安全分析报告:
安全分数
安全分数 51/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
0
用户/设备跟踪器
调研结果
高危
1
中危
10
信息
2
安全
1
关注
0
高危 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: z2/a.java, line(s) 75
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Broadcast Receiver (com.hvkjr.iqajbt.BootReceiver) 未被保护。
[android:exported=true] 发现 Broadcast Receiver与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。
中危 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 高优先级的Intent (1000) - {1} 个命中
[android:priority] 通过设置一个比另一个Intent更高的优先级,应用程序有效地覆盖了其他请求。
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: com/journeyapps/barcodescanner/b.java, line(s) 258 e6/l.java, line(s) 551
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: t1/q1.java, line(s) 6 u2/p0.java, line(s) 4 x2/b.java, line(s) 12 x4/i0.java, line(s) 12 y6/a.java, line(s) 3 y6/b.java, line(s) 3 z6/a.java, line(s) 3
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: b5/b.java, line(s) 288 b5/d.java, line(s) 92 c5/a.java, line(s) 45 f6/i.java, line(s) 129,151 f6/j.java, line(s) 143 w/g.java, line(s) 241
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: h5/c.java, line(s) 74
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: d5/i.java, line(s) 9,10,11,12,13,518
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/" "library_zxingandroidembedded_author" : "JourneyApps" 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: b5/b.java, line(s) 87,95,115,132,289,305,194 b5/d.java, line(s) 139,265,37,81,197,201,206,261,214,134 c0/e.java, line(s) 32 c4/e.java, line(s) 34,72 c4/g.java, line(s) 39,32 com/hvkjr/iqajbt/BootReceiver.java, line(s) 22,44 com/hvkjr/iqajbt/FloatingWindowService.java, line(s) 379,432,441,443,574 com/hvkjr/iqajbt/InputService.java, line(s) 194,253,269,277,360,371,396,442,503,504,513,521,712 com/hvkjr/iqajbt/MainActivity.java, line(s) 124,131,222,459,485,462,488,683 com/hvkjr/iqajbt/MainService.java, line(s) 112,271,284,287,301,304,330,402,489,509,523,549,559,573,602,611,747,759,163,502,692,702,267,593 com/hvkjr/iqajbt/PermissionRequestTransparentActivity.java, line(s) 16,43 com/hvkjr/iqajbt/RdClipboardManager.java, line(s) 75,114,162,169,194,199 com/hvkjr/iqajbt/a.java, line(s) 148 com/journeyapps/barcodescanner/a.java, line(s) 604,654,117,302,404,466 com/journeyapps/barcodescanner/b.java, line(s) 110,181,264 d0/e.java, line(s) 56,87 d1/a.java, line(s) 77 d4/a.java, line(s) 13 d5/c0.java, line(s) 81,142,199,262,277,335,348,354,371,376,535,544,85,539 d5/e0.java, line(s) 24 d5/i.java, line(s) 176,312,328,374,447,524,581,547 e/d.java, line(s) 167,171 e1/g.java, line(s) 1018 e6/p.java, line(s) 81,65 f6/j.java, line(s) 187 g0/a2.java, line(s) 43,52,66,86,100,115,129 g0/b.java, line(s) 64 g0/b0.java, line(s) 95 g0/g2.java, line(s) 377,393,132,144,151,160,47,66,368 g0/q0.java, line(s) 820,797,819 g0/y1.java, line(s) 45 g6/j.java, line(s) 14,29,44 h/e.java, line(s) 1917,1070,1076,1555,1944,2162 h/i.java, line(s) 100 h/k.java, line(s) 49,59,74,84,101,113,125,134,147,161,173 h/m.java, line(s) 60,75 h0/h.java, line(s) 181 h1/a.java, line(s) 13 h1/e.java, line(s) 24,32 j5/a.java, line(s) 311,316 k0/d.java, line(s) 138 k1/f.java, line(s) 50 k1/n.java, line(s) 161,214,242 k5/b.java, line(s) 10,14,28,32,36 l/g.java, line(s) 168,211,270 l0/a0.java, line(s) 34,33 l0/d.java, line(s) 53,62 l0/o.java, line(s) 53,62 m/c.java, line(s) 276 n/b2.java, line(s) 104,137,363,119,152,235,249,301,367,370,423 n/c2.java, line(s) 38 n/f1.java, line(s) 105,114,218,395 n/l2.java, line(s) 111 n/m2.java, line(s) 86 n/o2.java, line(s) 22,32,50,52,55 n/p0.java, line(s) 47 n/s0.java, line(s) 136,141,146,151 n/s1.java, line(s) 395,205,210,217,310,510 n/x1.java, line(s) 149,183 n/y1.java, line(s) 181,48,60,94,123,383 p3/r.java, line(s) 40,35,30,25 p7/b.java, line(s) 87 q1/d.java, line(s) 53,87,114,126,144,163 r/b.java, line(s) 42 r0/a.java, line(s) 364,948,1076,1198,1201,1210,1216,1272,1355,1401,1584,1640,1697,1777,1813,1890,1977,2149,2231,2277,2328,2348,2361,2393,2431,2498,2543,2548,2554,2620,131,1131,1575,1599,1857,1871,2132,2511,2515,2519 r0/b.java, line(s) 47 r1/b.java, line(s) 1383,1268 r1/h.java, line(s) 490,587,2760,617,1008,1014 r1/k.java, line(s) 2767,2816,2840,3855,1897,2845 t0/a.java, line(s) 29,55,64,80 t0/a1.java, line(s) 585,131,144,266,275,280,291,295,383,444,452,461,631,639,647,655,700,708,714,725,785 t0/b.java, line(s) 138 t0/f.java, line(s) 723,1330,68,81,100,134,207,243,258,276,287,462,502,543,568,585,586,592,594,600,651,696,717,864,865,870,876,877,882,905,1081,1096,1106,1221,1229,1235,1237,1249,1282,1444 t0/k0.java, line(s) 176,187,213,643,649,680,681,1812,1818,1757,1758,1769,435,195,701,1283,1416,1426,1436,1458,1491,1539,1563,1600,1609,1721,1910,1918,164,299,309,321,331 t0/n0.java, line(s) 51,74,92,59,67,157,163 t0/q0.java, line(s) 114,136,222,243,280,322,372,391,406,416,477,482,529,594,639,736,744,86,215,310,462,654,715 t0/r.java, line(s) 576,1071,1193,962 t0/r0.java, line(s) 237,247,293,313,331 t0/u0.java, line(s) 280,289 t0/v0.java, line(s) 127 t0/x0.java, line(s) 18 u0/d.java, line(s) 176,198,94 v/c1.java, line(s) 72 v/e.java, line(s) 91,247 v/n.java, line(s) 27 v/p.java, line(s) 549,548 x/c.java, line(s) 56 x/d.java, line(s) 66 x/h.java, line(s) 140,149,247 y/e.java, line(s) 386,391 y/g.java, line(s) 70 y/h.java, line(s) 41,73 y/i.java, line(s) 57,228 y/m.java, line(s) 96 y0/b.java, line(s) 31,39,51 y4/l.java, line(s) 98 z/a.java, line(s) 102,111,153,163 z/m.java, line(s) 45,68 z4/a.java, line(s) 83,106,124 z4/c.java, line(s) 24,25,29,34,40,61,63,69,79,103,109,123,129,132,134,140,151,154,156,165,168,179,185 z4/g.java, line(s) 46,62,81,98,132,50,69,86,102 z4/h.java, line(s) 65,84,310,128,222,252,218,224,266,274 z4/l.java, line(s) 28 z4/n.java, line(s) 28 z4/q.java, line(s) 39,40
信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/hvkjr/iqajbt/RdClipboardManager.java, line(s) 5,204
安全 此应用程序没有隐私跟踪程序
此应用程序不包括任何用户或设备跟踪器。在静态分析期间没有找到任何跟踪器。