应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
StyleSeat v134.6.0
52
安全评分
安全基线评分
52/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
2
高危
15
中危
4
信息
2
安全
隐私风险评估
7
第三方跟踪器
高隐私风险
检测到大量第三方跟踪器
检测结果分布
高危安全漏洞
2
中危安全漏洞
15
安全提示信息
4
已通过安全项
2
重点安全关注
0
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/braze/ui/inappmessage/views/InAppMessageHtmlBaseView.java, line(s) 271,16
高危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个7隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 应用数据存在泄露风险
未设置[android:allowBackup]标志 建议将 [android:allowBackup] 显式设置为 false。默认值为 true,允许通过 adb 工具备份应用数据,存在数据泄露风险。
中危安全漏洞 Broadcast Receiver (nl.xservices.plugins.ShareChooserPendingIntent) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Content Provider (com.facebook.FacebookContentProvider) 未受保护。
[android:exported=true] 检测到 Content Provider 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.appsflyer.MultipleInstallBroadcastReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Activity 设置了 TaskAffinity 属性
(com.braze.push.NotificationTrampolineActivity) 设置 taskAffinity 后,其他应用可读取发送至该 Activity 的 Intent。为防止敏感信息泄露,建议保持默认 affinity(包名)。
中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Activity (com.facebook.CustomTabActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: bo/app/k90.java, line(s) 44 com/appsflyer/AppsFlyerProperties.java, line(s) 17 com/appsflyer/cordova/plugin/AppsFlyerConstants.java, line(s) 9,39 com/braze/Constants.java, line(s) 50,56,71,48,49,87,30,31,54,55,32,52,66,47,70,72,80,65,94,78,98,37,46,96,13,14,17,18,19,101,61,63,62,51,64,73,79,93,76,95,58 com/braze/configuration/BrazeConfig.java, line(s) 1191 com/braze/enums/CardKey.java, line(s) 61,62,65,64,63 com/braze/images/DefaultBrazeImageLoader.java, line(s) 60 com/braze/models/inappmessage/InAppMessageHtml.java, line(s) 18,20,21 com/braze/models/outgoing/AttributionData.java, line(s) 18,16,17,20 com/braze/push/BrazeNotificationUtils.java, line(s) 54 com/braze/push/BrazePushReceiver.java, line(s) 42,35,34,45,37,46,39 com/braze/support/StringUtils.java, line(s) 28 com/braze/ui/contentcards/ContentCardsFragment.java, line(s) 55,56,59,60 com/braze/ui/inappmessage/listeners/DefaultInAppMessageWebViewClientListener.java, line(s) 33 com/newrelic/agent/android/SavedState.java, line(s) 35,46,38 com/newrelic/agent/android/distributedtracing/TracePayload.java, line(s) 11,12,14,15,19,22,20,18,23 com/newrelic/agent/android/harvest/AgentHealth.java, line(s) 12 com/newrelic/agent/android/harvest/HarvestConfiguration.java, line(s) 17,367,367 com/newrelic/agent/android/util/PersistentUUID.java, line(s) 28 nl/xservices/plugins/GooglePlus.java, line(s) 52
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/appsflyer/internal/ah.java, line(s) 32 com/braze/support/StringUtils.java, line(s) 59
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/newrelic/agent/android/AndroidAgentImpl.java, line(s) 228 nl/xservices/plugins/SocialSharing.java, line(s) 218,215
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/appsflyer/internal/ah.java, line(s) 20 nl/xservices/plugins/GooglePlus.java, line(s) 285
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: bo/app/w30.java, line(s) 3 com/braze/support/IntentUtils.java, line(s) 17 com/newrelic/agent/android/util/Util.java, line(s) 5 cordova/plugins/Diagnostic.java, line(s) 18
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/newrelic/agent/android/instrumentation/SQLiteInstrumentation.java, line(s) 6,61,63,68,70
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "com_braze_image_is_read_tag_key" : "com_appboy_image_is_read_tag_key" "com_braze_image_lru_cache_image_url_key" : "com_braze_image_lru_cache_image_url_key" "com_braze_image_resize_tag_key" : "com_appboy_image_resize_tag_key" "fb_app_id" : "111891482183773" "fb_client_token" : "not_provided" "firebase_database_url" : "https://styleseat-89a56.firebaseio.com" "google_api_key" : "AIzaSyA26snJuvUPeFyFCIQyNKq1dSlOHuDzhkU" "google_app_id" : "1:1016475266319:android:1a3a98285fb8b23c" "google_crash_reporting_api_key" : "AIzaSyA26snJuvUPeFyFCIQyNKq1dSlOHuDzhkU" c56fb7d591ba6704df047fd98f535372fea00211 2438bce1ddb7bd026d5ff89f598b3b5e5bb824b3 3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc df6b721c8b4d3b6eb44c861d4415007e5a35fc95 389C9738-A761-44DE-8A66-1668CFD67DA1 FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212 9b8f518b086098de3d77736f9458a3d2f6f95a37 8a3c4b262d721acd49a4bf97d5213199c86fa2b9 27194413-5f9c-4a4e-a5a4-03466edc50b1 FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901 cc2751449a350f668590264ed76692694a80308a E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1 d67afc830dab717fd163bfcb0b8b88423e9a1a3b 37a6259cc0c1dae299a7866489dff0bd
安全提示信息 应用程序可以写入应用程序目录。敏感信息应加密
应用程序可以写入应用程序目录。敏感信息应加密 Files: bo/app/cg0.java, line(s) 76 bo/app/e50.java, line(s) 16,16 bo/app/fv.java, line(s) 23 bo/app/gy.java, line(s) 54,57,60 bo/app/hr.java, line(s) 31,31 bo/app/i70.java, line(s) 19,19 bo/app/jr.java, line(s) 20 bo/app/ju.java, line(s) 14,14 bo/app/kn.java, line(s) 109,112,109,112 bo/app/la0.java, line(s) 18,18 bo/app/q.java, line(s) 156,156 bo/app/rc.java, line(s) 40,43 bo/app/re0.java, line(s) 34,34 bo/app/uh0.java, line(s) 34,37 bo/app/xs.java, line(s) 44 bo/app/xy.java, line(s) 42,42 bo/app/y60.java, line(s) 21,21 bo/app/zg0.java, line(s) 22 bo/app/zq.java, line(s) 61,64,61,64 com/braze/configuration/RuntimeAppConfigurationProvider.java, line(s) 31,31 com/braze/managers/BrazeGeofenceManager.java, line(s) 211
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: by/chemerisuk/cordova/firebase/FirebaseAnalyticsPlugin.java, line(s) 18,81 by/chemerisuk/cordova/firebase/FirebaseCrashPlugin.java, line(s) 14 com/appsflyer/AFLogger.java, line(s) 36,67,113,34,13,56,49 com/appsflyer/cordova/plugin/AppsFlyerPlugin.java, line(s) 52,195,694,722,736,751,766,795 com/braze/support/BrazeLogger.java, line(s) 340,343,361,349,352,378,380,358,367,370 com/ionicframework/cordova/webview/AndroidProtocolHandler.java, line(s) 38,41,44,47,67 com/ionicframework/cordova/webview/IonicWebViewEngine.java, line(s) 35,40,45,93 com/ionicframework/cordova/webview/WebViewLocalServer.java, line(s) 146,230,115,122,197,234,292,339 com/newrelic/agent/android/AndroidAgentImpl.java, line(s) 394,152,161,153,398,401 com/newrelic/agent/android/NewRelic.java, line(s) 165,154 com/newrelic/agent/android/SavedState.java, line(s) 99,91,95 com/newrelic/agent/android/agentdata/AgentDataController.java, line(s) 137 com/newrelic/agent/android/analytics/AnalyticsControllerImpl.java, line(s) 498,241,270,299,329,339,346,402,457,95,87,310,314,394,681 com/newrelic/agent/android/analytics/EventManagerImpl.java, line(s) 143,141 com/newrelic/agent/android/crash/UncaughtExceptionHandler.java, line(s) 62,63 com/newrelic/agent/android/harvest/Harvest.java, line(s) 367,370 com/newrelic/agent/android/hybrid/data/DataController.java, line(s) 126 com/newrelic/agent/android/instrumentation/io/CountingInputStream.java, line(s) 119 com/newrelic/agent/android/logging/AndroidAgentLog.java, line(s) 12,19,47,54,33,26,40 com/newrelic/agent/android/logging/ConsoleAgentLog.java, line(s) 66 com/newrelic/agent/android/rum/AppApplicationLifeCycle.java, line(s) 84,95,102 com/newrelic/agent/android/sample/Sampler.java, line(s) 85,86,244,251 com/newrelic/agent/android/stores/SharedPrefsAnalyticsAttributeStore.java, line(s) 86 com/newrelic/agent/android/tracing/TraceMachine.java, line(s) 234,235 com/newrelic/agent/android/util/AgentBuildOptionsReporter.java, line(s) 7,8 com/newrelic/cordova/plugin/NewRelicCordovaPlugin.java, line(s) 43,349 com/spoon/imagepicker/ImagePicker.java, line(s) 218,213 cordova/plugins/Diagnostic.java, line(s) 94,230,322,328,336,250,236,474,300,333,345,533,561,243 cordova/plugins/Diagnostic_Bluetooth.java, line(s) 41,34 cordova/plugins/Diagnostic_Camera.java, line(s) 20 cordova/plugins/Diagnostic_Location.java, line(s) 52,42,210 cordova/plugins/Diagnostic_Notifications.java, line(s) 24 cordova/plugins/screenorientation/CDVOrientation.java, line(s) 21,32 nl/xservices/plugins/Calendar.java, line(s) 172,385,591,595,602,605,481,221,239,258,261,271,293,300,319,326,378,393,409,425,435,452,582 nl/xservices/plugins/GooglePlus.java, line(s) 319,79,86,91,96,104,117,137,139,187,194,196,199,212,214 nl/xservices/plugins/accessor/AbstractCalendarAccessor.java, line(s) 336,526,546 uk/co/workingedge/phonegap/plugin/LaunchReview.java, line(s) 31
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: nl/xservices/plugins/SocialSharing.java, line(s) 5,373
安全提示信息 应用与Firebase数据库通信
该应用与位于 https://styleseat-89a56.firebaseio.com 的 Firebase 数据库进行通信
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: cordova/plugins/Diagnostic.java, line(s) 133,224,225
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/1016475266319/namespaces/firebase:fetch?key=AIzaSyA26snJuvUPeFyFCIQyNKq1dSlOHuDzhkU ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
StyleSeat v134.6.0
Android APK
52
综合安全评分
中风险