安全分析报告: XPJ v3.0.6

安全分数


安全分数 34/100

风险评级


等级

  1. A
  2. B
  3. C
  4. F

严重性分布 (%)


隐私风险

0

用户/设备跟踪器


调研结果

高危 8
中危 12
信息 1
安全 1
关注 0

高危 基本配置不安全地配置为允许到所有域的明文流量。 

Scope:
*

高危 使用弱加密算法 

使用弱加密算法
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/remobile/des/RCTDes.java, line(s) 48,56

高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 

应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/nimbusds/jose/crypto/AESCBC.java, line(s) 30
com/nimbusds/jose/jca/JCASupport.java, line(s) 154

高危 已启用远程WebView调试 

已启用远程WebView调试
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing

Files:
com/aweproject/WebViewManager.java, line(s) 78,10,11
wendu/dsbridge/game/GameActivity.java, line(s) 150,198,28,29

高危 不安全的Web视图实现。Web视图忽略SSL证书错误并接受任何SSL证书。此应用程序易受MITM攻击 

不安全的Web视图实现。Web视图忽略SSL证书错误并接受任何SSL证书。此应用程序易受MITM攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification

Files:
com/aweproject/WebViewManager.java, line(s) 91,90
wendu/dsbridge/game/GameActivity.java, line(s) 165,224,164,223
wendu/dsbridge/game/Html5WebView.java, line(s) 106,105

高危 WebView域控制不严格漏洞 

WebView域控制不严格漏洞


Files:
wendu/dsbridge/game/GameActivity.java, line(s) 180,139,159,174,226
wendu/dsbridge/game/Html5WebView.java, line(s) 174,119,120,123,169

高危 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 

如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 297,27,28
wendu/dsbridge/game/GameActivity.java, line(s) 428,28,29

高危 SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击 

SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis

Files:
com/aweproject/apkupdata/DownloadUtils.java, line(s) 54,14,15,16,17,18,19

中危 基本配置配置为信任系统证书。 

Scope:
*

中危 应用程序数据可以被备份 

[android:allowBackup=true]
这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。

中危 Activity设置了TaskAffinity属性 

(com.github.moduth.blockcanary.ui.DisplayActivity)
如果设置了 taskAffinity,其他应用程序可能会读取发送到属于另一个任务的 Activity 的 Intent。为了防止其他应用程序读取发送或接收的 Intent 中的敏感信息,请始终使用默认设置,将 affinity 保持为包名

中危 Activity (com.github.moduth.blockcanary.ui.DisplayActivity) 未被保护。 

存在一个intent-filter。
发现 Activity与设备上的其他应用程序共享,因此让它可以被设备上的任何其他应用程序访问。intent-filter的存在表明这个Activity是显式导出的。

中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/aweproject/BuildConfig.java, line(s) 6
com/aweproject/GameModule.java, line(s) 23,24
com/demohud/MyToast/ToastModule.java, line(s) 14,15
com/github/moduth/blockcanary/ui/DisplayActivity.java, line(s) 44
com/microsoft/codepush/react/CodePushConstants.java, line(s) 5,31,7,19,28,20,12,18,26,27,21,22,25,29,23
com/microsoft/codepush/react/CodePushTelemetryManager.java, line(s) 13,18,22,15,17,19,20,21
com/reactlibrary/RNReactNativePingModule.java, line(s) 28

中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/aweproject/apkupdata/ApkDownInstall.java, line(s) 77
com/github/moduth/blockcanary/BlockCanaryInternals.java, line(s) 75,77,78
com/imagepicker/utils/MediaUtils.java, line(s) 38,34,36,231
com/imagepicker/utils/RealPathUtil.java, line(s) 129,40
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 325,323
com/rnfs/RNFSManager.java, line(s) 1045,951,1035,1039

中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件 

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 325

中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 4,5,6,43

中危 IP地址泄露 

IP地址泄露


Files:
com/nimbusds/jose/jwk/Curve.java, line(s) 18,19,20
wendu/dsbridge/game/GameActivity.java, line(s) 203

中危 不安全的Web视图实现。可能存在WebView任意代码执行漏洞 

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
wendu/dsbridge/DWebView.java, line(s) 864,857

中危 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/nimbusds/jose/crypto/RSA_OAEP.java, line(s) 18,30

中危 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
"reactNativeCodePush_androidDeploymentKey" : "deployment-key-here"
3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784
36134250956749795798585127919587881956611106672985015071877198253568414405109
6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151
27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575
6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057148
115792089210356248762697446949407573529996955224135760342422259061068512044369
6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449
1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984
2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846
39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112316
Yc4DOutmhIWcB5gkUH4LEei8ZFjYGSAUTQq6i
8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871
115792089210356248762697446949407573530086143415290314195533631308867097853951
41058363725152142129326129780047268409114441015993725554835256314039467401291
115792089210356248762697446949407573530086143415290314195533631308867097853948
39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319
48439561293906451759052585252797914202762949526041747995844080717082404635286
26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087
39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643

信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
com/aweproject/GameModule.java, line(s) 52,92
com/aweproject/MainApplication.java, line(s) 75
com/aweproject/WebViewManager.java, line(s) 55,85
com/aweproject/apkupdata/ApkDownInstall.java, line(s) 84,93,101,110,141
com/aweproject/apkupdata/DownloadUtils.java, line(s) 57
com/brentvatne/react/ReactVideoView.java, line(s) 457,461
com/github/moduth/blockcanary/CpuSampler.java, line(s) 111,126,141
com/github/moduth/blockcanary/DisplayService.java, line(s) 39
com/github/moduth/blockcanary/LogWriter.java, line(s) 62,104
com/github/moduth/blockcanary/Uploader.java, line(s) 26
com/github/moduth/blockcanary/internal/BlockInfo.java, line(s) 78,93
com/github/moduth/blockcanary/internal/PerformanceUtils.java, line(s) 33,63,73,85
com/github/moduth/blockcanary/ui/BlockInfoEx.java, line(s) 93,98,110
com/github/moduth/blockcanary/ui/DisplayActivity.java, line(s) 388,352
com/horcrux/svg/Brush.java, line(s) 141,151
com/horcrux/svg/ClipPathView.java, line(s) 36
com/horcrux/svg/ImageView.java, line(s) 143
com/horcrux/svg/LinearGradientView.java, line(s) 79
com/horcrux/svg/MaskView.java, line(s) 83
com/horcrux/svg/PatternView.java, line(s) 90
com/horcrux/svg/RadialGradientView.java, line(s) 93
com/horcrux/svg/UseView.java, line(s) 59,90,105
com/horcrux/svg/VirtualView.java, line(s) 363,294,328,332
com/imagepicker/utils/MediaUtils.java, line(s) 181
com/microsoft/codepush/react/CodePushUtils.java, line(s) 204,208
com/reactnativecommunity/asyncstorage/AsyncStorageModule.java, line(s) 129,169,183,197,214,221,227,232,270,274,279,299,329,343,357,371,384,388,393,409,429,453
com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 90,93
com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 146,148
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 294
com/rnfs/Downloader.java, line(s) 164
com/swmansion/gesturehandler/react/RNGestureHandlerRootHelper.java, line(s) 44,56
wendu/dsbridge/DWebView.java, line(s) 81,1167
wendu/dsbridge/game/Html5WebView.java, line(s) 62,73,111,163

安全 此应用程序没有隐私跟踪程序 

此应用程序不包括任何用户或设备跟踪器。在静态分析期间没有找到任何跟踪器。

安全评分: ( XPJ 3.0.6)