Security score
Security score: 41/100
Risk rating
Grade scale (the grade highlighted on the original page was not captured in this extract):
- A
- B
- C
- F
Severity distribution (%): chart not captured; the counts are listed under Findings below.
Privacy risk
2 user/device trackers
Findings
High: 5
Medium: 16
Info: 2
Secure: 1
Hotspot: 0
High: Base config is insecurely configured to permit clear-text traffic to all domains.
Scope: *
High: Domain config is insecurely configured to permit clear-text traffic to the domains in scope.
Scope: localhost amabingpay.com 192.168.169.92 192.168.1.130 192.168.1.135 192.168.43.91 192.168.43.92 192.168.223.91 192.168.27.91 192.168.228.92
The domain list mixes the production host (amabingpay.com) with localhost and a set of private 192.168.x.x addresses, which are development machines. Permitting HTTP to the production host exposes the app's API traffic (the class names in this report show it handles balances, PINs and money transfers) to interception and modification on any network path; the development entries should not ship in a release build at all.
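The check behind these two findings, as an added example that is not code from the app or from MobSF. It parses a network_security_config.xml and reports every section that explicitly permits clear text. Both XML documents are constructed: the first reproduces the report's two High findings (its domain list is a subset of the Scope line above), the second is a hardened replacement that turns clear text off everywhere and keeps only the system trust store.

```python
"""Check an Android network_security_config.xml for cleartext permissions.

Added example for this report, not code from the app or from MobSF. Both
XML documents below are constructed: the first reproduces the two High
findings above, the second is a hardened replacement.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">localhost</domain>
        <domain includeSubdomains="true">amabingpay.com</domain>
        <domain>192.168.169.92</domain>
        <domain>192.168.1.130</domain>
    </domain-config>
</network-security-config>
"""

HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <!-- Explicit false: does not depend on the targetSdkVersion default. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Production API host: TLS only; inherits the base trust anchors. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">amabingpay.com</domain>
    </domain-config>
</network-security-config>
"""


def cleartext_findings(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for every section that permits cleartext.

    Only an explicit cleartextTrafficPermitted="true" is reported: a missing
    attribute inherits from the enclosing section, and a missing base-config
    falls back to the platform default (on below API 28, off from 28 up).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError(f"unexpected root element <{root.tag}>")
    findings: list[tuple[str, str]] = []
    base = root.find("base-config")
    if base is None:
        findings.append(("info", "no <base-config>: cleartext follows the targetSdkVersion default"))
    elif base.get("cleartextTrafficPermitted", "").lower() == "true":
        findings.append(("high", "base-config permits cleartext traffic to all domains (scope: *)"))
    # iter() also reaches domain-config elements nested inside other domain-configs.
    for section in root.iter("domain-config"):
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            domains = [d.text.strip() for d in section.findall("domain") if d.text]
            findings.append(("high", "domain-config permits cleartext traffic to: " + " ".join(domains)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, cleartext_findings(cfg) or "no cleartext sections")
```

Two points worth knowing when applying the hardened file: on Android 7.0 and later a configured android:networkSecurityConfig takes precedence over the android:usesCleartextTraffic manifest flag, so the flag alone does not fix the finding; and the debug-overrides element only accepts trust anchors, so development hosts that need plain HTTP belong in a debug build-variant copy of the file, never in the release resource.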
High: Activity (com.gowtham.library.ui.ActVideoTrimmer) launch mode is not standard.
High: Activity (com.google.firebase.auth.internal.GenericIdpActivity) launch mode is not standard.
High: Activity (com.google.firebase.auth.internal.RecaptchaActivity) launch mode is not standard.
An Activity should not set its launch mode to "singleTask" or "singleInstance": that makes it a root Activity, and other applications may then be able to read the contents of the Intent that started it. Use the "standard" launch mode whenever the Intent carries sensitive information. All three activities here are declared by third-party libraries (the video trimmer library and firebase-auth) rather than in the app's own manifest; the two firebase-auth activities exist to receive the browser redirect at the end of a sign-in flow, which is why they are launched this way. The practical check for the app team is therefore that no sensitive data (tokens, PINs, account details) is placed in the Intents used to start these activities.
Medium: The app has clear-text network traffic enabled
[android:usesCleartextTraffic=true] The app intends to use clear-text network traffic, such as plain HTTP, FTP, DownloadManager and MediaPlayer. The default is "true" for apps targeting API level 27 or lower and "false" for apps targeting API level 28 or higher. The main reason to avoid clear-text traffic is the lack of confidentiality, authenticity and tamper protection: a network attacker can eavesdrop on the transmitted data and modify it without being detected.
Medium: Application data can be backed up
[android:allowBackup=true] This flag lets anyone with USB debugging enabled on the device copy the app's data out with adb backup. Set android:allowBackup="false", or define backup rules that exclude the database and credential files. Note that on Android 12 and later adb backup excludes app data for apps that target API 31 or higher, so the exposure is mainly on older targets and devices.
Medium: Service (com.amabing.amapay.service.google.firebase.FCMService) is not protected.
[android:exported=true] The Service is shared with other apps on the device, so any app on the device can start or bind to it. This is the app's FirebaseMessagingService subclass; Firebase's reference manifest declares that service with android:exported="false" and relies on the MESSAGING_EVENT intent filter for delivery, so exporting it gains nothing and lets other apps feed it crafted messages.
Medium: Service (com.amabing.amapay.service.story.StoryUploadService) is not protected.
[android:exported=true] The Service is shared with other apps on the device, so any app on the device can start it. An app-private upload service should be android:exported="false", or be protected by a signature-level permission the app itself defines, so that a malicious app cannot trigger uploads.
Medium: Activity (com.gowtham.library.ui.ActVideoTrimmer) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, so any app on the device can launch it with a crafted Intent. It is declared by the video trimmer library; if no other app needs to start it, override the attribute in the app manifest (android:exported="false" together with tools:replace="android:exported").
Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other apps on the device. It is protected by a permission the analysed app does not define, so the protection level must be checked where the permission is defined. If it is normal or dangerous, a malicious app can request and obtain the permission and interact with the component; if it is signature, only apps signed with the same certificate can obtain it. BIND_JOB_SERVICE is a platform permission with signature protection level that only the system's JobScheduler holds, so this standard WorkManager declaration is not reachable from third-party apps.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] Same situation: the permission is not defined by the app. android.permission.DUMP is a platform permission (signature|privileged|development) that ordinary third-party apps cannot obtain, so this WorkManager diagnostics receiver can only be triggered from a shell or system context.
Medium: Activity (com.google.firebase.auth.internal.GenericIdpActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, so any app on the device can launch it. It is declared by the firebase-auth library and has to be exported to receive the identity-provider redirect at the end of a sign-in flow; the review point is that the app does not pass sensitive extras to it.
Medium: Activity (com.google.firebase.auth.internal.RecaptchaActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, so any app on the device can launch it. Like GenericIdpActivity it comes from firebase-auth and is exported by design to receive the reCAPTCHA verification redirect.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other apps on the device and is protected by a permission the analysed app does not define, so the protection level must be checked where it is defined. com.google.android.c2dm.permission.SEND is defined by Google Play services, which delivers FCM messages through this receiver; this is the declaration the Firebase Messaging library ships and should be left as is.
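The manifest checks behind the launch-mode, clear-text, backup and exported-component findings above, as an added example that is not code from the app or from MobSF. The manifest it parses is constructed: the component names are the ones this report lists, while the intent filter, the app-defined signature permission and the StoryUploadService declaration (shown protected, as the intended fix) are assumptions for the example.

```python
"""Flag the manifest settings behind the launch-mode and exported-component findings.

Added example for this report, not code from the app or from MobSF. The
manifest below is constructed: the component names are the ones the report
lists; the intent filter, the app-defined permission and the protected
StoryUploadService declaration are assumed.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")
ROOT_LAUNCH_MODES = ("singleTask", "singleInstance")

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.amabing.amapay">
  <permission android:name="com.amabing.amapay.permission.INTERNAL"
      android:protectionLevel="signature" />
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name="com.gowtham.library.ui.ActVideoTrimmer"
        android:exported="true" android:launchMode="singleTask" />
    <activity android:name="com.amabing.amapay.MainActivity" android:exported="false" />
    <service android:name="com.amabing.amapay.service.google.firebase.FCMService"
        android:exported="true">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT" /></intent-filter>
    </service>
    <service android:name="com.amabing.amapay.service.story.StoryUploadService"
        android:exported="true" android:permission="com.amabing.amapay.permission.INTERNAL" />
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:exported="true" android:permission="android.permission.BIND_JOB_SERVICE" />
    <receiver android:name="androidx.work.impl.diagnostics.DiagnosticsReceiver"
        android:exported="true" android:permission="android.permission.DUMP" />
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true" android:permission="com.google.android.c2dm.permission.SEND" />
  </application>
</manifest>
"""


def is_exported(component: ET.Element) -> bool:
    """Platform rule: an explicit android:exported wins; otherwise a component
    is exported exactly when it declares at least one intent-filter."""
    explicit = component.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None


def manifest_findings(xml_text: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs in the order the manifest declares things."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # Permissions this manifest defines itself, with their protection levels.
    own_perms = {
        p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
        for p in root.findall("permission")
    }
    findings: list[tuple[str, str]] = []
    if app.get(ANDROID + "usesCleartextTraffic", "").lower() == "true":
        findings.append(("medium", "application permits cleartext network traffic"))
    # allowBackup defaults to true when absent, so only an explicit false clears it.
    if app.get(ANDROID + "allowBackup", "true").lower() == "true":
        findings.append(("medium", "application data can be backed up over adb (allowBackup)"))
    for tag in COMPONENTS:
        for comp in app.findall(tag):
            name = comp.get(ANDROID + "name")
            if tag == "activity" and comp.get(ANDROID + "launchMode") in ROOT_LAUNCH_MODES:
                findings.append(("high", f"activity {name}: launch mode is not standard"))
            if not is_exported(comp):
                continue
            perm = comp.get(ANDROID + "permission")
            if perm is None:
                findings.append(("medium", f"{tag} {name} is exported and not protected"))
            elif perm in own_perms:
                if "signature" not in own_perms[perm]:
                    findings.append(("medium", f"{tag} {name}: {perm} is {own_perms[perm]}, not signature"))
            else:
                findings.append(("medium", f"{tag} {name}: protected by {perm}, which this manifest does not define; check its protection level"))
    return findings


if __name__ == "__main__":
    for severity, message in manifest_findings(MANIFEST):
        print(f"{severity:6} {message}")
```

The constructed manifest reproduces eight of the report's findings and shows the one that goes away: StoryUploadService is exported but guarded by a signature-level permission the app defines, so the checker stays silent on it. Components whose permission the app does not define (the three androidx and Firebase ones) are reported exactly as MobSF reports them, because the protection level has to be looked up in the defining package.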
Medium: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database. The flagged lines are the rawQuery/execSQL call sites in the data-source classes; every one that builds its SQL text from a runtime value (a phone number, a contact name, a transaction id) should pass that value through selectionArgs instead. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/amabing/amapay/datasource/CachedContactDataSource.java, line(s) 6,152,153,162,163,173,174,186,187,199,200,210,211,270,271 com/amabing/amapay/datasource/ContactDataSource.java, line(s) 6,174,175,184,185,194,195,205,206,218,219,231,232,244,245,255,256,297,298,321,322,337 com/amabing/amapay/datasource/ContactMetaDataSource.java, line(s) 6,96,109 com/amabing/amapay/datasource/DataSourceAbstract.java, line(s) 4,113,120 com/amabing/amapay/datasource/MessageDataSource.java, line(s) 6,105,131,132 com/amabing/amapay/datasource/MessageDownloadedFileDataSource.java, line(s) 6,76,98 com/amabing/amapay/datasource/MessageFileDataSource.java, line(s) 6,97 com/amabing/amapay/datasource/MessageMetaDataSource.java, line(s) 6,100,115 com/amabing/amapay/datasource/MessageTransactionDataSource.java, line(s) 6,84,96 com/amabing/amapay/datasource/NoContactDataSource.java, line(s) 6,71,81,82,89,90,116,117,190,191 com/amabing/amapay/datasource/ToBeSendTransactionDataSource.java, line(s) 6,153,165,199,200,214,215 com/amabing/amapay/datasource/TransactionDataSource.java, line(s) 6,140,141,154,155,175,176,186,187,195,196 com/amabing/amapay/datasource/TransactionMetaDataSource.java, line(s) 6,94,109 com/amabing/amapay/datasource/TransactionTypeDataSource.java, line(s) 6,84,96 com/amabing/amapay/datasource/UserCurrencyDataSource.java, line(s) 6,109,110 com/amabing/amapay/datasource/UserDataSource.java, line(s) 6,92,93,101,102,110,111,119,120,132,133,142,143,153,154,166,167,179,180,190,191 com/amabing/amapay/datasource/UserHistoryMetaDataSource.java, line(s) 6,99,114 com/amabing/amapay/datasource/UserMetaDataSource.java, line(s) 6,102,115 com/amabing/amapay/datasource/UserSubscriberDataSource.java, line(s) 6,88 com/amabing/amapay/datasource/story/StoryCommentDataSource.java, line(s)
6,100 com/amabing/amapay/datasource/story/StoryDataSource.java, line(s) 6,156,165,174,186,198,208,218,227,236,287,288,307,308,334,362,398,399,433,434,471,472,511,512,549,550,586,587,675,711,712 com/amabing/amapay/datasource/story/StoryLoveDataSource.java, line(s) 6,86 com/amabing/amapay/datasource/story/StoryMetaDataSource.java, line(s) 6,110,125 com/amabing/amapay/datasource/story/StorySaveDataSource.java, line(s) 6,89 com/amabing/amapay/datasource/story/StoryViewerDataSource.java, line(s) 6,89 com/downloader/database/AppDbHelper.java, line(s) 6,26 com/downloader/database/DatabaseOpenHelper.java, line(s) 4,5,21
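The injection this finding describes and its fix, as an added example that is not the app's code. Python's sqlite3 module is used so it runs stand-alone; the two query shapes correspond on Android to `db.rawQuery("... WHERE phone = '" + phone + "'", null)` (vulnerable) and `db.rawQuery("... WHERE phone = ?", new String[] {phone})` (safe). The tables, rows, column names and attacker inputs are all constructed for the example.

```python
"""Raw-SQL injection against SQLite, and the parameterized fix.

Added example for this report, not the app's code. The tables, rows,
column names and attacker inputs below are constructed.
"""
from __future__ import annotations
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the app's contact and user tables (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, balance INTEGER)")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, pin_hash TEXT)")
    conn.executemany("INSERT INTO contact (name, phone, balance) VALUES (?, ?, ?)", [
        ("alice", "+22100000001", 1500),
        ("bob", "+22100000002", 40),
        ("carol", "+22100000003", 9000),
    ])
    conn.execute("INSERT INTO user (login, pin_hash) VALUES (?, ?)", ("owner", "<placeholder-hash>"))
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, phone: str) -> list[tuple]:
    """The value is spliced into the SQL text, so a quote in it becomes syntax."""
    sql = "SELECT name, phone, balance FROM contact WHERE phone = '" + phone + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, phone: str) -> list[tuple]:
    """The value is bound to a placeholder; it is only ever compared as data."""
    sql = "SELECT name, phone, balance FROM contact WHERE phone = ?"
    return conn.execute(sql, (phone,)).fetchall()


# Constructed attacker inputs. sqlite3's execute(), like Android's rawQuery()
# and execSQL(), runs one statement per call, so stacked "'; DROP TABLE ..."
# payloads fail to parse; what works is rewriting the WHERE clause to return
# every row, or appending a UNION that reads a different table.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT login, pin_hash, 0 FROM user --"


def demo() -> dict[str, int]:
    """Row counts for each input against both lookups."""
    conn = build_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "+22100000002")),
        "tautology_vulnerable": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "union_vulnerable": len(lookup_vulnerable(conn, UNION_DUMP)),
        "tautology_safe": len(lookup_safe(conn, TAUTOLOGY)),
        "union_safe": len(lookup_safe(conn, UNION_DUMP)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:22} {count} row(s)")
```

The tautology returns the whole contact table and the UNION payload returns the user row (including the PIN hash column) from a query that was only supposed to touch contacts; both payloads return nothing against the parameterized lookup, because the driver never lets a bound value alter the statement. Encrypting the database (the second half of the finding) is a separate control: it protects data at rest from someone who copies the file, not from a query the app itself builds wrongly.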
Medium: Files may contain hardcoded sensitive information such as usernames, passwords or keys
Files may contain hardcoded sensitive information such as usernames, passwords or keys. Each flagged line should be read in context: a constant in a *MetaDataSource class is usually a table or column name, while BaseRouter, UserUtil and ConsentFragment are the places where an API endpoint, a token or a credential would plausibly be embedded. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/amabing/amapay/datasource/ContactMetaDataSource.java, line(s) 17 com/amabing/amapay/datasource/MessageMetaDataSource.java, line(s) 18,21,16 com/amabing/amapay/datasource/TransactionMetaDataSource.java, line(s) 15,19 com/amabing/amapay/datasource/UserHistoryMetaDataSource.java, line(s) 15 com/amabing/amapay/datasource/UserMetaDataSource.java, line(s) 19 com/amabing/amapay/datasource/story/StoryMetaDataSource.java, line(s) 17 com/amabing/amapay/fragment/authentication/ConsentFragment.java, line(s) 24 com/amabing/amapay/router/BaseRouter.java, line(s) 13 com/amabing/amapay/utils/UserUtil.java, line(s) 57
Medium: The app can read from and write to external storage; data written to external storage can be read by any app
The app can read from and write to external storage; data written to external storage can be read by any app. Since Android 10 (API 29) scoped storage stops apps from reading each other's app-specific external directories, but files placed in shared locations such as Downloads or the media collections remain readable by other apps, and on older devices everything on external storage is world-readable. Files that contain user data (the media handled by the trimmer, crop and contact-transaction code listed here) should be written to getFilesDir() or getCacheDir() unless they are meant to be shared. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/amabing/amapay/ContactTransactionActivity.java, line(s) 3234 com/amabing/amapay/utils/UriUtils.java, line(s) 58,167 com/gowtham/library/ui/VideoTrimmerFragment.java, line(s) 901 com/gowtham/library/utils/FileUtils.java, line(s) 49,143 com/yalantis/ucrop/util/FileUtils.java, line(s) 50
Medium: MD5 is a weak hash with known collisions
MD5 is a weak hash with known collisions. The flagged file belongs to the bundled PRDownloader library (package com.downloader), not to the app's own code; confirm at line 86 what the digest is used for. If it only derives a cache file name from a download URL, collision resistance is not a security property there and the finding is low impact; if it is used for integrity checking or anything authentication-related, replace it with SHA-256. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/downloader/utils/Utils.java, line(s) 86
Medium: The app contains privacy trackers
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium: This app may contain hardcoded secrets
The following secrets were identified in the application; make sure none of them is private information:
- AdMob application ID: "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-1110190387583533~9376682592"
- "google_api_key" : "AIzaSyDkHKfBZixUZJ9R3EuGg62hADQjI7LxUHY"
- "google_app_id" : "1:274485946878:android:471cd963dc75667a0578af"
- "google_crash_reporting_api_key" : "AIzaSyDkHKfBZixUZJ9R3EuGg62hADQjI7LxUHY"
- "word_pass" : "Passer"
- 0467BE26847E2BE188973CB3FD09F4E0
- F3B63DF62CF45836D5D1256145234B31
- MzY4ZWVkNmViN2UzM2YzNDc2M2ZmODA3ODQ5NzE3OWFkZWI2Zjc4MjJlNjUyODA0NDViMzUyOWYyZDVhMGNjZA
The Google and AdMob entries are the client identifiers that google-services.json places in every Android build; they cannot be hidden, so the control is to restrict the API key to this package name and signing certificate in the Google Cloud console and to check that it is not enabled for server-side APIs. The remaining entries need manual review: "word_pass" looks like a real credential, the two 32-character hex strings are MD5-sized, and the last value is base64 that decodes to a 64-character hex string, the size of a SHA-256 digest.
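A triage pass over hardcoded strings of the kinds listed above, as an added example that is not code from the app or from MobSF. It separates Google client identifiers (which must be restricted server-side, not hidden) from password-like entries and opaque high-entropy blobs, and decodes base64 values to see whether they wrap a hex digest. The resource snippet it scans is constructed: the values are the ones this report prints, but the resource names SOME_CONSTANT and opaque_value are assumed, as the report does not say where the bare hex and base64 strings came from.

```python
"""Triage hardcoded strings of the kinds a MobSF secrets finding lists.

Added example for this report, not code from the app or from MobSF. The
input is a constructed strings.xml fragment plus one Java constant; the
values come from the report, the names SOME_CONSTANT and opaque_value are
assumed.
"""
from __future__ import annotations
import base64
import binascii
import math
import re

SAMPLE = '''
<string name="google_api_key">AIzaSyDkHKfBZixUZJ9R3EuGg62hADQjI7LxUHY</string>
<string name="google_crash_reporting_api_key">AIzaSyDkHKfBZixUZJ9R3EuGg62hADQjI7LxUHY</string>
<string name="google_app_id">1:274485946878:android:471cd963dc75667a0578af</string>
<string name="com.google.android.gms.ads.APPLICATION_ID">ca-app-pub-1110190387583533~9376682592</string>
<string name="word_pass">Passer</string>
<string name="app_name">Amapay</string>
<string name="opaque_value">MzY4ZWVkNmViN2UzM2YzNDc2M2ZmODA3ODQ5NzE3OWFkZWI2Zjc4MjJlNjUyODA0NDViMzUyOWYyZDVhMGNjZA</string>
private static final String SOME_CONSTANT = "0467BE26847E2BE188973CB3FD09F4E0";
'''

# Client identifiers Google ships in every build: public by design, restrict rather than hide.
IDENTIFIER_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "firebase_app_id": re.compile(r"1:\d{9,}:android:[0-9a-f]{16,}"),
    "admob_app_id": re.compile(r"ca-app-pub-\d{16}~\d{10}"),
}
CREDENTIAL_KEY = re.compile(r"pass(word)?|pwd|secret|token|private[_-]?key", re.I)
ENTRY = re.compile(r'<string name="([^"]+)">([^<]*)</string>|String\s+(\w+)\s*=\s*"([^"]*)"')


def shannon_entropy(s: str) -> float:
    """Bits per character; random hex is about 3.7-4.0, English words 2-3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def decoded_hex_length(value: str) -> int | None:
    """If value is base64 of an ASCII hex string, return that hex string's length."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return len(text) if re.fullmatch(r"[0-9a-fA-F]+", text) else None


def triage(text: str) -> list[tuple[str, str, str]]:
    """Return (category, key, note) for every entry worth a reviewer's attention."""
    out: list[tuple[str, str, str]] = []
    for m in ENTRY.finditer(text):
        key = m.group(1) if m.group(1) else m.group(3)
        value = (m.group(2) if m.group(1) else m.group(4)) or ""
        kind = next((k for k, p in IDENTIFIER_PATTERNS.items() if p.fullmatch(value)), None)
        if kind:
            out.append(("identifier", key, f"{kind}: not a secret, restrict it in the cloud console"))
        elif CREDENTIAL_KEY.search(key):
            out.append(("credential", key, "password-like name: verify it is not a live credential"))
        elif re.fullmatch(r"[0-9A-Fa-f]{32,}", value):
            out.append(("blob", key, f"{len(value)}-char hex, entropy {shannon_entropy(value):.2f} bits/char"))
        elif (n := decoded_hex_length(value)) and n >= 32:
            out.append(("blob", key, f"base64 wrapping {n} hex chars (digest-sized)"))
        elif len(value) >= 20 and shannon_entropy(value) > 4.0:
            out.append(("blob", key, f"high entropy ({shannon_entropy(value):.2f} bits/char)"))
    return out


if __name__ == "__main__":
    for category, key, note in triage(SAMPLE):
        print(f"{category:10} {key:45} {note}")
```

The point of the three categories is that they lead to three different actions: identifiers get API restrictions in the Google Cloud console, credential-named strings get rotated and moved out of the APK, and digest-sized blobs get traced to their use (a pinned certificate fingerprint is fine to ship; a hashed password or an HMAC key is not).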
Info: The app writes log messages; sensitive information must never be logged
The app writes log messages; sensitive information must never be logged. Since Android 4.1 other apps cannot read this app's logcat output, but everything logged is still captured by adb logcat and by bug reports. Given that OtpFragment, NewPinOtpFragment, PinRequestUtil, MyStringRequest and the transaction classes appear in this list, check in particular that one-time codes, PINs, request bodies and transaction details are not among the logged values, and strip Log calls from release builds. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/amabing/amapay/ContactActivity.java, line(s) 598 com/amabing/amapay/ContactTransactionActivity$sendAudioMessage$uploadDelegate$1.java, line(s) 52,58 com/amabing/amapay/ContactTransactionActivity$sendImageMessage$uploadDelegate$1.java, line(s) 61 com/amabing/amapay/ContactTransactionActivity$sendMoney$onResultListener$1.java, line(s) 69 com/amabing/amapay/ContactTransactionActivity.java, line(s) 547,585,1108,1170,1181,1207,1943,2358,2987,3008,3239,3246,4107,4343,4493,4666,4719,4793,5122,3257 com/amabing/amapay/MainActivity.java, line(s) 185,199,520,1203,1207,1224 com/amabing/amapay/QrScanActivity.java, line(s) 486,768,773,862,776,723,726,729,732,735,738,741,744,747,754,757,760,763 com/amabing/amapay/adapter/recycler/contact/GlobalContactAdapter.java, line(s) 489 com/amabing/amapay/adapter/recycler/mainHome/ContactsAdapter.java, line(s) 438 com/amabing/amapay/adapter/recycler/story/StoryAdapter.java, line(s) 324 com/amabing/amapay/adapter/recycler/transaction/TransactionHistoryRecyclerAdapter.java, line(s) 460,1013,1747 com/amabing/amapay/broadcast/FirebaseBroadcastReceiver.java, line(s) 67,82,101,120,141 com/amabing/amapay/broadcast/MyBroadcastReceiver.java, line(s) 100 com/amabing/amapay/camera/CameraSource.java, line(s) 234,705,733,251,610,536,544,272,832 com/amabing/amapay/datasource/Transaction.java, line(s) 254 com/amabing/amapay/dialog/ContactDisplayDialog.java, line(s) 438 com/amabing/amapay/dialog/ContactPickerDialog$loadOnlineContact$1.java, line(s) 32 com/amabing/amapay/dialog/ContactPickerDialog.java, line(s) 491 com/amabing/amapay/dialog/ProfileDialogFragment.java, line(s) 786,1055 com/amabing/amapay/dialog/StoryAddDialogFragment$displayTargetedImage$1.java, line(s) 66 com/amabing/amapay/dialog/StoryAddDialogFragment.java, line(s) 462 com/amabing/amapay/dialog/StoryDialogFragment.java, line(s) 179,435,2038,2432
com/amabing/amapay/dialog/StoryRecreateDialogFragment.java, line(s) 1090 com/amabing/amapay/dialog/StoryUserDialogFragment.java, line(s) 137,388,1541,1944,2086 com/amabing/amapay/dialog/UserFavoriteStoryListDialogFragment.java, line(s) 540 com/amabing/amapay/dialog/UserStoryListDialogFragment.java, line(s) 361 com/amabing/amapay/fragment/authentication/AccountCompleteFragment.java, line(s) 526,535,597 com/amabing/amapay/fragment/authentication/OtpFragment.java, line(s) 567,593,661,718,900,634 com/amabing/amapay/fragment/authentication/ProfileEditFragment.java, line(s) 592,601,663 com/amabing/amapay/fragment/contact/SearchFragment$loadOnlineContact$1.java, line(s) 37 com/amabing/amapay/fragment/contact/SearchFragment.java, line(s) 407,577,682 com/amabing/amapay/fragment/history/HistoryFragment.java, line(s) 151 com/amabing/amapay/fragment/main/BalanceFragment.java, line(s) 59 com/amabing/amapay/fragment/main/MainFragment.java, line(s) 467,480,1109,1224 com/amabing/amapay/fragment/main/MultiCurrencyBalanceFragment.java, line(s) 104 com/amabing/amapay/fragment/newPin/NewPinOtpFragment.java, line(s) 633,690,609 com/amabing/amapay/fragment/story/StoryVideoFragment$initializePlayer$3.java, line(s) 270 com/amabing/amapay/fragment/story/StoryVideoFragment.java, line(s) 230,254,543,874,1227,1424,1929,2066,2070,3873,5727,5828,5942,6043,6111,6319 com/amabing/amapay/fragment/userStory/StoryDisplayFragment.java, line(s) 371,1910,2392 com/amabing/amapay/fragment/verification/user/SecondStepIdFragment.java, line(s) 325,334 com/amabing/amapay/fragment/verification/user/SecondStepPassportFragment.java, line(s) 324,333 com/amabing/amapay/helper/MySQLiteHelper.java, line(s) 74 com/amabing/amapay/router/MyStringRequest.java, line(s) 73,137,139 com/amabing/amapay/service/ContactScanService.java, line(s) 90,149,183,242,276,331,210,212,303,305 com/amabing/amapay/service/TransactionLoadService.java, line(s) 130,193,195 com/amabing/amapay/service/google/firebase/FCMService.java, line(s) 
18,34,42,101,104 com/amabing/amapay/service/story/StoryUploadService$uploadStoryMediaVideo$1.java, line(s) 45,75 com/amabing/amapay/service/story/StoryUploadService.java, line(s) 103,112,204,218 com/amabing/amapay/setting/SettingsActivity.java, line(s) 282,292,319 com/amabing/amapay/utils/BroadcastUtils.java, line(s) 19 com/amabing/amapay/utils/FileUtil.java, line(s) 76,83 com/amabing/amapay/utils/FileUtils.java, line(s) 50,65 com/amabing/amapay/utils/MessageUtils.java, line(s) 134 com/amabing/amapay/utils/PinRequestUtil.java, line(s) 199,209 com/amabing/amapay/utils/TelephonyUtils.java, line(s) 135 com/amabing/amapay/utils/UriUtils.java, line(s) 202,205,206,210,238,241,242,246 com/amabing/amapay/utils/UserUtil.java, line(s) 141 com/amabing/amapay/view/CircularStatusView.java, line(s) 187 com/amabing/amapay/viewManager/ReadMoreSpan.java, line(s) 41 com/amabing/amapay/viewManager/ReadMoreTextView.java, line(s) 101 com/arthenica/mobileffmpeg/CameraSupport.java, line(s) 34,41 com/arthenica/mobileffmpeg/Config.java, line(s) 108,210,214,244,246,99,123,188,251,296,115,112,126,118 com/arthenica/mobileffmpeg/FFprobe.java, line(s) 35 com/arthenica/mobileffmpeg/MediaInformationParser.java, line(s) 14 com/binspot/binspothttp/request/AbstractHttpRequest.java, line(s) 338,348 com/gowtham/library/ui/seekbar/widgets/CrystalRangeSeekbar.java, line(s) 750 com/gowtham/library/ui/seekbar/widgets/CrystalSeekbar.java, line(s) 648 com/gowtham/library/utils/FileUtils.java, line(s) 176,179,180,182,218 com/gowtham/library/utils/LogMessage.java, line(s) 13,9 com/yalantis/ucrop/UCropActivity.java, line(s) 186 com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 166 com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 123,152,197,84,87,129,138,145 com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 103,51,82 com/yalantis/ucrop/util/EglUtils.java, line(s) 23 com/yalantis/ucrop/util/FileUtils.java, line(s) 58 com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 
54,61,72,80,112,122,134,148,162,168,172,177,183,187,290,53,60,71,79,111,121,133,147,161,167,171,176,182,186 com/yalantis/ucrop/view/TransformImageView.java, line(s) 338,355,152,106 me/jagar/chatvoiceplayerlibrary/FileUtils.java, line(s) 33,43,53,63,73,110,146,114,122,132 me/jagar/chatvoiceplayerlibrary/VoicePlayerPreview.java, line(s) 457 me/jagar/chatvoiceplayerlibrary/VoicePlayerView.java, line(s) 489 net/gotev/uploadservice/DefaultLoggerDelegate.java, line(s) 20,10,15,25
Info: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other apps can access it
This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other apps can access it. Since Android 10 only the foreground app and the default input method can read the clipboard, which narrows the exposure without removing it; on Android 13 and later, clips that carry account numbers or codes should be marked with ClipDescription.EXTRA_IS_SENSITIVE so their content is not shown in the system clipboard preview. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/amabing/amapay/ContactTransactionActivity.java, line(s) 8,1780,1782
Secure: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/274485946878/namespaces/firebase:fetch?key=AIzaSyDkHKfBZixUZJ9R3EuGg62hADQjI7LxUHY ) is disabled. The response is shown below: { "state": "NO_TEMPLATE" }