安全分析报告:
安全分数
安全分数 47/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
4
用户/设备跟踪器
调研结果
高危
4
中危
15
信息
2
安全
2
关注
0
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: a/w/s.java, line(s) 1328 d/f/a/a/m/a.java, line(s) 24,36
高危 该文件是World Writable。任何应用程序都可以写入文件
该文件是World Writable。任何应用程序都可以写入文件 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: d/f/a/a/u/k.java, line(s) 34,56,185,216
高危 已启用远程WebView调试
已启用远程WebView调试 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/gh/prokash/activity/WebActivity.java, line(s) 93,7
高危 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/gh/prokash/activity/PermissionsActivity.java, line(s) 80,10
中危 应用程序已启用明文网络流量
[android:usesCleartextTraffic=true] 应用程序打算使用明文网络流量,例如明文HTTP,FTP协议,DownloadManager和MediaPlayer。针对API级别27或更低的应用程序,默认值为“true”。针对API级别28或更高的应用程序,默认值为“false”。避免使用明文流量的主要原因是缺乏机密性,真实性和防篡改保护;网络攻击者可以窃听传输的数据,并且可以在不被检测到的情况下修改它。
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Activity (com.facebook.CustomTabActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (com.appsflyer.SingleInstallBroadcastReceiver) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Activity (com.gh.prokash.activity.SSOActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/gh/prokash/base/MainApplication.java, line(s) 32 com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 14 com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 26 d/d/w/s0/c/c.java, line(s) 10 d/f/a/a/d/c.java, line(s) 5 d/f/a/a/f/f.java, line(s) 17 d/f/a/a/g/e.java, line(s) 11 d/f/a/a/l/d.java, line(s) 7 d/f/a/a/l/t.java, line(s) 6 d/f/a/a/n/l.java, line(s) 12 d/f/a/a/n/t.java, line(s) 4 d/f/a/a/o/c.java, line(s) 20 d/f/a/a/o/f/a$b/b.java, line(s) 14 d/f/a/a/r/a.java, line(s) 6 d/f/a/a/u/o.java, line(s) 29 d/h/a/a/k/a.java, line(s) 7 h/j/a.java, line(s) 8 h/j/b.java, line(s) 4 h/j/c/a.java, line(s) 5
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: a/b/e/i/g.java, line(s) 31,33 com/gh/prokash/framework/response/ConfigResponse.java, line(s) 44 d/a/a/a.java, line(s) 51
中危 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: a/w/s.java, line(s) 467,927,952 com/appsflyer/internal/ag.java, line(s) 29
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: a/w/s.java, line(s) 837 d/f/a/a/f/f.java, line(s) 73 d/f/a/a/o/h.java, line(s) 34 d/f/a/a/u/o.java, line(s) 428
中危 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/gh/prokash/activity/WebActivity.java, line(s) 84,88 d/f/a/a/n/u.java, line(s) 11,10
中危 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/gh/prokash/activity/WebActivity.java, line(s) 96,88
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: a/r/c.java, line(s) 99 com/gh/prokash/activity/FaceActivity.java, line(s) 93 com/gh/prokash/activity/GHUploadCertificateActivity.java, line(s) 182 com/gh/prokash/activity/GHUploadCertificateActivitycp.java, line(s) 222 com/gh/prokash/activity/RectCameraActivity.java, line(s) 156
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: a/w/s.java, line(s) 936,936,936 d/e/a/i/j/a.java, line(s) 38,42 d/f/a/a/g/d.java, line(s) 77,78
中危 应用程序包含隐私跟踪程序
此应用程序有多个4隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "tingyun_key" : "e01ffb87489b46af8a93f5648097d3c8" "facebook_app_id" : "1398497680558400" "facebook_client_token" : "80813347cdf68cc11950070931daa450" df6b721c8b4d3b6eb44c861d4415007e5a35fc95 5e8f16062ea3cd2c4a0d547876baa6f38cabf625 8a3c4b262d721acd49a4bf97d5213199c86fa2b9 2438bce1ddb7bd026d5ff89f598b3b5e5bb824b3 cc2751449a350f668590264ed76692694a80308a a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901 FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212 E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1 3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F 9b8f518b086098de3d77736f9458a3d2f6f95a37 da9beed4-6a78-47e7-b9d0-1b4eec47565c
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a/b/a/l.java, line(s) 168 a/b/a/o.java, line(s) 37 a/b/e/f.java, line(s) 142,176,188,198,360 a/b/f/a0.java, line(s) 87,110,210,224 a/b/f/b0.java, line(s) 34 a/b/f/f.java, line(s) 168 a/b/f/i0.java, line(s) 337,377 a/b/f/j0.java, line(s) 102,170 a/b/f/m0.java, line(s) 22,32,50,52,54 a/b/f/n.java, line(s) 102,111,197,226 a/b/f/q.java, line(s) 117 a/b/f/w.java, line(s) 54,69,94,314 a/g/a/a/c.java, line(s) 112 a/g/a/b/c.java, line(s) 150 a/g/a/b/e.java, line(s) 284,96,143 a/g/a/b/f.java, line(s) 126,128 a/g/a/b/g.java, line(s) 32,59 a/g/a/b/h.java, line(s) 126,131 a/g/a/b/j.java, line(s) 146 a/g/a/b/k.java, line(s) 137 a/g/a/b/l.java, line(s) 186,190,194 a/g/a/b/m.java, line(s) 352,1541,2664 a/g/a/b/p.java, line(s) 275,306,427,546,579,187,204 a/g/a/b/q.java, line(s) 129,131 a/g/a/b/r.java, line(s) 171,173,337 a/g/b/d.java, line(s) 242 a/g/c/a.java, line(s) 219,112,194 a/g/c/b.java, line(s) 671,1642,1045,1134,690,700,1072,1687,1694 a/g/c/d.java, line(s) 92,171 a/i/a/d.java, line(s) 32 a/i/b/b/h.java, line(s) 44 a/i/c/c.java, line(s) 43,48 a/i/c/d.java, line(s) 35 a/i/c/e.java, line(s) 60 a/i/c/f.java, line(s) 46 a/i/c/g.java, line(s) 61,234 a/i/e/a.java, line(s) 22 a/i/h/a.java, line(s) 24 a/i/i/b.java, line(s) 56 a/i/i/g.java, line(s) 166,184,207 a/i/i/p.java, line(s) 263,283,83,175 a/i/i/t.java, line(s) 20,31 a/i/i/y.java, line(s) 356,366,377,386 a/k/a/e.java, line(s) 367 a/l/a/h.java, line(s) 2281,2282,2290,2298 a/p/a/a.java, line(s) 163,168,175,179,195,205 a/q/d.java, line(s) 42,77 a/q/h.java, line(s) 48,54 a/q/j.java, line(s) 38 a/q/k.java, line(s) 35,69 a/q/l.java, line(s) 29 a/q/m.java, line(s) 42 a/q/o.java, line(s) 33 a/q/p.java, line(s) 35 a/q/w.java, line(s) 47 a/r/a.java, line(s) 112,233,247,45,64,78,82,92,70,86,96,108,118,138,155,195 a/r/c.java, line(s) 56,67,69,102,118,190,237,241,257,279,93,230,245,267,283,298 a/w/t.java, line(s) 71,93,117 a/w/u.java, line(s) 26 a/w/v.java, line(s) 27,50 com/appsflyer/AFLogger.java, line(s) 50,95,133,93,75,57,68 com/gh/prokash/activity/RectCameraActivity.java, line(s) 308 com/networkbench/nbslens/nbsnativecrashlib/NativeHandler.java, line(s) 27,31,36 com/scwang/smartrefresh/header/waveswipe/WaveView.java, line(s) 143 d/c/a/c.java, line(s) 214,227,232,235,244,256,195,213,220,226,231,234,243,250,221,196 d/c/a/g.java, line(s) 114,113 d/c/a/i/a.java, line(s) 276 d/c/a/j/d.java, line(s) 177,204,174,203 d/c/a/j/e.java, line(s) 94,123,130,93,122,129 d/c/a/k/h/b.java, line(s) 56,55 d/c/a/k/h/i.java, line(s) 99,140,96,139,143,149,156,153,159 d/c/a/k/h/k.java, line(s) 57,56 d/c/a/k/h/n/b.java, line(s) 102,101 d/c/a/k/i/a0/e.java, line(s) 50,82,94,104,51,95,83,107 d/c/a/k/i/a0/j.java, line(s) 95,80 d/c/a/k/i/b0/a.java, line(s) 80,79 d/c/a/k/i/h.java, line(s) 159,219,348 d/c/a/k/i/i.java, line(s) 137,138 d/c/a/k/i/k.java, line(s) 159 d/c/a/k/i/y.java, line(s) 81,82 d/c/a/k/i/z/i.java, line(s) 157,194,161,199 d/c/a/k/i/z/j.java, line(s) 60,64,75,186,233,59,63,74,123,134,151,181,198,217,229,127,142,171,203,218 d/c/a/k/j/c.java, line(s) 16,15 d/c/a/k/j/d.java, line(s) 46,45 d/c/a/k/j/f.java, line(s) 103,102 d/c/a/k/j/s.java, line(s) 85,86 d/c/a/k/j/t.java, line(s) 39,38 d/c/a/k/k/b/h.java, line(s) 21,26,22,29 d/c/a/k/k/b/i.java, line(s) 178,182,185,197,200,251,272,282,304,314,317,320,323,326,175,181,184,196,199,250,271,281,299,313,316,319,322,325 d/c/a/k/k/b/k.java, line(s) 50,53,51,54 d/c/a/k/k/b/s.java, line(s) 84,93,100,85,94,101,102,103,107 d/c/a/k/k/f/a.java, line(s) 67,155,162,169,75,158,165,172 d/c/a/k/k/f/d.java, line(s) 16,17 d/c/a/k/k/f/j.java, line(s) 44,45 d/c/a/l/e.java, line(s) 42,39,83,101,84,102 d/c/a/l/k.java, line(s) 63,64 d/c/a/l/l.java, line(s) 161,162,173 d/c/a/l/o.java, line(s) 64,65 d/c/a/o/f.java, line(s) 167,24,390,405 d/c/a/o/g/i.java, line(s) 44,90,91,45 d/c/a/q/i/a.java, line(s) 48,51 d/d/a0/b/d.java, line(s) 531,636,677 d/d/c.java, line(s) 80 d/d/k.java, line(s) 14,22 d/d/r.java, line(s) 211,214,219 d/d/s/b0/a.java, line(s) 60 d/d/s/d.java, line(s) 226 d/d/s/h.java, line(s) 77 d/d/s/t.java, line(s) 64,75 d/d/s/v/i.java, line(s) 91,203,225,240 d/d/s/v/l/c.java, line(s) 73,97 d/d/s/y/a.java, line(s) 145,127 d/d/s/y/f.java, line(s) 64 d/d/w/h.java, line(s) 114 d/d/w/l0.java, line(s) 70 d/d/w/q.java, line(s) 83 d/d/w/r0/c.java, line(s) 31 d/d/w/w.java, line(s) 80 d/d/x/i.java, line(s) 137 d/e/a/a/m1.java, line(s) 80 d/e/a/g/k.java, line(s) 16 d/e/a/h/h/b.java, line(s) 52 d/e/a/h/j/c.java, line(s) 122,188 d/f/a/a/i/c.java, line(s) 49,105,109,59,87,91,53,96,100,45,56,65,78,82,114,118 d/f/a/a/k/d.java, line(s) 30 d/f/a/a/u/h.java, line(s) 41,44,47,50,55,60,63,66,69 d/f/c/b/d.java, line(s) 196,209,213,284,319,357,375,381 d/f/c/b/f.java, line(s) 257,275,64 d/f/c/b/h.java, line(s) 77,163 d/h/a/b/h/c/a.java, line(s) 42,47 k/a/a/f.java, line(s) 58,63 m/a/a/e.java, line(s) 105,102
信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: d/e/a/h/j/c.java, line(s) 4,77
安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: d/f/a/a/n/h.java, line(s) 172,227,612 i/x.java, line(s) 214,213,222,212,212
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: d/f/a/a/g/d.java, line(s) 115,115,115 d/f/c/b/h.java, line(s) 19,19,19,19,19