移动应用安全检测报告:
安全基线评分
安全基线评分 53/100
综合风险等级
风险等级评定
- A
- B
- C
- F
漏洞与安全项分布(%)
隐私风险
4
检测到的第三方跟踪器数量
检测结果分布
高危安全漏洞
1
中危安全漏洞
20
安全提示信息
1
已通过安全项
2
重点安全关注
0
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/startapp/sdk/internal/gj.java, line(s) 439,26 com/unity3d/services/core/webview/WebViewApp.java, line(s) 356,10,58,64,78,107
中危安全漏洞 应用程序数据可以被备份
[android:allowBackup=true] 这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危安全漏洞 Activity (grant.m4a.to.mp3.revenue.AdMobInAppBillingActivity) 未被保护。
[android:exported=true] 发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危安全漏洞 Service (grant.m4a.to.mp3.core.RequestService) 未被保护。
[android:exported=true] 发现 Service与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危安全漏洞 Broadcast Receiver (com.startapp.sdk.adsbase.remoteconfig.BootCompleteListener) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危安全漏洞 Service (androidx.work.impl.background.systemjob.SystemJobService) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] 发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危安全漏洞 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 6 com/unity3d/services/ads/gmascar/utils/ScarConstants.java, line(s) 4,5,6,8,9 com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 7,8 com/unity3d/services/core/device/reader/DeviceInfoReaderFilterProvider.java, line(s) 11,12 com/unity3d/services/core/device/reader/JsonStorageKeyNames.java, line(s) 4,6,7,8,10,11,12,13,9,14,5,15,16,17 com/unity3d/services/core/properties/SdkProperties.java, line(s) 33
中危安全漏洞 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/startapp/sdk/ads/banner/bannerstandard/BannerStandard.java, line(s) 855,551 com/startapp/sdk/internal/hb.java, line(s) 159,152 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 317,301 com/unity3d/services/core/webview/WebView.java, line(s) 179,115
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/obsez/android/lib/filechooser/permissions/PermissionsUtil.java, line(s) 9 com/startapp/sdk/adsbase/cache/a.java, line(s) 29 com/startapp/sdk/internal/el.java, line(s) 7 com/startapp/sdk/internal/gj.java, line(s) 55 com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 10 p1/a.java, line(s) 3 p1/b.java, line(s) 5 p1/c.java, line(s) 3 q1/a.java, line(s) 4
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: com/startapp/sdk/internal/jd.java, line(s) 55
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/startapp/sdk/internal/il.java, line(s) 14
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/obsez/android/lib/filechooser/internals/FileUtil.java, line(s) 145 com/startapp/sdk/internal/i7.java, line(s) 38 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 55 e/a.java, line(s) 693 s0/a.java, line(s) 58 s0/k.java, line(s) 36,38 s0/q.java, line(s) 73,77,102 s0/s.java, line(s) 20,21,22 z0/c.java, line(s) 21,22
中危安全漏洞 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/startapp/sdk/internal/nf.java, line(s) 4,4,4,4,4,4
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/startapp/sdk/internal/ge.java, line(s) 6,46,47,48 com/startapp/sdk/internal/s9.java, line(s) 6,133 d/i.java, line(s) 7,95 r0/a.java, line(s) 4,5,15,16,23,24
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/startapp/sdk/internal/sj.java, line(s) 78
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/unity3d/services/core/webview/WebView.java, line(s) 101,115
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/unity3d/services/core/device/Device.java, line(s) 167
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个4隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 AdMob广告平台的=> "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-7948187445190207~1677218305" "google_api_key" : "AIzaSyDJ6Ciwhz4O90Kdd1-jN2UbSIAGNK8V4PI" "google_app_id" : "1:201877093341:android:54be34a8bbb4d4d1cc1434" "google_crash_reporting_api_key" : "AIzaSyDJ6Ciwhz4O90Kdd1-jN2UbSIAGNK8V4PI" 2F73797374656D2F6C69622F6C69627265666572656E63652D72696C2E736F 3A757365722F72656C656173652D6B657973
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a/a.java, line(s) 237 a/b.java, line(s) 97 a1/c.java, line(s) 21,36,43 com/arthenica/ffmpegkit/AbstractSession.java, line(s) 66,75 com/arthenica/ffmpegkit/CameraSupport.java, line(s) 21,28 com/arthenica/ffmpegkit/FFmpegKitConfig.java, line(s) 503,507,542,546,195,354,362,467,476,552,610,619,120,122,230,241,326 com/arthenica/ffmpegkit/FFmpegSession.java, line(s) 25 com/arthenica/ffmpegkit/MediaInformationJsonParser.java, line(s) 14 com/devbrackets/android/exomedia/core/video/scale/MatrixManager.java, line(s) 181 com/devbrackets/android/exomedia/core/video/surface/BaseSurfaceEnvelope.java, line(s) 140 com/devbrackets/android/exomedia/fallback/FallbackMediaPlayerImpl.java, line(s) 119,372,379 com/devbrackets/android/exomedia/nmp/ExoMediaPlayerImpl.java, line(s) 771 com/devbrackets/android/exomedia/nmp/manager/WakeManager.java, line(s) 58 com/devbrackets/android/exomedia/ui/widget/attr/VideoViewAttributeParser.java, line(s) 38 com/devbrackets/android/exomedia/util/view/UnhandledMediaKeyLogger.java, line(s) 112 com/jmedeisis/draglinearlayout/DragLinearLayout.java, line(s) 411 com/limurse/iap/BillingService.java, line(s) 138,259,238,604,636 com/limurse/iap/Security.java, line(s) 35,53,56,61,65,77 com/startapp/sdk/ads/interstitials/InterstitialAd.java, line(s) 100 com/startapp/sdk/internal/cl.java, line(s) 15 com/startapp/sdk/internal/g.java, line(s) 38 com/startapp/sdk/internal/nc.java, line(s) 31,33,41,46 com/startapp/sdk/internal/xh.java, line(s) 226,214,325 com/startapp/simple/bloomfilter/creation/TokenToBitSet.java, line(s) 25 com/unity3d/ads/UnityAdsBaseOptions.java, line(s) 22 com/unity3d/ads/metadata/MetaData.java, line(s) 34,49 com/unity3d/services/ads/UnityAdsImplementation.java, line(s) 86,147 com/unity3d/services/ads/adunit/AdUnitActivityController.java, line(s) 360,362,53,129,187,220,261,291,311,377,225 com/unity3d/services/ads/adunit/AdUnitViewHandlerFactory.java, line(s) 22 com/unity3d/services/ads/adunit/VideoPlayerHandler.java, line(s) 17,35 com/unity3d/services/ads/api/AdUnit.java, line(s) 204,210,259,262,266,269,477,480,483,486,509,111,133,156,164,342,433,500,513,518,523 com/unity3d/services/ads/api/VideoPlayer.java, line(s) 59,77,100,149,160,178 com/unity3d/services/ads/api/WebPlayer.java, line(s) 52 com/unity3d/services/ads/gmascar/adapters/ScarAdapterFactory.java, line(s) 45 com/unity3d/services/ads/gmascar/bridges/AdapterStatusBridge.java, line(s) 21,39 com/unity3d/services/ads/gmascar/bridges/InitializeListenerBridge.java, line(s) 22,41 com/unity3d/services/ads/gmascar/bridges/mobileads/MobileAdsBridge.java, line(s) 21 com/unity3d/services/ads/gmascar/bridges/mobileads/MobileAdsBridgeLegacy.java, line(s) 23 com/unity3d/services/ads/gmascar/finder/GMAInitializer.java, line(s) 53 com/unity3d/services/ads/gmascar/finder/ScarVersionFinder.java, line(s) 37,49 com/unity3d/services/ads/token/InMemoryAsyncTokenStorage.java, line(s) 147,181 com/unity3d/services/ads/token/NativeTokenGenerator.java, line(s) 35 com/unity3d/services/ads/topics/TopicsReceiver.java, line(s) 43 com/unity3d/services/ads/topics/TopicsService.java, line(s) 55 com/unity3d/services/ads/video/VideoPlayerView.java, line(s) 46,49,73,116,121,143,186,198,230 com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 63,69,294,336,387,402,417,430,638,640,657 com/unity3d/services/banners/BannerView.java, line(s) 123 com/unity3d/services/core/api/Cache.java, line(s) 165,179,55,131,184 com/unity3d/services/core/api/DeviceInfo.java, line(s) 142,160,182,320,345,359,413 com/unity3d/services/core/api/Intent.java, line(s) 48,62,208,232,247 com/unity3d/services/core/api/Request.java, line(s) 33,45,96,108,126,138 com/unity3d/services/core/api/Sdk.java, line(s) 17,38,54,80,86,92,98 com/unity3d/services/core/broadcast/BroadcastEventReceiver.java, line(s) 40 com/unity3d/services/core/cache/CacheDirectory.java, line(s) 25,27,66,70,79,104,108,114,121,30,59,74 com/unity3d/services/core/cache/CacheThread.java, line(s) 76 com/unity3d/services/core/cache/CacheThreadHandler.java, line(s) 37,40,44,67 com/unity3d/services/core/configuration/ConfigurationReader.java, line(s) 25 com/unity3d/services/core/configuration/ConfigurationRequestFactory.java, line(s) 32 com/unity3d/services/core/configuration/EnvironmentCheck.java, line(s) 29,41,32,44,47,50,53 com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 24 com/unity3d/services/core/configuration/ExperimentsReader.java, line(s) 25 com/unity3d/services/core/configuration/InitializationNotificationCenter.java, line(s) 43 com/unity3d/services/core/configuration/InitializeEventsMetricSender.java, line(s) 42,52,60,70,165,172 com/unity3d/services/core/configuration/InitializeThread.java, line(s) 283,319,446,461,505,513,613,625,652,709,128,292,295,326,329,374,394,562,599,713,864,873,199,355,455,539 com/unity3d/services/core/configuration/PrivacyConfigurationLoader.java, line(s) 63 com/unity3d/services/core/connectivity/ConnectivityMonitor.java, line(s) 56,91,100,82,130 com/unity3d/services/core/device/AdvertisingId.java, line(s) 127,145,155 com/unity3d/services/core/device/Device.java, line(s) 169,478,530,539,289 com/unity3d/services/core/device/OpenAdvertisingId.java, line(s) 129,151,158 com/unity3d/services/core/device/Storage.java, line(s) 47,51,58 com/unity3d/services/core/device/reader/DeviceInfoReaderCompressor.java, line(s) 20,33 com/unity3d/services/core/device/reader/DeviceInfoReaderExtended.java, line(s) 45 com/unity3d/services/core/domain/task/InitializeStateConfig$doWork$2.java, line(s) 39 com/unity3d/services/core/domain/task/InitializeStateCreate$doWork$2.java, line(s) 37,46,49 com/unity3d/services/core/domain/task/InitializeStateCreateWithRemote$doWork$2.java, line(s) 37,45,48 com/unity3d/services/core/domain/task/InitializeStateError$doWork$2.java, line(s) 35 com/unity3d/services/core/domain/task/InitializeStateLoadCache$doWork$2.java, line(s) 41,55 com/unity3d/services/core/domain/task/InitializeStateLoadCache.java, line(s) 139 com/unity3d/services/core/domain/task/InitializeStateNetworkError$doWork$2.java, line(s) 38 com/unity3d/services/core/domain/task/InitializeStateNetworkError.java, line(s) 88,104 com/unity3d/services/core/log/DeviceLog.java, line(s) 70,202,209 com/unity3d/services/core/misc/JsonFlattener.java, line(s) 43 com/unity3d/services/core/misc/JsonStorage.java, line(s) 156,26,32,51,72,84,96,165,171 com/unity3d/services/core/misc/JsonStorageAggregator.java, line(s) 34 com/unity3d/services/core/misc/Utilities.java, line(s) 129,146,180 com/unity3d/services/core/misc/ViewUtilities.java, line(s) 25,33 com/unity3d/services/core/preferences/AndroidPreferences.java, line(s) 18,32,46,60,74 com/unity3d/services/core/properties/ClientProperties.java, line(s) 40,71,83,85 com/unity3d/services/core/properties/SdkProperties.java, line(s) 231,233,98 com/unity3d/services/core/reflection/GenericBridge.java, line(s) 32,47,56,62,70,76,84,91 com/unity3d/services/core/request/WebRequest.java, line(s) 70,162,167 com/unity3d/services/core/request/WebRequestRunnable.java, line(s) 91,76,95 com/unity3d/services/core/request/WebRequestThread.java, line(s) 63,115,130 com/unity3d/services/core/request/metrics/MetricCommonTags.java, line(s) 72 com/unity3d/services/core/request/metrics/MetricSender$sendMetrics$$inlined$CoroutineExceptionHandler$1.java, line(s) 19 com/unity3d/services/core/request/metrics/MetricSender$sendMetrics$1.java, line(s) 74,76 com/unity3d/services/core/request/metrics/MetricSender.java, line(s) 73,89,97 com/unity3d/services/core/request/metrics/MetricSenderWithBatch.java, line(s) 41 com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 38,43,53,86,97 com/unity3d/services/core/sensorinfo/SensorInfoListener.java, line(s) 28 com/unity3d/services/core/timer/BaseTimer.java, line(s) 77 com/unity3d/services/core/webview/WebView.java, line(s) 63 com/unity3d/services/core/webview/WebViewApp.java, line(s) 60,108,156,201,245,295,67,71,74,91,135,237,267,308,343,359 com/unity3d/services/core/webview/WebViewUrlBuilder.java, line(s) 34 com/unity3d/services/core/webview/bridge/Invocation.java, line(s) 65 com/unity3d/services/core/webview/bridge/NativeCallback.java, line(s) 39 com/unity3d/services/core/webview/bridge/WebViewBridge.java, line(s) 91 com/unity3d/services/core/webview/bridge/WebViewBridgeInterface.java, line(s) 44,51 com/unity3d/services/core/webview/bridge/WebViewCallback.java, line(s) 72 com/unity3d/services/store/core/StoreLifecycleListener.java, line(s) 43 com/unity3d/services/store/gpbl/bridges/CommonJsonResponseBridge.java, line(s) 33 com/unity3d/services/store/gpbl/bridges/PurchaseBridge.java, line(s) 37 d/i.java, line(s) 144 e/a.java, line(s) 304 n/c.java, line(s) 21,26 r0/a.java, line(s) 21,22
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: y1/v.java, line(s) 84,83,92,82,82
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/201877093341/namespaces/firebase:fetch?key=AIzaSyDJ6Ciwhz4O90Kdd1-jN2UbSIAGNK8V4PI ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}