Security Score: 52/100
Risk Rating
Grade scale:
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 1 user/device tracker
Findings
- High: 2
- Medium: 14
- Info: 3
- Secure: 2
- Hotspot: 0
HIGH: Application is vulnerable to the Janus vulnerability
The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications running on Android 5.0-7.0 that are signed with the v1 scheme together with the v2/v3 schemes are also vulnerable.
HIGH: The app uses ECB mode in its encryption algorithm. ECB mode is known to be weak because it produces identical ciphertext for identical plaintext blocks.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: k8/b.java, line(s) 95
MEDIUM: The app can be installed on a vulnerable, un-patched Android version
Android 5.0-5.0.2, [minSdk=21]. This app can be installed on older versions of Android that have multiple unfixed vulnerabilities. These devices do not receive reasonable security updates from Google. Support Android version >= 10 (API 29) to receive reasonable security updates.
MEDIUM: Application data can be backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
MEDIUM: Activity-Alias (eu.thedarken.sdm.SDMMainHiddenLaunch) is not protected.
[android:exported=true] The Activity-Alias is found to be shared with other apps on the device, leaving it accessible to any other application on the device.
MEDIUM: Activity (eu.thedarken.sdm.main.ui.upgrades.UpgradeActivity) is not protected.
[android:exported=true] The Activity is found to be shared with other apps on the device, leaving it accessible to any other application on the device.
MEDIUM: Activity (eu.thedarken.sdm.oneclick.widget.OneClickWidgetConfigActivity) is not protected.
[android:exported=true] The Activity is found to be shared with other apps on the device, leaving it accessible to any other application on the device.
MEDIUM: Broadcast Receiver (eu.thedarken.sdm.oneclick.widget.QuickAccessWidgetProvider) is not protected.
[android:exported=true] The Broadcast Receiver is found to be shared with other apps on the device, leaving it accessible to any other application on the device.
MEDIUM: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: b2/f.java, line(s) 37 b2/q.java, line(s) 95 b2/w.java, line(s) 75 com/bugsnag/android/DeliveryHeadersKt.java, line(s) 20 com/bugsnag/android/EventFilenameInfo.java, line(s) 278 com/bugsnag/android/ExceptionHandler.java, line(s) 6 com/bugsnag/android/ImmutableConfig.java, line(s) 371 com/bugsnag/android/ManifestConfigLoader.java, line(s) 14 com/bugsnag/android/SharedPrefMigrator.java, line(s) 10,11,12,13 com/bugsnag/android/SystemBroadcastReceiver.java, line(s) 12 eu/thedarken/sdm/main/core/updates/UpdateApi.java, line(s) 22 eu/thedarken/sdm/main/core/upgrades/account/LicenseApi.java, line(s) 22,159,437 lc/b.java, line(s) 26,47,20,58,9,31,14,41,36,52 y1/f.java, line(s) 47
MEDIUM: This app may request root (superuser) privileges
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: eu/thedarken/sdm/exclusions/core/a.java, line(s) 32 o5/d.java, line(s) 22,23,21,21
MEDIUM: The app can read from/write to external storage. Any app can read data written to external storage.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/github/mikephil/charting/charts/Chart.java, line(s) 675,723 com/github/mikephil/charting/utils/FileUtils.java, line(s) 124,153 eu/thedarken/sdm/exclusions/ui/ExclusionManagerFragment.java, line(s) 391 eu/thedarken/sdm/systemcleaner/ui/filter/user/UserFilterFragment.java, line(s) 430 eu/thedarken/sdm/ui/picker/PickerActivity.java, line(s) 50,60 eu/thedarken/sdm/ui/picker/PickerFragment.java, line(s) 62,433 hb/e.java, line(s) 27,29 j9/b.java, line(s) 152 q5/m1.java, line(s) 27 t7/g.java, line(s) 373,373,373 w7/a.java, line(s) 68
MEDIUM: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: a3/c.java, line(s) 6,183 h3/b.java, line(s) 10,105 i3/k.java, line(s) 4,26 j3/j.java, line(s) 4,33 j3/k.java, line(s) 3,34 j3/n.java, line(s) 4,27 j3/o.java, line(s) 4,5,92 j3/q.java, line(s) 4,5,205 x4/a.java, line(s) 4,5,58
MEDIUM: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/bugsnag/android/DeliveryHeadersKt.java, line(s) 31 k8/b.java, line(s) 87
MEDIUM: The app uses an insecure random number generator.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: j7/f.java, line(s) 29
MEDIUM: The application contains privacy trackers
This app has 1 privacy tracker(s). Trackers can track the device or the user and are a privacy concern for end users.
MEDIUM: This app may contain hardcoded secrets
The following secrets were identified in the app. Make sure these are not secrets or private information:
"category_user" : "Pengguna" "tag_user" : "صارف" "tag_user" : "使用者" "category_user" : "Bikaranîvan" "private_storage" : "พื้นที่เก็บข้อมูลส่วนตัว" "owner_user" : "Felhasználó" "tag_user" : "Utente" "owner_user" : "ഉടമസ്ഥൻ" "owner_user" : "Pengguna" "owner_user" : "משתמש" "private_data_corpses_summary" : "标准专用应用程序数据。" "owner_user" : "Naudotojas" "owner_user" : "İstifadəçi" "owner_user" : "प्रयोगकर्ता" "category_user" : "Usuário" "owner_user" : "صارف" "category_user" : "Käyttäjä" "owner_user" : "Používateľ" "owner_user" : "Gebruiker" "category_user" : "Naudotojas" "category_user" : "Корисник" "tag_user" : "Korisnik" "owner_user" : "පරිශිලක" "tag_user" : "Gebruiker" "category_user" : "کاربر" "owner_user" : "Përdoruesi" "tag_user" : "පරිශිලක" "category_user" : "Χρήστης" "owner_user" : "Корисник" "category_user" : "使用者" "owner_user" : "Użytkownik" "category_user" : "Utilisateur" "private_storage" : "私人儲存空間" "owner_user" : "Utente" "tag_user" : "Uporabnik" "tag_user" : "Utilizador" "tag_user" : "Käyttäjä" "category_user" : "Користувач" "owner_user" : "Bikaranîvan" "tag_user" : "მომხმარებელი" "owner_user" : "Käyttäjä" "tag_user" : "Kasutaja" "owner_user" : "ผู้ใช้" "category_user" : "사용자" "tag_user" : "Paydalanıwshı" "tag_user" : "Utilizator" "tag_user" : "Потребител" "private_storage" : "プライベートストレージ" "tag_user" : "Bikaranîvan" "category_user" : "Utilizador" "owner_user" : "کاربر" "tag_user" : "Benutzer" "category_user" : "Utilizator" "category_user" : "प्रयोगकर्ता" "tag_user" : "User" "category_user" : "Felhasználó" "tag_user" : "ഉടമസ്ഥൻ" "category_user" : "用户" "category_user" : "Paydalanıwshı" "owner_user" : "उपयोगकर्ता" "tag_user" : "Användare" "tag_user" : "Používateľ" "tag_user" : "Pengguna" "category_user" : "उपयोगकर्ता" "owner_user" : "Uživatel" "category_user" : "පරිශිලක" "tag_user" : "Użytkownik" "owner_user" : "Користувач" "tag_user" : "사용자" "category_user" : "User" "category_user" : "Uživatel" "tag_user" : "Bruger" "category_user" : 
"Usuario" "category_user" : "ব্যবহারকারী" "tag_user" : "ผู้ใช้" "private_data_corpses_summary" : "標準のプライベートアプリのデータ。" "tag_user" : "İstifadəçi" "tag_user" : "Utilisateur" "tag_user" : "Корисник" "tag_user" : "उपयोगकर्ता" "setup_accessibilityservice_api_rationale" : "54a54909e61f19d00f32a88b8c484245d03c7eaf" "tag_user" : "Notandi" "tag_user" : "ユーザー" "owner_user" : "Карыстальнік" "category_user" : "Impitadore" "tag_user" : "Χρήστης" "category_user" : "Kullanıcı" "category_user" : "Usuari" "owner_user" : "Utilizador" "category_user" : "ผู้ใช้" "category_user" : "Bruger" "tag_user" : "مستخدم" "category_user" : "משתמש" "tag_user" : "Uživatel" "category_user" : "ഉടമസ്ഥൻ" "tag_user" : "Felhasználó" "owner_user" : "Bruker" "owner_user" : "Impitadore" "tag_user" : "Impitadore" "owner_user" : "Benutzer" "owner_user" : "Utilizator" "category_user" : "صارف" "category_user" : "ユーザー" "owner_user" : "Notandi" "tag_user" : "Usuário" "category_user" : "Kasutaja" "owner_user" : "Usuario" "tag_user" : "प्रयोगकर्ता" "owner_user" : "Bruger" "owner_user" : "Erabiltzailea" "owner_user" : "ユーザー" "category_user" : "Användare" "owner_user" : "Uporabnik" "owner_user" : "მომხმარებელი" "category_user" : "Bruker" "tag_user" : "用户" "owner_user" : "사용자" "owner_user" : "用户" "category_user" : "Gebruiker" "tag_user" : "ব্যবহারকারী" "tag_user" : "Usuari" "tag_user" : "Користувач" "owner_user" : "Utilisateur" "private_data_corpses_summary" : "ข้อมูลแอปส่วนตัวแบบมาตรฐาน" "owner_user" : "مستخدم" "owner_user" : "Usuari" "owner_user" : "Usuário" "tag_user" : "Naudotojas" "owner_user" : "Paydalanıwshı" "owner_user" : "Korisnik" "category_user" : "Потребител" "category_user" : "Përdoruesi" "owner_user" : "User" "category_user" : "Карыстальнік" "owner_user" : "Användare" "category_user" : "Erabiltzailea" "private_storage" : "私有存储" "owner_user" : "Kullanıcı" "tag_user" : "Usuario" "category_user" : "Benutzer" "category_user" : "İstifadəçi" "tag_user" : "Пользоват." 
"tag_user" : "משתמש" "owner_user" : "使用者" "category_user" : "Utente" "tag_user" : "Përdoruesi" "tag_user" : "Kullanıcı" "tag_user" : "کاربر" "category_user" : "مستخدم" "owner_user" : "Потребител" "tag_user" : "Bruker" "owner_user" : "Kasutaja" "category_user" : "მომხმარებელი" "category_user" : "Uporabnik" "category_user" : "Użytkownik" "tag_user" : "Карыстальнік" "category_user" : "Notandi" "owner_user" : "Χρήστης" "tag_user" : "Erabiltzailea" "category_user" : "Používateľ" "category_user" : "Пользовательские" "category_user" : "Korisnik" "private_data_corpses_summary" : "標準私人應用程式資料" "owner_user" : "Пользователь"
INFO: The app logs information. Sensitive information should never be logged.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: a1/z.java, line(s) 1401,1423 a2/a.java, line(s) 99,157,98,156 a3/d.java, line(s) 181,254,257,355,356,182 b0/c.java, line(s) 99,86,105 b1/b.java, line(s) 267,278 b1/f.java, line(s) 1012 b2/j.java, line(s) 493,106,224,492,355 b2/k.java, line(s) 127,135,142,128 b2/m.java, line(s) 16,202 b2/y.java, line(s) 39,40 c0/g.java, line(s) 44,53,70 c0/i.java, line(s) 30 c2/h.java, line(s) 153,183,154,184 c2/i.java, line(s) 47,59,147,196,46,58,108,111,118,143,159,165,183,195,198,109,119,128,163,184 com/airbnb/lottie/LottieAnimationView.java, line(s) 81 com/bugsnag/android/DebugLogger.java, line(s) 15,22,28,35,41,48,54,61 com/bugsnag/android/ExceptionHandler.java, line(s) 48 com/bumptech/glide/load/engine/GlideException.java, line(s) 139 com/github/mikephil/charting/charts/BarChart.java, line(s) 94 com/github/mikephil/charting/charts/BarLineChartBase.java, line(s) 307,310,620,625,740,784 com/github/mikephil/charting/charts/Chart.java, line(s) 391,519,569,640,644,747,648 com/github/mikephil/charting/charts/CombinedChart.java, line(s) 119 com/github/mikephil/charting/charts/HorizontalBarChart.java, line(s) 119,80,83 com/github/mikephil/charting/charts/PieRadarChartBase.java, line(s) 223 com/github/mikephil/charting/components/AxisBase.java, line(s) 51 com/github/mikephil/charting/data/ChartData.java, line(s) 78 com/github/mikephil/charting/data/CombinedData.java, line(s) 176,192,199 com/github/mikephil/charting/data/LineDataSet.java, line(s) 206,214 com/github/mikephil/charting/data/PieEntry.java, line(s) 63,75 com/github/mikephil/charting/listener/BarLineChartTouchListener.java, line(s) 233 com/github/mikephil/charting/renderer/CombinedChartRenderer.java, line(s) 122 com/github/mikephil/charting/renderer/ScatterChartRenderer.java, line(s) 50 com/github/mikephil/charting/utils/FileUtils.java, line(s) 29,46,58,81,103,115,147,158,169 
com/github/mikephil/charting/utils/Utils.java, line(s) 68,83,354 d0/c.java, line(s) 49,54 d0/d.java, line(s) 46 d0/e.java, line(s) 57,68 d0/f.java, line(s) 38 d0/g.java, line(s) 47,251 d0/l.java, line(s) 75 d2/d.java, line(s) 26,32,74,106,27,75,33,107 d2/i.java, line(s) 83,68 d3/k.java, line(s) 36,39,43,47,79,82,85,88,91 d4/c.java, line(s) 182 e/b.java, line(s) 121 e/i.java, line(s) 180 e/l.java, line(s) 661,678,1124,1126,1128,2622,2493,2502,2512,2521,2536,2545,2558,2567,705,1830,1840,1845,1900,2053,2065,2317,2320,1027 e/m.java, line(s) 53 e/s.java, line(s) 83,82 e/t.java, line(s) 22,36,47 e0/a.java, line(s) 51,60,79,89 e0/f.java, line(s) 25,36,69 e2/a.java, line(s) 69,68 eu/thedarken/sdm/duplicates/ui/autoselection/AutoSelectionCriteriaAdapter.java, line(s) 91,93 eu/thedarken/sdm/main/ui/SDMMainActivity.java, line(s) 218 f/b.java, line(s) 90 f2/c.java, line(s) 33,32 f2/e.java, line(s) 86,85 f2/s.java, line(s) 85,86 f4/d.java, line(s) 113 fe/h.java, line(s) 77,77 g0/f.java, line(s) 21 g1/p.java, line(s) 33 g3/a.java, line(s) 9,16,8,15 g4/a.java, line(s) 23 gb/s.java, line(s) 96 ge/d.java, line(s) 36 hb/a.java, line(s) 26,29,41 i2/b.java, line(s) 46,45,55,85,86 i2/g.java, line(s) 19,23,20,24 i2/h.java, line(s) 154,176,186,207,214,220,224,227,230,274,278,281,295,298,153,175,185,206,213,219,223,226,229,273,277,280,294,297 i2/j.java, line(s) 106,277,428,105,276,355,372,387,403,427,450,475,551,564,356,451,476,404 i2/k.java, line(s) 51,54,52,55 i2/r.java, line(s) 72,81,88,73,82,89,90,91,94 i2/u.java, line(s) 101,100 i3/c.java, line(s) 91,90 i4/f.java, line(s) 385 j/f.java, line(s) 114,151,163,173,349 j3/o.java, line(s) 224,223 k0/a.java, line(s) 260 k0/a0.java, line(s) 224,245,67,79,86,95,41,218 k0/b.java, line(s) 40 k0/h.java, line(s) 24,38,85,147,186,203,227 k0/q.java, line(s) 506,420,505,145 k0/u.java, line(s) 18,29 l2/a.java, line(s) 60,147,152,157,61,148,153,158 l2/g.java, line(s) 40,41 l9/d.java, line(s) 227 
me/zhanghai/android/materialprogressbar/BaseProgressLayerDrawable.java, line(s) 68 me/zhanghai/android/materialprogressbar/MaterialProgressBar.java, line(s) 247,251,370 n0/e.java, line(s) 24,33 n0/g.java, line(s) 28,27 n2/d.java, line(s) 31,30,59,87,60,88 n2/i.java, line(s) 53,54 n2/j.java, line(s) 168,169,180 n2/m.java, line(s) 53,54 o0/b.java, line(s) 39 o1/d.java, line(s) 146,165 o3/g.java, line(s) 41 q/d.java, line(s) 380 q0/c.java, line(s) 314 q1/j.java, line(s) 48,47,58,59 q2/g.java, line(s) 395,21,338,356 r2/g.java, line(s) 37,101,102,38 s1/c.java, line(s) 18 u/d.java, line(s) 699,131,613 v/a.java, line(s) 137,140,141,142,146 v/b.java, line(s) 224,89 v0/c.java, line(s) 72 v1/b.java, line(s) 15,14 v1/e.java, line(s) 200,213,218,221,237,246,184,199,206,212,217,220,236,243,207,185 v1/i.java, line(s) 216,217 v1/j.java, line(s) 71,70 v2/a.java, line(s) 43,44 vc/b.java, line(s) 12,30 w0/a.java, line(s) 130,135,142,146,158,167 x0/e.java, line(s) 194 x1/d.java, line(s) 180,207,179,206 x1/e.java, line(s) 82,103,117,81,102,116 yd/c.java, line(s) 372 z/d.java, line(s) 93 z/e.java, line(s) 30 z/g.java, line(s) 27 z/h.java, line(s) 37,50,63 z/n.java, line(s) 103,134,140,164,267,277,299,307,99,133,139,163,266,276,298,306,118,143,177,256 z0/a.java, line(s) 37 z1/b.java, line(s) 57,56 z1/i.java, line(s) 65,122,64,68,72,78,121,75,79 z1/k.java, line(s) 38,37
INFO: The app can write to the app directory. Sensitive information should be encrypted.
Files: d7/b.java, line(s) 255,255 eu/thedarken/sdm/App.java, line(s) 167,167 i8/d.java, line(s) 69,69 l7/e.java, line(s) 78,78 t7/d.java, line(s) 244,244 u5/a.java, line(s) 187,187 ua/w.java, line(s) 59,59
INFO: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard because other applications can access it.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: ua/g.java, line(s) 4,23,54
SECURE: This app uses SSL pinning to detect or prevent MITM attacks on its secure communication channel.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: fe/c.java, line(s) 79,78,77 fe/d.java, line(s) 113,102,130,111,111 fe/g.java, line(s) 78,77,76,76 fe/h.java, line(s) 218,206,216,216
SECURE: This app may have root detection capabilities.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/bugsnag/android/RootDetector.java, line(s) 30,30,30