安全分析报告: 金三角 v1.3.1

安全分数


安全分数 44/100

风险评级


等级

  1. A
  2. B
  3. C
  4. F

严重性分布 (%)


隐私风险

3

用户/设备跟踪器


调研结果

高危 6
中危 21
信息 2
安全 2
关注 2

高危 域配置不安全地配置为允许明文流量到达范围内的这些域。 

Scope:
119.29.29.99
119.29.29.98

高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 

应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
b/a/a/a/c/a/a.java, line(s) 1477
b/a/a/a/d/p/a/a.java, line(s) 37
g/h/a/a/h1/k0/d.java, line(s) 59

高危 已启用远程WebView调试 

已启用远程WebView调试
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing

Files:
com/just/agentweb/AgentWebConfig.java, line(s) 48,8

高危 使用弱加密算法 

使用弱加密算法
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
b/a/a/a/c/a/a.java, line(s) 2921
b/a/a/a/d/p/b/a.java, line(s) 36

高危 WebView域控制不严格漏洞 

WebView域控制不严格漏洞


Files:
com/just/agentweb/AbsAgentWebSettings.java, line(s) 40,21

高危 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 

如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/just/agentweb/UrlLoaderImpl.java, line(s) 73,77,5

中危 应用程序数据可以被备份 

[android:allowBackup=true]
这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。

中危 Activity-Alias (com.grass.mh.FiveActivity) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity-Alias (com.grass.mh.FourActivity) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity-Alias (com.grass.mh.ThreeActivity) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity-Alias (com.grass.mh.TwoActivity) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity-Alias (com.grass.mh.OneActivity) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity-Alias (com.grass.mh.Default) 未被保护。 

存在一个intent-filter。
发现 Activity-Alias与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity-Alias是显式导出的。

中危 Activity (com.grass.mh.ui.mine.activity.LoginActivity) 未被保护。 

存在一个intent-filter。
发现 Activity与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity是显式导出的。

中危 Activity设置了TaskAffinity属性 

(com.umeng.message.notify.UPushMessageNotifyActivity)
如果设置了 taskAffinity,其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息,请始终使用默认设置,将 affinity 保持为包名

中危 Activity-Alias (com.umeng.message.UMessageNotifyActivity) 未被保护。 

[android:exported=true]
发现 Activity-Alias与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 应用程序使用不安全的随机数生成器 

应用程序使用不安全的随机数生成器
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
b/a/a/a/e/d.java, line(s) 14
com/grass/mh/SplashActivity.java, line(s) 72
com/grass/mh/ui/community/ReleaseActivity.java, line(s) 45
com/grass/mh/ui/home/HomeFeaturedFragment.java, line(s) 53
com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 15
com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 26
g/h/a/a/l1/a0/l.java, line(s) 29
g/h/a/a/l1/a0/s.java, line(s) 17
g/i/a/u0/e/p7.java, line(s) 10
g/p/a/a/b/a.java, line(s) 7
k/q/a.java, line(s) 7
k/q/b.java, line(s) 3
k/q/c/a.java, line(s) 3
org/android/spdy/SpdyBytePool.java, line(s) 3

中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/danikula/videocache/StorageUtils.java, line(s) 14,34
com/grass/mh/App.java, line(s) 161
com/grass/mh/player/VideoPlayer.java, line(s) 335
com/grass/mh/utils/DownloadApkUtil.java, line(s) 50,50
com/grass/mh/utils/M3u8CopyUtil.java, line(s) 16,48
com/just/agentweb/AgentWebUtils.java, line(s) 309,366,380
com/lv/downloadvideo/utils/DataCacheUtils.java, line(s) 110
com/lv/downloadvideo/utils/StorageUtils.java, line(s) 25,45,45,54,73
com/maning/updatelibrary/utils/MNUtils.java, line(s) 20
com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 121
com/zy/devicelibrary/utils/FileUtils.java, line(s) 27
com/zy/devicelibrary/utils/MediaFilesUtils.java, line(s) 36,59
com/zy/devicelibrary/utils/OtherUtils.java, line(s) 339
com/zy/devicelibrary/utils/StorageQueryUtil.java, line(s) 53
g/f/b/g4.java, line(s) 33
g/m/b/g/f.java, line(s) 82
g/n/b/a.java, line(s) 32
org/dsq/library/callback/M3u8FileConvert.java, line(s) 18

中危 MD5是已知存在哈希冲突的弱哈希 

MD5是已知存在哈希冲突的弱哈希
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/danikula/videocache/ProxyCacheUtils.java, line(s) 44
com/grass/mh/App.java, line(s) 84,200
com/just/agentweb/AgentWebUtils.java, line(s) 589
com/lv/downloadvideo/utils/MD5Utils.java, line(s) 9
com/zy/devicelibrary/utils/Md5Utils.java, line(s) 9
g/e/a/d0.java, line(s) 278,296

中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/lv/downloadvideo/utils/DataCacheUtils.java, line(s) 17
com/lv/downloadvideo/utils/SPHelper.java, line(s) 10
com/lzy/okgo/cache/CacheEntity.java, line(s) 14
com/lzy/okgo/exception/CacheException.java, line(s) 17,13
g/d/a/m/o/o.java, line(s) 95
org/android/spdy/SpdyProtocol.java, line(s) 43

中危 IP地址泄露 

IP地址泄露


Files:
b/a/a/a/a.java, line(s) 85,83,85,83
com/danikula/videocache/HttpProxyCacheServer.java, line(s) 30
g/q/a/e/b.java, line(s) 131
org/android/spdy/SpdyAgent.java, line(s) 737
org/android/spdy/SpdyRequest.java, line(s) 26,161,180,203,228,248,274,293,316,341

中危 不安全的Web视图实现。可能存在WebView任意代码执行漏洞 

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/grass/mh/ui/home/OnlineServiceChannelActivity.java, line(s) 55,59
com/grass/mh/ui/mine/activity/OnlineServiceActivity.java, line(s) 66,70

中危 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
g/f/b/i.java, line(s) 100
o/d/a/a/a/a.java, line(s) 102

中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件 

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
d/n/a/a.java, line(s) 1022

中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
b/a/a/a/d/n/b/a.java, line(s) 4,5,84
com/danikula/videocache/sourcestorage/DatabaseSourceInfoStorage.java, line(s) 6,7,63
d/o/a/n.java, line(s) 26,1295
g/h/a/a/l1/a0/l.java, line(s) 6,7,191
g/n/a/f/d.java, line(s) 3,4,47
o/b/b/f/f.java, line(s) 4,41

中危 应用程序包含隐私跟踪程序 

此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。

中危 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
友盟统计的=> "UMENG_CHANNEL" : "channel"
SVqWumuteCQHvVIaALrOZXuzVVVeS7f4FGxxu6V+es4=
Wd8xe/qfTwq3ylFNd3IpaqLHZbh2ZNCLluVzmeNkcpw=
JbQbUG5JMJUoI6brnx0x3vZF6jilxsapbXGVfjhN8Fg=
9a04f079-9840-4286-ab92-e65be0885f95
283e979311c20332ebd3cf43752e77ae
UZJDjsNp1+4M5x9cbbdflB779y5YRBcV6Z6rBMLIrO4=
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
660d5b9a4166f265f480ac8e
uUwZgwDOxcBXrQcntwu+kYFpkiVkOaezL0WYEZ3anJc=
cAajgxHlj7GTSEIzIYIQxmEloOSoJq7VOaxWHfv72QM=
WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18=

信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
b/a/a/a/c/a/a.java, line(s) 531,1174,1188,1200,1577,2964,2977,3006,3105,3131,280,290,315,324,1257,1266,1425,1434,573
b/a/a/a/c/e/b.java, line(s) 13
cn/bingoogolapple/swipebacklayout/BGASwipeBackLayout.java, line(s) 890
com/contrarywind/view/WheelView.java, line(s) 352
com/danikula/videocache/HttpProxyCacheDebuger.java, line(s) 35,56,70,42,49
com/grass/mh/App.java, line(s) 183
com/grass/mh/player/BrushVideoPlayer.java, line(s) 178
com/grass/mh/player/tiktok/TikTokPlayer.java, line(s) 86
com/grass/mh/ui/comment/InputTextDialog.java, line(s) 103
com/grass/mh/ui/comment/InputTextMsgNormalDialog.java, line(s) 109
com/grass/mh/ui/mine/activity/AddGroupActivity.java, line(s) 86
com/grass/mh/ui/shortvideo/ShortVideoFollowListFragment.java, line(s) 238
com/grass/mh/ui/shortvideo/ShortVideoListFragment.java, line(s) 225
com/grass/mh/utils/CThreadPoolExecutor.java, line(s) 39,119,40,87,124
com/grass/mh/utils/KeyBoardChangeListener.java, line(s) 23
com/grass/mh/utils/MigrationHelper.java, line(s) 65
com/grass/mh/view/WheelView.java, line(s) 277
com/grass/mh/view/gridpager/PagerConfig.java, line(s) 13,19
com/grass/mh/view/gridpager/PagerGridLayoutManager.java, line(s) 436,456,525,545
com/grass/mh/viewmodel/VideoPlayerModel.java, line(s) 39
com/just/agentweb/AgentWebUtils.java, line(s) 161,132,133,141,154
com/just/agentweb/AgentWebView.java, line(s) 56,87,100,35,225
com/just/agentweb/DefaultChromeClient.java, line(s) 270,276
com/just/agentweb/DefaultDownloadImpl.java, line(s) 252
com/just/agentweb/JsCallJava.java, line(s) 139,72,43,85
com/just/agentweb/JsCallback.java, line(s) 65
com/just/agentweb/LogUtils.java, line(s) 9,24,38,14,32
com/lv/downloadvideo/M3U8DownloadTask.java, line(s) 127,164,336,353
com/lv/downloadvideo/M3U8Downloader.java, line(s) 53,102,176,188,194,199,204,222,248,277,282,298
com/lv/downloadvideo/utils/DataCacheUtils.java, line(s) 51,54,61,75,96
com/lv/downloadvideo/utils/M3U8Log.java, line(s) 11,17
com/lv/downloadvideo/utils/SPHelper.java, line(s) 18
com/lxj/xpopup/util/XPermission.java, line(s) 90
com/maning/updatelibrary/InstallUtils.java, line(s) 147
com/maning/updatelibrary/http/DownloadFileUtils.java, line(s) 237,288
com/tbruyelle/rxpermissions2/RxPermissionsFragment.java, line(s) 46,91
com/yalantis/ucrop/UCropActivity.java, line(s) 527
com/yalantis/ucrop/view/OverlayView.java, line(s) 289,292
com/yalantis/ucrop/view/TransformImageView.java, line(s) 81,165,224
com/zy/devicelibrary/UtilsApp.java, line(s) 32
com/zy/devicelibrary/data/ContactData.java, line(s) 84
com/zy/devicelibrary/data/ContactDataArmour.java, line(s) 78
com/zy/devicelibrary/utils/Md5Utils.java, line(s) 26
com/zy/devicelibrary/utils/OtherUtils.java, line(s) 387,411
com/zy/devicelibrary/utils/StorageQueryUtil.java, line(s) 58,63,68,69,109,128,152,200,201,174,214
d/b/a/n.java, line(s) 37
d/b/b/a/a.java, line(s) 73
d/b/e/b.java, line(s) 149,183,197,205,366
d/b/e/e/b.java, line(s) 389
d/b/f/b0.java, line(s) 112,180
d/b/f/d.java, line(s) 295
d/b/f/e0.java, line(s) 23,33
d/b/f/h.java, line(s) 31
d/b/f/n.java, line(s) 109,118,210,269
d/b/f/o.java, line(s) 117
d/b/f/u.java, line(s) 99,255,364,178,185,342,410,424,468
d/b/f/v.java, line(s) 34
d/d/a/e2.java, line(s) 12,18,17,23,24,29,37,38
d/d/a/f2.java, line(s) 72
d/d/a/q2/d0/b.java, line(s) 200
d/d/a/r2/f/a.java, line(s) 17
d/h/c/a/c.java, line(s) 38,116
d/h/c/a/e.java, line(s) 199,206
d/h/c/a/g.java, line(s) 932,2227
d/h/c/a/j.java, line(s) 327,363,594,729,884,916,198
d/h/c/a/o.java, line(s) 254,259
d/h/d/a.java, line(s) 215,114,270
d/h/d/c.java, line(s) 1075,2055,2814,2286,290,374,399,417,1091,1124,1875,2138,2184,2210,2902,2909
d/h/d/e.java, line(s) 92
d/j/a/c.java, line(s) 112
d/j/a/d.java, line(s) 31
d/j/b/b/e.java, line(s) 49,88,106,114
d/j/c/c.java, line(s) 41,46
d/j/c/d.java, line(s) 60
d/j/c/e.java, line(s) 48
d/j/c/g/d.java, line(s) 26,49
d/j/d/b.java, line(s) 23
d/j/h/a.java, line(s) 243
d/j/h/d.java, line(s) 184,216
d/j/h/l.java, line(s) 20,31
d/j/h/o.java, line(s) 134,216,581,593,600,609,50,205
d/k/a/b.java, line(s) 379
d/n/a/a.java, line(s) 377,567,700,710,719,725,782,868,886,890,896,935,972,1190,1278,1328,1512,1574,1767,1772,1778,1803,1822,1842,1848,1937,2000,2192,2288,2297,2321,2333,2524,2720,2773,2807,2839,2888,2896,2938,2958,2982,3168,406,3500,3508,3542,3554,3566,3578,3590,3602,3614,3626,3638,3645,3656,3668,98,588,1503,1522,1530,1745,1795,1798,1869,1880,2145,2154,2713,3651
d/o/a/a.java, line(s) 52,193,206,216
d/o/a/b.java, line(s) 589,638,667,672
d/o/a/j0.java, line(s) 18
d/o/a/n.java, line(s) 479,585,939,1891,231,959,236,1228,962,1184
d/o/a/r.java, line(s) 103,114
d/o/a/u.java, line(s) 91,40,48,56,62
d/o/a/v.java, line(s) 71,122,247,271,359,379,425,446,463,475,600,638,679,774,784,238,345,505,523,529,566,611,709,818
d/o/a/w.java, line(s) 108,118
d/s/f.java, line(s) 43
d/s/i.java, line(s) 66
d/s/k.java, line(s) 41
d/s/n.java, line(s) 36
d/t/a.java, line(s) 163,243,257,47,66,80,88,98,72,84,94,111,116,125,142,205
d/x/d.java, line(s) 36
d/x/z.java, line(s) 45
e/a/l/e.java, line(s) 68
e/a/l/h.java, line(s) 67
e/a/l/j/e.java, line(s) 62,74,83,96,99,61,73,82,95
e/a/n/b.java, line(s) 76,151,176,217,257,91,116,117,193,198,199,222,223,97
e/a/o/a.java, line(s) 61,77,97,115,137,162,165
e/a/o/b.java, line(s) 19
e/a/o/c.java, line(s) 32
e/a/o/d.java, line(s) 43
e/a/q/d.java, line(s) 58,59,74,75
e/a/q/g.java, line(s) 60,73
e/a/v/b.java, line(s) 53,90
e/a/v/c.java, line(s) 54,65,79,81
e/a/v/e.java, line(s) 40,41
e/a/v/f.java, line(s) 27
e/a/v/g.java, line(s) 341,118,124,241,265,266,307,309,329,331
e/a/v/j.java, line(s) 111,156,175,226,51,54,85,101,102,202,203,204,212,254,89,287
e/a/v/n.java, line(s) 29
e/a/v/o.java, line(s) 26
g/a/a/a/a.java, line(s) 418,437,472,70,427,456
g/c/a/a/a/a.java, line(s) 15,28
g/c/a/a/c/b/d.java, line(s) 91,90
g/c/a/a/d/b.java, line(s) 39,42
g/c/a/a/d/d/a.java, line(s) 188
g/d/a/c.java, line(s) 237,244,254,259,276,286,236,243,247,253,258,275,282,383,248,384
g/d/a/g.java, line(s) 387,307,308
g/d/a/h.java, line(s) 107,106
g/d/a/j/a.java, line(s) 314
g/d/a/k/d.java, line(s) 177,204,174,203
g/d/a/k/e.java, line(s) 100,121,139,99,120,138
g/d/a/l/a/c/h.java, line(s) 73,154,167,184,285,70,117,153,162,179
g/d/a/l/a/c/i.java, line(s) 89,387,88,341,386,414,438,357,424,461
g/d/a/l/a/c/j.java, line(s) 17,18
g/d/a/m/n/b.java, line(s) 49,48
g/d/a/m/n/j.java, line(s) 50,95,156,47,94,98,104,111,155,108,114
g/d/a/m/n/l.java, line(s) 50,49
g/d/a/m/n/o/b.java, line(s) 98,141,181,97,140,180
g/d/a/m/o/a0/e.java, line(s) 50,83,95,105,51,96,84,108
g/d/a/m/o/a0/k.java, line(s) 94,79
g/d/a/m/o/b0/a.java, line(s) 74,73
g/d/a/m/o/h.java, line(s) 139,140
g/d/a/m/o/j.java, line(s) 23,169
g/d/a/m/o/y.java, line(s) 51,52
g/d/a/m/o/z/i.java, line(s) 171,207,175,212
g/d/a/m/o/z/j.java, line(s) 64,75,177,221,59,63,74,106,114,142,172,189,208,220,107,115,162,194,209
g/d/a/m/p/c.java, line(s) 16,15
g/d/a/m/p/d.java, line(s) 41,40
g/d/a/m/p/f.java, line(s) 102,101
g/d/a/m/p/s.java, line(s) 106,107
g/d/a/m/p/t.java, line(s) 39,38
g/d/a/m/q/a.java, line(s) 84,124,95,134
g/d/a/m/q/c/c.java, line(s) 62,61,78,79
g/d/a/m/q/c/j.java, line(s) 21,27,24,28
g/d/a/m/q/c/l.java, line(s) 115,459,693,114,418,458,484,517,581,601,615,642,662,670,692,713,721,438,494,540
g/d/a/m/q/c/m.java, line(s) 29,33,30,34
g/d/a/m/q/c/q.java, line(s) 83,89,95,101,107,114,120,139,148,84,90,96,102,108,115,121,149,140
g/d/a/m/q/c/y.java, line(s) 86,95,102,87,96,103,104,105,109
g/d/a/m/q/g/a.java, line(s) 70,152,159,166,78,155,162,169
g/d/a/m/q/g/c.java, line(s) 19,20
g/d/a/m/q/g/i.java, line(s) 52,53
g/d/a/n/e.java, line(s) 42,39,83,104,84,105
g/d/a/n/o.java, line(s) 67,68
g/d/a/n/p.java, line(s) 229,230,238
g/d/a/q/i/d.java, line(s) 48,94,95,49
g/d/a/q/i/k.java, line(s) 67,116,117,68
g/d/a/s/j/a.java, line(s) 41,44
g/f/b/a.java, line(s) 97
g/h/a/a/b0.java, line(s) 247,455
g/h/a/a/c0.java, line(s) 230,238,583,1471,1476,1482,1493,571
g/h/a/a/c1/a0/d.java, line(s) 261,694,904,1209,1576,1580
g/h/a/a/c1/b0/d.java, line(s) 161,229
g/h/a/a/c1/c0/d.java, line(s) 251,441
g/h/a/a/c1/c0/e.java, line(s) 43,60,80,100,112,129,139
g/h/a/a/c1/c0/f.java, line(s) 585,687,611,956
g/h/a/a/c1/c0/j.java, line(s) 59
g/h/a/a/c1/d0/i.java, line(s) 280
g/h/a/a/c1/f0/f.java, line(s) 172
g/h/a/a/c1/f0/n.java, line(s) 35
g/h/a/a/c1/f0/r.java, line(s) 51,57
g/h/a/a/c1/g0/a.java, line(s) 384,406
g/h/a/a/d1/e.java, line(s) 257,276,186
g/h/a/a/e1/i/b.java, line(s) 213,316,321,330,559,565,573,611
g/h/a/a/g0.java, line(s) 186
g/h/a/a/h1/i0/c.java, line(s) 38
g/h/a/a/h1/i0/g.java, line(s) 467
g/h/a/a/h1/j0/j/c.java, line(s) 366
g/h/a/a/h1/k0/n.java, line(s) 186,315
g/h/a/a/i1/l/a.java, line(s) 232
g/h/a/a/i1/l/c.java, line(s) 313,363,380,610
g/h/a/a/i1/o/a.java, line(s) 355,178,202,234,335,340
g/h/a/a/i1/o/c.java, line(s) 50
g/h/a/a/i1/p/a.java, line(s) 73
g/h/a/a/i1/q/a.java, line(s) 255,96,275,471,474
g/h/a/a/i1/s/f.java, line(s) 225,300,316,321
g/h/a/a/l1/a0/s.java, line(s) 74,83,101,115,133,139,438,482
g/h/a/a/l1/p.java, line(s) 166
g/h/a/a/l1/r.java, line(s) 142,241,257,253
g/h/a/a/m1/b0.java, line(s) 525
g/h/a/a/m1/e.java, line(s) 38,89
g/h/a/a/o0.java, line(s) 62
g/h/a/a/t0.java, line(s) 396,417,480,508,525,537,576,591,628,818,864,1007,1046
g/h/a/a/x0/t.java, line(s) 100
g/h/a/b/a/g.java, line(s) 48
g/h/a/b/p/a.java, line(s) 330
g/h/a/b/t/b.java, line(s) 129,164
g/h/a/b/u/a.java, line(s) 47
g/i/a/u0/f/i0.java, line(s) 16
g/i/a/w.java, line(s) 130
g/n/a/c/a/a.java, line(s) 162,167
g/n/a/f/a.java, line(s) 66,74,93,98,119
g/n/b/a.java, line(s) 73,77
g/n/b/b/b.java, line(s) 193,197
g/t/a/l/a.java, line(s) 169,121,262
g/t/a/l/b.java, line(s) 53,96,168,180,187,193,245,251,291,357,394
g/t/a/m/b.java, line(s) 62,91,100,120,162,170,187,201,44,52,61,88,99,117,146,161,165,174,183,186,191,198
o/b/a/f.java, line(s) 10,15
o/b/b/a.java, line(s) 395
o/d/b/b/a/a.java, line(s) 25
o/d/b/c/a/a.java, line(s) 51,54
o/d/b/c/a/b.java, line(s) 29,31
o/d/b/c/a/c.java, line(s) 26,33,38,41,46,54
o/d/b/c/a/d.java, line(s) 74
o/d/b/c/a/e.java, line(s) 27
org/android/spdy/NetTimeGaurd.java, line(s) 27,39
org/android/spdy/ProtectedPointerTest.java, line(s) 12,17,55
org/android/spdy/spduLog.java, line(s) 12,26,19,33,69,40,47
org/dsq/library/widget/CacheM3u8FilePlayer.java, line(s) 65
org/dsq/library/widget/bigImage/SubsamplingScaleImageView.java, line(s) 638,207,211,387,391,459,788,797,826,831,1746,1957,2288
org/dsq/library/widget/bigImage/decoder/SkiaPooledImageRegionDecoder.java, line(s) 118
org/greenrobot/greendao/DaoException.java, line(s) 16,17

信息 此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密 

此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密


Files:
org/greenrobot/greendao/database/SqlCipherEncryptedHelper.java, line(s) 18,5,6

安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 

此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
g/f/b/h1.java, line(s) 74,52,50,50
g/n/a/g/a.java, line(s) 84,50,82,82

安全 此应用程序可能具有Root检测功能 

此应用程序可能具有Root检测功能
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/zy/devicelibrary/utils/OtherUtils.java, line(s) 81,65,441,69,69,69,69,69,69,430,433

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (msg.umengcloud.com) 通信。 

{'ip': '223.109.148.130', 'country_short': 'CN', 'country_long': '中国', 'region': '河北', 'city': '张家口', 'latitude': '40.810024', 'longitude': '114.879349'}

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (ulogs.umengcloud.com) 通信。 

{'ip': '223.109.148.130', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南京', 'latitude': '32.061668', 'longitude': '118.777992'}

安全评分: ( 金三角 1.3.1)