line(s) 42
com/jialoan/cahalcsh/C0728Th.java, line(s) 40
com/jialoan/cahalcsh/C0800Vi.java, line(s) 91,98,103,117,120
com/jialoan/cahalcsh/C0850Wx.java, line(s) 50
com/jialoan/cahalcsh/C0867Xh.java, line(s) 16
com/jialoan/cahalcsh/C0869Xi.java, line(s) 120
com/jialoan/cahalcsh/C0901Yh.java, line(s) 47
com/jialoan/cahalcsh/C1027ai.java, line(s) 120
com/jialoan/cahalcsh/C1241ch.java, line(s) 60
com/jialoan/cahalcsh/C1456eh.java, line(s) 14
com/jialoan/cahalcsh/C1502f30.java, line(s) 49
com/jialoan/cahalcsh/C1505f5.java, line(s) 364
com/jialoan/cahalcsh/C1778hg.java, line(s) 438
com/jialoan/cahalcsh/C1784hj.java, line(s) 89,94,99,108
com/jialoan/cahalcsh/C1786hk.java, line(s) 15
com/jialoan/cahalcsh/C1826i30.java, line(s) 723
com/jialoan/cahalcsh/C1839iA.java, line(s) 25,32,56
com/jialoan/cahalcsh/C2107kj.java, line(s) 21
com/jialoan/cahalcsh/C2241lw.java, line(s) 32
com/jialoan/cahalcsh/C2425ng.java, line(s) 122,252
com/jialoan/cahalcsh/C2429ni.java, line(s) 94
com/jialoan/cahalcsh/C2476o5.java, line(s) 149
com/jialoan/cahalcsh/C2484o9.java, line(s) 1587
com/jialoan/cahalcsh/C2533og.java, line(s) 130,146,160
com/jialoan/cahalcsh/C2537oi.java, line(s) 37
com/jialoan/cahalcsh/C2755qj.java, line(s) 51
com/jialoan/cahalcsh/C2932sH0.java, line(s) 7,15,11
com/jialoan/cahalcsh/C3074th.java, line(s) 71
com/jialoan/cahalcsh/C3106tx.java, line(s) 17
com/jialoan/cahalcsh/C3327vz0.java, line(s) 10,23,32
com/jialoan/cahalcsh/C3447x5.java, line(s) 47,48
com/jialoan/cahalcsh/ComponentCallbacks2C0897Yf.java, line(s) 160,270,277
com/jialoan/cahalcsh/DZ.java, line(s) 202
com/jialoan/cahalcsh/E6.java, line(s) 936,1078,1098,1194,1195
com/jialoan/cahalcsh/ExecutorServiceC0693Sh.java, line(s) 88
com/jialoan/cahalcsh/F0.java, line(s) 11
com/jialoan/cahalcsh/FragmentC0348Ij.java, line(s) 45
com/jialoan/cahalcsh/H5.java, line(s) 199
com/jialoan/cahalcsh/M20.java, line(s) 444,990,3196
com/jialoan/cahalcsh/P00.java, line(s) 14
com/jialoan/cahalcsh/P9.java, line(s) 35
com/jialoan/cahalcsh/RunnableC1133bh.java, line(s) 281,330,528
com/jialoan/cahalcsh/X9.java, line(s) 60
com/jialoan/cahalcsh/XC.java, line(s) 74

信息 此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密 

此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密


Files:
org/greenrobot/greendao/database/SqlCipherEncryptedHelper.java, line(s) 17,7,8

安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 

此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
com/jialoan/cahalcsh/C0759Uf.java, line(s) 46,29,39,39
com/jialoan/cahalcsh/C1990je0.java, line(s) 33,17,26,26
com/jialoan/cahalcsh/UF0.java, line(s) 609,608,607,607

安全 此应用程序可能具有Root检测功能 

此应用程序可能具有Root检测功能
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/jialoan/cahalcsh/XC.java, line(s) 179

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (pagead2.googlesyndication.com) 通信。 

{'ip': '180.163.151.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (app-measurement.com) 通信。 

{'ip': '180.163.150.161', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

安全评分: ( JiachieCash 1.0.3)