Security Analysis Report: ZY助手 v1.0.0

Security score: 31/100

Privacy risk: 2 user/device trackers


Findings

High 16
Medium 17
Info 2
Secure 2
Hotspot 16

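High: Application is vulnerable to the Janus vulnerability

The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications running on Android 5.0-7.0 that are signed with the v1 scheme together with the v2/v3 scheme are also vulnerable.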

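High: Launch mode of Activity (com.cyjh.elfin.activity.news.SplashActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. The "standard" launch mode attribute must therefore be used when the Intent contains sensitive information.

High: Activity (com.cyjh.elfin.activity.news.SplashActivity) is vulnerable to Android Task Hijacking/StrandHogg

An Activity should not have its launch mode attribute set to "singleTask". Other applications can then place a malicious activity on top of the activity stack, resulting in the Task Hijacking/StrandHogg 1.0 vulnerability. This makes the application an easy target for phishing attacks. The vulnerability can be fixed by setting the launch mode attribute to "singleInstance" or by setting an empty taskAffinity (taskAffinity="") attribute. You can also update the app's target SDK version (26) to 28 or higher to fix this issue at the platform level.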

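High: Launch mode of Activity (com.cyjh.elfin.activity.ElfinFreeActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. The "standard" launch mode attribute must therefore be used when the Intent contains sensitive information.

High: Activity (com.cyjh.elfin.activity.ElfinFreeActivity) is vulnerable to Android Task Hijacking/StrandHogg

An Activity should not have its launch mode attribute set to "singleTask". Other applications can then place a malicious activity on top of the activity stack, resulting in the Task Hijacking/StrandHogg 1.0 vulnerability. This makes the application an easy target for phishing attacks. The vulnerability can be fixed by setting the launch mode attribute to "singleInstance" or by setting an empty taskAffinity (taskAffinity="") attribute. You can also update the app's target SDK version (26) to 28 or higher to fix this issue at the platform level.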

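High: Launch mode of Activity (com.cyjh.elfin.activity.AdActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. The "standard" launch mode attribute must therefore be used when the Intent contains sensitive information.

High: Activity (com.cyjh.elfin.activity.AdActivity) is vulnerable to Android Task Hijacking/StrandHogg

An Activity should not have its launch mode attribute set to "singleTask". Other applications can then place a malicious activity on top of the activity stack, resulting in the Task Hijacking/StrandHogg 1.0 vulnerability. This makes the application an easy target for phishing attacks. The vulnerability can be fixed by setting the launch mode attribute to "singleInstance" or by setting an empty taskAffinity (taskAffinity="") attribute. You can also update the app's target SDK version (26) to 28 or higher to fix this issue at the platform level.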

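High: Launch mode of Activity (com.cyjh.elfin.activity.news.FullScreenTwoAdActivity) is not standard

An Activity should not have its launch mode attribute set to "singleTask/singleInstance", because this makes it a root Activity and may allow other applications to read the contents of the calling Intent. The "standard" launch mode attribute must therefore be used when the Intent contains sensitive information.

High: Activity (com.cyjh.elfin.activity.news.FullScreenTwoAdActivity) is vulnerable to Android Task Hijacking/StrandHogg

An Activity should not have its launch mode attribute set to "singleTask". Other applications can then place a malicious activity on top of the activity stack, resulting in the Task Hijacking/StrandHogg 1.0 vulnerability. This makes the application an easy target for phishing attacks. The vulnerability can be fixed by setting the launch mode attribute to "singleInstance" or by setting an empty taskAffinity (taskAffinity="") attribute. You can also update the app's target SDK version (26) to 28 or higher to fix this issue at the platform level.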

High: Insecure SSL implementation. Trusting all certificates or accepting self-signed certificates is a critical security vulnerability. This application is vulnerable to MITM attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis

Files:
com/lidroid/xutils/http/client/DefaultSSLSocketFactory.java, line(s) 49,13,14,15
com/lidroid/xutils/util/OtherUtils.java, line(s) 233,233,14,15,16,17,18

High: The application uses ECB mode in a cryptographic algorithm. ECB mode is known to be weak because it produces the same ciphertext for identical plaintext blocks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode

Files:
com/iflytek/collector/a/a/a.java, line(s) 24
com/iflytek/voiceads/utils/d.java, line(s) 52

High: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification

Files:
com/iflytek/voiceads/bridge/l.java, line(s) 58,56
com/iflytek/voiceads/f/b.java, line(s) 61,59

High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/cyjh/elfin/fragment/MsgDetailFragment.java, line(s) 27,7
com/iflytek/voiceads/view/AdView.java, line(s) 109,16

High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/cyjh/share/Encrypt/DesUtil.java, line(s) 23,32
com/goldcoast/sdk/c/a.java, line(s) 14,39

High: Weak encryption algorithm used

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/cyjh/share/Encrypt/DesUtil.java, line(s) 23,32
com/cyjh/share/util/DesUtil.java, line(s) 24,31,38,51,64

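Medium: Application data can be backed up

[android:allowBackup=true]
This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.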

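Medium: Service (com.kaopu.download.kernel.DownloadService) is not protected.

[android:exported=true]
The Service is shared with other applications on the device and can therefore be accessed by any other application on the device.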

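Medium: Broadcast Receiver (com.cyjh.elfin.receiver.InstallAndRemoveAppSuccessReceive) is not protected.

An intent-filter exists.
The Broadcast Receiver is shared with other applications on the device and can therefore be accessed by any other application on the device. The presence of an intent-filter indicates that this Broadcast Receiver is explicitly exported.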

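Medium: Broadcast Receiver (com.cyjh.elfin.receiver.StartBootReceiver) is not protected.

An intent-filter exists.
The Broadcast Receiver is shared with other applications on the device and can therefore be accessed by any other application on the device. The presence of an intent-filter indicates that this Broadcast Receiver is explicitly exported.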

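Medium: Broadcast Receiver (com.cyjh.elfin.receiver.TaskReceiver) is not protected.

An intent-filter exists.
The Broadcast Receiver is shared with other applications on the device and can therefore be accessed by any other application on the device. The presence of an intent-filter indicates that this Broadcast Receiver is explicitly exported.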

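Medium: Service (com.ime.input.InputKb) is protected by a permission, but the protection level of the permission should be checked.

Permission: android.permission.BIND_INPUT_METHOD [android:exported=true]
The Service is shared with other applications on the device and can therefore be accessed by any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.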

Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/cyjh/elfin/activity/StudioBindClearActivity.java, line(s) 22
com/cyjh/elfin/constant/MyBuildConfig.java, line(s) 21
com/cyjh/elfin/listener/IFLYADListener.java, line(s) 9,12,8
com/cyjh/elfin/net/xutils/HttpTools.java, line(s) 29,30,44
com/cyjh/mq/sdk/entity/Script4Run.java, line(s) 249,249
com/cyjh/share/bean/NotifyMsgBean.java, line(s) 51
com/cyjh/share/bean/request/EditProjectNumberRequestInfo.java, line(s) 88
com/cyjh/share/bean/response/VersionUpdateInfo.java, line(s) 61
com/cyjh/share/oss/Config.java, line(s) 14
com/cyjh/share/util/MyRas.java, line(s) 31,30
com/cyjh/share/util/RSAUtils.java, line(s) 14,15
com/kaopu/download/BaseDownloadWorker.java, line(s) 12
org/litepal/util/cipher/CipherUtil.java, line(s) 12

Medium: The application can read/write external storage. Any application can read data written to external storage

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/cyjh/elfin/AppContext.java, line(s) 640
com/cyjh/elfin/activity/ElfinFreeActivity.java, line(s) 674
com/cyjh/elfin/constant/Constants.java, line(s) 85,97
com/cyjh/elfin/dialog/UpdateDialog.java, line(s) 176
com/cyjh/elfin/download/ApkDownloadHelper.java, line(s) 63
com/cyjh/elfin/fragment/ScriptUipSetFragment.java, line(s) 610
com/cyjh/elfin/log/AppCrashHandler.java, line(s) 77,78
com/cyjh/elfin/log/engine/MetaData.java, line(s) 23
com/cyjh/elfin/services/DownloadService.java, line(s) 26,70
com/cyjh/elfin/util/CommonUtils.java, line(s) 91,130
com/cyjh/elfin/util/ScriptUtil.java, line(s) 99
com/cyjh/event/Injector.java, line(s) 207
com/cyjh/feedback/lib/fragment/ImageSelectFragment.java, line(s) 93
com/cyjh/mobileanjian/ipc/log/MetaData.java, line(s) 22
com/cyjh/mobileanjian/ipc/script/ScriptRunnerLite.java, line(s) 194,198
com/cyjh/mobileanjian/ipc/uip/UipHelper.java, line(s) 42
com/cyjh/mobileanjian/ipc/utils/FileLogger.java, line(s) 16
com/cyjh/mq/ipc/MqmHandler.java, line(s) 309
com/cyjh/share/util/AppUtils.java, line(s) 135,159
com/cyjh/share/util/CommonUtil.java, line(s) 36,96,122,148,182,253
com/cyjh/share/util/CommonUtils.java, line(s) 262,301
com/cyjh/share/util/FileUtil.java, line(s) 75,179
com/cyjh/share/util/PathUtils.java, line(s) 35
com/hlzn/socketclient/utils/SocketServiceErrorUtil.java, line(s) 21,42
com/iflytek/voiceads/download/c.java, line(s) 9
com/iflytek/voiceads/param/e.java, line(s) 362,391
com/iflytek/voiceads/utils/f.java, line(s) 73
com/iflytek/voiceads/utils/n.java, line(s) 8
com/lidroid/xutils/util/OtherUtils.java, line(s) 82
org/litepal/Operator.java, line(s) 230
org/litepal/tablemanager/Connector.java, line(s) 23,25

Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/cyjh/elfin/database/MsgDatabaseHelper.java, line(s) 4,5,18
com/iflytek/voiceads/download/c/b.java, line(s) 5,59
com/iflytek/voiceads/download/c/c.java, line(s) 4,5,16
com/lidroid/xutils/DbUtils.java, line(s) 5,443
org/litepal/Operator.java, line(s) 6,327
org/litepal/tablemanager/AssociationCreator.java, line(s) 5,215
org/litepal/tablemanager/Generator.java, line(s) 4,76
org/litepal/util/DBUtility.java, line(s) 4,112

Medium: The application uses an insecure random number generator

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/cyjh/elfin/activity/ElfinFreeActivity.java, line(s) 99
com/cyjh/elfin/entity/ParamsWrap.java, line(s) 21
com/cyjh/elfin/mvp/managers/IFLYAdSwitchManager.java, line(s) 12
com/cyjh/elfin/mvp/presenters/IFLYAdSwitchPresenter.java, line(s) 14
com/cyjh/share/bean/request/BaseRequestInfo.java, line(s) 13
com/cyjh/share/manager/VariableAndConstantsManager.java, line(s) 17
com/lidroid/xutils/http/client/multipart/MultipartEntity.java, line(s) 11

Medium: MD5 is a weak hash known to have hash collisions

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/cyjh/elfin/log/engine/MetaData.java, line(s) 122
com/cyjh/mobileanjian/ipc/log/MetaData.java, line(s) 98
com/cyjh/share/util/MD5Util.java, line(s) 14,39
com/goldcoast/sdk/domain/EntryPoint.java, line(s) 894
com/iflytek/voiceads/utils/d.java, line(s) 20
com/lidroid/xutils/cache/MD5FileNameGenerator.java, line(s) 22
com/sun/mail/pop3/Protocol.java, line(s) 79
com/sun/mail/smtp/DigestMD5.java, line(s) 85
org/litepal/util/cipher/CipherUtil.java, line(s) 40

Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/iflytek/voiceads/bridge/DSBridgeWebView.java, line(s) 211,203

Medium: IP address disclosure

Files:
com/cyjh/elfin/mvp/managers/FengLingAdManager.java, line(s) 38
com/cyjh/elfin/mvp/presenters/ScreenFullAdPresenter.java, line(s) 48
com/cyjh/elfin/util/CommonUtils.java, line(s) 40,48
com/cyjh/elfin/util/EmulatorCheckUtil.java, line(s) 244
com/cyjh/share/util/CommonUtils.java, line(s) 60,68

Medium: The application creates temporary files. Sensitive information should never be written to a temporary file

Files:
com/iflytek/voiceads/utils/m.java, line(s) 20

Medium: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView can leak sensitive information from the file system

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6

Files:
com/cyjh/elfin/activity/news/FengLingAdWebViewActivity.java, line(s) 81,77
com/iflytek/voiceads/view/AdView.java, line(s) 209,202

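Medium: The application contains privacy trackers

This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.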

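Medium: This app may contain hardcoded secrets

The following secrets were identified in the application. Ensure these are not secrets or private information.
Tencent Bugly SDK => "BUGLY_APPID" : "b8928aa4f5"
Credential => "IFLYTEK_APPKEY_AD" : "589ac20e"
Tencent Bugly SDK => "BUGLY_APP_CHANNEL" : "elffreestudio"
Umeng analytics => "UMENG_APPKEY" : "579ad79de0f55a8b3c001633"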

Info: The application logs information. Sensitive information must not be logged

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
com/cyjh/elfin/AppContext.java, line(s) 188,505,530,594,774,788,127,132,526,560,561,562,563,564,565,567,623
com/cyjh/elfin/activity/EditProjectNumberActivity.java, line(s) 158,187
com/cyjh/elfin/activity/ElfinFreeActivity.java, line(s) 353,354,355,566,156,164,262,283,289,299,328,364,373,585,622,628,789,797,802,810,821,828,836,857
com/cyjh/elfin/activity/ScriptLogActivity.java, line(s) 84,89,104,105,106
com/cyjh/elfin/activity/ScriptLogDetailActivity.java, line(s) 47,63
com/cyjh/elfin/activity/SettingActivity.java, line(s) 126,200,224,110,301,302,303
com/cyjh/elfin/activity/StudioBindActivity.java, line(s) 138,151
com/cyjh/elfin/activity/news/FullScreenTwoAdActivity.java, line(s) 66,204,211,222
com/cyjh/elfin/activity/news/SplashActivity.java, line(s) 372,156,164,368,495,502,516,532,543,557,575,691,697,713,812
com/cyjh/elfin/activity/news/SplashAppActivity.java, line(s) 100,107,141,145,151,160,164
com/cyjh/elfin/adpter/ScriptLogListViewAdapter.java, line(s) 96
com/cyjh/elfin/dialog/ScriptUIDialog.java, line(s) 76,89,97,103,123,133,140,169,180,188,219,229,238,246,258,267,275,299,321,413,419,457,476,480,492,497,502
com/cyjh/elfin/dialog/SettingDialog.java, line(s) 158,277,278,279
com/cyjh/elfin/dialog/UpdateDialog.java, line(s) 91,97,106,133,184,192,242
com/cyjh/elfin/download/AdApkDownloadPresenter.java, line(s) 131
com/cyjh/elfin/download/ApkDownloadHelper.java, line(s) 69,57,60,76,81,82
com/cyjh/elfin/download/GameDownloadCallBackImpl.java, line(s) 51
com/cyjh/elfin/entity/ParamsWrap.java, line(s) 114
com/cyjh/elfin/floatview/BottomScreenDisplayXunFeiFloat.java, line(s) 80,95,148,159,161
com/cyjh/elfin/floatview/DeleteFloatView.java, line(s) 52,53,66
com/cyjh/elfin/floatview/ElfinFloatView.java, line(s) 614,598,602,604,609
com/cyjh/elfin/floatview/XunFeiFloatManager.java, line(s) 39,43,50,54
com/cyjh/elfin/fragment/AbGamesDetailFragment.java, line(s) 296
com/cyjh/elfin/fragment/AbnormalGameListFragment.java, line(s) 233
com/cyjh/elfin/fragment/AdFragment.java, line(s) 72,75,83,123,372
com/cyjh/elfin/fragment/DescriptionFragment.java, line(s) 31
com/cyjh/elfin/fragment/OptionFragment.java, line(s) 144,163,170,238,262,277,285,294,298,316,333,336,340,344,361,376,383,386,414,425,433,464,467,474,484,492,506,515,523,546,561,571,690,698,707,753,754,759,762,767,770,771,776,878,885,908,913,919,924
com/cyjh/elfin/fragment/RecommendGamesFragment.java, line(s) 58,112
com/cyjh/elfin/fragment/ScriptUipSetFragment.java, line(s) 886,893,458,511,514,529,596,612,616,633,636,645,682,688,692,697,707,732,778,784,791,807,811,823,828,833,1045,1059,1060,1064,1069,1079,1083,1090
com/cyjh/elfin/fragment/SplashFragment.java, line(s) 185,194,198,209,219,246,251,279,281,290,294,295,297,308,310,316,355,362,366,374,383,389,395,400,405,409,416,421,422,429,434,455,477,484,625,627,813,815,1015,1035,1057,1073,1093,1122,1177,1182,1212,1216,1285,1311
com/cyjh/elfin/log/CommonLog.java, line(s) 11,15,40,44,48
com/cyjh/elfin/log/engine/MetaData.java, line(s) 103
com/cyjh/elfin/model/LogData.java, line(s) 100,107,112
com/cyjh/elfin/mvp/managers/BackgroundSettingsAdStatistics.java, line(s) 20,28
com/cyjh/elfin/mvp/managers/FengLingAdManager.java, line(s) 72,76,247,251,137,266
com/cyjh/elfin/mvp/managers/IFLYAdSwitchManager.java, line(s) 25,27,30,33,42,49,67,74
com/cyjh/elfin/mvp/presenters/AbGameDetailsPresenter.java, line(s) 77
com/cyjh/elfin/mvp/presenters/ScreenFullAdPresenter.java, line(s) 28
com/cyjh/elfin/mvp/presenters/ScreenFullAdRedownloadPresenter.java, line(s) 19
com/cyjh/elfin/mvp/presenters/UpdateVersionPresenter.java, line(s) 35,36,37,38,51
com/cyjh/elfin/mvp/presenters/opera/FindToolBoxOpera.java, line(s) 20,30
com/cyjh/elfin/net/xutils/HttpTools.java, line(s) 122,126,130,134,142,144,148,150,153,155,159,161,164,166,168,193,200,204,208,210,214,216,220,222,226,228,232,234,237,239
com/cyjh/elfin/oldfragment/AdFragment.java, line(s) 80,86,89,196,229,248,331,336,446
com/cyjh/elfin/receiver/NetStateReceiver.java, line(s) 101,105
com/cyjh/elfin/rom/FloatWindowManager.java, line(s) 45,31,51,74,108,125,142,155
com/cyjh/elfin/rom/HuaweiUtils.java, line(s) 35,41,44,61,64
com/cyjh/elfin/rom/MeizuUtils.java, line(s) 22,25,43,46
com/cyjh/elfin/rom/MiuiUtils.java, line(s) 33,49,52,65,66,79,91,103,123
com/cyjh/elfin/rom/OppoUtils.java, line(s) 40,43
com/cyjh/elfin/rom/QikuUtils.java, line(s) 26,43,46
com/cyjh/elfin/rom/RomUtils.java, line(s) 57,76,82,87,99
com/cyjh/elfin/services/DownloadApkService.java, line(s) 38,55,63,64,94
com/cyjh/elfin/services/PhoneStateService.java, line(s) 30,31,35,38,40
com/cyjh/elfin/services/SavePicService.java, line(s) 36
com/cyjh/elfin/util/AppDeviceUtils.java, line(s) 57,62,148,152,158,160,164,167,269,472,481,487
com/cyjh/elfin/util/LogUtils.java, line(s) 13,20,27,34,41,48,59,66,73,80
com/cyjh/elfin/util/ScriptDownloadHelper.java, line(s) 32,38,44,79,81,122
com/cyjh/elfin/util/ScriptUtil.java, line(s) 50,113,147
com/cyjh/event/Injector.java, line(s) 141,149,154,167,173,185,190,213,216,219,222,242,247,251,256,263,267,272,279,287,292,300,305,317,353,358,366,375,383,402,412,431,445,465,470,486,503,542,577,585,611,616,624,713,836,841,855,865,875,397
com/cyjh/feedback/lib/activity/ImageSelectActivity.java, line(s) 48
com/cyjh/feedback/lib/dialog/FeedBackDialog.java, line(s) 163,172,150,164
com/cyjh/mobileanjian/ipc/AppAgent.java, line(s) 118,132,162,168,174
com/cyjh/mobileanjian/ipc/RootManager.java, line(s) 94,173,175
com/cyjh/mobileanjian/ipc/RootShell.java, line(s) 62,37,191,143
com/cyjh/mobileanjian/ipc/log/MetaData.java, line(s) 93
com/cyjh/mobileanjian/ipc/rpc/AndroidHelper.java, line(s) 108
com/cyjh/mobileanjian/ipc/rpc/Invocator.java, line(s) 15,20,21,31,50,59,71,76,77,81,91,97,109,119,124
com/cyjh/mobileanjian/ipc/rpc/Telephony.java, line(s) 14
com/cyjh/mobileanjian/ipc/script/ScriptRunnerLite.java, line(s) 118,147,193,206,208,246,248
com/cyjh/mobileanjian/ipc/stuff/AnalyseResultWrapper.java, line(s) 19
com/cyjh/mobileanjian/ipc/ui/UiManager.java, line(s) 1082,91,129,130,183,284,368,444,445,446,447,703,747,839,1111
com/cyjh/mobileanjian/ipc/ui/UiManagerLite.java, line(s) 1083,130,131,184,283,369,445,446,447,448,704,748,840,1112
com/cyjh/mobileanjian/ipc/ui/UiShowLayout.java, line(s) 163,164,205
com/cyjh/mobileanjian/ipc/uip/DefaultUipJsonParser.java, line(s) 65,81,84,114,162,171,225,264,303
com/cyjh/mobileanjian/ipc/uip/UipEventStub.java, line(s) 33,48,16
com/cyjh/mobileanjian/ipc/uip/UipHelper.java, line(s) 58,178,303,203,256,328,554,501,506,512
com/cyjh/mobileanjian/ipc/uip/UisScriptRunner.java, line(s) 42,45
com/cyjh/mobileanjian/ipc/utils/ContactsUtils.java, line(s) 39
com/cyjh/mobileanjian/ipc/utils/DbLog.java, line(s) 39,54
com/cyjh/mobileanjian/ipc/utils/RpcError.java, line(s) 21
com/cyjh/mobileanjian/ipc/utils/UipConfigUtil.java, line(s) 89,100
com/cyjh/mobileanjian/ipc/view/ExToast.java, line(s) 62,65
com/cyjh/mobileanjian/rpc/Rpc.java, line(s) 17,18,63,67,97,19,79,80
com/cyjh/mobileanjian/screencap/ForScreenShotActivity.java, line(s) 44
com/cyjh/mq/ipc/IpcConnection.java, line(s) 238,245
com/cyjh/mq/ipc/IpcServer.java, line(s) 61,79,81,90
com/cyjh/mq/ipc/MqmHandler.java, line(s) 489,490,517,263,408
com/cyjh/mq/service/IpcService.java, line(s) 149,186,179
com/cyjh/share/bean/request/BaseRequestInfo.java, line(s) 63
com/cyjh/share/mvp/presenter/AppDomainRequestPresenter.java, line(s) 42,62,65,73,76,88,99,123
com/cyjh/share/mvp/presenter/AppStartupPresenter.java, line(s) 32,44
com/cyjh/share/mvp/presenter/AppStatisticsPresenter.java, line(s) 72,74,76,79,88,91,94,104,132,149
com/cyjh/share/mvp/presenter/AppVersionUpdatePresenter.java, line(s) 53,89,110,61,67,102,106
com/cyjh/share/mvp/presenter/EditDeviceNameRequestPresenter.java, line(s) 41,63,74,90,103,107
com/cyjh/share/mvp/presenter/EditProjectNumberRequestPresenter.java, line(s) 43,60,64,84,95,114,126,130
com/cyjh/share/mvp/presenter/FeedbackCommitDataPresenter.java, line(s) 23,33,42
com/cyjh/share/mvp/presenter/GetTokenAliCloudPresenter.java, line(s) 27,37,50,47
com/cyjh/share/mvp/presenter/IMPresenter.java, line(s) 57,67,94,51,53,77,88
com/cyjh/share/mvp/presenter/NoticeDetailsPresenter.java, line(s) 32,44,64
com/cyjh/share/mvp/presenter/NoticeListPresenter.java, line(s) 32,36,39,51,59,84
com/cyjh/share/mvp/presenter/TemplateVerifyPresenter.java, line(s) 32,72
com/cyjh/share/mvp/presenter/UploadDeviceScreenshotRequestPresenter.java, line(s) 42,64,75,91,104,108
com/cyjh/share/mvp/presenter/UploadInstanceDataRequestPresenter.java, line(s) 42,64,75,91,104,108
com/cyjh/share/mvp/presenter/UploadScriptSettingRequestPresenter.java, line(s) 41,63,74,90,104,108
com/cyjh/share/net/volley/VollerHttpManager.java, line(s) 31,48,69,85
com/cyjh/share/oss/MyOSSUtils.java, line(s) 121,126,127,128,129,117,149
com/cyjh/share/rom/Rom.java, line(s) 135
com/cyjh/share/util/AppUtils.java, line(s) 494,507
com/cyjh/share/util/CommonUtil.java, line(s) 52
com/cyjh/share/util/DownloadUtil.java, line(s) 47,84,102,116,125,160
com/cyjh/share/util/EmulatorUtils.java, line(s) 22,43,67
com/cyjh/share/util/FileUtil.java, line(s) 25,31,39,48,125,129,132,139,143,146
com/cyjh/share/util/MyRas.java, line(s) 82,83
com/cyjh/share/util/ScreenCaptureUtil.java, line(s) 147,54,143,31,33
com/cyjh/share/util/ShellUtils.java, line(s) 152
com/cyjh/share/util/SlLog.java, line(s) 12,19,26,33,40
com/cyjh/share/util/UploadUtils.java, line(s) 181,187,191,203,215,226
com/cyjh/share/util/ZipUtil.java, line(s) 16,34,48,51
com/cyjh/share/view/SlCustomInputLayout.java, line(s) 58,67,79
com/goldcoast/sdk/c/g.java, line(s) 31
com/goldcoast/sdk/domain/EntryPoint.java, line(s) 496,806,813
com/hlzn/socketclient/MsgTimeoutTimer.java, line(s) 29
com/hlzn/socketclient/MsgTimeoutTimerManager.java, line(s) 26,33
com/hlzn/socketclient/client/SocketClient.java, line(s) 35,52,69,86,103,120,137,173,190,207,225
com/hlzn/socketclient/service/SocketService.java, line(s) 292,295,298,92,108,125,142,158,174,190,230,232,279,318,348,360,375,516,523,532,536,538,543,545,550,555,557,564,569,572,575,580,583,586,591,594,597,602,605,608,613,616,619,624,627,630,635,638,645,666
com/hlzn/socketclient/utils/ServiceIntentUtil.java, line(s) 47
com/hlzn/socketclient/utils/SlLog.java, line(s) 12,19,26,33,40
com/hlzn/socketclient/utils/SocketServiceErrorUtil.java, line(s) 30,34,37
com/iflytek/voiceads/config/SDKLogger.java, line(s) 10,16,22,28
com/iflytek/voiceads/utils/g.java, line(s) 10,20
com/kaopu/download/kernel/DownloadWorkerSupervisor.java, line(s) 18
com/kaopu/download/util/Log.java, line(s) 5,9,13,17,21,25,29,33,37,41,45,49,53,57
com/lidroid/xutils/util/LogUtils.java, line(s) 55,66,77,88,108,119,130,141,152,163,174,185,196,207
com/orhanobut/logger/LoggerPrinter.java, line(s) 133,127,121,116,124,130
com/sun/activation/registries/LogSupport.java, line(s) 28,35
com/sun/mail/dsn/DeliveryStatus.java, line(s) 35,42,47,52
com/sun/mail/imap/protocol/BODYSTRUCTURE.java, line(s) 44,48,56,69,73,79,84,92,96,103,110,117,128,135,145,149,154,162,166,170,174,178,186,197,211,219,228,232,242,248,256,263,271,298,307,314
org/greenrobot/eventbus/BackgroundPoster.java, line(s) 40
org/greenrobot/eventbus/EventBus.java, line(s) 170,122,131,133,435
org/greenrobot/eventbus/util/AsyncExecutor.java, line(s) 98
org/greenrobot/eventbus/util/ErrorDialogConfig.java, line(s) 42
org/greenrobot/eventbus/util/ErrorDialogManager.java, line(s) 165
org/greenrobot/eventbus/util/ExceptionToResourceMapping.java, line(s) 31
org/litepal/crud/SaveHandler.java, line(s) 180
org/litepal/tablemanager/AssociationCreator.java, line(s) 113,161,199,211
org/litepal/tablemanager/AssociationUpdater.java, line(s) 32,70,85,87,89,91,177,243
org/litepal/tablemanager/Upgrader.java, line(s) 20,30,36,57,88,130,133,135,161,194
org/litepal/util/LitePalLog.java, line(s) 12,18
org/litepal/util/cipher/AESCrypt.java, line(s) 97,103,49,72

Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
com/cyjh/mobileanjian/ipc/rpc/AndroidHelper.java, line(s) 8,228

Secure: This application may have root detection capabilities

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/cyjh/share/util/CommonUtils.java, line(s) 189,189,192,192
com/cyjh/share/util/EmulatorUtils.java, line(s) 34
com/iflytek/voiceads/param/e.java, line(s) 49,49,49,49,49,49

Secure: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
com/b/a/ai.java, line(s) 112,101,110,110
com/github/kevinsawicki/http/HttpRequest.java, line(s) 614,1582
com/iflytek/voiceads/request/a.java, line(s) 187,180

Hotspot: Application may communicate with a server (hydra.alibaba.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: Application may communicate with a server (api.voiceads.cn) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}

Hotspot: Application may communicate with a server (m.anjian.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '福建', 'city': '福州', 'latitude': '26.061390', 'longitude': '119.306107'}

Hotspot: Application may communicate with a server (logconf.iflytek.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '安徽', 'city': '合肥', 'latitude': '31.863815', 'longitude': '117.280830'}

Hotspot: Application may communicate with a server (log.iflytek.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '安徽', 'city': '合肥', 'latitude': '31.863815', 'longitude': '117.280830'}

Hotspot: Application may communicate with a server (app.51moba.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

Hotspot: Application may communicate with a server (mt.voiceads.cn) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}

Hotspot: Application may communicate with a server (bbs.anjian.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '福建', 'city': '福州', 'latitude': '26.061390', 'longitude': '119.306107'}

Hotspot: Application may communicate with a server (app.mobileanjian.com) located in an OFAC-sanctioned country (China).

{'ip': '117.27.139.140', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

Hotspot: Application may communicate with a server (down.nishuoa.com) located in an OFAC-sanctioned country (China).

{'ip': '115.150.38.211', 'country_short': 'CN', 'country_long': '中国', 'region': '江西', 'city': '赣州', 'latitude': '25.850000', 'longitude': '114.933327'}

Hotspot: Application may communicate with a server (cmnsguider.yunos.com) located in an OFAC-sanctioned country (China).

{'ip': '203.119.169.44', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}

Hotspot: Application may communicate with a server (ulogs.umengcloud.com) located in an OFAC-sanctioned country (China).

{'ip': '223.109.148.176', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南京', 'latitude': '32.061668', 'longitude': '118.777992'}

Hotspot: Application may communicate with a server (pv.sohu.com) located in an OFAC-sanctioned country (China).

{'ip': '47.101.35.178', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '台州', 'latitude': '32.492168', 'longitude': '119.910767'}

Hotspot: Application may communicate with a server (api-cn.felink.com) located in an OFAC-sanctioned country (China).

{'ip': '47.101.35.178', 'country_short': 'CN', 'country_long': '中国', 'region': '福建', 'city': '厦门', 'latitude': '24.479790', 'longitude': '118.081871'}

Hotspot: Application may communicate with a server (imp.voiceads.cn) located in an OFAC-sanctioned country (China).

{'ip': '47.101.35.178', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}

Hotspot: Application may communicate with a server (auth2.mobileanjian.com) located in an OFAC-sanctioned country (China).

{'ip': '47.101.35.178', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
