Security Analysis Report: 消防实操模拟软件 v1.6.9

Security Score: 52/100

Risk Rating (grade scale: A, B, C, F)

Severity Distribution (%): [chart]

Privacy Risk: 1 user/device tracker

Findings

High 2
Medium 15
Info 2
Secure 2
Hotspot 2

High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
v7/a.java, line(s) 89
y3/c.java, line(s) 30,79

High: The file is world writable. Any application can write to the file.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2

Files:
t3/c.java, line(s) 94,108,101

Medium: Application data is at risk of being leaked.

The [android:allowBackup] flag is not set.
The [android:allowBackup] flag should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. It allows a user who has enabled USB debugging to copy application data off the device.

Medium: Activity sets the TaskAffinity attribute.

(com.jarvan.fluwx.wxapi.FluwxWXEntryActivity)
If taskAffinity is set, other applications may read the Intents sent to an Activity that belongs to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting and keep the affinity as the package name.

Medium: Activity sets the TaskAffinity attribute.

(com.yaota.subjob.wxapi.WXEntryActivity)
If taskAffinity is set, other applications may read the Intents sent to an Activity that belongs to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting and keep the affinity as the package name.

Medium: Activity-Alias (com.yaota.subjob.wxapi.WXEntryActivity) is not protected.

An intent-filter exists.
The Activity-Alias was found to be shared with other applications on the device, making it accessible to any other application on the device. The presence of an intent-filter indicates that this Activity-Alias is explicitly exported.

Medium: Activity-Alias (com.yaota.subjob.wxapi.WXPayEntryActivity) is not protected.

An intent-filter exists.
The Activity-Alias was found to be shared with other applications on the device, making it accessible to any other application on the device. The presence of an intent-filter indicates that this Activity-Alias is explicitly exported.

Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
ef/OrderByCond.java, line(s) 83
g5/g.java, line(s) 89
j5/d.java, line(s) 42
j5/p.java, line(s) 103
j5/w.java, line(s) 85

Medium: The application uses an insecure random number generator.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
ad/a.java, line(s) 4
ad/b.java, line(s) 4
ad/c.java, line(s) 3
ad/d.java, line(s) 5
ad/e.java, line(s) 4
bd/a.java, line(s) 5
d9/i0.java, line(s) 7
j6/x1.java, line(s) 10
ja/g.java, line(s) 19
l3/b.java, line(s) 16
m8/w.java, line(s) 7
ne/e.java, line(s) 12
ne/i.java, line(s) 5
s7/b.java, line(s) 14
t3/c.java, line(s) 6
te/a.java, line(s) 5
te/f.java, line(s) 7
te/l.java, line(s) 6
u3/m.java, line(s) 40
x9/d.java, line(s) 44
xd/b0.java, line(s) 14
y8/p.java, line(s) 7
zb/c0.java, line(s) 6
zb/x.java, line(s) 10

Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
ja/g1.java, line(s) 4,30
ja/p1.java, line(s) 5,6,32
n6/f.java, line(s) 6,7,31
n6/g.java, line(s) 6,79
p8/b.java, line(s) 6,66
p8/i.java, line(s) 7,8,122
z9/f.java, line(s) 7,8,938

Medium: IP address disclosure.


Files:
g4/b.java, line(s) 12
h9/e.java, line(s) 37,35
ja/b.java, line(s) 65
ja/h1.java, line(s) 83

Medium: The application can read/write external storage. Any application can read data written to external storage.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
a4/c.java, line(s) 12,24,28
f0/d.java, line(s) 400
ff/e.java, line(s) 314,1063
h6/b.java, line(s) 100
ja/c.java, line(s) 755,771,837
ja/s.java, line(s) 1364,1365
ka/b.java, line(s) 592
qb/i.java, line(s) 132,154
u0/h.java, line(s) 29,43,43
v9/c.java, line(s) 361
v9/d.java, line(s) 91,176,233
z3/b.java, line(s) 527,809,810

Medium: The application creates temporary files. Sensitive information should never be written to temporary files.


Files:
f9/q.java, line(s) 139
lf/UrlSource.java, line(s) 138
ob/f.java, line(s) 376
oc/n.java, line(s) 183,209
p1/a.java, line(s) 4142
pc/e.java, line(s) 451,474,478,502
r8/e1.java, line(s) 349
r9/c.java, line(s) 236
v9/d.java, line(s) 91

Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
da/b.java, line(s) 76,61
tb/d.java, line(s) 548,155

Medium: SHA-1 is a weak hash with known hash collisions.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
y3/c.java, line(s) 29,78

Medium: The application contains privacy trackers.

This application has 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.

Medium: This application may contain hardcoded secrets.

The following secrets were identified in the application. Verify that these are not secrets or private information.
258EAFA5-E914-47DA-95CA-C5AB0DC85B11
e2719d58-a985-b3c9-781a-b030af78d30e
9a04f079-9840-4286-ab92-e65be0885f95
01360240043788015936020505

Info: The application logs information. Sensitive information must not be logged.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
a6/j.java, line(s) 150,99,547,573
aa/a.java, line(s) 15
af/b.java, line(s) 195,205,210,220,256,260,285,331,357,377,394,399,404,230,280,363
b1/c.java, line(s) 30,35,58,63,68,76,81,97
b1/k.java, line(s) 21
b6/f.java, line(s) 83,163,164,84
b6/r.java, line(s) 84,164,165,85
c1/b.java, line(s) 85
c1/b1.java, line(s) 83,98,123,158,183,208,233
c1/l1.java, line(s) 1021,1066,808,820,827,836,52,72,1057
c1/p.java, line(s) 50,59
c1/u0.java, line(s) 2539,2665,2939,1744,1751,1753,1755,2218,2407,2538
c1/w0.java, line(s) 49,60
c1/x.java, line(s) 138,221
cf/b.java, line(s) 313
d0/f.java, line(s) 96,252
d0/f0.java, line(s) 393,406,420
d0/h0.java, line(s) 100
d0/k.java, line(s) 49,58,72,81
d0/p.java, line(s) 57
d0/w.java, line(s) 103,106,147,179,225,239,243
d0/x.java, line(s) 233,246,252,307,334,344,355,363,232,245,251,306,333,343,354,362,186,255,301,325
d1/d.java, line(s) 308
d6/b.java, line(s) 25
da/a.java, line(s) 16,29,42,55,72,85
da/b.java, line(s) 138,160,236,543,581,616,626,638,650,673,695,705,727,754,784,808,823,835,847,890,316,327,340,349,378,387,556,134,158,172,176,185,189,232,254,258,262,274,278,282,294,298,302,314,323,325,338,347,370,374,376,385,415,437,451,455,476,485,514,516,524,541,565,577,612,624,634,646,669,681,683,691,703,723,752,767,772,780,792,804,819,831,843,886
e5/a.java, line(s) 349
e6/c.java, line(s) 42,41
f0/d.java, line(s) 326
f0/h0.java, line(s) 74,84
f0/m0.java, line(s) 37
f1/c.java, line(s) 217
f2/b.java, line(s) 63,78,86,111,219,239,351,398,404,425,447,70
f5/d.java, line(s) 151,181,150,180
f5/f.java, line(s) 196,217,235,195,216,234,358,367
f6/a.java, line(s) 61,62
ff/a.java, line(s) 756,761,796,800,805,812
ff/b.java, line(s) 712,717,752,756,761,768
ff/e.java, line(s) 852,857,864
g0/h.java, line(s) 111
g1/c.java, line(s) 32,41
g1/d.java, line(s) 64,73
g1/o.java, line(s) 74,85,126,135
g1/q.java, line(s) 702,693
g1/s.java, line(s) 61,60
g2/d.java, line(s) 96
g4/b.java, line(s) 19
g6/a.java, line(s) 49,63,73,78,88,97,108,110,118,122,125,129,155,266,270,278,299,304
g6/b.java, line(s) 118
g6/d.java, line(s) 87
h0/c.java, line(s) 71
h0/d.java, line(s) 75
h0/i.java, line(s) 420,438,444,187,196,374
h4/e.java, line(s) 23
h5/b.java, line(s) 50,49
h5/j.java, line(s) 89,110,88,109,113,119,126,123,127
h5/l.java, line(s) 51,50
h6/b.java, line(s) 154
i/d.java, line(s) 107
i/f.java, line(s) 54,64,80,90,108,120,132,141,155,169,181
i/h.java, line(s) 79,94
i2/a.java, line(s) 173,178,185,189,205,215
i4/a.java, line(s) 22,12
i4/c.java, line(s) 136,309,316,372,407,420,446,478,199,220,416
i5/c.java, line(s) 110,109
i5/e.java, line(s) 61,93,60,92
j/a.java, line(s) 114
j5/h.java, line(s) 530,346,360,529,477
j5/i.java, line(s) 63,64
j5/k.java, line(s) 38,179
j5/y.java, line(s) 115,116
ja/a1.java, line(s) 62
ja/h1.java, line(s) 46,65,36,61
ja/m.java, line(s) 28,36,24,42,32
je/c.java, line(s) 54,93,96
k/a.java, line(s) 304,307
k0/a0.java, line(s) 78,279
k0/d0.java, line(s) 107,110
k0/e0.java, line(s) 120
k0/f0.java, line(s) 33
k0/g0.java, line(s) 59
k0/h0.java, line(s) 51
k0/o.java, line(s) 571,576
k0/y.java, line(s) 84
k0/z.java, line(s) 55,87
k1/c.java, line(s) 232
k5/j.java, line(s) 162,212,163,213
k5/k.java, line(s) 139,151,246,285,138,150,173,180,218,245,255,274,284,174,181,224,256,275
ka/b.java, line(s) 275,291,557,596,599,636,657,686,730,736,776,786,113,122,220
l0/c.java, line(s) 195,204,262,272
l0/h.java, line(s) 55,64
l0/l.java, line(s) 45,69
l5/e.java, line(s) 56,65,75,89,95,127,66,90,57,78,96,128
l5/l.java, line(s) 186,170
m1/b.java, line(s) 58,119,133
m1/c.java, line(s) 30,79
m1/e.java, line(s) 146
m5/a.java, line(s) 167,164
m5/b.java, line(s) 45,44
n/g.java, line(s) 191,238,300
n2/h.java, line(s) 76,79,26
n5/a.java, line(s) 87,86
o/c.java, line(s) 319
o2/a.java, line(s) 170,455,466
o5/c.java, line(s) 20,19
o5/d.java, line(s) 43,42
o5/f.java, line(s) 105,104
o5/s.java, line(s) 115,118
o5/t.java, line(s) 40,39
ob/c.java, line(s) 24
ob/h.java, line(s) 39
oc/c.java, line(s) 16,21,26,31,36,41,46,51,56,62,67,72,77,82,87,92,97,102,107,112,118
od/b.java, line(s) 71
p/f0.java, line(s) 123
p/g0.java, line(s) 92
p/i.java, line(s) 88,47
p/i0.java, line(s) 29,40,58,60,62
p/m.java, line(s) 128,143,158,167,313,508
p/p.java, line(s) 154
p/u.java, line(s) 202,61,73,111,144,402
p/x.java, line(s) 104,228,439,210,243,303,317,395,398,445,448,500
p/y.java, line(s) 45
p000if/a.java, line(s) 16,22,28,34
p1/a.java, line(s) 963,1877,2130,2182,2229,2404,2481,2502,2515,2553,2573,2579,2650,2683,2753,2892,2900,2928,2967,3005,3078,3117,3122,3128,3212,3402,3682,3685,3723,3729,3787,3808,3822,3837,3861,3888,3906,3910,3916,3967,3974,3986,4005,4010,4017,4325,4340,4451,4574,4588,4753,4772,4779,1417,1425,1459,1471,1483,1495,1507,1519,1531,1543,1555,1562,1573,1585,1852,1856,731,1568,2121,2140,2148,2286,2383,2631,2640,3093,3145,3148,3499,3701,3708,4990
pa/c.java, line(s) 30,34,62,66,70,74
q5/a.java, line(s) 87,88
q9/b.java, line(s) 65,120
r1/a.java, line(s) 119,293,323,440,448,450,470
r1/f.java, line(s) 55,89,74,82,166,172
r1/p.java, line(s) 18
r5/e.java, line(s) 62,61,78,79
r5/f.java, line(s) 19,20
r5/f0.java, line(s) 354,171,176,221,230,237,351,172,177,222,231,238,239,240,244
r5/i0.java, line(s) 182,179
r5/p.java, line(s) 200,221,368,189,199,220,367,460,484,190,302,461
r5/q.java, line(s) 46,52,47,53
r5/v.java, line(s) 139,140
r8/a0.java, line(s) 49,54,59,64
r9/a.java, line(s) 94
r9/h.java, line(s) 65
rb/b.java, line(s) 107,96
rb/e.java, line(s) 32,52,66
t2/b.java, line(s) 95
t8/f.java, line(s) 102,108,114,120,134,156
tb/b.java, line(s) 81
tb/e.java, line(s) 232
tb/g.java, line(s) 65,94,113,105
u0/h.java, line(s) 45
u0/j.java, line(s) 50,54,58,85,89,93
u0/y.java, line(s) 75,87,106,126,140
u1/a.java, line(s) 267,298,306
u8/b.java, line(s) 136,170,137,171
v/a.java, line(s) 135,139
v5/a.java, line(s) 69,95,100,105,70,96,101,106
v5/d.java, line(s) 26,27
v5/j.java, line(s) 43,46
v9/c.java, line(s) 362,329,378
v9/d.java, line(s) 223,396,54,163,335,337,341,388,391,347,218
w2/c.java, line(s) 212,215
w2/e.java, line(s) 167,182
w2/i.java, line(s) 296,299,627,632,952
x5/e.java, line(s) 39,38,58,74,59,75
x5/f.java, line(s) 19,18
x5/k.java, line(s) 161,162
x5/l.java, line(s) 208,209,217
x5/n.java, line(s) 106,107
x5/o.java, line(s) 111,118,112,119
y5/e.java, line(s) 54,61,72,77,53,60,65,71,76,66
yd/d.java, line(s) 717
z4/a.java, line(s) 17
z4/p.java, line(s) 65,150,154,212,215,238,308,314,319,337
z4/q.java, line(s) 306,310,315
z4/s.java, line(s) 46
z9/c.java, line(s) 50
z9/f.java, line(s) 306,359,502,515,587,649,665,844,850,861,883,887,929,946,1013,1053,1062,1101,1182,1190,363,1036,1057,1205
z9/g.java, line(s) 60,71

Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
lb/c.java, line(s) 8,363

Secure: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
ie/c.java, line(s) 117,115,114
ie/d.java, line(s) 156,144,162,153,153,155
ie/g.java, line(s) 117,115,114,114
ie/h.java, line(s) 284,270,281,281

Secure: This application may have root detection functionality.

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
ja/c.java, line(s) 822,29,29,29,29,29
s3/b.java, line(s) 22,22,22,22,22,22

Hotspot: The application may communicate with a server (h5.m.taobao.com) located in an OFAC-sanctioned country (China).

{'ip': '119.28.121.133', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '镇江', 'latitude': '32.209366', 'longitude': '119.434372'}

Hotspot: The application may communicate with a server (mobilegw.alipaydev.com) located in an OFAC-sanctioned country (China).

{'ip': '110.75.132.131', 'country_short': 'CN', 'country_long': '中国', 'region': '浙江', 'city': '杭州', 'latitude': '30.293650', 'longitude': '120.161583'}
