Security Score: 44/100
Risk Rating: graded on an A / B / C / F scale
Severity Distribution (%) [chart]
Privacy Risk: 1 user/device tracker
Findings: High 4, Medium 18, Info 2, Secure 1, Hotspot 1
High: The base network security configuration insecurely permits cleartext traffic to all domains.
Scope: *
High: The app uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: e/f/a/a/h1/k0/d.java, line(s) 58
High: If an app uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the app may be vulnerable to cross-site scripting.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/just/agentweb/UrlLoaderImpl.java, line(s) 70,75,5
High: Remote WebView debugging is enabled.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/just/agentweb/AgentWebConfig.java, line(s) 48,8
Medium: Application data can be backed up.
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Activity-Alias (com.grass.mh.FiveActivity) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity-Alias (com.grass.mh.FourActivity) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity-Alias (com.grass.mh.ThreeActivity) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity-Alias (com.grass.mh.TwoActivity) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity-Alias (com.grass.mh.OneActivity) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity-Alias (com.grass.mh.Default) is not protected.
An intent-filter exists. The Activity-Alias is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity-Alias is explicitly exported.
Medium: Activity (com.grass.mh.ui.mine.activity.LoginActivity) is not protected.
An intent-filter exists. The Activity is shared with other apps on the device, leaving it accessible to any other application on the device. The presence of an intent-filter indicates that the Activity is explicitly exported.
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/lv/downloadvideo/utils/SPHelper.java, line(s) 10 com/lzy/okgo/cache/CacheEntity.java, line(s) 14 com/lzy/okgo/exception/CacheException.java, line(s) 17,13 e/c/a/a/d/c.java, line(s) 102 e/d/a/m/o/o.java, line(s) 85
Medium: The app uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/grass/mh/SplashActivity.java, line(s) 70 com/grass/mh/ui/community/ReleaseActivity.java, line(s) 46 com/grass/mh/ui/home/HomeFeaturedFragment.java, line(s) 58 com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 15 com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 26 e/f/a/a/l1/a0/l.java, line(s) 28 e/f/a/a/l1/a0/s.java, line(s) 17 e/g/a/f0/c/n5.java, line(s) 10 e/l/a/a/b/a.java, line(s) 7 i/q/a.java, line(s) 7 i/q/b.java, line(s) 4 i/q/c/a.java, line(s) 4
Medium: The app uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: c/o/a/n.java, line(s) 26,989 com/danikula/videocache/sourcestorage/DatabaseSourceInfoStorage.java, line(s) 6,7,63 e/f/a/a/l1/a0/l.java, line(s) 6,7,186,212,213 e/k/a/f/d.java, line(s) 3,4,26,27,28,29,40,43,46,49 m/b/b/f/f.java, line(s) 4,40
Medium: The app can read/write external storage. Any app can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/danikula/videocache/StorageUtils.java, line(s) 14,34 com/grass/mh/utils/DownloadApkUtil.java, line(s) 51,51 com/just/agentweb/AgentWebUtils.java, line(s) 303,360,396 com/lv/downloadvideo/utils/DataCacheUtils.java, line(s) 69 com/lv/downloadvideo/utils/StorageUtils.java, line(s) 26,46,46,55,74 com/maning/updatelibrary/utils/MNUtils.java, line(s) 20 com/yalantis/ucrop/PictureMultiCuttingActivity.java, line(s) 115 e/j/b/g/f.java, line(s) 81 e/k/b/a.java, line(s) 28 org/dsq/library/callback/M3u8FileConvert.java, line(s) 18
Medium: MD5 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/danikula/videocache/ProxyCacheUtils.java, line(s) 44 com/just/agentweb/AgentWebUtils.java, line(s) 587 com/lv/downloadvideo/utils/MD5Utils.java, line(s) 9
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/grass/mh/ui/community/OnlineServiceChannelActivity.java, line(s) 51,55 com/grass/mh/ui/mine/activity/OnlineServiceActivity.java, line(s) 67,71
Medium: IP address disclosure.
Files: com/danikula/videocache/HttpProxyCacheServer.java, line(s) 30 e/m/a/e/b.java, line(s) 128
Medium: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/just/agentweb/AbsAgentWebSettings.java, line(s) 44,26
Medium: The app contains privacy trackers.
This app has 1 privacy tracker. Trackers can track devices or users and are a privacy concern for end users.
Medium: This app may contain hardcoded secrets.
The following secrets were identified in the app. Verify that these are not secrets or private information: 友盟统计的=> "UMENG_CHANNEL" : "channel" edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
Info: The app logs information. Sensitive information must never be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: (the report lists several hundred obfuscated source files with line numbers; the list is omitted here)
Info: This app uses SQLCipher. SQLCipher provides 256-bit AES encryption for SQLite database files.
Files: org/greenrobot/greendao/database/SqlCipherEncryptedHelper.java, line(s) 18,8,9
Secure: This app uses SSL pinning to detect or prevent MITM attacks on its secure communication channel.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: e/k/a/g/a.java, line(s) 82,48,81,69,80,80
Hotspot: The app may communicate with a server (clsp.fun) located in an OFAC-sanctioned country (China).
Geolocation record: {'ip': '143.92.53.201', 'country_short': 'HK', 'country_long': '中国', 'region': '香港', 'city': '香港', 'latitude': '22.285521', 'longitude': '114.157692'}