安全分析报告:
安全分数
安全分数 52/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
1
用户/设备跟踪器
调研结果
高危
2
中危
10
信息
2
安全
2
关注
0
高危 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: io/flutter/plugins/webviewflutter/j3.java, line(s) 346,10,11
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: p3/f.java, line(s) 48 q1/a.java, line(s) 80
中危 应用程序存在Janus漏洞
应用程序使用了v1签名方案进行签名,如果只使用v1签名方案,那么它就容易受到安卓5.0-8.0上的Janus漏洞的攻击。在安卓5.0-7.0上运行的使用了v1签名方案的应用程序,以及同时使用了v2/v3签名方案的应用程序也同样存在漏洞。
中危 应用程序可以安装在有漏洞的已更新 Android 版本上
Android 4.4-4.4.4, [minSdk=19] 该应用程序可以安装在具有多个未修复漏洞的旧版本 Android 上。这些设备不会从 Google 接收合理的安全更新。支持 Android 版本 => 10、API 29 以接收合理的安全更新。
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Service (io.agora.rtc.ss.impl.LocalScreenSharingService) 未被保护。
存在一个intent-filter。 发现 Service与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Service是显式导出的。
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: b0/b.java, line(s) 109 com/journeyapps/barcodescanner/e.java, line(s) 169 io/flutter/plugins/imagepicker/c.java, line(s) 49 io/flutter/plugins/imagepicker/e.java, line(s) 242 y/a.java, line(s) 3232
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: i0/a.java, line(s) 57 io/agora/rtc/internal/CommonUtility.java, line(s) 399,399 w4/a.java, line(s) 267,276
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: d4/a.java, line(s) 54 p3/d.java, line(s) 12
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: io/agora/rtc/audio/MediaCodecAudioDecoder.java, line(s) 25 k0/q1.java, line(s) 7 l1/p0.java, line(s) 4 o1/b.java, line(s) 13
中危 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "library_zxingandroidembedded_author" : "JourneyApps" "library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/" 9a04f079-9840-4286-ab92-e65be0885f95 e2719d58-a985-b3c9-781a-b030af78d30e VGhpcyBpcyB0aGUgcHJlZml4IGZvciBCaWdJbnRlZ2Vy 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: b0/a.java, line(s) 225,334,390,189,196,198,204,316,327,338,374,102,133,192,200,207,220,238,250,296 b0/b.java, line(s) 50,61,63,90,92,110,129,165,207,229,284,292,295,299,86,94,103,217,233,248,255,290 c/e.java, line(s) 1481,905,908,1963,2195,1540 c/g.java, line(s) 150 c/h.java, line(s) 40,50,65,75,92,104,116,125,138,152,164 c/j.java, line(s) 54,100 com/journeyapps/barcodescanner/a.java, line(s) 585,626,97,253,323,345 com/journeyapps/barcodescanner/e.java, line(s) 94,191,176 d/a.java, line(s) 97 e4/b.java, line(s) 11,15,28,32,36 g/g.java, line(s) 118,151,228 g0/a.java, line(s) 16 g0/n.java, line(s) 42,64,67,246,254,260,265 g0/o.java, line(s) 223,227,232 g0/p.java, line(s) 59 g2/r.java, line(s) 36,31,26,21 h/c.java, line(s) 269 h0/b.java, line(s) 95 h0/g.java, line(s) 122,126 i0/a.java, line(s) 180,198 io/agora/agora_rtc_engine/AgoraRtcChannelPlugin.java, line(s) 79 io/agora/rtc/gdp/EglCore.java, line(s) 68,142,151,97,89,124 io/agora/rtc/gdp/EglSurfaceBase.java, line(s) 86,107 io/agora/rtc/gdp/GDPAndroid.java, line(s) 116,186,195,206,319 io/agora/rtc/gdp/GlUtil.java, line(s) 29,72,82,83,98,102,110,111,112 io/agora/rtc/gl/EglBase14.java, line(s) 134 io/agora/rtc/gl/EglRenderer.java, line(s) 135 io/agora/rtc/gl/GlShader.java, line(s) 76,30,47 io/agora/rtc/mediaio/AgoraBufferedCamera2.java, line(s) 95,100,245,291,355,361 io/agora/rtc/mediaio/AgoraSurfaceView.java, line(s) 130 io/agora/rtc/mediaio/AgoraTextureCamera.java, line(s) 67,96,92,113,82 io/agora/rtc/mediaio/AgoraTextureView.java, line(s) 127 io/agora/rtc/mediaio/BaseVideoRenderer.java, line(s) 206,286 io/agora/rtc/mediaio/SurfaceTextureHelper.java, line(s) 54,101,250,302,85,138,155,172,236 io/agora/rtc/mediaio/VideoFrameConsumerImpl.java, line(s) 20,29,37,57 io/agora/rtc/ss/ScreenSharingClient.java, line(s) 38,43,112,139,150,203,212,297,119,126,144,166,234,263,158,162,183,219 io/agora/rtc/ss/gles/EglCore.java, line(s) 71,146,155,101,93,128 io/agora/rtc/ss/gles/EglSurfaceBase.java, line(s) 88,109 io/agora/rtc/ss/gles/GLRender.java, line(s) 70,78,85,203,341,346 io/agora/rtc/ss/gles/GlUtil.java, line(s) 14 io/agora/rtc/ss/gltool/EglBase14.java, line(s) 134,191,207 io/agora/rtc/ss/gltool/GlShader.java, line(s) 74,29,45 io/agora/rtc/ss/gltool/GlUtil.java, line(s) 45,51,109,119,120,168,172,180,181,182 io/agora/rtc/ss/gltool/TextureBufferHelper.java, line(s) 67,85,53 io/agora/rtc/ss/gltool/VideoFrameProducer.java, line(s) 32 io/agora/rtc/ss/impl/AudioCapture.java, line(s) 76 io/agora/rtc/ss/impl/LocalScreenSharingService.java, line(s) 70,90,99,63,113,119 io/agora/rtc/ss/impl/ScreenCapture.java, line(s) 105,115,134,240,192,196,246 io/agora/rtc/ss/impl/ScreenSharing.java, line(s) 175,273,355,373,404,409,495,560,506,509,289,397,486,545 io/agora/rtc/ss/impl/ScreenSharingService.java, line(s) 43,106,116,120,77,99 io/agora/rtc/utils/YuvUtils.java, line(s) 188,204,222,238 io/agora/rtc/video/TextureRenderer.java, line(s) 83 io/agora/rtc/video/ViEAndroidGLES20.java, line(s) 171,338 io/agora/rtc/video/ViETextureView.java, line(s) 332 io/agora/rtc/video/ViETextureViewWrapper.java, line(s) 308 io/agora/rtc/video/VideoCaptureCamera.java, line(s) 169 io/flutter/plugins/imagepicker/b.java, line(s) 21 io/flutter/plugins/imagepicker/g.java, line(s) 35 io/flutter/plugins/webviewflutter/c.java, line(s) 74 io/flutter/plugins/webviewflutter/c2.java, line(s) 26,55,78,125,117 m/c.java, line(s) 56 m/d.java, line(s) 62 m/h.java, line(s) 288,301,312,127,136,229 n/c.java, line(s) 402,407 n/e.java, line(s) 75 n/f.java, line(s) 36,68 n/g.java, line(s) 48,106 n/j.java, line(s) 92,95 n/k.java, line(s) 96 n3/a.java, line(s) 16 o/a.java, line(s) 58,67,125,135 o/e.java, line(s) 34,66 p3/f.java, line(s) 34,56,73 r3/b.java, line(s) 44,48,56,64,94,115,118,125,138 s2/e.java, line(s) 32,69 s2/g.java, line(s) 37,30 t2/a.java, line(s) 11 u/c.java, line(s) 17 v/b.java, line(s) 149 w3/c.java, line(s) 6,17,13 w4/a.java, line(s) 291,295 x3/j.java, line(s) 80 y/a.java, line(s) 340,1136,1305,1327,1488,1491,1500,1505,1545,1566,1573,1589,1601,1625,1652,1668,1673,1680,1750,1760,1778,1806,1836,1921,1968,2197,2229,2333,2408,2549,2640,2653,2673,2680,2865,2917,2938,2951,2983,3009,3132,3172,3177,3183,3356,3411,3480,3598,3608,3636,3675,756,764,798,810,822,834,846,858,870,882,894,901,912,924,2244,95,907,1380,2286,2300,2828,3145,3147,3149,3370,3556 y3/a.java, line(s) 74,97,115 y3/c.java, line(s) 24,25,29,34,40,61,63,69,79,103,109,123,130,133,135,141,153,156,158,167,170,181,187 y3/g.java, line(s) 30,46,65,82,126,34,53,70,86 y3/h.java, line(s) 47,65,292,93,136,166,132,138,176,184 y3/l.java, line(s) 26 y3/n.java, line(s) 26 y3/q.java, line(s) 35,36 y4/a.java, line(s) 58,47 y4/b.java, line(s) 32,35 y4/c.java, line(s) 12,26,50
信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: io/flutter/plugin/editing/b.java, line(s) 4,73,82 io/flutter/plugin/platform/b.java, line(s) 7,237
安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: u3/c.java, line(s) 34,33,30
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: io/agora/rtc/video/VideoCapture.java, line(s) 208