Mobile Application Security Assessment Report

Spacetech v2.10.1

Security baseline score: 55/100
Overall risk level: Medium risk (grade scale: A / B / C / F)
The application carries some security risk; remediation is recommended.
Distribution of findings
- High severity: 1
- Medium severity: 26
- Informational: 1
- Passed checks: 3
- Key security concerns: 2

Privacy risk assessment
- Third-party trackers: 2
- Medium privacy risk: a small number of third-party trackers detected
High severity: The application uses the CBC cipher mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: M3/C0716c.java, line(s) 480
The attack needs a way for the caller to tell a padding failure apart from any other decryption failure (a distinct exception, error message or timing difference) and then lets them decrypt ciphertext without the key; unauthenticated CBC is also malleable, so ciphertext can be altered without detection. Check which Cipher.getInstance() transformation line 480 uses and where its ciphertext inputs come from. The fix is an AEAD mode such as AES/GCM/NoPadding, or an HMAC over IV and ciphertext that is verified before CBC decryption.
Medium severity: Application data can be backed up
[android:allowBackup=true] This flag allows application data to be backed up with the adb tool. A user with USB debugging enabled can copy the app's data directly, which is a data leakage risk. On Android 12 and later, adb backup excludes the data of apps targeting API level 31 or higher regardless of this flag (unless the app is debuggable), so the practical exposure is on older devices and lower targetSdkVersion values. Set android:allowBackup="false" unless backup is required; if it is, use backup rules (android:fullBackupContent / android:dataExtractionRules) to exclude credentials and tokens.
Medium severity: Exported components protected by a permission this application does not define
The scanner's note is the same for each component below: the component is exported and protected by a permission defined outside this application. Check the permission's protection level where it is defined. If it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can access it. The level each permission is declared with (AOSP framework manifest, or Google Play services for the c2dm permission) is noted per item.
- Activity (com.spacetech.client40.view.AdminPolicyComplianceActivity) Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true]. Declared level: signature, held only by the system; the expected declaration for a device-admin activity.
- Activity (com.spacetech.client40.view.ProvisioningModeActivity) Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true]. Declared level: signature.
- Broadcast Receiver (com.spacetech.client40.receiver.BootCompleteReceiver) Permission: android.permission.RECEIVE_BOOT_COMPLETED [android:exported=true]. Declared level: normal. Any app can hold this permission, so it does not restrict who may send intents to the receiver; the handler must check that the action is android.intent.action.BOOT_COMPLETED and ignore anything else.
- Broadcast Receiver (com.spacetech.client40.receiver.DeviceAdmin) Permission: android.permission.BIND_DEVICE_ADMIN [android:exported=true]. Declared level: signature.
- Broadcast Receiver (com.spacetech.client40.receiver.SmsReceiver) Permission: android.permission.BROADCAST_SMS [android:exported=true]. Declared level: signature; only the system can deliver to it.
- Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) Permission: com.google.android.c2dm.permission.SEND [android:exported=true]. Defined by Google Play services with signature level; the standard FCM receiver declaration.
- Service (androidx.work.impl.background.systemjob.SystemJobService) Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. Declared level: signature; the standard JobScheduler declaration.
- Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) Permission: android.permission.DUMP [android:exported=true]. Declared level: signature|privileged; the standard androidx declaration.
- Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) Permission: android.permission.DUMP [android:exported=true]. Declared level: signature|privileged.
All entries in this group except BootCompleteReceiver are therefore reachable only by the system or by Google Play services and are the expected declarations for the libraries involved.

Medium severity: Exported components with no permission protection
[android:exported=true] Each component below is exported and protected by no permission, so any application on the device can invoke it with a crafted intent.
- Activity (com.spacetech.client40.view.DummySurface)
- Broadcast Receiver (com.spacetech.client40.receiver.PhoneStatReceiver)
- Broadcast Receiver (com.spacetech.client40.receiver.FrpChangedReceiver)
- Broadcast Receiver (com.spacetech.client40.receiver.InstallationBroadcast)
- Service (com.spacetech.client40.service.LocationService)
- Service (com.spacetech.client40.service.PreventiveService)
For receivers that must stay exported to receive system broadcasts, the onReceive() handler has to validate the action and extras before acting. The two exported services are the higher-value targets: any app can call startService()/bindService() on them, so confirm that a start command from an arbitrary caller cannot trigger location collection or policy actions, and add android:permission or set android:exported="false" where no external caller is needed.
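A triage script for exported-component findings like the ones above, added here as an example; it is not code from the app or from the scanner. It parses an AndroidManifest.xml, keeps the exported components, and classifies each by the protection level of its android:permission: the app's own <permission> declarations first, then a table of the platform and Play-services permissions named in this report (assumption: the levels are those declared in the AOSP framework manifest and by Google Play services). The manifest embedded below is constructed from component names in this report and is not the app's real manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS           # ElementTree spells android:name as {ns}name

# Protection levels of permissions this app does not define itself (assumption:
# copied from the AOSP framework manifest and Google's FCM documentation).
KNOWN_LEVELS = {
    "android.permission.BIND_DEVICE_ADMIN": "signature",
    "android.permission.BIND_JOB_SERVICE": "signature",
    "android.permission.BROADCAST_SMS": "signature",
    "android.permission.DUMP": "signature|privileged|development",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
    "com.google.android.c2dm.permission.SEND": "signature",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest using component names from this report.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.spacetech.client40">
  <application android:allowBackup="true">
    <activity android:name=".view.DummySurface" android:exported="true"/>
    <activity android:name=".view.AdminPolicyComplianceActivity"
        android:exported="true" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".receiver.BootCompleteReceiver" android:exported="true"
        android:permission="android.permission.RECEIVE_BOOT_COMPLETED">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".receiver.PhoneStatReceiver" android:exported="true"/>
    <receiver android:name=".receiver.FrpChangedReceiver">
      <intent-filter><action android:name="android.intent.action.PACKAGE_ADDED"/></intent-filter>
    </receiver>
    <receiver android:name=".receiver.SmsReceiver" android:exported="true"
        android:permission="android.permission.BROADCAST_SMS"/>
    <service android:name=".service.LocationService" android:exported="true"/>
    <service android:name=".service.InternalOnly" android:exported="false"/>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:exported="true" android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>
"""


def triage(manifest_xml: str):
    """Return (tag, name, permission, verdict) for every exported component."""
    root = ET.fromstring(manifest_xml)
    own = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
           for p in root.iter("permission")}
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            exported = comp.get(A + "exported")
            if exported is None:
                # Pre-Android 12 default: a component with an intent-filter is exported.
                exported = "true" if comp.find("intent-filter") is not None else "false"
            if exported != "true":
                continue
            perm = comp.get(A + "permission")
            if perm is None:
                verdict = "unprotected"
            elif perm in own:
                verdict = "protected:" + own[perm]
            elif perm in KNOWN_LEVELS:
                verdict = "protected:" + KNOWN_LEVELS[perm]
            else:
                verdict = "protected:unknown (permission not defined in this app)"
            findings.append((tag, comp.get(A + "name"), perm, verdict))
    return findings


def needs_attention(findings):
    """Exported components that any third-party app can reach."""
    return [f for f in findings
            if f[3] == "unprotected"
            or f[3].startswith("protected:normal")
            or f[3].startswith("protected:dangerous")]
```

Run triage() on the manifest from `apktool d` or `aapt2 dump xmltree`; signature-protected entries can be closed as expected declarations, while needs_attention() gives the list that actually needs a code review of the handler.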
Medium severity: High Intent priority (999)
[android:priority] By declaring a high intent-filter priority the app can take precedence over other receivers of an ordered broadcast or other handlers of an implicit intent, which can be used to intercept or suppress them. Identify which filter carries the priority and whether it is needed.
Medium severity: SHA-1 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: D2/z.java, line(s) 293 J2/g.java, line(s) 103 f3/C0429b.java, line(s) 43
Severity depends on use: collisions matter where the digest provides integrity, is signed, or identifies a trusted certificate; SHA-1 used as a non-security identifier (for example a cache key) is a lower concern. Use SHA-256 or stronger wherever integrity matters. The listed classes are in obfuscated packages, so map them back to the owning library before deciding.
Medium severity: The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: D2/i.java, line(s) 28 D4/c.java, line(s) 7 H4/AbstractC0492a.java, line(s) 3 H4/C0493b.java, line(s) 4 Q1/I1.java, line(s) 40 Z2/C1066a.java, line(s) 18 i4/C0510a.java, line(s) 5
java.util.Random is a 48-bit linear congruential generator: its state can be recovered from two consecutive nextInt() outputs, after which every later value is predictable. Any value used as a token, nonce, IV, key or salt must come from java.security.SecureRandom. All listed classes are in obfuscated packages; check what each random value is used for before rating it.
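Why java.util.Random is flagged, shown with an added example that is not code from the app or from the OWASP reference: the block reimplements the JDK's 48-bit LCG in Python (seeding and nextInt() as the JDK specifies, so the output for seed 42 matches Java) and recovers the generator state from two observed nextInt() values by brute-forcing the 16 bits those outputs do not expose. SecureRandom has no such structure, which is the whole difference.

```python
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def _int32(v: int) -> int:
    """Reinterpret the low 32 bits as a signed Java int."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & 0x80000000 else v


class JavaRandom:
    """java.util.Random: seed scrambling and next(bits) as specified by the JDK,
    so next_int() reproduces Java's nextInt() for the same seed."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        r = cls.__new__(cls)
        r.state = state
        return r

    def _next(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return _int32(self.state >> (48 - bits))

    def next_int(self) -> int:
        return self._next(32)


def recover_states(out1: int, out2: int):
    """All 48-bit states consistent with two consecutive nextInt() outputs.
    out1 is the top 32 bits of the state that produced it; only the low 16 bits
    are hidden, so 65 536 candidates cover the whole space."""
    hi = out1 & 0xFFFFFFFF
    found = []
    for low in range(1 << 16):
        s1 = (hi << 16) | low
        s2 = (s1 * MULT + ADD) & MASK
        if _int32(s2 >> 16) == out2:
            found.append(s2)
    return found


def predict_next_ints(out1: int, out2: int, count: int = 1):
    """For each candidate state (normally exactly one), the next `count`
    nextInt() values the victim's generator will produce."""
    return [[r.next_int() for _ in range(count)]
            for r in (JavaRandom.from_state(s) for s in recover_states(out1, out2))]
```

Two leaked values (a session id and a retry jitter, say) are enough; nextLong() and nextInt(bound) leak similar amounts, and a seed derived from System.currentTimeMillis() only shrinks the search further.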
Medium severity: The application can read/write external storage; data written to external storage can be read and written by any application
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: K0/m.java, line(s) 223 T0/c.java, line(s) 220
Shared external storage is outside the app sandbox. On Android 10 and later, scoped storage narrows what other apps can read, but the app's own external files directory is still not protected the way internal storage is. Check what these two call sites write; keep sensitive data in internal storage or encrypt it before writing.
Medium severity: MD5 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: Q1/I1.java, line(s) 103 T0/c.java, line(s) 96
As with SHA-1 above: MD5 collisions are cheap to produce, so it must not be used for integrity, signatures or password storage; as a cache or file-name fingerprint it is a lower concern. T0/c.java is also listed under external storage, so check whether the MD5 value there names or protects a file written outside the sandbox.
Medium severity: The file may contain hardcoded sensitive information such as usernames, passwords or keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: g0/d.java, line(s) 34
This is a pattern match; inspect the string literal at line 34 to decide whether it is a real credential and, if so, whether it grants access to anything server-side.
Medium severity: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: D2/a.java, line(s) 6,259,271 D2/t.java, line(s) 6,61 L1/d.java, line(s) 8,69 P0/C0838c.java, line(s) 5,6,69,74 Q1/B0.java, line(s) 6,7,75 Q1/C0100h.java, line(s) 5,6,81,246,939,1245 e2/b.java, line(s) 4,57 g2/a.java, line(s) 6,36 m1/j.java, line(s) 4,5,77
Only queries whose text is built from data an outside party controls are exploitable; with the exported receivers and services listed earlier, intent extras are one such source. Bind values with selectionArgs / ? placeholders (or SQLiteDatabase.query with its selection arguments) instead of concatenating them into the statement.
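The raw-query pattern the finding describes, as an added Python example in which sqlite3 stands in for SQLiteDatabase.rawQuery (not code from the app): the same lookup once with string concatenation and once with a bound parameter, run against constructed sample rows with a tautology payload.

```python
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the app's SQLite store."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE devices (serial TEXT, owner TEXT, enroll_token TEXT)")
    con.executemany("INSERT INTO devices VALUES (?, ?, ?)", [
        ("SN-0001", "alice", "tok-a1"),
        ("SN-0002", "bob", "tok-b2"),
    ])
    return con


def lookup_raw(con: sqlite3.Connection, serial: str):
    """Equivalent of db.rawQuery("... WHERE serial = '" + serial + "'", null):
    the caller's string becomes part of the SQL text."""
    sql = "SELECT owner, enroll_token FROM devices WHERE serial = '" + serial + "'"
    return con.execute(sql).fetchall()


def lookup_param(con: sqlite3.Connection, serial: str):
    """Equivalent of db.rawQuery("... WHERE serial = ?", new String[]{serial}):
    the value is bound and never parsed as SQL."""
    return con.execute(
        "SELECT owner, enroll_token FROM devices WHERE serial = ?", (serial,)
    ).fetchall()


# Attacker-controlled serial number (constructed): closes the quote and appends
# a tautology, so the raw query matches every row.
PAYLOAD = "nope' OR '1'='1"


def demo():
    """(rows from the raw query, rows from the bound query) for the same payload."""
    con = open_sample_db()
    return lookup_raw(con, PAYLOAD), lookup_param(con, PAYLOAD)
```

The raw form returns every device's enrollment token for the payload; the bound form returns nothing, because the whole string is compared as a serial number. A UNION or a second statement is the same exercise once the quote is open.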
Medium severity: The application creates temporary files. Sensitive information must never be written to temporary files.
Files: g0/u.java, line(s) 384
Check where the temporary file is created (internal cache versus external storage) and what is written to it; temporary files are rarely cleaned up reliably on a crash.
Medium severity: The application contains privacy trackers
This application has 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium severity: This application may contain hardcoded secrets
The following possible secrets were identified in the application; confirm that none of them is a secret or private value:
- "com.google.firebase.crashlytics.mapping_file_id" : "c6c797a0d7884ba99a26871764b723cf"
- "google_api_key" : "AIzaSyCVlYU5rbVtk4z5ACEERvqv4jspvp-2YSs"
- "google_app_id" : "1:232201991739:android:f24790afe0afae7ec88e1e"
- "google_crash_reporting_api_key" : "AIzaSyCVlYU5rbVtk4z5ACEERvqv4jspvp-2YSs"
- 86254750241babac4b8d52996a675549
- bc046babfbc47c5d4bf882bc8281c802
- 925f1b1b0f9d144a200cb1b69167f09b
- a-95ed6082-b8e9-46e8-a73f-ff56f00f5d9d
- 470fa2b4ae81cd56ecbcda9735803434cec591fa
The Firebase API key and app ID come from google-services.json and are client identifiers that ship in every Firebase app by design; the controls that matter are API key restrictions (bound to the package name and signing certificate) and Firebase security rules, which should be verified in the Google Cloud console. The three 32-hex values, the UUID-like value and the 40-hex value (the length of a SHA-1 digest) need manual classification; decide for each whether it is an identifier, a digest, or a credential.
Informational: The application writes log messages; sensitive information must not be logged
Logcat output is readable by other apps on older Android versions and by anyone with adb access on all versions, so review the call sites in the app's own packages (com/spacetech/client40/...) first, in particular SmsReceiver, LocationService, Registration and the FCM service, for message bodies, locations, tokens and credentials. The obfuscated packages are mostly library code.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: A/f.java, line(s) 36,41 B1/b.java, line(s) 56,55,49 B1/d.java, line(s) 55,60,85,94 C0/m.java, line(s) 85 D2/a.java, line(s) 143,154,61,62,98,99,153,178,221 D2/e.java, line(s) 33 D2/i.java, line(s) 164,186,165,158 D2/j.java, line(s) 74 D2/t.java, line(s) 104,106,114,121 D2/z.java, line(s) 306,301 D3/a.java, line(s) 27,36,43,52,28,37,44,53 E0/d.java, line(s) 31,159,30,158 E0/l.java, line(s) 60 F1/e.java, line(s) 54,60,180,205,175,57,137 F1/g.java, line(s) 593,412 F2/a.java, line(s) 37,36,41 F2/c.java, line(s) 26 H/a.java, line(s) 60 H3/d.java, line(s) 274,284,275,285 H4/d.java, line(s) 40 I2/b.java, line(s) 10,9 J2/A.java, line(s) 66 J2/g.java, line(s) 36,107 J2/i.java, line(s) 29 J2/k.java, line(s) 38,45,46,54 J2/m.java, line(s) 102,134,297,318,393,340,366,101,133,155,296,317,330,335,368,382,392,156,331,336,383,98,108,327,371 J2/o.java, line(s) 54 J2/r.java, line(s) 79,97,75,102,105,107,123,67,78,96,68,84,121 J2/t.java, line(s) 40,55,70,76,83,88,29,33,60,39,54,69,75,82,87 J2/u.java, line(s) 56,55 J2/x.java, line(s) 24,31,37,23,30,36 J2/z.java, line(s) 45,46 K/AbstractC0605X0.java, line(s) 32 K/C0006c.java, line(s) 83 K/C0017n.java, line(s) 32,45,92,149,192,209,233 K/C0644s.java, line(s) 68 K/C0648u.java, line(s) 166 K/DialogInterfaceOnClickListenerC0579K.java, line(s) 36,101,106,126 K/G.java, line(s) 78 K/Q.java, line(s) 100,81,99 K/ViewOnClickListenerC0603W0.java, line(s) 90,113,212,226 K/c1.java, line(s) 69,104,121,140 K/j0.java, line(s) 31 K/n0.java, line(s) 76,93,67 K/n1.java, line(s) 22 K0/AbstractC0677r.java, line(s) 134 K0/BinderC0674o.java, line(s) 102,116 K0/C0032d.java, line(s) 143,153,44,59,60,68,83,84,93,100,114,121,136,147 K0/C0673n.java, line(s) 110,211,213 K0/C0679t.java, line(s) 55,59 K0/CallableC0033e.java, line(s) 58,88,97,79,81,100,106,109,57,87 K0/m.java, line(s) 227,244,249,221,255,326 L1/d.java, line(s) 100,99 L2/d.java, 
line(s) 30,58 L2/g.java, line(s) 142,169,76,82,141,168,54,67,106,148,190,235 L2/l.java, line(s) 27,61 L2/n.java, line(s) 83 M2/C0713d.java, line(s) 101,135 M2/u0.java, line(s) 332,359 M3/C0716c.java, line(s) 235,328,628,247,249,234,327,619,627,354,382,391,461 M3/c.java, line(s) 38 N/b.java, line(s) 41 O/s.java, line(s) 18,17 P0/C0842g.java, line(s) 47,157 P3/n.java, line(s) 31,46,47,57 P3/o.java, line(s) 103,125,148 P3/p.java, line(s) 21,37 P3/u.java, line(s) 46 P3/v.java, line(s) 92,106,109,116 Q1/C.java, line(s) 191,244,189 Q1/C0856a.java, line(s) 88,186 Q1/C0857b.java, line(s) 37,51,60 Q1/I1.java, line(s) 1042,836 Q1/J0.java, line(s) 44,38,122,41,52,55,58 Q1/O.java, line(s) 207 Q1/R0.java, line(s) 122,141,121,140,115,138 R/e.java, line(s) 205 R2/C0874d.java, line(s) 38,37,45 R2/c.java, line(s) 31,61,54,30,47,57,60,48,58 T0/c.java, line(s) 279,238,244,368 T0/d.java, line(s) 224,250,392,222,404,391,415,416,264,273,336,439,452 T1/C0897b.java, line(s) 79,96,78,95,119 T1/a.java, line(s) 102,109,187,263,275,116,204 T1/d.java, line(s) 31,30 T1/e.java, line(s) 44,57,78,43,56,77,74,98,110 T1/f.java, line(s) 15,12 T1/i.java, line(s) 55,54 T1/j.java, line(s) 79,46,94,108 T1/k.java, line(s) 48,47,61,84,113,133,141,62,85,114,134,142 T1/l.java, line(s) 36,43,35,42 T1/m.java, line(s) 44,43 U1/AbstractBinderC0930m.java, line(s) 62 U1/AbstractC0924g.java, line(s) 35 U1/AbstractC0933p.java, line(s) 62,66 U1/C0922e.java, line(s) 51,94,101 U1/C0925h.java, line(s) 212,214,103,136,140,209,37,50 U1/HandlerC0927j.java, line(s) 26 W0/b.java, line(s) 20,30 X0/r.java, line(s) 46,52,58,64,70 Y2/AbstractC1044b.java, line(s) 130,148,189,129,147 Y2/C1046d.java, line(s) 21 Y2/C1048f.java, line(s) 231,249,76,80,86,89,156 a1/a.java, line(s) 72,87 a2/m.java, line(s) 79,67,86 b4/d.java, line(s) 291,393,396,431 com/spacetech/client40/fcm/MyFirebaseMessagingService.java, line(s) 26 com/spacetech/client40/receiver/FrpChangedReceiver.java, line(s) 20 
com/spacetech/client40/receiver/InstallationBroadcast.java, line(s) 34,32,55,59,63,67,71,75,78 com/spacetech/client40/receiver/PhoneStatReceiver.java, line(s) 23 com/spacetech/client40/receiver/SmsReceiver.java, line(s) 48,25,39 com/spacetech/client40/service/LocationService.java, line(s) 61,80,83,65,67 com/spacetech/client40/service/NetworkService.java, line(s) 17,23 com/spacetech/client40/service/ReminderNotificationService.java, line(s) 55 com/spacetech/client40/service/WarningAudioService.java, line(s) 18,42,55,60 com/spacetech/client40/util/DailyCheckWorker.java, line(s) 30 com/spacetech/client40/util/PeriodicHeartbeatWorker.java, line(s) 56,58 com/spacetech/client40/view/DummySurface.java, line(s) 227,237,250,253,317,327,340,343,407,417,430,433,497,507,520,523,587,597,610,613,245,335,425,515,605 com/spacetech/client40/view/LocationActivity.java, line(s) 23,45,47,38 com/spacetech/client40/view/Registration.java, line(s) 297,325 com/spacetech/client40/view/UserDashboard.java, line(s) 199 e3/C0406c.java, line(s) 137,311 e3/b.java, line(s) 73,55,83 f/AbstractActivityC0415g.java, line(s) 493 f/HandlerC0411c.java, line(s) 50,42 f/k.java, line(s) 42 f/m.java, line(s) 109 f/r.java, line(s) 64,81,111 f/u.java, line(s) 922,924,926,501,585,588 f3/C0429b.java, line(s) 36,47 g0/e.java, line(s) 348,89,289,393,420,347,359,381,360,382 g0/i.java, line(s) 133,136,214 g0/l.java, line(s) 57,189,190 g0/m.java, line(s) 138,139 g0/q.java, line(s) 31,36 g0/u.java, line(s) 468,482,469,483 g2/b.java, line(s) 38,39 g2/c.java, line(s) 88,83,126,132 g3/c.java, line(s) 82,83 g4/d.java, line(s) 59,218,73,83 g4/l.java, line(s) 223,232,222,424,207,215,229 h0/d.java, line(s) 283,182 h0/e.java, line(s) 75,83,43,74,78,44,79 i/C0503h.java, line(s) 88,137,149,159 i/C0504i.java, line(s) 166 j0/C0530j.java, line(s) 28 j0/C0541v.java, line(s) 149,120 j0/H.java, line(s) 549 j0/S.java, line(s) 46 j0/X.java, line(s) 156 k2/a.java, line(s) 84,118,83,114 k2/d.java, line(s) 34,46,33,45 
k3/ServiceConnectionC0691B.java, line(s) 42,46,54,67,84,113,138,92,97,121,41,45,53,66,81,112,137 k3/g.java, line(s) 58,57 k3/i.java, line(s) 30,29 k3/l.java, line(s) 52,26,29,41,51,42 k3/q.java, line(s) 127,142,126,141 k3/r.java, line(s) 33,49 k3/s.java, line(s) 22 k3/w.java, line(s) 23,37,22,36 k3/x.java, line(s) 57,104,56,117,130,147,154 k3/z.java, line(s) 22,21 o3/C0763D.java, line(s) 57 o3/C0775P.java, line(s) 60,69,59 o3/C0777S.java, line(s) 64,88,104,94 o3/C0796m.java, line(s) 18,25 o3/C0807x.java, line(s) 33 o3/HandlerC0779U.java, line(s) 46,62,63,106,109 o3/ServiceConnectionC0778T.java, line(s) 25,34 o3/b.java, line(s) 286,296,299,321,406,111,146,426,428,544,637,722,724,649 o3/d.java, line(s) 28,30,45,46,53,55,70,71,84,89 o3/e.java, line(s) 28,42 o3/f.java, line(s) 63 o3/l.java, line(s) 90,107,128 o3/m.java, line(s) 25,28 o3/q.java, line(s) 183,189,193,210,217 o3/s.java, line(s) 25,19,22 o3/u.java, line(s) 74,76 o3/z.java, line(s) 105,278,281,291,361,62 p2/a.java, line(s) 118 p2/c.java, line(s) 193,225,349,416,198,95,192,224,348,415,96,375 p2/e.java, line(s) 228,227 q0/C0855a.java, line(s) 61 q2/c.java, line(s) 75,74 q3/c.java, line(s) 29 q3/g.java, line(s) 33 t/g.java, line(s) 51 t/i.java, line(s) 361,376,382 t/m.java, line(s) 408,541,547,548,549,554,615,441,444,477 u0/C0917p.java, line(s) 492 w1/b.java, line(s) 35 w1/d.java, line(s) 259,465 w1/l.java, line(s) 269,339 w1/t.java, line(s) 147,151 x/ServiceConnectionC0996G.java, line(s) 51,83,89,113,222,232,254,262,48,82,88,112,221,231,253,261,66,92,126,211 x1/AbstractC1022e.java, line(s) 323,183,189,196,351 x1/C1025h.java, line(s) 83 x1/D.java, line(s) 37 x1/F.java, line(s) 37,52 x1/I.java, line(s) 40,45 x1/K.java, line(s) 47 x1/r.java, line(s) 78,81,84,87,90,93,101,104,107,110,149,154 x1/s.java, line(s) 49 z/AbstractC1064b.java, line(s) 46 z4/a.java, line(s) 81
Passed: This application uses SSL pinning to detect or prevent MITM attacks on its secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: g4/e.java, line(s) 53,52,51 g4/h.java, line(s) 85,75,84,97,83,83 g4/m.java, line(s) 53,52,51,51 g4/n.java, line(s) 110,98,109,108,108 q3/b.java, line(s) 22,42,23,43
This is a static match on pinning-related code in obfuscated packages. Confirm dynamically, with an intercepting proxy whose CA is installed on the device, that the pin is enforced for the app's own API hosts and not only by a library for its own endpoints.
Passed: This application may have root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: J2/g.java, line(s) 94,94,95
"May" is a static heuristic only: verify on a rooted device or emulator what the check inspects and what the app does when it fires.
Passed: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/232201991739/namespaces/firebase:fetch?key=AIzaSyCVlYU5rbVtk4z5ACEERvqv4jspvp-2YSs ) is disabled. The response was: { "state": "NO_TEMPLATE" }
NO_TEMPLATE means no Remote Config template is published for this project, so nothing can currently be fetched. A template can be published at any time without an app update, so the check is worth repeating when the project is reviewed.
Key security concern: The application may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.166', 'country_short': 'CN', 'country_long': 'China', 'region': 'Shanghai', 'city': 'Shanghai', 'latitude': '31.224333', 'longitude': '121.468948'}
Key security concern: The application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.166', 'country_short': 'CN', 'country_long': 'China', 'region': 'Shanghai', 'city': 'Shanghai', 'latitude': '31.224333', 'longitude': '121.468948'}
Both hostnames are Google-operated endpoints (Google Analytics for Firebase and Google advertising) and both resolved to the same Shanghai address, which is consistent with geolocating the address returned by the scanner's own resolver rather than the service behind it. Read these two entries as an inventory of analytics and advertising endpoints in the app, not as evidence that its data is processed in the listed jurisdiction.
Overall security baseline summary

Spacetech v2.10.1
Android APK
Overall security score: 55/100
Medium risk