移动应用安全检测报告:
安全基线评分
安全基线评分 51/100
综合风险等级
风险等级评定
- A
- B
- C
- F
漏洞与安全项分布(%)
隐私风险
0
检测到的第三方跟踪器数量
检测结果分布
高危安全漏洞
1
中危安全漏洞
10
安全提示信息
2
已通过安全项
1
重点安全关注
1
高危安全漏洞 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: z2/a.java, line(s) 75
中危安全漏洞 应用数据存在泄露风险
未设置[android:allowBackup]标志 建议将 [android:allowBackup] 显式设置为 false。默认值为 true,允许通过 adb 工具备份应用数据,存在数据泄露风险。
中危安全漏洞 Broadcast Receiver (com.hvkjr.iqajbt.BootReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 高优先级 Intent(1000) - {1} 个命中
[android:priority] 通过设置较高的 Intent 优先级,应用可覆盖其他请求,可能导致安全风险。
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: b5/b.java, line(s) 288 b5/d.java, line(s) 92 c5/a.java, line(s) 45 f6/i.java, line(s) 129,151 f6/j.java, line(s) 143 w/g.java, line(s) 241
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: h5/c.java, line(s) 74
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: t1/q1.java, line(s) 6 u2/p0.java, line(s) 4 x2/b.java, line(s) 12 x4/i0.java, line(s) 12 y6/a.java, line(s) 3 y6/b.java, line(s) 3 z6/a.java, line(s) 3
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: d5/i.java, line(s) 9,10,11,12,13,518
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: com/journeyapps/barcodescanner/b.java, line(s) 258 e6/l.java, line(s) 551
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "library_zxingandroidembedded_author" : "JourneyApps" "library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/" edef8ba9-79d6-4ace-a3c8-27dcd51d21ed 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: b5/b.java, line(s) 87,95,115,132,289,305,194 b5/d.java, line(s) 139,265,37,81,197,201,206,261,214,134 c0/e.java, line(s) 32 c4/e.java, line(s) 34,72 c4/g.java, line(s) 39,32 com/hvkjr/iqajbt/BootReceiver.java, line(s) 22,44 com/hvkjr/iqajbt/FloatingWindowService.java, line(s) 379,432,441,443,574 com/hvkjr/iqajbt/InputService.java, line(s) 194,253,269,277,360,371,396,442,503,504,513,521,712 com/hvkjr/iqajbt/MainActivity.java, line(s) 124,131,222,459,485,462,488,683 com/hvkjr/iqajbt/MainService.java, line(s) 112,271,284,287,301,304,330,402,489,509,523,549,559,573,602,611,747,759,163,502,692,702,267,593 com/hvkjr/iqajbt/PermissionRequestTransparentActivity.java, line(s) 16,43 com/hvkjr/iqajbt/RdClipboardManager.java, line(s) 75,114,162,169,194,199 com/hvkjr/iqajbt/a.java, line(s) 148 com/journeyapps/barcodescanner/a.java, line(s) 604,654,117,302,404,466 com/journeyapps/barcodescanner/b.java, line(s) 110,181,264 d0/e.java, line(s) 56,87 d1/a.java, line(s) 77 d4/a.java, line(s) 13 d5/c0.java, line(s) 81,142,199,262,277,335,348,354,371,376,535,544,85,539 d5/e0.java, line(s) 24 d5/i.java, line(s) 176,312,328,374,447,524,581,547 e/d.java, line(s) 167,171 e1/g.java, line(s) 1018 e6/p.java, line(s) 81,65 f6/j.java, line(s) 187 g0/a2.java, line(s) 43,52,66,86,100,115,129 g0/b.java, line(s) 64 g0/b0.java, line(s) 95 g0/g2.java, line(s) 377,393,132,144,151,160,47,66,368 g0/q0.java, line(s) 820,797,819 g0/y1.java, line(s) 45 g6/j.java, line(s) 14,29,44 h/e.java, line(s) 1917,1070,1076,1555,1944,2162 h/i.java, line(s) 100 h/k.java, line(s) 49,59,74,84,101,113,125,134,147,161,173 h/m.java, line(s) 60,75 h0/h.java, line(s) 181 h1/a.java, line(s) 13 h1/e.java, line(s) 24,32 j5/a.java, line(s) 311,316 k0/d.java, line(s) 138 k1/f.java, line(s) 50 k1/n.java, line(s) 161,214,242 k5/b.java, line(s) 10,14,28,32,36 l/g.java, line(s) 168,211,270 l0/a0.java, line(s) 34,33 l0/d.java, line(s) 53,62 l0/o.java, line(s) 53,62 m/c.java, line(s) 276 n/b2.java, line(s) 104,137,363,119,152,235,249,301,367,370,423 n/c2.java, line(s) 38 n/f1.java, line(s) 105,114,218,395 n/l2.java, line(s) 111 n/m2.java, line(s) 86 n/o2.java, line(s) 22,32,50,52,55 n/p0.java, line(s) 47 n/s0.java, line(s) 136,141,146,151 n/s1.java, line(s) 395,205,210,217,310,510 n/x1.java, line(s) 149,183 n/y1.java, line(s) 181,48,60,94,123,383 p3/r.java, line(s) 40,35,30,25 p7/b.java, line(s) 87 q1/d.java, line(s) 53,87,114,126,144,163 r/b.java, line(s) 42 r0/a.java, line(s) 364,948,1076,1198,1201,1210,1216,1272,1355,1401,1584,1640,1697,1777,1813,1890,1977,2149,2231,2277,2328,2348,2361,2393,2431,2498,2543,2548,2554,2620,131,1131,1575,1599,1857,1871,2132,2511,2515,2519 r0/b.java, line(s) 47 r1/b.java, line(s) 1383,1268 r1/h.java, line(s) 490,587,2760,617,1008,1014 r1/k.java, line(s) 2767,2816,2840,3855,1897,2845 t0/a.java, line(s) 29,55,64,80 t0/a1.java, line(s) 585,131,144,266,275,280,291,295,383,444,452,461,631,639,647,655,700,708,714,725,785 t0/b.java, line(s) 138 t0/f.java, line(s) 723,1330,68,81,100,134,207,243,258,276,287,462,502,543,568,585,586,592,594,600,651,696,717,864,865,870,876,877,882,905,1081,1096,1106,1221,1229,1235,1237,1249,1282,1444 t0/k0.java, line(s) 176,187,213,643,649,680,681,1812,1818,1757,1758,1769,435,195,701,1283,1416,1426,1436,1458,1491,1539,1563,1600,1609,1721,1910,1918,164,299,309,321,331 t0/n0.java, line(s) 51,74,92,59,67,157,163 t0/q0.java, line(s) 114,136,222,243,280,322,372,391,406,416,477,482,529,594,639,736,744,86,215,310,462,654,715 t0/r.java, line(s) 576,1071,1193,962 t0/r0.java, line(s) 237,247,293,313,331 t0/u0.java, line(s) 280,289 t0/v0.java, line(s) 127 t0/x0.java, line(s) 18 u0/d.java, line(s) 176,198,94 v/c1.java, line(s) 72 v/e.java, line(s) 91,247 v/n.java, line(s) 27 v/p.java, line(s) 549,548 x/c.java, line(s) 56 x/d.java, line(s) 66 x/h.java, line(s) 140,149,247 y/e.java, line(s) 386,391 y/g.java, line(s) 70 y/h.java, line(s) 41,73 y/i.java, line(s) 57,228 y/m.java, line(s) 96 y0/b.java, line(s) 31,39,51 y4/l.java, line(s) 98 z/a.java, line(s) 102,111,153,163 z/m.java, line(s) 45,68 z4/a.java, line(s) 83,106,124 z4/c.java, line(s) 24,25,29,34,40,61,63,69,79,103,109,123,129,132,134,140,151,154,156,165,168,179,185 z4/g.java, line(s) 46,62,81,98,132,50,69,86,102 z4/h.java, line(s) 65,84,310,128,222,252,218,224,266,274 z4/l.java, line(s) 28 z4/n.java, line(s) 28 z4/q.java, line(s) 39,40
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/hvkjr/iqajbt/RdClipboardManager.java, line(s) 5,204
已通过安全项 此应用程序没有隐私跟踪程序
此应用程序不包括任何用户或设备跟踪器。在静态分析期间没有找到任何跟踪器。
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (dashif.org) 通信。
{'ip': '221.228.32.13', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '无锡', 'latitude': '31.569349', 'longitude': '120.288788'}