Mobile Application Security Assessment Report

爱赞美 v1.0.1
41
Security score
Security baseline score: 41/100
Medium risk
Overall risk level
Risk grade scale: A / B / C / F
The application carries measurable security risk; remediation is recommended.
Vulnerability and security item distribution
High: 7
Medium: 16
Informational: 2
Passed: 2
Privacy risk assessment
Third-party trackers: 0
Privacy: no third-party trackers detected
Distribution of findings
High-severity vulnerabilities: 7
Medium-severity vulnerabilities: 16
Informational notices: 2
Passed security items: 2
Key security concerns: 0
High-severity vulnerability: The base network security configuration permits cleartext traffic to all domains.
Scope: *
High-severity vulnerability: A domain configuration permits cleartext traffic to the domains in its scope.
Scope: zanmei.ai
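The two findings above describe a res/xml/network_security_config.xml in which both the base-config and a domain-config for zanmei.ai set cleartextTrafficPermitted="true". The following is an added example of the corrected file, written for this report and not reproduced from the app (the report does not include the app's actual config); the pin values, the expiration date and the resource name are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest as
     android:networkSecurityConfig="@xml/network_security_config".
     The scanner's two High findings correspond to cleartextTrafficPermitted="true"
     on <base-config> and on a <domain-config> for zanmei.ai; both are "false" here. -->
<network-security-config>
    <!-- Everything not matched by a domain-config: TLS only, system CAs.
         (The Medium "trusts system certificates" finding is this default.) -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- The app's own backend: TLS only, and additionally pinned so that a
         certificate from any other CA is rejected even though it is "trusted". -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">zanmei.ai</domain>
        <pin-set expiration="2026-12-31">
            <!-- base64(SHA-256(SubjectPublicKeyInfo)) of the leaf or issuing CA.
                 PLACEHOLDER values: ship a current pin plus a backup pin so that
                 key rotation does not lock users out. -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>

    <!-- Honoured only while android:debuggable="true": lets a debug build trust
         a user-installed CA (for proxying) without weakening the release build. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Once a network security config is declared, the platform ignores android:usesCleartextTraffic and enforces the config for HttpsURLConnection, OkHttp and WebView. Libraries that open their own sockets are not covered automatically and must consult NetworkSecurityPolicy.getInstance().isCleartextTrafficPermitted(hostname) themselves.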
High-severity vulnerability: Application is debuggable
[android:debuggable=true] The debuggable flag is set in the manifest. Anyone with adb access can attach a debugger (jdb, Android Studio) to the live process, set breakpoints, inspect and modify variables, dump heap and stack contents, and invoke internal classes; `adb shell run-as <package>` additionally grants shell access to the app's private data directory. This greatly lowers the effort of reverse engineering and tampering. Release builds must not set this flag.
High-severity vulnerability: Debug configuration enabled. Production builds must not be debuggable.
Note: these hits are the generated BuildConfig classes of bundled libraries; the rule matches their DEBUG constants. They corroborate that the APK was built from a debug variant rather than being an independent weakness. The manifest flag above is the setting to fix; a release build regenerates these classes with DEBUG = false.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/daimajia/slider/library/BuildConfig.java, line(s) 3,5 com/izm/android/BuildConfig.java, line(s) 3,6 im/delight/android/webview/BuildConfig.java, line(s) 3,4
High-severity vulnerability: The application loads HTML with WebView.loadDataWithBaseURL, which exposes it to cross-site scripting if that HTML contains untrusted input, because the content executes in the origin of the supplied base URL and inherits that origin's cookies, storage and any JavaScript bridge.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/zanmeishi/zanplayer/business/search/VideoWebActivity.java, line(s) 232,17
High-severity vulnerability: Insecure SSL/TLS implementation. Trusting all certificates or accepting self-signed certificates is a critical weakness; the application is vulnerable to man-in-the-middle attacks.
Note: the flagged lines are consistent with a custom trust manager or hostname verifier that accepts anything; confirm by reading SSLManager.java. If so, every HTTPS connection routed through it accepts whatever certificate an on-path attacker presents, which makes the cleartext findings above almost irrelevant from the attacker's point of view and undermines the "SSL pinning" item that passed below.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: com/zanmeishi/zanplayer/http/SSLManager.java, line(s) 16,24,8,9,10,11,12,13
High-severity vulnerability: Remote WebView debugging enabled
Note: the call lives in the bundled JsBridge library, so it is on in every build. With it enabled, anyone with adb access can attach Chrome DevTools (chrome://inspect) to the app's WebViews, read the DOM, cookies and local storage, and inject JavaScript. Gate WebView.setWebContentsDebuggingEnabled on the application's debuggable flag, or call it with false at application start after the library has initialised.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/github/lzyzsd/jsbridge/BridgeWebView.java, line(s) 72,8
Medium-severity vulnerability: The base configuration trusts system certificates.
Scope: *
Note: trusting the system CA store is the platform default and not a weakness by itself; in effect this item is informational. What it signals is the absence of a pin-set for the app's own domain, which would restrict which CAs can issue a certificate an attacker could use against it.
Medium-severity vulnerability: Cleartext network traffic enabled
[android:usesCleartextTraffic=true] The application permits cleartext traffic (HTTP, FTP, DownloadManager, MediaPlayer and other platform APIs). This is the default for apps targeting API level 27 and below and is disabled by default from API 28. Cleartext traffic has no confidentiality, integrity or authenticity protection, so an on-path attacker can read or modify it. Disable cleartext and use TLS only. Note that when a network security config is present (as it is here), that config takes precedence and this attribute is ignored, so the fix has to be made in the config.
Medium-severity vulnerability: Broadcast Receiver (com.zanmeishi.zanplayer.business.player.HeadsetButtonReceiver) is unprotected.
[android:exported=true] The receiver is exported with no permission guard, so any application can send it intents. A media-button receiver has to accept the system's ACTION_MEDIA_BUTTON broadcast, so the practical mitigation is to verify the action and ignore unexpected extras, or to move to MediaSession callbacks, which are dispatched by the system rather than by arbitrary senders.
Medium-severity vulnerability: Activity (com.zanmeishi.zanplayer.main.MainActivity) is unprotected.
[android:exported=true] The activity is exported with no permission guard, so any application can start it. A launcher activity must be exported to appear on the home screen; the actionable item is to treat every incoming intent (extras, deep-link data) as untrusted input rather than to remove the export.
Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is permission-protected, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The service is exported and guarded by a permission not defined in this app. In general, check the protection level where the permission is defined: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. In this case android.permission.BIND_JOB_SERVICE is a platform signature permission held only by the system server, which is exactly the configuration every JobService requires; no remediation is needed.
Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is permission-protected, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The receiver is exported and guarded by a permission not defined in this app. android.permission.DUMP is a signature|privileged permission that third-party apps cannot obtain, and this receiver is WorkManager's diagnostics hook, intended to be triggered from an adb shell. It is not reachable by other installed apps; no remediation is needed beyond confirming the WorkManager dependency is intentional.
Medium-severity vulnerability: The application reads from and writes to external storage; any application can read data written there.
On API 29 and later, scoped storage narrows what other apps can see, but files placed on legacy shared storage (or under requestLegacyExternalStorage) remain world-readable, and on older devices everything is. Keep private data under getFilesDir() or getExternalFilesDir(), and never write tokens, credentials or downloaded user content that should stay private to shared storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/zanmeishi/zanplayer/Storage.java, line(s) 98,104,109 com/zanmeishi/zanplayer/business/download/config/MutilScreenConfig.java, line(s) 7 com/zanmeishi/zanplayer/util/AppInfoUtil.java, line(s) 89 com/zanmeishi/zanplayer/util/CacheUtil.java, line(s) 11,19 com/zanmeishi/zanplayer/util/DeviceUtils.java, line(s) 105,119,189,191 com/zanmeishi/zanplayer/util/FileUtil.java, line(s) 170,171,189,203,217,562 com/zanmeishi/zanplayer/utils/AppUtils.java, line(s) 424,425,431 com/zanmeishi/zanplayer/utils/SDUtils.java, line(s) 20,24 com/zanmeishi/zanplayer/utils/Util.java, line(s) 181 com/zanmeishi/zanplayer/utils/application/AppInfoUtils.java, line(s) 55,55,56 com/zanmeishi/zanplayer/widget/lrcview/ZanLrcView.java, line(s) 184,185 pi/android/FileSystem.java, line(s) 9 pi/android/IOUtil.java, line(s) 362
Medium-severity vulnerability: MD5 is a weak hash with known practical collisions.
Using MD5 to derive a cache key from a URL (FileCache, CgiCacheNode) is tolerable; using it for anything integrity-related, such as verifying a downloaded file (DownloadTask) or deriving a value from a password, is not. Replace those uses with SHA-256 or an appropriate KDF.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/koushikdutta/async/util/FileCache.java, line(s) 73 com/zanmeishi/zanplayer/business/download/model/DownloadTask.java, line(s) 39 com/zanmeishi/zanplayer/component/dbmanager/CgiCacheNode.java, line(s) 17 com/zanmeishi/zanplayer/util/MD5.java, line(s) 370,398 com/zanmeishi/zanplayer/utils/StringUtils.java, line(s) 71,93 com/zanmeishi/zanplayer/utils/Utils.java, line(s) 259,620
Medium-severity vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords or keys.
Anything in the APK can be recovered with apktool or jadx, so a secret that authenticates the app to a backend (an API key, an app secret, a signing key) should be treated as public once shipped. Move such values server-side or replace them with per-user tokens issued after login. Urls.java and LoginConstants.java are the first places to check.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/tencent/moduleupdate/UpdateLibHelper.java, line(s) 28 com/zanmeishi/zanplayer/api/Urls.java, line(s) 16 com/zanmeishi/zanplayer/business/login/model/LoginConstants.java, line(s) 96,95 com/zanmeishi/zanplayer/component/dbmanager/DownloadInfoTable.java, line(s) 27,94,162 com/zanmeishi/zanplayer/view/TXImageView.java, line(s) 283
Medium-severity vulnerability: SHA-1 is a weak hash with known practical collisions.
Note: the single hit is in the AndroidAsync WebSocket client, where SHA-1 computes the Sec-WebSocket-Accept value mandated by RFC 6455. That is a protocol requirement, not a security decision of this app, and collisions do not matter for it; triage as a false positive.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/koushikdutta/async/http/WebSocketImpl.java, line(s) 51
Medium-severity vulnerability: IP address disclosure
Hard-coded IP addresses were found in the listed files. Check each one: library defaults such as public DNS resolvers are harmless, whereas addresses of the app's own backend reveal infrastructure to anyone who unpacks the APK and should be replaced by host names resolved at runtime.
Files: com/dolby/dap/DolbyAudioProcessing.java, line(s) 29 com/koushikdutta/async/AsyncSSLSocketWrapper.java, line(s) 108,592 com/koushikdutta/async/dns/Dns.java, line(s) 102,132,94 com/tencent/moduleupdate/UpdateLibHelper.java, line(s) 31,32,33 com/zanmeishi/zanplayer/business/login/model/LoginConstants.java, line(s) 30
Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted input placed into a raw query can lead to SQL injection. Sensitive data should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/zanmeishi/zanplayer/component/dbmanager/CgiCacheTable.java, line(s) 6,71,76,77,82,83,127 com/zanmeishi/zanplayer/component/dbmanager/DbManager.java, line(s) 6,7,43 com/zanmeishi/zanplayer/component/dbmanager/DownloadInfoTable.java, line(s) 6,162,354,363,364 com/zanmeishi/zanplayer/component/dbmanager/FavoriteAlbumTable.java, line(s) 6,116,121,122,127,128,172 com/zanmeishi/zanplayer/component/dbmanager/FavoriteBoxTable.java, line(s) 6,116,121,122,127,128,172 com/zanmeishi/zanplayer/component/dbmanager/FavoriteSingerTable.java, line(s) 6,116,121,122,127,128,172 com/zanmeishi/zanplayer/component/dbmanager/FavoriteSongTable.java, line(s) 6,116,121,122,127,128,172 com/zanmeishi/zanplayer/component/dbmanager/LikeSongTable.java, line(s) 6,116,121,122,127,128,172
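The pattern behind this finding and its fix, as an added example written for this report rather than taken from the app's dbmanager classes. The table and column names (like_song, song_id, title) are assumptions; the only thing that matters is that user-controlled values never become part of the SQL text.

```java
import android.content.ContentValues;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;

public final class LikeSongDao {
    private final SQLiteDatabase db;

    LikeSongDao(SQLiteDatabase db) {
        this.db = db;
    }

    // The flagged pattern: SQL assembled by string concatenation. A songId of
    //   x' OR '1'='1
    // returns every row, and a single quote in a legitimate title breaks the
    // statement. rawQuery refuses multiple statements, but that is a property of
    // the API, not a defence, and UNION-based extraction still works.
    Cursor findInsecure(String songId) {
        return db.rawQuery(
            "SELECT * FROM like_song WHERE song_id = '" + songId + "'", null);
    }

    // Fixed: the value travels as a bound parameter. SQLite parses the statement
    // first and only then binds the string, so it can never be read as SQL.
    Cursor findSafe(String songId) {
        return db.rawQuery(
            "SELECT * FROM like_song WHERE song_id = ?", new String[] { songId });
    }

    // The same principle for writes: ContentValues and selectionArgs do the
    // binding for you, so there is no string building at all.
    long insert(String songId, String title) {
        ContentValues values = new ContentValues();
        values.put("song_id", songId);
        values.put("title", title);
        return db.insertOrThrow("like_song", null, values);
    }

    int delete(String songId) {
        return db.delete("like_song", "song_id = ?", new String[] { songId });
    }

    // Identifiers (table or column names) cannot be bound. If they must vary,
    // accept them only from a fixed allow-list, never from input.
    private static final java.util.Set<String> SORTABLE =
        java.util.Collections.unmodifiableSet(
            new java.util.HashSet<>(java.util.Arrays.asList("title", "song_id")));

    Cursor listSorted(String column) {
        if (!SORTABLE.contains(column)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        return db.rawQuery("SELECT * FROM like_song ORDER BY " + column, null);
    }
}
```

The second half of the finding (encryption at rest) is separate from injection: SQLiteDatabase stores plaintext, so anything sensitive either goes through SQLCipher or is encrypted with a key held in the Android Keystore before it reaches ContentValues.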
Medium-severity vulnerability: Insecure WebView implementation; possible execution of attacker-controlled code in the WebView.
The rule fires where setJavaScriptEnabled(true) is combined with a Java object exposed to page content via addJavascriptInterface. Any page that can run script in such a WebView (including script injected over the cleartext connections permitted above) can call the exposed object's @JavascriptInterface methods with attacker-chosen arguments. Enable JavaScript only in WebViews that need it, expose the bridge only to pages served by the app's own HTTPS origin, and keep the bridge's surface minimal.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/zanmeishi/zanplayer/business/column/PageModuleView.java, line(s) 96,87 com/zanmeishi/zanplayer/business/search/H5WebActivity.java, line(s) 72,63 com/zanmeishi/zanplayer/business/search/VideoWebActivity.java, line(s) 90,80
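The three WebView findings in this report (loadDataWithBaseURL with untrusted HTML, remote debugging switched on unconditionally, and JavaScript plus a bridge object enabled) share one root cause: the WebView is configured as if everything it renders were trusted. The following is an added example, written for this report and not taken from the app or the JsBridge library, that shows the flagged configuration beside a hardened one. The bridge object name "native", the base URL and the method names are assumptions.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class WebViewHardening {

    // The patterns the findings describe, in one place. Do not ship this:
    // DevTools can attach in release builds, every page can run script, every
    // page can call window.native.*, and untrusted HTML executes with the
    // https://zanmei.ai origin (cookies, storage and the bridge included).
    static void insecureSetup(WebView wv, Object bridge, String untrustedHtml) {
        WebView.setWebContentsDebuggingEnabled(true);
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(bridge, "native");
        wv.loadDataWithBaseURL("https://zanmei.ai", untrustedHtml, "text/html", "utf-8", null);
    }

    // Hardened configuration. Debugging follows the build's debuggable flag;
    // JavaScript and the bridge exist only in WebViews that host the app's own
    // HTTPS pages; file:// and content:// access and mixed content are off.
    static void configure(Context ctx, WebView wv, boolean hostsTrustedBridgePages, Object bridge) {
        boolean debuggable =
            (ctx.getApplicationInfo().flags & ApplicationInfo.FLAG_DEBUGGABLE) != 0;
        WebView.setWebContentsDebuggingEnabled(debuggable);   // false in release builds

        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(hostsTrustedBridgePages);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        if (hostsTrustedBridgePages) {
            // Only methods annotated with @JavascriptInterface are reachable;
            // keep that set minimal and validate every argument as untrusted.
            wv.addJavascriptInterface(bridge, "native");
        } else {
            wv.removeJavascriptInterface("native");
        }
    }

    // Rendering text that came from the network or the user: escape it, and load
    // it with a null base URL so it runs in an opaque origin with no cookies,
    // no storage and no bridge, even if escaping were ever bypassed.
    static void showUntrustedText(WebView wv, String untrustedFragment) {
        String html = "<html><body>" + escapeHtml(untrustedFragment) + "</body></html>";
        wv.loadDataWithBaseURL(null, html, "text/html", "utf-8", null);
    }

    static String escapeHtml(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '&':  b.append("&amp;");  break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }
}
```

Because BridgeWebView enables debugging in its own constructor, the app-level call to setWebContentsDebuggingEnabled(debuggable) has to run after the library view is created; the setting is global to the process, so the last call wins.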
Medium-severity vulnerability: The application creates temporary files. Sensitive information must never be written to temporary files.
Note: the hit is in com.tencent.mm.androidcov, a code-coverage instrumenter. Together with the cobertura, asm and antlr packages elsewhere in this report, it shows that coverage and bytecode-instrumentation tooling has been packaged into the production APK. That is a build-hygiene problem in its own right (larger attack surface, and instrumentation hooks that may write execution data to disk) and should be removed from the release variant.
Files: com/tencent/mm/androidcov/Instrumenter.java, line(s) 138
Medium-severity vulnerability: The application uses an insecure random number generator.
java.util.Random is a deterministic generator seeded from the clock; anything derived from it that an attacker should not be able to guess (tokens, nonces, temporary file names) must come from SecureRandom instead.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/koushikdutta/async/dns/Dns.java, line(s) 19 com/koushikdutta/async/util/FileCache.java, line(s) 17 com/zanmeishi/zanplayer/utils/StringUtils.java, line(s) 12
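The three cryptography findings (MD5, SHA-1 and java.util.Random) have the same shape: a primitive chosen for convenience is used where an unpredictable or collision-resistant one is required. This added example, written for this report and not taken from the app's MD5.java or StringUtils.java, shows the flagged primitives next to their replacements; the method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;

public final class CryptoHelpers {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Flagged: java.util.Random is a 48-bit linear congruential generator. Two
    // consecutive outputs let an observer recover the state and predict every
    // later value, so a "token" built this way is guessable.
    static String weakToken() {
        return Long.toHexString(new Random().nextLong());
    }

    // Fixed: SecureRandom reads the platform CSPRNG (getrandom/urandom on Android).
    // One instance per process is fine; it is thread-safe.
    private static final SecureRandom RNG = new SecureRandom();

    static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        return hex(buf);            // 2 * numBytes hex characters
    }

    // Flagged: MD5 and SHA-1 are collision-broken. As a cache key for a URL that
    // is tolerable; for a download integrity check or anything an attacker could
    // benefit from colliding, it is not.
    static String md5Hex(String input) {
        return digestHex("MD5", input);
    }

    // Fixed: SHA-256 for integrity. If the purpose is protecting a password,
    // neither belongs here; use a password hash such as PBKDF2 or scrypt.
    static String sha256Hex(String input) {
        return digestHex("SHA-256", input);
    }

    private static String digestHex(String algorithm, String input) {
        try {
            MessageDigest md = MessageDigest.getInstance(algorithm);
            return hex(md.digest(input.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            // MD5, SHA-1 and SHA-256 are mandatory on every Android release.
            throw new IllegalStateException(e);
        }
    }

    static String hex(byte[] bytes) {
        char[] out = new char[bytes.length * 2];
        for (int i = 0; i < bytes.length; i++) {
            out[i * 2]     = HEX[(bytes[i] >> 4) & 0xF];
            out[i * 2 + 1] = HEX[bytes[i] & 0xF];
        }
        return new String(out);
    }
}
```

For the one SHA-1 hit in WebSocketImpl no change is possible or needed: the RFC 6455 handshake defines Sec-WebSocket-Accept as base64(SHA-1(key + GUID)), and the GUID 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 that the secrets scanner reports further down is that public protocol constant.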
Medium-severity vulnerability: The application may contain hard-coded secrets.
The following strings were identified as possible secrets; confirm that none of them is confidential or private:
- "library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1"
- 7ZWY64KY7J2YIO2MjOydvOydhCDshKDtg50=
- 258EAFA5-E914-47DA-95CA-C5AB0DC85B11
- 2KfbjNqpINmB2KfYptmEINmF24zauiDYs9uSINin2YbYqtiu2KfYqCDaqdix24zaug==
- 025965f43acd053bdfdf817b35f54275
- 7a5b85d3ee2e0991ca3502602e9389a98f55c0576b887125894a7ec03823f8d3
- 40f65c7ec5d04a1f241e9e4f417ffafd
- 2LHYpyDYp9mG2KrYrtin2Kgg2qnZhtuM2K8g24zaqSDZgdin24zZhA==
- b6834583e7ca6f5959b29bb9d163c9cf
Note: the first entry is a library attribution string and 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 is the public WebSocket handshake GUID from RFC 6455; neither is a secret. The remaining entries are base64 strings and 32- or 64-character hex values (MD5- and SHA-256-sized). Decode the base64 strings and locate where each hex value is compared or sent (LoginConstants.java and Urls.java from the hard-coded-data finding above are the natural starting points) before deciding whether any of them gates access to anything.
Informational: The application writes log output; sensitive information must not be logged.
Note: most of the listed files belong to bundled third-party and tooling code (antlr, asm, cobertura, dolby, AndroidAsync). The app's own logging wrapper is com/zanmeishi/zanplayer/utils/log/LogUtil.java; the practical control is to have it drop everything below the warning level in release builds and to review the call sites in DataGetter.java, DownloadListBussiness.java and UpdateApkDownloader.java, where login, download and update data flow through. Logcat is readable by any app on API 15 and below and by anyone with adb on every release.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: antlr/ASTFactory.java, line(s) 263 antlr/CSharpCodeGenerator.java, line(s) 81,119,139,181,216,247,335,430,460,1103,1144,1214,1222,1229,1245,1365,1833,2117 antlr/CharScanner.java, line(s) 223,228,233,238,240,246,248,316,323,328 antlr/CodeGenerator.java, line(s) 184 antlr/CppCodeGenerator.java, line(s) 318,358,376,383,409,449,483,514,599,693,721,1254,1281,1359,1371,1378,1394,2409,2599,2696 antlr/DumpASTVisitor.java, line(s) 10,21,23,25,26 antlr/JavaCodeGenerator.java, line(s) 77,110,128,296,331,489,563,720,749,909,952,1014,1022,1029,1045,1163,1571,1829 antlr/LLkAnalyzer.java, line(s) 32,60,67,73,78,82,104,111,160,173,188,200,207,210,214,233,237,268,272,278,288,299,309,313,323,338,358,366,373,379,402,427,436,440,454,469,488,496,504,518,530,538,553,574,582,597,617,628,638,648,653,659,668 antlr/LLkParser.java, line(s) 42,45,48,50,53 antlr/Parser.java, line(s) 160,207,212,214,220,222,262,269,274 antlr/Tool.java, line(s) 216,221,259,260,261,262,263,264,265,266,267,268,269,270,274,289,290,291,292,293,322,330,417,421,425,432,434,326 antlr/TreeParser.java, line(s) 50,55,59,63,80,87,92 antlr/build/Tool.java, line(s) 17,120,124,132,116,128 antlr/collections/impl/Vector.java, line(s) 38 antlr/debug/InputBufferReporter.java, line(s) 9,14,19,24,29 antlr/debug/LLkDebuggingParser.java, line(s) 279,304,305 antlr/debug/ParserReporter.java, line(s) 6,11,16,21,26,31,36,41,46,51,56,61 antlr/debug/Tracer.java, line(s) 16,23 antlr/debug/misc/ASTFrame.java, line(s) 24,26,28 antlr/debug/misc/JTreeASTModel.java, line(s) 84 antlr/preprocessor/Tool.java, line(s) 26,28 cn/dreamtobe/kpswitch/handler/KPSwitchRootLayoutHandler.java, line(s) 34,45,49,55,59 cn/dreamtobe/kpswitch/util/KeyboardUtil.java, line(s) 43,174,181,221,152,190,207 cn/dreamtobe/kpswitch/util/StatusBarHeightUtil.java, line(s) 21 cn/dreamtobe/kpswitch/util/ViewUtil.java, line(s) 16
com/daimajia/slider/library/SliderTypes/BaseSliderView.java, line(s) 198 com/daimajia/slider/library/Tricks/ViewPagerEx.java, line(s) 471,477,2083,500 com/dolby/dap/DLog.java, line(s) 10,16 com/dolby/dap/DolbyAudioProcessing.java, line(s) 27,33,47,52,57,70,87,96,36,29,78,105,114,123,132,141,40 com/dolby/dap/DsClient07Wrapper.java, line(s) 48,51,55,58,62,71,76,87,244,30,42,91,102,113,124,135,150,162,173,184,194,214,225,235,28,38 com/dolby/dap/DsClient10Wrapper.java, line(s) 48,51,55,58,62,71,76,87,244,30,42,91,102,113,124,135,150,162,173,184,194,214,225,235,28,38 com/dolby/dap/DsClient13Wrapper.java, line(s) 159,162,166,169,173,182,187,198,206,210,212,216,233,254,269,282,299,324,434,516,138,153,236,257,272,284,308,327,340,351,362,372,382,393,404,415,425,446,456,467,478,488,499,509,135,149 com/dolby/dap/DsClientFactory.java, line(s) 32,35 com/dolby/dap/DsClientManager.java, line(s) 83,86,103,106,114,161,173,180,201,210,215,219,226,230,237,245,258,261,286,305,312,323,330,333,338,341,352,362,365,370,372,383,387,389,398,406,418,425,428,431,439,443,472,475,479,484,488,503,518,529,539,553,559,561,573,578,584,586,588,598,603,185,212,223,239,252,272,280,299,314,325,346,357,413,531,568,593,249,267,278,296,491,548,560,587 com/github/ybq/android/spinkit/animation/SpriteAnimatorBuilder.java, line(s) 145 com/koushikdutta/async/AsyncNetworkSocket.java, line(s) 221 com/koushikdutta/async/AsyncServer.java, line(s) 217,377,539,646,714,729,870,900,902,906 com/koushikdutta/async/ByteBufferList.java, line(s) 343 com/koushikdutta/async/PushParser.java, line(s) 235 com/koushikdutta/async/Util.java, line(s) 31,41,42 com/koushikdutta/async/http/AsyncHttpRequest.java, line(s) 255,263,264,272,280,281,231,239,247 com/koushikdutta/async/http/HybiParser.java, line(s) 427 com/koushikdutta/async/http/cache/RawHeaders.java, line(s) 107 com/koushikdutta/async/http/server/AsyncHttpServer.java, line(s) 62,112,106 com/koushikdutta/async/http/server/AsyncHttpServerRequestImpl.java, line(s) 83 
com/koushikdutta/async/http/server/AsyncHttpServerRouter.java, line(s) 245 com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 121 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 272,312 com/nineoldandroids/animation/PropertyValuesHolder.java, line(s) 157,188,236,254,256,274,276,311,313,447,449,537,539 com/tencent/mm/androidcov/Instrumenter.java, line(s) 80,85,87 com/tencent/mm/androidcov/Logger.java, line(s) 5,9,13,17 com/tencent/mm/androidcov/example/Hello.java, line(s) 8,13 com/tencent/mm/androidcov/example/ThreadExample.java, line(s) 29,56 com/tencent/mm/androidcov/util/Trace.java, line(s) 12 com/tencent/moduleupdate/TSystemLoad.java, line(s) 9,18,21 com/zanmeishi/zanplayer/business/download/DownloadListBussiness.java, line(s) 263,273 com/zanmeishi/zanplayer/business/login/model/DataGetter.java, line(s) 253 com/zanmeishi/zanplayer/business/player/AVRCPService.java, line(s) 24,34,42,71,74 com/zanmeishi/zanplayer/business/update/UpdateApkDownloader.java, line(s) 74 com/zanmeishi/zanplayer/main/MainActivity.java, line(s) 305 com/zanmeishi/zanplayer/member/player/PlayerDragView.java, line(s) 898 com/zanmeishi/zanplayer/util/AppInfoUtil.java, line(s) 60,68 com/zanmeishi/zanplayer/util/BitmapUtil.java, line(s) 475 com/zanmeishi/zanplayer/utils/ConvertUtil.java, line(s) 104 com/zanmeishi/zanplayer/utils/log/LogUtil.java, line(s) 47,51,7,11,15,19,23,27,31,35,39,43 com/zanmeishi/zanplayer/view/PullToRefreshAdapterViewBase.java, line(s) 85,94 com/zanmeishi/zanplayer/view/PullToRefreshBase.java, line(s) 827,1046,1055,1079,1137,1177,1192,1293,1305,1382,1390 com/zanmeishi/zanplayer/view/PullToRefreshHandleViewBase.java, line(s) 277,294,318,329,333,344,357,362,365 com/zanmeishi/zanplayer/widget/lrcview/LrcRow.java, line(s) 40 net/sourceforge/cobertura/util/IOUtil.java, line(s) 70,84 org/greenrobot/eventbus/Logger.java, line(s) 32,37 org/objectweb/asm/commons/JSRInlinerAdapter.java, line(s) 186 org/objectweb/asm/util/ASMifier.java, line(s) 232,233 
org/objectweb/asm/util/CheckClassAdapter.java, line(s) 232,233 org/objectweb/asm/util/Textifier.java, line(s) 160,161 org/objectweb/asm/xml/Processor.java, line(s) 599,601,649,650,651,721 org/sufficientlysecure/htmltextview/HtmlLocalImageGetter.java, line(s) 22 org/sufficientlysecure/htmltextview/HtmlRemoteImageGetter.java, line(s) 55 org/sufficientlysecure/htmltextview/HtmlTextView.java, line(s) 89
Informational: The application copies data to the clipboard. Sensitive data should not be placed on the clipboard, because other applications can read it.
Note: the listed call sites are share and "copy link" features, which is a legitimate use. On API 33 and later the system shows a preview of copied content; mark anything sensitive with ClipDescription.EXTRA_IS_SENSITIVE so it is not previewed, and never copy tokens or credentials.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/zanmeishi/zanplayer/business/homepage/FragmentHomeAlbum.java, line(s) 4,339 com/zanmeishi/zanplayer/business/homepage/FragmentHomeBox.java, line(s) 4,296 com/zanmeishi/zanplayer/business/homepage/FragmentHomeSinger.java, line(s) 4,404 com/zanmeishi/zanplayer/main/ShareAppActivity.java, line(s) 4,39 com/zanmeishi/zanplayer/member/player/PlayerDragView.java, line(s) 7,822
Passed: The application uses SSL pinning to detect or prevent man-in-the-middle attacks on secure channels.
Caveat: this is a pattern match, not a verification that pinning is enforced. The hits in AsyncSSLSocketWrapper are library code, and the two in ZanRetrofit.java sit next to an SSLManager that the High finding above identifies as accepting any certificate. Pinning layered on top of a trust-all manager does not restore security; the custom trust manager has to go first. Confirm by proxying the app with a self-signed certificate and checking that connections to zanmei.ai fail.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/koushikdutta/async/AsyncSSLSocketWrapper.java, line(s) 694,113,136,690,692,694,691,691 com/zanmeishi/zanplayer/http/ZanRetrofit.java, line(s) 28,28
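The trust-all pattern that the SSLManager finding describes, next to the pinned OkHttp client that should replace it. This is an added example written for this report, not the app's SSLManager or ZanRetrofit code; the pin values, the API base URL and the class name are assumptions. It assumes OkHttp 3.x or later and Retrofit 2, which the ZanRetrofit class name suggests the app already uses.

```java
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import retrofit2.Retrofit;

public final class TlsExamples {

    // BEFORE: the "trust everything" pattern. Both callbacks are no-ops and the
    // verifier accepts any host name, so a certificate minted by an on-path
    // attacker (or a user-installed proxy CA) passes the handshake unchallenged.
    static SSLSocketFactory trustAllFactory() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        return ctx.getSocketFactory();
    }

    static final HostnameVerifier ACCEPT_ANY_HOST = (hostname, session) -> true;

    // AFTER: keep OkHttp's default trust manager (the platform CA store, subject
    // to the network security config) and pin the SubjectPublicKeyInfo hashes of
    // the API host. The hash values are placeholders; obtain the real ones from
    // the server certificate with openssl (x509 -pubkey | pkey -pubin -outform der
    // | dgst -sha256 -binary | base64) and always ship a backup pin.
    static OkHttpClient pinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add("zanmei.ai",
                 "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",   // current leaf or issuing CA
                 "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")   // backup, for rotation
            .add("*.zanmei.ai",
                 "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
                 "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=")
            .build();
        return new OkHttpClient.Builder()
            .certificatePinner(pinner)
            // Deliberately no sslSocketFactory() or hostnameVerifier() override:
            // either one would reintroduce the weakness above.
            .build();
    }

    // How a ZanRetrofit-style entry point would consume the client (base URL assumed).
    static Retrofit retrofit() {
        return new Retrofit.Builder()
            .baseUrl("https://api.zanmei.ai/")
            .client(pinnedClient())
            .build();
    }
}
```

Pinning in code and pinning in the network security config are alternatives; the config applies to every HTTPS client in the process, while the OkHttp pinner applies only to this client. Whichever is used, a pin mismatch must fail the request rather than fall back to an unpinned retry.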
Passed: The application contains no privacy trackers.
No user or device tracking libraries were identified during static analysis.
Overall security baseline score summary

爱赞美 v1.0.1
Android APK
41
Overall security score
Medium risk