Security Score: 37/100
Risk Rating
Grade
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 8 user/device trackers
Findings
- High: 4
- Medium: 12
- Info: 1
- Secure: 0
- Hotspot: 4
High: Application is vulnerable to the Janus vulnerability
The application is signed with the v1 signature scheme. If it is signed only with the v1 scheme, it is vulnerable to the Janus vulnerability on Android 5.0-8.0. Applications running on Android 5.0-7.0 that are signed with the v1 scheme, including those that are also signed with the v2/v3 schemes, are likewise vulnerable.
High: Lax WebView domain control vulnerability
Files:
- com/airpush/injector/internal/ads/types/vast/web/VastWebPlayerView.java, line(s) 110,99
- com/startapp/android/publish/ads/splash/d.java, line(s) 27,26,27
High: If an application uses WebView.loadDataWithBaseURL to load a web page into a WebView, the application may be vulnerable to cross-site scripting attacks
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files:
- bolts/WebViewAppLinkResolver.java, line(s) 124,6,7
- com/airpush/injector/internal/ads/types/banners/web/WebBannerView.java, line(s) 127,8,9
- com/startapp/android/publish/ads/splash/d.java, line(s) 41,5,6
- com/startapp/android/publish/ads/splash/i.java, line(s) 146,9
- com/startapp/android/publish/common/commonUtils/r.java, line(s) 350,23,24
High: Application contains privacy trackers
This application has multiple (8) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium: Application can be installed on a vulnerable, unpatched Android version
Android 4.1-4.1.2, [minSdk=16]. The application can be installed on older versions of Android that have multiple unfixed vulnerabilities. These devices do not receive reasonable security updates from Google. Support Android version >= 10, API 29, to receive reasonable security updates.
Medium: Application data can be backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Broadcast Receiver (com.startapp.android.publish.common.metaData.BootCompleteListener) is not protected.
An intent-filter exists. The Broadcast Receiver was found to be shared with other applications on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that this Broadcast Receiver is explicitly exported.
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
- bolts/MeasurementEvent.java, line(s) 18,19
- com/airpush/injector/internal/common/old/Config.java, line(s) 30,57
- com/bumptech/glide/load/Option.java, line(s) 75
- com/bumptech/glide/load/engine/DataCacheKey.java, line(s) 33
- com/bumptech/glide/load/engine/EngineResource.java, line(s) 84
- com/bumptech/glide/load/engine/ResourceCacheKey.java, line(s) 72
- com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 36,35
Medium: Application can read/write external storage. Any application can read data written to external storage
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
- com/SBStudio/PSP_PPSSPP_Emulator_Games/Activity/Konten.java, line(s) 244
- com/airpush/injector/internal/common/old/Util.java, line(s) 687
- com/airpush/injector/internal/common/utils/DeviceInfoUtils.java, line(s) 39
- com/gamedragontoha/pspwaruirengcom/Activity/Konten.java, line(s) 244
- com/nostra13/universalimageloader/utils/StorageUtils.java, line(s) 21,50,50,55,55,60
- com/startapp/android/publish/common/commonUtils/n.java, line(s) 43
Medium: MD5 is a weak hash known to have hash collisions
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/airpush/injector/internal/common/old/Util.java, line(s) 423,645
- com/airpush/injector/internal/common/utils/ByteUtils.java, line(s) 17
- com/nostra13/universalimageloader/cache/disc/naming/Md5FileNameGenerator.java, line(s) 18
- com/startapp/android/publish/ads/video/d.java, line(s) 37
Medium: SHA-1 is a weak hash known to have hash collisions
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/airpush/injector/internal/common/old/Util.java, line(s) 443
Medium: Insecure WebView implementation. Possible arbitrary code execution in the WebView
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files:
- bolts/WebViewAppLinkResolver.java, line(s) 114,89
- com/airpush/injector/internal/ads/types/appwall/AppWallWebView.java, line(s) 33,80
- com/airpush/injector/internal/ads/types/mraid/MraidWebView.java, line(s) 122,159
- com/airpush/injector/internal/ads/types/overlay/OverlayWebView.java, line(s) 61,48,171
- com/airpush/injector/internal/ads/types/vast/ContentBarView.java, line(s) 80,105
- com/airpush/injector/internal/ads/types/vast/EndCardView.java, line(s) 101,104
- com/airpush/injector/internal/ads/types/vast/web/VastWebPlayerView.java, line(s) 118,100
- com/startapp/android/publish/ads/a/c.java, line(s) 123,110
- com/startapp/android/publish/ads/banner/bannerstandard/BannerStandard.java, line(s) 266,198
- com/startapp/android/publish/ads/splash/d.java, line(s) 30,26
- com/startapp/android/publish/adsCommon/adinformation/b.java, line(s) 150,146
Medium: Application uses an insecure random number generator
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files:
- com/airpush/injector/internal/common/utils/StringUtils.java, line(s) 3
- com/startapp/android/publish/ads/banner/Banner.java, line(s) 26
- com/startapp/android/publish/ads/video/a/b.java, line(s) 8
- com/startapp/android/publish/cache/a.java, line(s) 17
- com/startapp/android/publish/cache/g.java, line(s) 17
Medium: IP address disclosure
Files:
- com/airpush/injector/internal/common/utils/NetworkUtils.java, line(s) 71
Medium: Application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files:
- com/airpush/injector/internal/statistics/StatisticsDbStorage.java, line(s) 6,203
Medium: This app may contain hardcoded secrets
The following secrets were identified in the application. Ensure that these are not secrets or private information:
- "com_facebook_device_auth_instructions" : "<b>facebook.com/device</b>にアクセスして、上のコードを入力してください。"
- "com_facebook_device_auth_instructions" : "前往<b>facebook.com/device</b>,並輸入上方顯示的代碼。"
- "com_facebook_device_auth_instructions" : "请访问<b>facebook.com/device</b>并输入以上验证码。"
- "com_facebook_device_auth_instructions" : "前往<b>facebook.com/device</b>,並輸入上方顯示的代碼。"
- 7fd34eb33a471feb972c26d13e35f31b428536c3
- 3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f
- Y29tLnBzcHdhcnVpcmVuZ2NvbS5nYW1lZHJhZ29udG9oYQ==
- 8a3c4b262d721acd49a4bf97d5213199c86fa2b9
- 5e8f16062ea3cd2c4a0d547876baa6f38cabf625
- 42893825-3d6a-41e1-9b47-93180fe2b3b2
- Y29tLlNCU3R1ZGlvLlBTUF9QUFNTUFBfRW11bGF0b3JfR2FtZXM=
- a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc
- 51ff84a4ebf155b7d3f554698421f4daf4e58cc8
- 470fa2b4ae81cd56ecbcda9735803434cec591fa
- com/Vo9wbFH89BbDbWFhUezQZOGPKmfkJSAtIbVWk3QxPbvJwcR8I79EVuI0aB41a
Info: Application logs information. Sensitive information must never be logged
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files:
- bolts/MeasurementEvent.java, line(s) 60,72
- com/SBStudio/PSP_PPSSPP_Emulator_Games/Activity/Konten.java, line(s) 231
- com/SBStudio/PSP_PPSSPP_Emulator_Games/HttpHandler.java, line(s) 23,27,31,35
- com/airpush/injector/internal/common/Logger.java, line(s) 33
- com/airpush/injector/internal/common/old/Util.java, line(s) 506
- com/airpush/injector/internal/skeleton/AdLoader.java, line(s) 55
- com/bumptech/glide/Glide.java, line(s) 161,170,121,120,160,167,194,195
- com/bumptech/glide/gifdecoder/GifHeaderParser.java, line(s) 246,284,245,283
- com/bumptech/glide/gifdecoder/StandardGifDecoder.java, line(s) 161,174,188,159,172,186,209,218,662
- com/bumptech/glide/load/data/AssetPathFetcher.java, line(s) 35,34
- com/bumptech/glide/load/data/HttpUrlFetcher.java, line(s) 55,109,49,54,108,50
- com/bumptech/glide/load/data/LocalUriFetcher.java, line(s) 37,36
- com/bumptech/glide/load/data/mediastore/ThumbFetcher.java, line(s) 51,50
- com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java, line(s) 55,54
- com/bumptech/glide/load/engine/DecodeJob.java, line(s) 185,184,328,374,418
- com/bumptech/glide/load/engine/DecodePath.java, line(s) 55,56
- com/bumptech/glide/load/engine/Engine.java, line(s) 77,85,93,103,110
- com/bumptech/glide/load/engine/GlideException.java, line(s) 61,73
- com/bumptech/glide/load/engine/SourceGenerator.java, line(s) 65,66
- com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java, line(s) 79,133,80,134
- com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java, line(s) 116,147,156,180,75,82,115,125,146,155,169,179,188,76,83,126,194,170
- com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java, line(s) 46,56,70,76,106,118,47,71,57,77,107,119
- com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java, line(s) 58,42
- com/bumptech/glide/load/engine/executor/GlideExecutor.java, line(s) 39,154,36,153
- com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java, line(s) 68,67
- com/bumptech/glide/load/model/ByteBufferEncoder.java, line(s) 20,19
- com/bumptech/glide/load/model/ByteBufferFileLoader.java, line(s) 59,58
- com/bumptech/glide/load/model/FileLoader.java, line(s) 63,62
- com/bumptech/glide/load/model/ResourceLoader.java, line(s) 40,41
- com/bumptech/glide/load/model/StreamEncoder.java, line(s) 39,38
- com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java, line(s) 53,52,58,72,73
- com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java, line(s) 119,126,142,149,177,187,199,214,228,234,238,243,249,253,118,125,141,148,176,186,198,213,227,233,237,242,248,252
- com/bumptech/glide/load/resource/bitmap/Downsampler.java, line(s) 210,226,261,129,139,197,209,225,260,130,198,288
- com/bumptech/glide/load/resource/bitmap/TransformationUtils.java, line(s) 145,89,98,105,122,127,144,90,99,106,107,108,112,123,128
- com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java, line(s) 82,91,83,92
- com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java, line(s) 25,26
- com/bumptech/glide/load/resource/gif/StreamGifDecoder.java, line(s) 57,58
- com/bumptech/glide/manager/RequestManagerFragment.java, line(s) 127,128
- com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 301,302
- com/bumptech/glide/manager/SupportRequestManagerFragment.java, line(s) 123,124
- com/bumptech/glide/module/ManifestParser.java, line(s) 20,27,38,43,19,26,31,37,42,32
- com/bumptech/glide/request/SingleRequest.java, line(s) 357,142,280,290,294,387,374
- com/bumptech/glide/request/target/ViewTarget.java, line(s) 209,210
- com/bumptech/glide/util/ContentLengthInputStream.java, line(s) 28,27
- com/bumptech/glide/util/pool/FactoryPools.java, line(s) 89,90
- com/clockbyte/admobadapter/AdmobFetcher.java, line(s) 75,86,94,135,163
- com/clockbyte/admobadapter/expressads/AdmobFetcherExpress.java, line(s) 60,69,96,105
- com/gamedragontoha/pspwaruirengcom/Activity/Konten.java, line(s) 231
- com/gamedragontoha/pspwaruirengcom/HttpHandler.java, line(s) 23,27,31,35
- com/startapp/android/publish/ads/splash/c.java, line(s) 230
- com/startapp/android/publish/ads/video/d.java, line(s) 39,64
- com/startapp/android/publish/ads/video/h.java, line(s) 70,109
- com/startapp/android/publish/adsCommon/b.java, line(s) 80,259
- com/startapp/android/publish/adsCommon/k.java, line(s) 86
- com/startapp/android/publish/common/b.java, line(s) 145,150,157,161,177,204
- com/startapp/android/publish/common/commonUtils/j.java, line(s) 57,66,60,54,63
- com/startapp/android/publish/common/commonUtils/r.java, line(s) 267,452
Hotspot: Application may communicate with a server (googleads.g.doubleclick.net) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.38', 'country_short': 'CN', 'country_long': 'China', 'region': 'Shanghai', 'city': 'Shanghai', 'latitude': '31.224333', 'longitude': '121.469139'}
Hotspot: Application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.38', 'country_short': 'CN', 'country_long': 'China', 'region': 'Shanghai', 'city': 'Shanghai', 'latitude': '31.224333', 'longitude': '121.469139'}
Hotspot: Application may communicate with a server (d1byvlfiet2h9q.cloudfront.net) located in an OFAC-sanctioned country (Hong Kong).
{'ip': '13.226.123.184', 'country_short': 'HK', 'country_long': 'Hong Kong', 'region': 'Hong Kong', 'city': 'Hong Kong', 'latitude': '22.285521', 'longitude': '114.157692'}
Hotspot: Application may communicate with a server (facebook.com) located in an OFAC-sanctioned country (Hong Kong).
{'ip': '157.240.211.35', 'country_short': 'HK', 'country_long': 'Hong Kong', 'region': 'Hong Kong', 'city': 'Hong Kong', 'latitude': '22.285521', 'longitude': '114.157692'}