页面标题
页面副标题
移动应用安全检测报告
AcFan v1.5.1
41
安全评分
安全基线评分
41/100
中风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
4
高危
11
中危
2
信息
1
安全
隐私风险评估
1
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
4
中危安全漏洞
11
安全提示信息
2
已通过安全项
1
重点安全关注
2
高危安全漏洞 基本配置不安全地配置为允许到所有域的明文流量。
Scope: *
高危安全漏洞 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: d/h/a/a/h0/a.java, line(s) 31
高危安全漏洞 已启用远程WebView调试
已启用远程WebView调试 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/just/agentweb/AgentWebConfig.java, line(s) 48,8
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/just/agentweb/UrlLoaderImpl.java, line(s) 70,75,5
中危安全漏洞 应用数据允许备份
[android:allowBackup=true] 该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据,存在数据泄露风险。
中危安全漏洞 Activity (com.grass.mh.ui.mine.activity.LoginActivity) 未受保护。
存在 intent-filter。 检测到 Activity 已与设备上的其他应用共享,因此可被任意应用访问。intent-filter 的存在表明该 Activity 被显式导出,存在安全风险。
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/just/agentweb/AbsAgentWebSettings.java, line(s) 41,24
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/grass/mh/ui/community/adapter/CommunityAdAdapter.java, line(s) 15 com/grass/mh/ui/shortvideo/adapter/TikTokAdapter.java, line(s) 31 com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 15 com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 26 d/c/a/a/d/b.java, line(s) 6 d/o/a/a/b/a.java, line(s) 7 h/q/a.java, line(s) 7 h/q/b.java, line(s) 4 h/q/c/a.java, line(s) 4
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/danikula/videocache/StorageUtils.java, line(s) 14,34 com/grass/mh/utils/DownloadApkUtil.java, line(s) 61,61 com/just/agentweb/AgentWebUtils.java, line(s) 303,360,384 com/maning/updatelibrary/utils/MNUtils.java, line(s) 20 com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 190 d/l/b/g/f.java, line(s) 82 d/l/b/g/g/b.java, line(s) 899 d/m/b/a.java, line(s) 27 org/dsq/library/callback/M3u8FileConvert.java, line(s) 18
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/danikula/videocache/ProxyCacheUtils.java, line(s) 44 com/just/agentweb/AgentWebUtils.java, line(s) 575 d/e/a/d0.java, line(s) 186,204
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/lzy/okgo/cache/CacheEntity.java, line(s) 14 com/lzy/okgo/exception/CacheException.java, line(s) 17,13 d/d/a/m/o/o.java, line(s) 85
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/danikula/videocache/HttpProxyCacheServer.java, line(s) 30 d/p/a/e/b.java, line(s) 94
中危安全漏洞 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/grass/mh/ui/home/OnlineServiceChannelActivity.java, line(s) 54,58 com/grass/mh/ui/mine/activity/OnlineServiceActivity.java, line(s) 48,52
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/danikula/videocache/sourcestorage/DatabaseSourceInfoStorage.java, line(s) 6,7,63 d/m/a/f/d.java, line(s) 3,4,26,27,28,29,40,43,46,49 k/b/b/f/f.java, line(s) 4,50
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: b/b/a/n.java, line(s) 37 b/b/b/a/a.java, line(s) 74 b/b/e/b.java, line(s) 137,170,182,192,354 b/b/f/b0.java, line(s) 93,161 b/b/f/d.java, line(s) 254 b/b/f/e0.java, line(s) 23,33 b/b/f/h.java, line(s) 31 b/b/f/n.java, line(s) 95,104,176 b/b/f/o.java, line(s) 118 b/b/f/u.java, line(s) 85,119,211,225,269 b/b/f/v.java, line(s) 31 b/d/a/e2.java, line(s) 12,18,17,23,24,29,37,38 b/d/a/f2.java, line(s) 65 b/d/a/r2/f/a.java, line(s) 17 b/h/c/a/c.java, line(s) 38,116 b/h/c/a/e.java, line(s) 185,192 b/h/c/a/j.java, line(s) 332,363,600,739,836,871,201 b/h/c/a/o.java, line(s) 236,241 b/h/d/a.java, line(s) 219,111,268 b/h/d/b.java, line(s) 1046,1831,2590,2062,272,356,381,399,1062,1095,1651,1914,1960,1986,2678,2685 b/h/d/d.java, line(s) 91 b/j/a/d.java, line(s) 30 b/j/b/b/e.java, line(s) 34 b/j/c/c.java, line(s) 42,47 b/j/c/d.java, line(s) 59 b/j/c/e.java, line(s) 48 b/j/c/g/d.java, line(s) 25,48 b/j/d/b.java, line(s) 23 b/j/h/d.java, line(s) 184,216 b/j/h/l.java, line(s) 20,31 b/j/h/o.java, line(s) 126,203,539,551,558,567,50,192 b/k/a/b.java, line(s) 360 b/n/a/a.java, line(s) 356,539,671,681,690,696,727,813,877,939,1080,1091,1098,1200,1263,1455,1547,1616,1668,1702,1734,1764,1942,385,91,560,868,887,895,1130,1141,1408,1417,1593 b/o/a/a.java, line(s) 46,179,192,204 b/o/a/j0.java, line(s) 17 b/o/a/n.java, line(s) 1583,1606,1613,610,1235,615,1514,1238,1309 b/o/a/r.java, line(s) 103,117 b/o/a/u.java, line(s) 88,37,45,53,59 b/o/a/v.java, line(s) 70,121,241,265,352,379,418,439,456,468,556,631,672,767,777,232,338,498,516,522,567,604,702,811 b/o/a/w.java, line(s) 107,117 b/s/f.java, line(s) 39,45 b/s/h.java, line(s) 33 b/s/i.java, line(s) 31,63 b/s/j.java, line(s) 27 b/s/k.java, line(s) 37 b/s/m.java, line(s) 30 b/s/n.java, line(s) 32 b/t/a.java, line(s) 177,191,44,63,77,81,91,69,85,95,139 b/x/d.java, line(s) 30 b/x/z.java, line(s) 45 com/contrarywind/view/WheelView.java, line(s) 334 com/danikula/videocache/HttpProxyCacheDebuger.java, line(s) 35,56,70,42,49 com/grass/mh/App.java, line(s) 116 com/grass/mh/player/BrushVideoPlayer.java, line(s) 164 com/grass/mh/player/tiktok/TikTokPlayer.java, line(s) 67 com/grass/mh/ui/comment/InputTextDialog.java, line(s) 98 com/grass/mh/ui/mine/activity/AddGroupActivity.java, line(s) 87 com/grass/mh/ui/mine/fragment/MineFansAddFragment.java, line(s) 61 com/grass/mh/ui/shortvideo/ShortVideoFollowFragment.java, line(s) 223 com/grass/mh/ui/shortvideo/ShortVideoHotFragment.java, line(s) 205 com/grass/mh/ui/shortvideo/VideoListActivity.java, line(s) 244 com/grass/mh/utils/CThreadPoolExecutor.java, line(s) 39,115,40,83,120 com/grass/mh/utils/KeyBoardChangeListener.java, line(s) 24 com/grass/mh/view/WheelView.java, line(s) 267 com/grass/mh/view/gridpager/PagerConfig.java, line(s) 13,19 com/grass/mh/view/gridpager/PagerGridLayoutManager.java, line(s) 415,419,502,506 com/grass/mh/viewmodel/VideoPlayerModel.java, line(s) 28 com/just/agentweb/AgentWebUtils.java, line(s) 155,126,127,135,148 com/just/agentweb/AgentWebView.java, line(s) 56,87,100,35,225 com/just/agentweb/DefaultChromeClient.java, line(s) 269,275 com/just/agentweb/DefaultDownloadImpl.java, line(s) 253 com/just/agentweb/JsCallJava.java, line(s) 115,68,42,81 com/just/agentweb/JsCallback.java, line(s) 69 com/just/agentweb/LogUtils.java, line(s) 9,24,38,14,32 com/lxj/xpopup/util/XPermission.java, line(s) 88 com/maning/updatelibrary/InstallUtils.java, line(s) 185 com/maning/updatelibrary/http/DownloadFileUtils.java, line(s) 235 com/tbruyelle/rxpermissions2/RxPermissionsFragment.java, line(s) 46,89 com/yalantis/ucrop/UCropActivity.java, line(s) 509 com/yalantis/ucrop/view/OverlayView.java, line(s) 228,231 com/yalantis/ucrop/view/TransformImageView.java, line(s) 71,155,210 d/a/a/a/a.java, line(s) 155 d/c/a/a/a/a.java, line(s) 14,26 d/c/a/a/c/b/d.java, line(s) 78,77 d/c/a/a/d/b.java, line(s) 45,48 d/c/a/a/d/d/a.java, line(s) 140 d/d/a/c.java, line(s) 229,242,247,250,266,276,228,235,241,246,249,265,272,367,236,368 d/d/a/g.java, line(s) 334,297,298 d/d/a/h.java, line(s) 94,93 d/d/a/j/a.java, line(s) 294 d/d/a/k/d.java, line(s) 178,205,175,204 d/d/a/k/e.java, line(s) 91,112,130,90,111,129 d/d/a/l/a/c/h.java, line(s) 64,154,167,184,275,61,117,153,162,179 d/d/a/l/a/c/i.java, line(s) 327,298,326,354,378,314,364,403 d/d/a/l/a/c/j.java, line(s) 17,18 d/d/a/m/n/b.java, line(s) 49,48 d/d/a/m/n/j.java, line(s) 45,114,166,42,113,165,169,175,182,179,185 d/d/a/m/n/l.java, line(s) 50,49 d/d/a/m/n/o/b.java, line(s) 95,94 d/d/a/m/o/a0/e.java, line(s) 49,81,93,103,50,94,82,106 d/d/a/m/o/a0/k.java, line(s) 94,79 d/d/a/m/o/b0/a.java, line(s) 70,69 d/d/a/m/o/h.java, line(s) 137,138 d/d/a/m/o/j.java, line(s) 24,162 d/d/a/m/o/y.java, line(s) 63,64 d/d/a/m/o/z/i.java, line(s) 139,176,143,181 d/d/a/m/o/z/j.java, line(s) 58,69,170,214,53,57,68,117,125,135,165,182,201,213,118,126,155,187,202 d/d/a/m/p/c.java, line(s) 16,15 d/d/a/m/p/d.java, line(s) 41,40 d/d/a/m/p/f.java, line(s) 100,99 d/d/a/m/p/s.java, line(s) 101,102 d/d/a/m/p/t.java, line(s) 39,38 d/d/a/m/q/a.java, line(s) 82,122,93,132 d/d/a/m/q/c/j.java, line(s) 21,26,22,29 d/d/a/m/q/c/m.java, line(s) 50,53,51,54 d/d/a/m/q/c/q.java, line(s) 51,57,63,69,75,82,88,102,111,52,58,64,70,76,83,89,112,103 d/d/a/m/q/c/y.java, line(s) 85,94,101,86,95,102,103,104,108 d/d/a/m/q/g/a.java, line(s) 67,137,144,151,75,140,147,154 d/d/a/m/q/g/c.java, line(s) 19,20 d/d/a/m/q/g/i.java, line(s) 47,48 d/d/a/n/e.java, line(s) 38,35,79,100,80,101 d/d/a/n/o.java, line(s) 62,63 d/d/a/n/p.java, line(s) 208,209,220 d/d/a/q/i/d.java, line(s) 46,92,93,47 d/d/a/q/i/k.java, line(s) 66,115,116,67 d/d/a/s/j/a.java, line(s) 41,44 d/f/b/a.java, line(s) 90 d/h/a/a/e0/f/e.java, line(s) 162 d/h/a/a/g0/p/g.java, line(s) 84 d/h/a/a/g0/q/h.java, line(s) 225 d/h/a/a/g0/r/c.java, line(s) 93 d/h/a/a/g0/r/h.java, line(s) 299 d/h/a/a/g0/r/o.java, line(s) 118,124,180 d/h/a/a/g0/s/a.java, line(s) 48 d/h/a/a/h.java, line(s) 80 d/h/a/a/h0/j.java, line(s) 300,320,325 d/h/a/a/i.java, line(s) 270,272,280,282,331,336 d/h/a/a/k0/k/a.java, line(s) 89,92 d/h/a/a/k0/l/c.java, line(s) 160,74,171,528,537,547 d/h/a/a/k0/n/c.java, line(s) 66 d/h/a/a/k0/n/d.java, line(s) 107 d/h/a/a/k0/n/e.java, line(s) 71 d/h/a/a/l0/j.java, line(s) 78 d/h/a/a/o.java, line(s) 310,319,330 d/h/a/b/a/g.java, line(s) 48 d/h/a/b/p/a.java, line(s) 315 d/h/a/b/t/b.java, line(s) 119,154 d/h/a/b/u/a.java, line(s) 41 d/i/a/c.java, line(s) 55 d/i/a/k/e0/j0.java, line(s) 15 d/i/a/k/g0/c/s1.java, line(s) 21 d/i/a/k/g0/c/t1.java, line(s) 26 d/i/a/k/g0/c/v1.java, line(s) 29 d/i/a/k/g0/c/w1.java, line(s) 26 d/i/a/k/g0/c/y1.java, line(s) 21 d/i/a/k/g0/c/z1.java, line(s) 31 d/i/a/k/g0/e/d.java, line(s) 25 d/i/a/k/g0/e/e.java, line(s) 26 d/i/a/k/g0/e/i.java, line(s) 29 d/l/b/g/g/b.java, line(s) 1912,907 d/m/a/f/a.java, line(s) 63,71,90,95,116 d/m/b/a.java, line(s) 68,72 d/m/b/b/b.java, line(s) 184,188 d/r/a/l/b.java, line(s) 46,88,160,166,174,185,202 d/r/a/m/b.java, line(s) 78,82,91,111,133,163,176,182,39,75,81,84,90,108,130,143,158,172,175,178,181,184 k/b/a/f.java, line(s) 10,15 k/b/b/a.java, line(s) 326 org/dsq/library/widget/CacheM3u8FilePlayer.java, line(s) 64 org/dsq/library/widget/bigImage/SubsamplingScaleImageView.java, line(s) 639,208,212,388,392,460,795,800,811,820,1521,1730,2051 org/dsq/library/widget/bigImage/decoder/SkiaPooledImageRegionDecoder.java, line(s) 120 org/greenrobot/greendao/DaoException.java, line(s) 16,17
安全提示信息 此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密
此应用程序使用SQL Cipher。SQLCipher为sqlite数据库文件提供256位AES加密 Files: org/greenrobot/greendao/database/SqlCipherEncryptedHelper.java, line(s) 18,8,9
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: d/m/a/g/a.java, line(s) 82,48,81,69,80,80
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (clsp.fun) 通信。
{'ip': '106.119.171.53', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '无锡', 'latitude': '31.569349', 'longitude': '120.288788'}
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (tc-bj-alijs-1324672756.cos.ap-beijing.myqcloud.com) 通信。
{'ip': '106.119.171.53', 'country_short': 'CN', 'country_long': '中国', 'region': '河北', 'city': '石家庄', 'latitude': '38.041599', 'longitude': '114.478081'}
综合安全基线评分总结
AcFan v1.5.1
Android APK
41
综合安全评分
中风险