移动应用安全检测报告:
安全基线评分
安全基线评分 52/100
综合风险等级
风险等级评定
- A
- B
- C
- F
漏洞与安全项分布(%)
隐私风险
1
检测到的第三方跟踪器数量
检测结果分布
高危安全漏洞
2
中危安全漏洞
11
安全提示信息
3
已通过安全项
2
重点安全关注
3
高危安全漏洞 该文件是World Readable。任何应用程序都可以读取文件
该文件是World Readable。任何应用程序都可以读取文件 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/cloudwise/agent/app/util/DeviceUtil.java, line(s) 332,336
高危安全漏洞 SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击
SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: com/cloudwise/agent/app/mobile/h5/webview/CWWebViewClient.java, line(s) 46,21,22,23 com/cloudwise/agent/app/mobile/h5/x5webview/CWX5WebViewClient.java, line(s) 48,22,23,24 com/cloudwise/agent/app/mobile/h5/xwalkview/CWXWalkResourceClient.java, line(s) 52,119,20,21,22
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: android.permission.DUMP [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: coil/decode/GifDecoder.java, line(s) 30,33,36,39 coil/memory/MemoryCache.java, line(s) 203 coil/memory/MemoryCacheService.java, line(s) 45 com/cloudwise/agent/app/constant/SDKConst.java, line(s) 11 com/cloudwise/agent/app/db/EventsDatasource.java, line(s) 17 com/cloudwise/agent/app/encryption/AES128Encode.java, line(s) 14 com/cloudwise/agent/app/util/DeviceUtil.java, line(s) 27 com/paulkman/nova/core/common/OSSProtectionKt.java, line(s) 10 com/paulkman/nova/data/DecrypterKt.java, line(s) 24 com/paulkman/nova/data/FeedbackRepositoryImpl.java, line(s) 22 com/paulkman/nova/data/json/StationInfoResponse.java, line(s) 123 com/paulkman/nova/data/remote/AESResponseDecryptorKt.java, line(s) 10 com/paulkman/nova/domain/SettingKeys.java, line(s) 19 com/paulkman/nova/feature/comic/data/json/ComicChapterKeyResponse.java, line(s) 86 com/paulkman/nova/feature/novel/data/json/NovelChapterKeyResponse.java, line(s) 86 com/paulkman/nova/feature/video/ui/VideoViewModel.java, line(s) 1768
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/cloudwise/agent/app/db/EventsDatasource.java, line(s) 7,137 com/cloudwise/agent/app/db/MySQLiteHelper.java, line(s) 4,5,27,28,33,34 com/cloudwise/agent/app/mobile/sqlite/SQLiteProcessor.java, line(s) 6,45,88,90,93,178,180,183
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/cloudwise/agent/app/minidns/client/AbstractDnsClient.java, line(s) 26 com/cloudwise/agent/app/minidns/core/constants/DnsRootServer.java, line(s) 13 com/cloudwise/agent/app/minidns/core/util/CollectionsUtil.java, line(s) 4 com/cloudwise/agent/app/minidns/resolver/iterative/IterativeDnsClient.java, line(s) 28 org/codehaus/plexus/util/FileUtils.java, line(s) 26
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/cloudwise/agent/app/util/CWUtil.java, line(s) 41 com/paulkman/nova/data/MD5Kt.java, line(s) 16
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/cloudwise/agent/app/log/CLog.java, line(s) 11 com/cloudwise/agent/app/util/DeviceUUIDProcessor.java, line(s) 105 com/cloudwise/agent/app/util/DeviceUtil.java, line(s) 420,407,408,420 com/github/gzuliyujiang/oaid/DeviceID.java, line(s) 96,97 org/acra/file/Directory.java, line(s) 40,78
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/cloudwise/agent/app/minidns/client/DnsClient.java, line(s) 90 com/cloudwise/agent/app/mobile/http/HttpNativeCollection.java, line(s) 117
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/cloudwise/agent/app/minidns/client/AbstractDnsClient.java, line(s) 91 com/github/gzuliyujiang/oaid/impl/OppoImpl.java, line(s) 70
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: coil/decode/SourceImageSource.java, line(s) 70
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296 m620syncVideoExtrasnTDK9SQ B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF 4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5 4f54469a6638ef9d031c23cd6709bcf9 2NO5K9R2I59G431vUqmaSBJ1HjRdg4egFUK24fWe6 m1369LazyGridPaginationNoAdContent5KhJULg 8D91E471E0989CDA27DF505A453F2B7635294F2DDF23E3B122ACC99C9E9F1E14 b6173d737d32962dd07cbca48f5994af 8ffc8ca8aeac08dc2fecffe1002dda3d 1628686155461064465348252249725010996177649738666492500572664444461532807739744536029771810659241049343994038053541290419968870563183856865780916376571550372513476957870843322273120879361960335192976656756972171258658400305760429696147778001233984421619267530978084631948434496468785021389956803104620471232008587410372348519229650742022804219634190734272506220018657920136902014393834092648785514548876370028925405557661759399901378816916683122474038734912535425670533237815676134840739565610963796427401855723026687073600445461090736240030247906095053875491225879656640052743394090544036297390104110989318819106653199917493 m401AddSuggestionComicCoversqKj4JfE m290ProvideAppResourcesThemeDataOCqH9h0 77ecf5b9a365be72fdadf6a86f4195fa 5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/cloudwise/agent/app/CWSDK.java, line(s) 138,57,65,54,62,144,145,164,166 com/cloudwise/agent/app/base/AbstractRetryThread.java, line(s) 42,73 com/cloudwise/agent/app/callback/CWActivityLifecycleCallbacks.java, line(s) 16,30,38,46 com/cloudwise/agent/app/config/ConfManager.java, line(s) 24,15 com/cloudwise/agent/app/config/ConfigModel.java, line(s) 132,136,156,160 com/cloudwise/agent/app/config/ConfigOption.java, line(s) 11 com/cloudwise/agent/app/config/JSCodeWorker.java, line(s) 51,54,38 com/cloudwise/agent/app/config/LocalConfig.java, line(s) 75,78 com/cloudwise/agent/app/config/ManualConfig.java, line(s) 33 com/cloudwise/agent/app/config/SPConfig.java, line(s) 48,127,151,201 com/cloudwise/agent/app/config/SPJSCode.java, line(s) 49,62 com/cloudwise/agent/app/config/SPStartupConfig.java, line(s) 56,72,53 com/cloudwise/agent/app/config/ServerCdn.java, line(s) 49,45 com/cloudwise/agent/app/config/ServerCdnWorker.java, line(s) 72,75,47,64 com/cloudwise/agent/app/config/ServerConfig.java, line(s) 62 com/cloudwise/agent/app/config/ServerConfigWorker.java, line(s) 81,84,47,68,74 com/cloudwise/agent/app/data/DataProcessor.java, line(s) 34,24,27,19 com/cloudwise/agent/app/data/DataSendImpl.java, line(s) 158,160,222,225,49,54,120,168,170,173,182,214,215,216,250,252,254,267,269,65,70,80,127,136,150,163,245 com/cloudwise/agent/app/data/DataSendWorker.java, line(s) 14 com/cloudwise/agent/app/data/SendPolicyUtil.java, line(s) 27,13,24,16,20,23 com/cloudwise/agent/app/data/UserInfoSendWorker.java, line(s) 113,116,62,92,105,106 com/cloudwise/agent/app/db/CloudwiseSharedPreferences.java, line(s) 35,42,53 com/cloudwise/agent/app/db/EventsDatasource.java, line(s) 161,175,254,262,164,173,177,184,187,190,200,206,236,252 com/cloudwise/agent/app/log/CLog.java, line(s) 106,109,135,137,115,118,97,100,124,127 com/cloudwise/agent/app/minidns/client/AbstractDnsClient.java, line(s) 276 com/cloudwise/agent/app/minidns/client/source/NetworkDataSource.java, line(s) 125,162 com/cloudwise/agent/app/mobile/anr/ANRWatchDog.java, line(s) 37,88 com/cloudwise/agent/app/mobile/anr/AnrListener.java, line(s) 109,110,111,115,152,169,172,208,102,107,180,181,183,184,202 com/cloudwise/agent/app/mobile/app/AppProcessor.java, line(s) 231,285,287,65,233 com/cloudwise/agent/app/mobile/crash/CrashManager.java, line(s) 24,32 com/cloudwise/agent/app/mobile/crash/CrashUtil.java, line(s) 25,61,62,66,91,130,144,165,88,139,189,234,239,247 com/cloudwise/agent/app/mobile/crash/JavaCrash.java, line(s) 45,46,27,31,35 com/cloudwise/agent/app/mobile/crash/NativeHandler.java, line(s) 42 com/cloudwise/agent/app/mobile/h5/CalledByWebview.java, line(s) 114,120,34,45,166,173 com/cloudwise/agent/app/mobile/h5/H5Util.java, line(s) 19,54 com/cloudwise/agent/app/mobile/h5/webview/CWWebView.java, line(s) 14,22,30,38 com/cloudwise/agent/app/mobile/h5/webview/CWWebViewClient.java, line(s) 91,93,132,134,31,36,41,47,55,82,87,103,110,117,125,141,147 com/cloudwise/agent/app/mobile/h5/x5webview/CWX5Utils.java, line(s) 33 com/cloudwise/agent/app/mobile/h5/x5webview/CWX5WebView.java, line(s) 14,22,30 com/cloudwise/agent/app/mobile/h5/x5webview/CWX5WebViewClient.java, line(s) 93,95,32,36,38,43,49,57,84,89,107,113 com/cloudwise/agent/app/mobile/h5/xwalkview/CWXWalkResourceClient.java, line(s) 99,101,160,162,201,203,36,41,47,53,61,90,95,109,114,120,124,151,156,172,179,186,194,210,220 com/cloudwise/agent/app/mobile/h5/xwalkview/CWXWalkView.java, line(s) 19 com/cloudwise/agent/app/mobile/http/HttpCDNUtil.java, line(s) 47,49,96,98,125,128,167,192,194,45,54,60,64,80,107,111,121,143,155,158,70,73 com/cloudwise/agent/app/mobile/http/HttpHeaderUtil.java, line(s) 52,54,83,85,15,17,29,41,60,63,69,75,93,102 com/cloudwise/agent/app/mobile/http/HttpIPUtil.java, line(s) 43,55,108,129,157,160,175,22,25,27,32,35,49,61,64,67,71,74,80,83,90,93,97,100,104,114,121,137,164,171 com/cloudwise/agent/app/mobile/http/HttpManager.java, line(s) 162,164 com/cloudwise/agent/app/mobile/http/HttpNativeCollection.java, line(s) 121,130,132,178,77,114,124,125 com/cloudwise/agent/app/mobile/http/HttpUtil.java, line(s) 76,126,138 com/cloudwise/agent/app/mobile/http/NativeHttpHandler.java, line(s) 28,17 com/cloudwise/agent/app/mobile/http/okhttp2/CloudwiseCall.java, line(s) 92 com/cloudwise/agent/app/mobile/http/urlconnection/HttpUrlConnectionDelegate.java, line(s) 41 com/cloudwise/agent/app/mobile/http/urlconnection/HttpsUrlConnectionDelegate.java, line(s) 50 com/cloudwise/agent/app/mobile/http/urlconnection/URLConnectionProcessor.java, line(s) 18,24,34,40 com/cloudwise/agent/app/mobile/interaction/InteractionManager.java, line(s) 38,40 com/cloudwise/agent/app/mobile/session/SessionProcessor.java, line(s) 164 com/cloudwise/agent/app/mobile/socket/CloudwiseInputStream.java, line(s) 77,106 com/cloudwise/agent/app/mobile/socket/CloudwiseOutputStream.java, line(s) 101,128 com/cloudwise/agent/app/mobile/socket/NIOSocketProcessor.java, line(s) 179,224,292,331,373,415 com/cloudwise/agent/app/mobile/view/ViewProcessor.java, line(s) 42,194,196,231,301,35,181,184 com/cloudwise/agent/app/util/BroadcastListener.java, line(s) 21,33,30,58,60,63 com/cloudwise/agent/app/util/CWUtil.java, line(s) 152 com/cloudwise/agent/app/util/CloudwiseTimer.java, line(s) 54,56,58,60,99,102,110,113,46 com/cloudwise/agent/app/util/CpuMemMonitor.java, line(s) 91,97,103,112,118,126 com/cloudwise/agent/app/util/DeviceUUIDProcessor.java, line(s) 130,148,170,204,217,226,229,45,51,57 com/cloudwise/agent/app/util/DeviceUtil.java, line(s) 153,239,131,151,191,226,259,271,308,376,392,400,488 com/cloudwise/agent/app/util/NetworkUtil.java, line(s) 25,27 com/cloudwise/agent/app/util/UploadUtil.java, line(s) 12,15,26,29 com/github/gzuliyujiang/oaid/OAIDLog.java, line(s) 18 com/paulkman/nova/feature/develop/ui/CDNDomainViewModel$setCDNDomain$1.java, line(s) 44 com/paulkman/nova/feature/game/ui/WithdrawScreenKt.java, line(s) 805 io/github/aakira/napier/DebugAntilog.java, line(s) 96,114 org/acra/ACRA.java, line(s) 182 org/acra/builder/ReportExecutor.java, line(s) 217 org/acra/collector/LogCatCollector.java, line(s) 72 org/acra/log/AndroidLogDelegate.java, line(s) 15,58,22,66,36,74,43,82,50,90,97 org/acra/reporter/ErrorReporterImpl.java, line(s) 157,141 org/acra/sender/SendingConductor.java, line(s) 118 org/codehaus/plexus/util/DirectoryScanner.java, line(s) 164 org/codehaus/plexus/util/SweeperPool.java, line(s) 35 org/codehaus/plexus/util/cli/CommandLineUtils.java, line(s) 104 org/codehaus/plexus/util/cli/Commandline.java, line(s) 49,86,351 org/codehaus/plexus/util/cli/DefaultConsumer.java, line(s) 8 org/codehaus/plexus/util/xml/pull/XmlPullParserException.java, line(s) 33 org/joda/time/tz/DateTimeZoneBuilder.java, line(s) 358,359,384 org/joda/time/tz/ZoneInfoCompiler.java, line(s) 63,245,246,247,248,249,329,348,361,379,384,450,463,479 org/koin/android/logger/AndroidLogger.java, line(s) 51,61,63,55,59
安全提示信息 应用程序可以写入应用程序目录。敏感信息应加密
应用程序可以写入应用程序目录。敏感信息应加密 Files: org/acra/collector/SharedPreferencesCollector.java, line(s) 79,79 org/acra/file/ReportLocator.java, line(s) 33,59,33,59 org/acra/prefs/SharedPreferencesFactory.java, line(s) 58
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/paulkman/nova/data/SystemSettingRepositoryImpl.java, line(s) 4,94
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/cloudwise/agent/app/minidns/sec/dane/X509TrustManagerUtil.java, line(s) 21,20,17,19 com/paulkman/nova/data/remote/RetrofitFactory.java, line(s) 82,82
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/cloudwise/agent/app/util/DeviceUtil.java, line(s) 65,48,52,52,52,52,52,52
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (www.mmtv.com.cn) 通信。
{'ip': '180.168.88.65', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (portal.toushibao.com) 通信。
{'ip': '180.168.88.65', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
重点安全关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (seagull-data.toushibao.com) 通信。
{'ip': '119.3.240.48', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}