Security Score: 57/100
Risk Rating
Grade
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 0 user/device trackers
Findings
- High: 1
- Medium: 9
- Info: 3
- Secure: 2
- Hotspot: 1
High: The base network security configuration is insecurely set to permit cleartext traffic to all domains.
Scope: *
Medium: Application data can be backed up.
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of that permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver was found to be shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: IP address disclosure
Files: expo/modules/network/NetworkModule.java, line(s) 287 expo/modules/updates/codesigning/CertificateChain.java, line(s) 100 expo/modules/updates/codesigning/CertificateChainKt.java, line(s) 7 org/ejbca/cvc/CVCObjectIdentifiers.java, line(s) 4,8,9,11,12,10,13,7,14,6,15,16,17,18,19,20,21,5 org/jmrtd/lds/ActiveAuthenticationInfo.java, line(s) 18,13,14,15,16,17,12 org/jmrtd/lds/CardSecurityFile.java, line(s) 33 org/jmrtd/lds/SODFile.java, line(s) 41,39,38 org/jmrtd/lds/SecurityInfo.java, line(s) 19,18,27,41,32,46,37,20,21,22,23,24,25,28,29,30,31,42,43,44,45,33,34,35,36,47,48,49,50,38,39,40,26 org/jmrtd/lds/SignedDataUtil.java, line(s) 72,73,74,75,55,62,61,65,66,67,64,57,58,59,63,60,70,68,69
Medium: The app uses an insecure random number generator.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: expo/modules/updates/UpdatesUtils.java, line(s) 39 org/jmrtd/lds/CBEFFDataGroup.java, line(s) 10 org/jmrtd/protocol/BACProtocol.java, line(s) 5 org/jmrtd/protocol/PACEProtocol.java, line(s) 28
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/authme/lib/ocr/data/api/response/InitScanParameter.java, line(s) 229 expo/modules/adapters/react/NativeModulesProxy.java, line(s) 32,34,36,40 expo/modules/constants/ExponentInstallationId.java, line(s) 19 expo/modules/easclient/EASClientIDKt.java, line(s) 7 expo/modules/interfaces/permissions/PermissionsResponse.java, line(s) 9,10,11,15,17 expo/modules/systemui/SystemUIModuleKt.java, line(s) 7 expo/modules/updates/UpdatesConfiguration.java, line(s) 24,29,32,34,36,37,38,39,40,41,178 expo/modules/updates/UpdatesModule.java, line(s) 319,364 expo/modules/updates/codesigning/CodeSigningAlgorithmKt.java, line(s) 7,9 expo/modules/updates/codesigning/ExpoProjectInformation.java, line(s) 52 expo/modules/updates/db/BuildData.java, line(s) 20 expo/modules/updates/loader/SigningInfo.java, line(s) 52 expo/modules/updates/manifest/ManifestMetadata.java, line(s) 25,26,27 expo/modules/webbrowser/OpenBrowserOptions.java, line(s) 40 expo/modules/webbrowser/WebBrowserModuleKt.java, line(s) 7,12,11 org/jmrtd/lds/PACEDomainParameterInfo.java, line(s) 30 org/jmrtd/protocol/EACTAResult.java, line(s) 76
Medium: The app can read/write external storage. Any app can read data written to external storage.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/alpha0010/fs/FileAccessModule$cpExternal$1.java, line(s) 100,147 com/alpha0010/fs/FileAccessModule$df$1.java, line(s) 57
Medium: SHA-1 is a weak hash known to have collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/authme/common/AuthMeCrypt.java, line(s) 42 org/jmrtd/protocol/EACCAProtocol.java, line(s) 137 org/jmrtd/protocol/EACTAProtocol.java, line(s) 171
Medium: MD5 is a weak hash known to have collisions.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: expo/modules/filesystem/FileSystemModule.java, line(s) 254,376,3066
Medium: This app may contain hardcoded secrets.
The following secrets were identified in the app. Confirm that these are not secrets or private information:
- "sdk.ocr.verify.result.authority" : "Authority"
- 87A8E61DB4B6663CFFBBD19C651959998CEEF608660DD0F25D2CEED4435E3B00E00DF8F1D61957D4FAF7DF4561B2AA3016C3D91134096FAA3BF4296D830E9A7C209E0C6497517ABD5A8A9D306BCF67ED91F9E6725B4758C022E0B1EF4275BF7B6C5BFC11D45F9088B941F54EB1E59BB8BC39A0BF12307F5C4FDB70C581B23F76B63ACAE1CAA6B7902D52526735488A0EF13C6D9A51BFA4AB3AD8347796524D8EF6A167B5A41825D967E144E5140564251CCACB83E6B486F6B3CA3F7971506026C0B857F689962856DED4010ABD0BE621C3A3960A54E710C375F26375D7014103A4B54330C198AF126116D2276E11715F693877FAD7EF09CADB094AE91E1A1597
- F518AA8781A8DF278ABA4E7D64B7CB9D49462353
- AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFAAB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7C17669101999024AF4D027275AC1348BB8A762D0521BC98AE247150422EA1ED409939D54DA7460CDB5F6C6B250717CBEF180EB34118E98D119529A45D6F834566E3025E316A330EFBB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC017981BC087F2A7065B384B890D3191F2BFA
- 801C0D34C58D93FE997177101F80535A4738CEBCBF389A99B36371EB
- 3FB32C9B73134D0B2E77506660EDBD484CA7B18F21EF205407F4793A1A0BA12510DBC15077BE463FFF4FED4AAC0BB555BE3A6C1B0C6B47B1BC3773BF7E8C6F62901228F8C28CBB18A55AE31341000A650196F931C77A57F2DDF463E5E9EC144B777DE62AAAB8A8628AC376D282D6ED3864E67982428EBC831D14348F6F2F9193B5045AF2767164E1DFC967C1FB3F2E55A4BD1BFFE83B9C80D052B985D182EA0ADB2A3B7313D3FE14C8484B1E052588B9B7D2BBD2DF016199ECD06E1557CD0915B3353BBB64E0EC377FD028370DF92B52C7891428CDC67EB6184B523D1DB246C32F63078490F00EF8D647D148D47954515E2327CFEF98C582664B4C0F6CC41659
- 0123456789abcdefABCDEF
- 44e91f336617a878939030a5de33f…d291854f67ce4b51e48fb0b
Info: The app logs information. Sensitive information should never be logged.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/authme/enginelib/engine/CardOCRService.java, line(s) 182 com/authme/enginelib/engine/IDCardAntiFraudService.java, line(s) 201 com/authme/enginelib/engine/ModelObject.java, line(s) 114,124,143 com/authme/enginelib/engine/PassportService.java, line(s) 189 com/authme/sdk/ocr/plugin/nfc/jp2/JP2Decoder.java, line(s) 93,118,175 com/awesomemodule/AwesomeModuleModule.java, line(s) 111 com/caverock/androidsvg/CSSParser.java, line(s) 1132,359 com/caverock/androidsvg/SVG.java, line(s) 545 com/caverock/androidsvg/SVGAndroidRenderer.java, line(s) 114,347,1282,170,175,343 com/caverock/androidsvg/SVGImageView.java, line(s) 113,120,146,164,191,222 com/caverock/androidsvg/SVGParser.java, line(s) 617,641,661,973,531,4038,4064,4082,4103,4129,4154,4181,4199,646,3039,3075,3092 com/caverock/androidsvg/SimpleAssetResolver.java, line(s) 40,54,69 com/horcrux/svg/Brush.java, line(s) 137,148 com/horcrux/svg/ClipPathView.java, line(s) 34 com/horcrux/svg/ImageView.java, line(s) 173 com/horcrux/svg/LinearGradientView.java, line(s) 111 com/horcrux/svg/PatternView.java, line(s) 122 com/horcrux/svg/RadialGradientView.java, line(s) 143 com/horcrux/svg/UseView.java, line(s) 92,123,138 com/horcrux/svg/VirtualView.java, line(s) 393,319,357,361 com/swmansion/reanimated/NativeMethodsHelper.java, line(s) 44 com/swmansion/reanimated/ReanimatedModule.java, line(s) 108 com/swmansion/reanimated/ReanimatedUIManagerFactory.java, line(s) 20 com/swmansion/reanimated/layoutReanimation/AnimationsManager.java, line(s) 201,215 com/swmansion/reanimated/layoutReanimation/ReanimatedNativeHierarchyManager.java, line(s) 37 com/swmansion/reanimated/layoutReanimation/SharedTransitionManager.java, line(s) 125 com/swmansion/reanimated/nativeProxy/NativeProxyCommon.java, line(s) 189 com/swmansion/reanimated/sensor/ReanimatedSensorContainer.java, line(s) 35
com/swmansion/rnscreens/ScreenStackHeaderConfigViewManager.java, line(s) 202 com/th3rdwave/safeareacontext/SafeAreaView.java, line(s) 106 community/revteltech/nfc/NfcManager.java, line(s) 122,131,139,213,235,252,276,304,333,681,759,763,885,890,976,980,1033,1045,1051,1068,1079,1119,1139,1153,1159,1168,1175,1197,1252,1257,1271,1273,1361,1376,1382,1397,1406,1364,1179,1188,1218,1227 community/revteltech/nfc/TagTechnologyRequest.java, line(s) 65,83,88,198 community/revteltech/nfc/Util.java, line(s) 38,42,55,143 expo/modules/ExpoModulesPackage.java, line(s) 40 expo/modules/adapters/react/services/UIManagerModuleWrapper.java, line(s) 82 expo/modules/apploader/AppLoaderProvider.java, line(s) 23 expo/modules/constants/ConstantsService.java, line(s) 94,151 expo/modules/constants/ExponentInstallationId.java, line(s) 80,109 expo/modules/core/logging/OSLogHandler.java, line(s) 31,41,46,35,39,22,24 expo/modules/devlauncher/helpers/DevLauncherInstallationIDHelper.java, line(s) 56,72 expo/modules/devlauncher/launcher/configurators/DevLauncherExpoActivityConfigurator.java, line(s) 170,184 expo/modules/devmenu/devtools/DevMenuDevToolsDelegate$openJSInspector$1$1.java, line(s) 64 expo/modules/devmenu/extensions/DevMenuExtension.java, line(s) 75,82 expo/modules/devmenu/react/DevMenuPackagerCommandHandlersSwapper$swapCurrentCommandHandlers$1.java, line(s) 62 expo/modules/devmenu/react/DevMenuPackagerCommandHandlersSwapper.java, line(s) 36 expo/modules/devmenu/react/DevMenuShakeDetectorListenerSwapper.java, line(s) 24 expo/modules/devmenu/websockets/DevMenuCommandHandlersProvider.java, line(s) 126 expo/modules/filesystem/FileSystemModule$definition$1$17$1$1.java, line(s) 32 expo/modules/filesystem/FileSystemModule$definition$1$18$1.java, line(s) 33 expo/modules/filesystem/FileSystemModule$definition$1$19$4.java, line(s) 42 expo/modules/filesystem/FileSystemModule$downloadResumableTask$2.java, line(s) 108 expo/modules/filesystem/FileSystemModule.java, line(s) 2602 
expo/modules/localization/LocalizationModule.java, line(s) 266 expo/modules/network/NetworkModule.java, line(s) 250 expo/modules/splashscreen/singletons/SplashScreen.java, line(s) 119,165,206 expo/modules/systemui/singletons/SystemUI.java, line(s) 71 expo/modules/updates/DisabledUpdatesController.java, line(s) 84 expo/modules/updates/EnabledUpdatesController.java, line(s) 140,176 expo/modules/updates/UpdatesModule$definition$1$4$1.java, line(s) 27 expo/modules/updates/UpdatesPackage.java, line(s) 96 expo/modules/updates/UpdatesUtils.java, line(s) 152,155,177,180,296 expo/modules/updates/codesigning/CodeSigningConfiguration.java, line(s) 105 expo/modules/updates/db/Converters.java, line(s) 86 expo/modules/updates/db/DatabaseHolder.java, line(s) 24 expo/modules/updates/db/Reaper.java, line(s) 30,38,43,47,56,60 expo/modules/updates/errorrecovery/ErrorRecovery.java, line(s) 129,157 expo/modules/updates/launcher/NoDatabaseLauncher.java, line(s) 91,115 expo/modules/updates/loader/FileDownloader.java, line(s) 822 expo/modules/updates/loader/Loader.java, line(s) 261,282,285,309,358 expo/modules/updates/loader/LoaderFiles.java, line(s) 67,88 expo/modules/updates/loader/LoaderTask$launchRemoteUpdateInBackground$1$1.java, line(s) 53,178 expo/modules/updates/loader/LoaderTask.java, line(s) 275,340,407 expo/modules/updates/loader/RemoteLoader.java, line(s) 140 expo/modules/updates/manifest/BareUpdateManifest.java, line(s) 238 expo/modules/updates/manifest/EmbeddedManifest.java, line(s) 42 expo/modules/updates/manifest/LegacyUpdateManifest.java, line(s) 141,226,265 expo/modules/updates/manifest/ManifestMetadata.java, line(s) 44 expo/modules/updates/manifest/NewUpdateManifest.java, line(s) 300,396,450 expo/modules/updates/manifest/ResponseHeaderData.java, line(s) 182,185 expo/modules/updates/procedures/RelaunchProcedure$run$1.java, line(s) 67 expo/modules/updates/selectionpolicy/SelectionPolicies.java, line(s) 49 org/ejbca/cvc/example/FileHelper.java, line(s) 37,46 
org/ejbca/cvc/example/GenerateCert.java, line(s) 27 org/ejbca/cvc/example/GenerateRequest.java, line(s) 27,29 org/ejbca/cvc/example/Parse.java, line(s) 12 timber/log/Timber.java, line(s) 389,408
Info: The app can write to the app directory. Sensitive information should be encrypted.
Files: expo/modules/adapters/react/permissions/PermissionsService.java, line(s) 112,112 expo/modules/constants/ExponentInstallationId.java, line(s) 29,29 expo/modules/devlauncher/launcher/DevLauncherRecentlyOpenedAppsRegistry.java, line(s) 28,28
Info: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: expo/modules/devmenu/modules/DevMenuInternalModule.java, line(s) 5,287,314,288,315
Secure: This app uses SSL pinning to detect or prevent MITM attacks on its secure communication channel.
https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/authme/lib/network/RetrofitManager.java, line(s) 56,54,34 com/authme/lib/ui/AuthClientSetting.java, line(s) 81,81
Secure: This app has no privacy trackers.
This app does not include any user or device trackers. No trackers were found during static analysis.
Hotspot: The app may communicate with a server (www.android.com) located in an OFAC-sanctioned country (China).
{'ip': '34.110.201.56', 'country_short': 'HK', 'country_long': '中国', 'region': '香港', 'city': '香港', 'latitude': '22.285521', 'longitude': '114.157692'}