Security score: 47/100
Privacy risk: 6 user/device trackers
Findings: High 4, Medium 22, Info 3, Secure 2, Hotspot 3
High: The app uses ECB mode in a cipher. ECB is a known weak mode: identical plaintext blocks encrypt to identical ciphertext blocks, so the ciphertext leaks the structure of the plaintext.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: com/subgraph/orchid/crypto/TorStreamCipher.java, line(s) 74 org/bitcoinj/crypto/BIP38PrivateKey.java, line(s) 96,123
Triage note: this rule fires on the transformation string. "AES/ECB/NoPadding" used as the raw block-cipher primitive under a counter-mode construction, or to encrypt single 16-byte blocks as a standard mandates (BIP38 encrypts the two 16-byte halves of a private key with AES-256 exactly this way), is a different risk from ECB over variable-length application data. Confirm at each call site what is actually fed to the cipher before rating it.
High: The app uses CBC mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/nimbusds/jose/crypto/AESCBC.java, line(s) 29 com/nimbusds/jose/jca/JCASupport.java, line(s) 146 org/consenlabs/imtoken/walletapi/BiometricProtectedData.java, line(s) 166
Triage note: a padding oracle needs two things: an attacker who can submit modified ciphertexts, and a decryptor that reveals, through a distinct error, status code or timing difference, whether the padding was valid. Encrypt-then-MAC constructions that verify the tag before decrypting close the oracle; JWE's AxxxCBC-HSxxx content encryption, which nimbus-jose's AESCBC serves, is such a construction. The call site to inspect is BiometricProtectedData: check whether the ciphertext is authenticated before it is decrypted, and what the caller does on a padding failure.
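The two findings above are easy to misjudge in either direction, so here is an added example (editor's code, not code from the scanned app, from MobSF or from the OWASP MSTG) that shows both failure modes end to end: ECB leaking repeated plaintext blocks, and a CBC/PKCS#7 decryptor whose padding error lets an attacker recover the plaintext without the key. A 4-round Feistel network with HMAC-SHA256 round functions stands in for AES so the script needs only the Python standard library; that substitution is the editor's assumption and is sound because both demonstrations depend on the mode, not on the block cipher.

```python
"""Added example (editor's code): why ECB and CBC+PKCS7 with a padding oracle fail.
A 4-round Feistel network keyed with HMAC-SHA256 stands in for AES (assumption:
the demonstrations depend only on the mode of operation, not on the cipher)."""
import hashlib
import hmac
import os

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: 8-byte half -> 8 bytes, domain-separated by round index."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, pt: bytes) -> bytes:
    l, r = pt[:8], pt[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, ct: bytes) -> bytes:
    l, r = ct[:8], ct[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    pt = pad(pt)
    return b"".join(block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def ecb_repeated_blocks(key: bytes, pt: bytes) -> int:
    """ECB leaks structure: equal plaintext blocks give equal ciphertext blocks."""
    ct = ecb_encrypt(key, pt)
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    prev, out = iv, []
    pt = pad(pt)
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    prev, out = ct[:BLOCK], []
    for i in range(BLOCK, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return unpad(b"".join(out))

def padding_oracle(key: bytes, ct: bytes) -> bool:
    """The one bit a server leaks when a padding failure is distinguishable
    (different error, status code or timing) from any other failure."""
    try:
        cbc_decrypt(key, ct)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, ct: bytes) -> bytes:
    """Recover the plaintext of IV||C1||...||Cn without the key, at most 256
    oracle queries per byte (Vaudenay's attack)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)            # block_decrypt(target), found byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            want = BLOCK - pos              # padding value we force on the tail
            for guess in range(256):
                crafted = bytearray(BLOCK)
                for j in range(pos + 1, BLOCK):
                    crafted[j] = inter[j] ^ want
                crafted[pos] = guess
                if not oracle(bytes(crafted) + target):
                    continue
                if pos == BLOCK - 1:        # rule out a lucky 0x02 0x02 style match
                    crafted[pos - 1] ^= 0x01
                    if not oracle(bytes(crafted) + target):
                        continue
                inter[pos] = guess ^ want
                break
        plain += xor(bytes(inter), prev)
    return unpad(plain)

def demo() -> bool:
    key, iv = os.urandom(16), os.urandom(16)
    secret = b"seed=abandon abandon ability"   # constructed sample plaintext
    ct = cbc_encrypt(key, iv, secret)
    return padding_oracle_attack(lambda c: padding_oracle(key, c), ct) == secret

if __name__ == "__main__":
    print("ECB repeated ciphertext blocks for 3 equal plaintext blocks:",
          ecb_repeated_blocks(os.urandom(16), b"A" * 48))
    print("padding-oracle attack recovered the plaintext:", demo())
```

The attack never calls `block_decrypt` itself; it only asks the oracle whether a doctored previous block produces valid padding. Any decryptor that answers that question, including one that answers it only through response time, is exploitable the same way, which is why an authenticated mode (or verifying a MAC before touching the padding) is the fix rather than hiding the error message.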
High: An app that loads a page into a WebView with WebView.loadDataWithBaseURL may be exposed to cross-site scripting.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 494,33,34
Triage note: the danger is the combination of attacker-influenced HTML and the baseUrl it is given. A file:// base or the app's own origin grants injected script that origin's privileges, and any JavaScript bridge registered with addJavascriptInterface becomes reachable from the page. The flagged code is the react-native-webview library; it reaches loadDataWithBaseURL through the `source={{ html, baseUrl }}` prop, so audit every place the app renders remote or user-supplied HTML that way, and keep a bridge out of any WebView that loads such content.
High: The app contains privacy trackers. 6 trackers were identified. Trackers profile the device or the user and are a privacy concern for end users.
Medium: The app is vulnerable to Janus (CVE-2017-13156).
The app is signed with the v1 signature scheme. An APK signed only with v1 is vulnerable to Janus on Android 5.0-8.0, and, on Android 5.0-7.0, an APK that carries v2/v3 signatures alongside v1 is vulnerable as well.
Check: `apksigner verify --verbose app.apk` prints which schemes (v1, v2, v3) verified. Remediation is to sign with v2 or later and to raise minSdkVersion so that devices that only understand v1 are out of scope.
Medium: The app can be installed on vulnerable, unpatched Android versions.
Android 5.0-5.0.2, [minSdk=21]. The app can be installed on older Android releases that have multiple unfixed vulnerabilities; those devices no longer receive reasonable security updates from Google. Support Android 10 / API 29 or later to receive reasonable security updates.
Medium: Cleartext network traffic is enabled.
[android:usesCleartextTraffic=true] The app intends to use cleartext network traffic such as plain HTTP, FTP, DownloadManager and MediaPlayer. The default is "true" for apps targeting API level 27 or lower and "false" for apps targeting API level 28 or higher. The main reason to avoid cleartext traffic is the lack of confidentiality, authenticity and tamper protection: a network attacker can eavesdrop on transmitted data and modify it without detection.
Check: the fix is a network_security_config.xml whose base-config sets cleartextTrafficPermitted="false", with a per-domain exception only where a plaintext endpoint is unavoidable; a global manifest flag that permits cleartext everywhere is rarely what was intended.
Medium: Activity sets taskAffinity.
(cn.jpush.android.service.JNotifyActivity) If taskAffinity is set, other apps may be able to read the Intents sent to activities that belong to another task. To prevent other apps from reading sensitive information in sent or received Intents, keep the default, where the affinity is the package name.
Medium: Activity sets taskAffinity.
(cn.jpush.android.service.DActivity) Same issue as the previous finding.
Triage note for both: an explicitly empty affinity (android:taskAffinity="") is the recommended hardening against task hijacking and should not be treated as a finding; a custom affinity that other apps can declare too is what matters.
Medium: Activity (cn.jpush.android.service.DActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, which makes it accessible to any other app on the device.
Medium: Service (cn.jiguang.plugins.service.JCoreModuleService) is not protected.
An intent-filter is present. The Service is shared with other apps on the device, which makes it accessible to any other app on the device. With no android:exported attribute, the presence of an intent-filter makes the Service exported by default.
Medium: Broadcast Receiver (io.invertase.firebase.messaging.ReactNativeFirebaseMessagingReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other apps on the device, which makes it accessible to any other app on the device. It is protected by a permission that is not defined in the analysed app, so the protection level must be checked where the permission is defined. If it is normal or dangerous, a malicious app can request and obtain the permission and interact with the component. If it is signature, only apps signed with the same certificate can obtain it.
Triage note: com.google.android.c2dm.permission.SEND is declared by Google Play services with signature protection, which is the intended FCM receiver pattern; confirm on a target device with `adb shell dumpsys package com.google.android.c2dm.permission.SEND`.
Medium: Activity (androidx.biometric.DeviceCredentialHandlerActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, which makes it accessible to any other app on the device.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] Same analysis as the messaging receiver above.
Medium: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is shared with other apps on the device, which makes it accessible to any other app on the device. It is protected by a permission that is not defined in the analysed app, so the protection level must be checked where the permission is defined, with the same normal/dangerous versus signature distinction as above.
Medium: Service (com.google.android.play.core.assetpacks.AssetPackExtractionService) is not protected.
[android:exported=true] The Service is shared with other apps on the device, which makes it accessible to any other app on the device.
Medium: High intent priority (1000).
[android:priority] By giving an intent-filter a higher priority than another's, the app effectively overrides the other requests.
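The manifest findings above (minSdk, cleartext traffic, taskAffinity, exported components with and without a permission, intent priority) are all decidable from the manifest alone. The following added example, editor's code rather than the scanner's or the app's, runs those checks over a constructed manifest that mirrors the report. The component names are the ones in the report; every attribute value, the package name, the custom permissions and the action name are invented for the sample, and the two thresholds (minSdk below 29, priority above 100) are the editor's assumptions.

```python
"""Added example (editor's code): the manifest checks behind the findings above,
run over a constructed AndroidManifest.xml. Thresholds are assumptions."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: namespace
COMPONENTS = ("activity", "service", "receiver", "provider")
MIN_SDK_OK = 29      # assumption: matches the report's "API 29 or later"
PRIORITY_OK = 100    # assumption: anything above is reported as "high"

# Constructed sample: component names from the report, attribute values invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.consenlabs.imtoken">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="30"/>
  <permission android:name="org.consenlabs.imtoken.permission.INTERNAL"
      android:protectionLevel="signature"/>
  <permission android:name="org.consenlabs.imtoken.permission.WEAK"
      android:protectionLevel="normal"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name="cn.jpush.android.service.JNotifyActivity"
        android:exported="false" android:taskAffinity=""/>
    <activity android:name="cn.jpush.android.service.DActivity"
        android:exported="true" android:taskAffinity="jpush.shared"/>
    <service android:name="cn.jiguang.plugins.service.JCoreModuleService">
      <intent-filter android:priority="1000">
        <action android:name="com.example.MODULE_SERVICE"/>
      </intent-filter>
    </service>
    <receiver android:name="io.invertase.firebase.messaging.ReactNativeFirebaseMessagingReceiver"
        android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <service android:name="org.consenlabs.imtoken.InternalService"
        android:exported="true" android:permission="org.consenlabs.imtoken.permission.INTERNAL"/>
    <provider android:name="org.consenlabs.imtoken.WeakProvider"
        android:authorities="org.consenlabs.imtoken.weak" android:exported="true"
        android:permission="org.consenlabs.imtoken.permission.WEAK"/>
  </application>
</manifest>"""

def audit_manifest(xml_text: str) -> list:
    """Return (finding, subject, detail...) tuples in manifest order."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    local_perms = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
                   for p in root.findall("permission")}
    findings = []
    sdk = root.find("uses-sdk")
    if sdk is not None and int(sdk.get(A + "minSdkVersion", "1")) < MIN_SDK_OK:
        findings.append(("old-min-sdk", sdk.get(A + "minSdkVersion")))
    app = root.find("application")
    if app.get(A + "usesCleartextTraffic") == "true":
        findings.append(("cleartext-traffic", "application"))
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(A + "name")
        explicit = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        # Below targetSdk 31 an unset android:exported defaults to true when an
        # intent-filter exists; from API 31 such a manifest is rejected at install.
        exported = explicit == "true" or (explicit is None and has_filter)
        perm = comp.get(A + "permission")
        if exported and perm is None:
            findings.append(("exported-unprotected", name))
        elif exported and perm not in local_perms:
            # Defined by another package: protection level must be checked there.
            findings.append(("exported-check-permission", name, perm))
        elif exported and "signature" not in local_perms[perm]:
            findings.append(("exported-weak-permission", name, perm, local_perms[perm]))
        affinity = comp.get(A + "taskAffinity")
        # "" (no shared task) is the hardening value; only a custom affinity counts.
        if comp.tag == "activity" and affinity not in (None, "", pkg):
            findings.append(("task-affinity", name, affinity))
        for flt in comp.findall("intent-filter"):
            if int(flt.get(A + "priority", "0")) > PRIORITY_OK:
                findings.append(("high-intent-priority", name, flt.get(A + "priority")))
    return findings

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(*finding)
```

Two of the sample's components produce no finding on purpose: JNotifyActivity, because an empty taskAffinity is the hardening rather than the problem, and InternalService, because its permission is declared locally at signature level. The receiver protected by the c2dm permission is reported as "check permission" rather than "unprotected", which is the distinction the report draws between its "not protected" and "protected by a permission, but..." entries.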
Medium: IP address disclosure.
Files: com/nimbusds/jose/jwk/Curve.java, line(s) 17,18,19 com/subgraph/orchid/dashboard/Dashboard.java, line(s) 28 com/subgraph/orchid/data/exitpolicy/Network.java, line(s) 6 org/bitcoinj/core/PeerAddress.java, line(s) 78 org/bitcoinj/core/PeerGroup.java, line(s) 955 org/consenlabs/imtoken/phobos/Phobos.java, line(s) 6
Triage note: this rule is a dotted-number regex, and OIDs, version strings and netmask literals match it as readily as addresses do. Confirm that each hit is a literal network address, and for those that are, whether it is a hardcoded backend (a pinning and availability problem) or a loopback/example value.
Medium: The app can read from and write to external storage; any app can read data written to external storage.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: cl/json/RNSharePathUtil.java, line(s) 62 cl/json/ShareFile.java, line(s) 85 cl/json/ShareFiles.java, line(s) 128 com/imagepicker/utils/MediaUtils.java, line(s) 31,37,27,200 com/imagepicker/utils/RealPathUtil.java, line(s) 117,33 com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 374 com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 616,620 com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 479,477 io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 113,124,125,126 io/sentry/android/core/DefaultAndroidEventProcessor.java, line(s) 274,524,556
Triage note: the hits are share, image-picker, camera and file-download modules, which legitimately write media to shared storage. The question for a wallet app is whether anything sensitive (exported keystores, screenshots of seed phrases, downloaded transaction files) can take that path; the view-shot and share modules listed here are the ones to read.
Medium: Files may contain hardcoded sensitive information such as usernames, passwords or keys.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Triage note: this rule keys on identifier names (key, password, secret, token), so most hits are SDK constants such as Glide's cache-key classes and CodePush's preference-key names. Treat the list as call sites to read, not as confirmed secrets; the app's own files (org/consenlabs/...) and the hardware-wallet request models (im/imkey/...) deserve the first look.
Files: coil/request/ImageRequest.java, line(s) 345 coil/request/ImageResult.java, line(s) 92 coil/request/Parameters.java, line(s) 167 com/bitgo/randombytes/RandomBytesModule.java, line(s) 12 com/bumptech/glide/load/Option.java, line(s) 73 com/bumptech/glide/load/engine/DataCacheKey.java, line(s) 33 com/bumptech/glide/load/engine/EngineResource.java, line(s) 89 com/bumptech/glide/load/engine/ResourceCacheKey.java, line(s) 79 com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 32 com/helpscout/beacon/ui/BeaconActivity.java, line(s) 17,15,16 com/helpscout/beacon/ui/BuildConfig.java, line(s) 11 com/helpscout/common/mvi/DefaultMviViewStateStore.java, line(s) 15 com/meituan/android/walle/ChannelReader.java, line(s) 10 com/microsoft/codepush/react/CodePushConstants.java, line(s) 4,30,6,18,27,19,11,17,25,26,20,21,24,28,22 com/microsoft/codepush/react/CodePushTelemetryManager.java, line(s) 18,22,15,17,19,20,21 com/pusher/client/example/ExampleApp.java, line(s) 21 com/pusher/client/example/PresenceChannelExampleApp.java, line(s) 28 com/pusher/client/example/PrivateChannelExampleApp.java, line(s) 25 com/pusher/client/example/PrivateEncryptedChannelExampleApp.java, line(s) 25 im/imkey/imkeylibrary/core/wallet/transaction/ImKeyBitcoinTransaction.java, line(s) 148 im/imkey/imkeylibrary/device/model/AppDownloadRequest.java, line(s) 24 im/imkey/imkeylibrary/device/model/CommonRequest.java, line(s) 52 im/imkey/imkeylibrary/device/model/CommonResponse.java, line(s) 66 im/imkey/imkeylibrary/device/model/SeActivateRequest.java, line(s) 24 im/imkey/imkeylibrary/device/model/SeSecureCheckRequest.java, line(s) 24 io/invertase/firebase/common/TaskExecutorService.java, line(s) 13,14 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingHeadlessService.java, line(s) 13,11
io/invertase/firebase/messaging/ReactNativeFirebaseMessagingSerializer.java, line(s) 20 org/bitcoinj/crypto/EncryptedData.java, line(s) 30 org/bitcoinj/crypto/TrustStoreLoader.java, line(s) 13 org/bitcoinj/store/LevelDBBlockStore.java, line(s) 20 org/consenlabs/imtoken/BuildConfig.java, line(s) 5 org/consenlabs/imtoken/walletapi/BiometricProtectedData.java, line(s) 46 org/consenlabs/tokencore/wallet/model/Messages.java, line(s) 6,17,29,42,52 org/consenlabs/tokencore/wallet/transaction/BitcoinTransaction.java, line(s) 148 org/java_websocket/drafts/Draft_6455.java, line(s) 54 org/reactnative/facedetector/tasks/FileFaceDetectionAsyncTask.java, line(s) 25,27,28
Medium: SHA-1 is a weak hash with known collisions.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/lambdaworks/crypto/SCryptUtil.java, line(s) 35 com/nimbusds/jose/crypto/RSA_OAEP.java, line(s) 17,29 com/subgraph/orchid/crypto/HybridEncryption.java, line(s) 19 com/subgraph/orchid/crypto/PRNGFixes.java, line(s) 67,71 com/subgraph/orchid/crypto/TorRandom.java, line(s) 11 com/subgraph/orchid/data/RandomSet.java, line(s) 17 org/bitcoinj/script/Script.java, line(s) 1152 org/java_websocket/drafts/Draft_6455.java, line(s) 539
Triage note: SHA-1 is broken where collision resistance matters (signatures, certificate fingerprints, integrity of attacker-controlled data). A string match on "SHA1" also catches the "SHA1PRNG" SecureRandom algorithm name and protocol-mandated uses such as the RFC 6455 Sec-WebSocket-Accept computation or RFC 7518's RSA-OAEP, which is defined with SHA-1; none of those is collision-exposed. Look for any SHA-1 used to verify something an attacker can supply.
Medium: The app creates temporary files. Sensitive information should never be written to temporary files.
Files: com/helpscout/beacon/internal/presentation/common/a.java, line(s) 92 com/helpscout/beacon/internal/presentation/common/i.java, line(s) 146 com/lambdaworks/jni/JarLibraryLoader.java, line(s) 59 com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 646,648 com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 479 com/sun/jna/Native.java, line(s) 837 fr/greweb/reactnativeviewshot/RNViewShotModule.java, line(s) 141 org/bitcoinj/wallet/Wallet.java, line(s) 1008 org/bitcoinj/wallet/WalletFiles.java, line(s) 88
Triage note: bitcoinj's Wallet and WalletFiles use a temporary file for an atomic save (write, then rename over the wallet file); the point to verify is that the temporary file lands in the app's private directory, not on external storage, and is removed on failure.
Medium: The app may request root (superuser) privileges.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: io/sentry/android/core/util/RootChecker.java, line(s) 24,24,24,24,24
Triage note: the only flagged file is Sentry's RootChecker, which the "Root detection" entry below lists for the same lines. This is a hit on the "su"/"superuser" strings a root detector looks for, not an attempt to gain root.
Medium: The app uses an insecure random number generator.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: io/sentry/SentryClient.java, line(s) 21 io/sentry/TracesSampler.java, line(s) 4 org/bitcoinj/core/TransactionBroadcast.java, line(s) 12 org/java_websocket/drafts/Draft_6455.java, line(s) 17
Triage note: java.util.Random is acceptable for trace sampling, backoff jitter or choosing which peers to broadcast to; anything that becomes a key, nonce, session token or identifier must come from SecureRandom. For a wallet, the decisive check is that key and mnemonic generation never touch these call sites.
Medium: The app uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 4,5,6,40
Triage note: the flagged class is AsyncStorage's database supplier, which builds its schema with raw SQL. The question is whether any statement interpolates keys or values arriving from JavaScript instead of binding them as `?` arguments, and, separately, whether wallet state kept in AsyncStorage is encrypted at rest, since AsyncStorage itself stores plaintext.
Medium: The app may contain hardcoded secrets.
The following candidate secrets were identified in the app; confirm that none of them is secret or private information.
Triage note: most of these values are public constants, not secrets. The decimal big integers are NIST P-256, P-384 and P-521 curve parameters; the hex values that begin with a run of zeros are Bitcoin block hashes (bitcoinj's network and checkpoint constants); the `04ffff001d0104455468652054696d6573...` blob is the Bitcoin genesis coinbase script and decodes to the newspaper headline it is famous for; `qpzry9x8gf2tvdw0s3jn54khce6mua7l` is the Bech32 alphabet; `258EAFA5-E914-47DA-95CA-C5AB0DC85B11` is the RFC 6455 WebSocket handshake GUID; and the `00FFFFFFFFFFFFFFFFC90FDAA22168C234...` value is the RFC 2409 1024-bit MODP group prime. The entries that need action are the Google API keys (Android client keys are public by design, but verify that application and API restrictions are configured on them), the CodePush deployment key (it selects the update channel the app pulls bundles from, so anyone holding it can fetch that deployment's bundles), and the `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...` value, which is the start of a DER-encoded RSA public key and should be traced to its use, for example pinning or update-signature verification.
"firebase_database_url" : "https://imtoken-33f29.firebaseio.com" "google_api_key" : "AIzaSyC9_xzm_kakdrERhoxCqIQO9dFUwDbo2o8" "CodePushDeploymentKey" : "2i2gy1sFnpXeadGy2FuHdeoxCoZI9d5c5b08-ec09-423f-a28d-7c7f8da6a3ac" "google_crash_reporting_api_key" : "AIzaSyC9_xzm_kakdrERhoxCqIQO9dFUwDbo2o8" 585769C78764D58426B8B52B6651A5A71137189A niapJQQ53GmboEA5Dyxr2zGELWe5OuyNv84xirXsdEd+9TgVNGeM0k5GjH16JynIS e7adfaae647e4438813db82e877ecbd7 52b5b007e4b0a3b4e5ec64da 524db929e4b0c2199a391f39 16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a 49015F787433103580E3B66A1707A00E60F2D15B 525552b4e4b0fc33a10a7ca1 115792089210356248762697446949407573530086143415290314195533631308867097853948 26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087 36134250956749795798585127919587881956611106672985015071877198253568414405109 nNGmpNfSOuJjLq3LLOUw/7J5BY16ulUEHoXrHuMYyHY8XVa05FanSOY2yaKP2Qs7p 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151 c05edc2c23dc10432f9f796c27c7103e nkrc4ApV0XYlozFwtIjrGdQuwrKJ3c2h+nNdgZeR/QvSuAFRZvOV0a9dgZGpb0Rm6 00000007199508e34a9ff81e6ec0c477a4cccff2a4767a8eee39c11db367b008 387954142406c3c9cc13 115792089210356248762697446949407573529996955224135760342422259061068512044369 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057148 04302390343f91cc401d56d68b123028bf52e5fca1939df127f63c6467cdf9c8e2c14b61104cf817d0b780da337893ecc4aaff1309e536162dabbdb45200ca2b0a B888D25EC8C12BD5043777B1AC49F872 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575 54f0a3e8e4b086c0c096a1de 48439561293906451759052585252797914202762949526041747995844080717082404635286
04ffff001d0104455468652054696d65732030332f4a616e2f32303039204368616e63656c6c6f72206f6e206272696e6b206f66207365636f6e64206261696c6f757420666f722062616e6b73 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984 2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846 00000000000271a2dc26e7667f8419f2e15416dc6955e5a6c6cdf3f2574dd08e 52b467e9e4b0a3b4e5ec644c efdd4707-098b-4e52-9cff-03e44463d855 80CABF2106A6048302151800 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxmJ6bwSFsz3cHKfgYsZO 3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643 ny+n4Ls1a1k6+3d5mYB3CuJHi/t33La9if6j6FvfGQNtmG+Fdy0J02VdtmNvrIMJT 000000000933ea01ad0ee984209779baaec3ced90fa3f408719526f8d77f4943 D586D18309DED4CD6D57C18FDB97EFA96D330566 EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 8d6754168cf402ac2482448358df257d 525216e7e4b00055e61de9d4 48eb9002-f352-5fa0-9b06-8fcaa22602cf aca376f206b8fc25a6ed44dbdc66547c36c6c33e3a119ffbeaef943642f0e906 41058363725152142129326129780047268409114441015993725554835256314039467401291 9C0C30889CBCC5E01AB5B2BB88715799 0238746c59d46d5408bf8b1d0af5740fe1a6e1703fcb56b2953f0b965c740d256f 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319 14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 00000000000af0aed4792b1acee3d966af36cf5def14935db8de83d6f9306f2f 48eb9001-f352-5fa0-9b06-8fcaa22602cf 80550987E1D626E3EBA5E5E75A458DE0626D088C
00FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF f11c3940bd4ed0ab3a85807232305749 80CB800005DFFE02814700 qpzry9x8gf2tvdw0s3jn54khce6mua7l e65cc9bdc3ad15a9f6e0931b24fbf3cf 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f ad90bf3beb7b0eb7e5acd74727dc0da96e0a280a258354e7293fb7e211ac03db dcc703c0e500b653ca82273b7bfad8045d85a470 23D15D965BC35114467363C165C4F724B64B4F66 04fc9702847840aaf195de8442ebecedf5b095cdbb9bc716bda9110971b28a49e0ead8564ff0db22209e0374782c093bb899692d524e9d6a6956e7c5ecbcd68284 E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 00000000000743f190a18c5577a3c2d2a1f610ae9601ac046a38084ccb7cd f9188f13cb7b2c71f2a335e3a4fc328bf5beb436012afca590b1a11466e2206 48eb9003-f352-5fa0-9b06-8fcaa22602cf 000000000000034a7dedef4a161fa058a2d67a173a90155f3a2fe6fc132e0ebf 258EAFA5-E914-47DA-95CA-C5AB0DC85B11 115792089210356248762697446949407573530086143415290314195533631308867097853951 niEETO5JGpB9A0HZ7rkTqsu9FPQCP+we42f380hiCSH7MTakzyX5JQkKto84CxaBR 8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449 00000000000a4d0a398161ffc163c503763b1f4360639393e0e4c8e300e0caec 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112316 F1D0FFF1-DEAA-ECEE-B42F-C9BA7ED623BB
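A list like the one above is mostly noise, and the noise has recognisable shapes. The following added example, editor's code rather than the scanner's or the app's, is a triage pass that separates known public constants, embedded text, identifiers and low-entropy names from the strings that still need a human. The KNOWN_PUBLIC table holds only values the editor can identify with certainty; the shape patterns, the "proof-of-work hash" heuristic and the entropy cut-off are the editor's assumptions, and the sample candidates are copied from the list above.

```python
"""Added example (editor's code): triage of 'hardcoded secret' candidates.
KNOWN_PUBLIC holds values identified with certainty; shapes, the proof-of-work
heuristic and the entropy cut-off are assumptions, not a vendor specification."""
import math
import re
from collections import Counter

KNOWN_PUBLIC = {
    "115792089210356248762697446949407573530086143415290314195533631308867097853951":
        "NIST P-256 field prime",
    "115792089210356248762697446949407573529996955224135760342422259061068512044369":
        "NIST P-256 group order",
    "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f":
        "Bitcoin genesis block hash",
    "qpzry9x8gf2tvdw0s3jn54khce6mua7l": "Bech32 alphabet (BIP 173)",
    "258EAFA5-E914-47DA-95CA-C5AB0DC85B11": "WebSocket handshake GUID (RFC 6455)",
}

# (label, pattern, verdict); tried in order, first match wins.
SHAPES = [
    ("google-api-key", re.compile(r"^AIza[0-9A-Za-z_\-]{35}$"), "review"),
    ("der-public-key-base64", re.compile(r"^MII[0-9A-Za-z+/=]{20,}$"), "review"),
    ("uuid", re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I), "identifier"),
    ("pow-block-hash", re.compile(r"^0{10,}[0-9a-f]{54}$"), "public-constant"),  # heuristic
    ("decimal-bignum", re.compile(r"^\d{40,}$"), "review"),   # curve/DH parameter or key
    ("hex-32-byte", re.compile(r"^[0-9a-fA-F]{64}$"), "review"),  # hash, id or raw key
    ("hex-other", re.compile(r"^[0-9a-fA-F]{16,}$"), "identifier"),
]
ENTROPY_CUTOFF = 3.5   # bits per character; below this a string is rarely a real secret

# Constructed sample, values copied from the report's list above.
GENESIS_COINBASE_HEX = ("04ffff001d0104455468652054696d65732030332f4a616e2f32303039204368616e"
                        "63656c6c6f72206f6e206272696e6b206f66207365636f6e64206261696c6f757420"
                        "666f722062616e6b73")
SAMPLE_CANDIDATES = [
    "115792089210356248762697446949407573530086143415290314195533631308867097853951",
    "000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
    "AIzaSyC9_xzm_kakdrERhoxCqIQO9dFUwDbo2o8",
    "efdd4707-098b-4e52-9cff-03e44463d855",
    GENESIS_COINBASE_HEX,
    "aca376f206b8fc25a6ed44dbdc66547c36c6c33e3a119ffbeaef943642f0e906",
]

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def hex_to_text(s: str):
    """A hex blob that decodes to mostly printable ASCII is embedded text, e.g.
    Bitcoin's genesis coinbase script carrying a newspaper headline."""
    try:
        raw = bytes.fromhex(s)
    except ValueError:
        return None
    if len(raw) < 16:
        return None
    text = raw.decode("ascii", errors="ignore")
    printable = [ch for ch in text if ch.isprintable()]
    return "".join(printable) if len(printable) >= 0.8 * len(raw) else None

def triage(candidate: str) -> dict:
    result = {"value": candidate, "entropy": round(shannon_entropy(candidate), 2)}
    if candidate in KNOWN_PUBLIC:
        return {**result, "verdict": "public-constant", "why": KNOWN_PUBLIC[candidate]}
    text = hex_to_text(candidate)
    if text is not None:
        return {**result, "verdict": "encoded-text", "why": text}
    for label, rx, verdict in SHAPES:
        if rx.match(candidate):
            return {**result, "verdict": verdict, "why": label}
    if result["entropy"] < ENTROPY_CUTOFF:
        return {**result, "verdict": "low-entropy", "why": "reads like a name or constant"}
    return {**result, "verdict": "review", "why": "unclassified high-entropy string"}

def triage_all(candidates) -> Counter:
    """Verdict histogram: how much of a scanner's list actually needs a human."""
    return Counter(triage(c)["verdict"] for c in candidates)

if __name__ == "__main__":
    for c in SAMPLE_CANDIDATES:
        r = triage(c)
        print(f"{r['verdict']:16} {r['why'][:60]:60} {c[:24]}...")
    print(triage_all(SAMPLE_CANDIDATES))
```

The order of the checks matters: exact matches against the public-constant table come first, then the attempt to decode hex as text, then shape patterns, and only then the entropy filter, so that a high-entropy value that happens to be a well-known constant is never escalated. Every 32-byte hex string that is not in the table stays at "review", because a 64-hex-character string is also the shape of a raw private key.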
Info: The app writes log messages. Sensitive information must not be logged.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Triage note: nearly all hits are library loggers (Glide, Timber, Sentry, Koin, react-native modules). The app's own classes to read are org/consenlabs/imtoken/dappbrowser/DAppBrowser.java, JsInjectorClient.java, urlhook/CustomURLStreamHandler.java and org/consenlabs/tokencore/wallet/WalletManager.java, since a wallet must never log keys, mnemonics, DApp request payloads or signed transactions.
Files: a/a/a/a/a/b.java, line(s) 16,29 a/a/a/a/a/c.java, line(s) 25,60 cl/json/RNShareModule.java, line(s) 182,183,186,187,194,205,206,210,211,240,241 cl/json/social/SingleShareIntent.java, line(s) 25,28,32 com/airbnb/lottie/LottieAnimationView.java, line(s) 400 com/airbnb/lottie/PerformanceTracker.java, line(s) 69,72 com/airbnb/lottie/utils/LogcatLogger.java, line(s) 19,40,33 com/brentvatne/react/ReactVideoView.java, line(s) 439,443 com/bumptech/glide/Glide.java, line(s) 211,220,138,137,210,217,249,250 com/bumptech/glide/gifdecoder/GifHeaderParser.java, line(s) 236,269,235,268 com/bumptech/glide/gifdecoder/StandardGifDecoder.java, line(s) 151,168,186,149,166,184,207,216 com/bumptech/glide/load/data/AssetPathFetcher.java, line(s) 36,35 com/bumptech/glide/load/data/HttpUrlFetcher.java, line(s) 56,136,55,59,64,71,135,68,72 com/bumptech/glide/load/data/LocalUriFetcher.java, line(s) 38,37 com/bumptech/glide/load/data/mediastore/ThumbFetcher.java, line(s) 52,51 com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java, line(s) 61,111,60,110 com/bumptech/glide/load/engine/DecodeJob.java, line(s) 341,387,448 com/bumptech/glide/load/engine/DecodePath.java, line(s) 56,57 com/bumptech/glide/load/engine/Engine.java, line(s) 27,110 com/bumptech/glide/load/engine/GlideException.java, line(s) 82 com/bumptech/glide/load/engine/SourceGenerator.java, line(s) 66,67 com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java, line(s) 89,143,90,144 com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java, line(s) 127,157,165,189,72,79,126,136,156,164,178,188,197,73,80,137,203,179 com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java, line(s) 52,62,76,82,112,123,53,77,63,83,113,124 com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java, line(s) 64,48 com/bumptech/glide/load/engine/executor/GlideExecutor.java, line(s) 42,39
com/bumptech/glide/load/engine/executor/RuntimeCompat.java, line(s) 37,36 com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java, line(s) 69,68 com/bumptech/glide/load/model/ByteBufferEncoder.java, line(s) 20,19 com/bumptech/glide/load/model/ByteBufferFileLoader.java, line(s) 59,58 com/bumptech/glide/load/model/FileLoader.java, line(s) 64,63 com/bumptech/glide/load/model/ResourceLoader.java, line(s) 40,41 com/bumptech/glide/load/model/StreamEncoder.java, line(s) 39,38 com/bumptech/glide/load/resource/ImageDecoderResourceDecoder.java, line(s) 64,65 com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java, line(s) 62,61,78,79 com/bumptech/glide/load/resource/bitmap/BitmapImageDecoderResourceDecoder.java, line(s) 18,19 com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java, line(s) 119,126,142,149,182,192,204,218,232,238,242,247,253,257,118,125,141,148,181,191,203,217,231,237,241,246,252,256 com/bumptech/glide/load/resource/bitmap/Downsampler.java, line(s) 203,324,361,152,176,202,286,323,360,153,287,388 com/bumptech/glide/load/resource/bitmap/DrawableToBitmapConverter.java, line(s) 44,49,45,50 com/bumptech/glide/load/resource/bitmap/HardwareConfigState.java, line(s) 122,123 com/bumptech/glide/load/resource/bitmap/TransformationUtils.java, line(s) 168,112,121,128,145,150,167,113,122,129,130,131,135,146,151 com/bumptech/glide/load/resource/bitmap/VideoDecoder.java, line(s) 129,128 com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java, line(s) 80,85,90,99,81,86,91,100 com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java, line(s) 25,26 com/bumptech/glide/load/resource/gif/StreamGifDecoder.java, line(s) 55,56 com/bumptech/glide/manager/DefaultConnectivityMonitor.java, line(s) 22,21,51,69,52,70 com/bumptech/glide/manager/DefaultConnectivityMonitorFactory.java, line(s) 15,14 com/bumptech/glide/manager/RequestManagerFragment.java, line(s) 150,151 com/bumptech/glide/manager/RequestManagerRetriever.java, line(s) 319,320,328 
com/bumptech/glide/manager/RequestTracker.java, line(s) 24,25 com/bumptech/glide/manager/SupportRequestManagerFragment.java, line(s) 157,166,158,167 com/bumptech/glide/module/ManifestParser.java, line(s) 22,29,40,45,21,28,33,39,44,34 com/bumptech/glide/request/SingleRequest.java, line(s) 396,53,511,441 com/bumptech/glide/request/target/CustomViewTarget.java, line(s) 280,281,295,296 com/bumptech/glide/request/target/ViewTarget.java, line(s) 277,278,292,293 com/bumptech/glide/signature/ApplicationVersionSignature.java, line(s) 45 com/bumptech/glide/util/ContentLengthInputStream.java, line(s) 28,27 com/bumptech/glide/util/pool/FactoryPools.java, line(s) 89,90 com/drew/imaging/ImageMetadataReader.java, line(s) 274,209,210,224,235,243,244,245,246,247,248,249,250,251,252,253,254,265,267,269 com/drew/lang/CompoundException.java, line(s) 62 com/drew/tools/ExtractJpegSegmentTool.java, line(s) 21,29,64,65,66,69,72 com/drew/tools/ProcessAllImagesInFolderUtility.java, line(s) 81,93,100,101,102 com/drew/tools/ProcessUrlUtility.java, line(s) 17,30,35,52,54,23,48 com/fingerprints/service/FingerprintManager.java, line(s) 445,484,491,271,499,544,546,582,609,671,684,697 com/ftsafe/bluetooth/sdk/utils/a.java, line(s) 12,19,26,62,48,55 com/github/yamill/orientation/OrientationModule.java, line(s) 46,131,146 com/horcrux/svg/Brush.java, line(s) 142,152 com/horcrux/svg/ClipPathView.java, line(s) 33 com/horcrux/svg/ImageView.java, line(s) 141 com/horcrux/svg/LinearGradientView.java, line(s) 76 com/horcrux/svg/MaskView.java, line(s) 80 com/horcrux/svg/PatternView.java, line(s) 87 com/horcrux/svg/RadialGradientView.java, line(s) 90 com/horcrux/svg/UseView.java, line(s) 56,87,102 com/horcrux/svg/VirtualView.java, line(s) 368,299,333,337 com/imagepicker/utils/MediaUtils.java, line(s) 151 com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 219,300,410,415,528,563,840,920 com/learnium/RNDeviceInfo/RNInstallReferrerClient.java, line(s) 75,80,85,99,28 
com/learnium/RNDeviceInfo/resolver/DeviceIdResolver.java, line(s) 19,22,23,27 com/lwansbrough/RCTCamera/MutableImage.java, line(s) 169,191,214 com/lwansbrough/RCTCamera/RCTCamera.java, line(s) 40,187,273,377,403,421 com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 276,303,314,322,465,602,613,626,635,650,654 com/lwansbrough/RCTCamera/RCTCameraViewFinder.java, line(s) 177,438,460,274 com/masteratul/exceptionhandler/DefaultErrorScreen.java, line(s) 30,87 com/microsoft/codepush/react/CodePushUtils.java, line(s) 242,246 com/pusher/client/example/ExampleApp.java, line(s) 36,41,47,52,72,77,83,88 com/pusher/client/example/PresenceChannelExampleApp.java, line(s) 43,48,54,59,64,69,75,81,102,107,113,118,123,128,134,140,158 com/pusher/client/example/PrivateChannelExampleApp.java, line(s) 40,45,51,56,61,81,86,92,97,102 com/pusher/client/example/PrivateEncryptedChannelExampleApp.java, line(s) 40,45,51,56,61,66,86,91,97,102,107,112 com/pusher/client/example/SimpleWebSocket.java, line(s) 15,21,32,37 com/reactnativecommunity/art/ARTShapeShadowNode.java, line(s) 169,196 com/reactnativecommunity/art/ARTSurfaceViewShadowNode.java, line(s) 91 com/reactnativecommunity/asyncstorage/AsyncStorageModule.java, line(s) 153,193,206,219,237,244,250,255,293,297,302,322,352,365,378,391,404,408,413,429,449,482 com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 87,90 com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 834,908,823,839,866,910,181 com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 301,306,330,335,222,246 com/samsung/android/sdk/pass/Spass.java, line(s) 52 com/samsung/android/sdk/pass/SpassFingerprint.java, line(s) 130,133,216,341,346,205,210,230,314,349,617,146,181,359,370,560,639 com/samsung/android/sdk/pass/d.java, line(s) 14 com/samsung/android/sdk/pass/support/SdkSupporter.java, line(s) 27 com/samsung/android/sdk/pass/support/v1/FingerprintManagerProxyFactory.java, line(s) 73 com/subgraph/orchid/TorClient.java, line(s) 203 
com/sun/jna/Native.java, line(s) 1607 com/swmansion/gesturehandler/react/RNGestureHandlerRootHelper.java, line(s) 41,55 com/swmansion/gesturehandler/react/RNGestureHandlerRootView.java, line(s) 36 com/swmansion/reanimated/nodes/DebugNode.java, line(s) 21 com/th3rdwave/safeareacontext/SafeAreaView.java, line(s) 73 fr/greweb/reactnativeviewshot/DebugViews.java, line(s) 24 fr/greweb/reactnativeviewshot/RNViewShotModule.java, line(s) 125,83 fr/greweb/reactnativeviewshot/ViewShot.java, line(s) 104,126 im/imkey/imkeylibrary/bluetooth/Ble.java, line(s) 167 im/shimo/react/prompt/RNPromptModule.java, line(s) 71,79 io/invertase/firebase/app/ReactNativeFirebaseApp.java, line(s) 15 io/invertase/firebase/common/RCTConvertFirebase.java, line(s) 157 io/invertase/firebase/common/ReactNativeFirebaseEventEmitter.java, line(s) 147 io/invertase/firebase/common/SharedUtils.java, line(s) 86,339,446,149 io/invertase/firebase/crashlytics/ReactNativeFirebaseCrashlyticsInitProvider.java, line(s) 19,22,25,27,38,41,44,46,57,60,63,65,77,74 io/invertase/firebase/crashlytics/ReactNativeFirebaseCrashlyticsModule.java, line(s) 55,58,73,147,156 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingModule.java, line(s) 80 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingReceiver.java, line(s) 20,41 io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 70 io/sentry/SystemOutLogger.java, line(s) 13,21,30 io/sentry/android/core/AndroidLogger.java, line(s) 65,61,57,59,63 io/sentry/transport/StdoutTransport.java, line(s) 34 org/bitcoinj/store/DatabaseFullPrunedBlockStore.java, line(s) 1096,1106,1124,1137 org/bitcoinj/store/LevelDBFullPrunedBlockStore.java, line(s) 941,309 org/consenlabs/imtoken/dappbrowser/DAppBrowser.java, line(s) 174 org/consenlabs/imtoken/dappbrowser/JsInjectorClient.java, line(s) 38,55 org/consenlabs/imtoken/urlhook/CustomURLStreamHandler.java, line(s) 37,29 org/consenlabs/tokencore/wallet/WalletManager.java, line(s) 538 
org/koin/android/logger/AndroidLogger.java, line(s) 52,56,58,54 org/koin/core/time/MeasureKt.java, line(s) 20,29 org/reactnative/facedetector/tasks/FileFaceDetectionAsyncTask.java, line(s) 85 timber/log/Timber.java, line(s) 509,527
Info: The app can write to its application directory. Sensitive information should be encrypted.
Files: com/helpscout/beacon/a/b/c/a.java, line(s) 20,20
Info: The app copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other apps can read it.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/helpscout/common/extensions/ContextExtensionsKt.java, line(s) 4,112 com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,47
Triage note: the clipboard module is reachable from JavaScript, so the question is which screens call it. Copying a receive address is expected; copying a mnemonic or private key is not, and on Android 13 and later the system clipboard preview makes any such copy visible on screen as well.
Secure: The app uses SSL pinning to detect or prevent MITM attacks on its secure communication channels.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/helpscout/beacon/internal/data/remote/BeaconUiApiService.java, line(s) 55,55 com/helpscout/beacon/internal/data/remote/chat/ChatApiService.java, line(s) 40,40
Triage note: both hits are in the Help Scout support SDK, so this finding says nothing about the wallet's own API traffic. Verify pinning on the endpoints that matter (node RPC, imKey device servers, price and token-list APIs) by intercepting with a user-installed CA and checking which connections still succeed.
Secure: The app may have root detection.
Reference: https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: io/sentry/android/core/DefaultAndroidEventProcessor.java, line(s) 94 io/sentry/android/core/util/RootChecker.java, line(s) 63,42,24,24,24,24,24,24,36
Triage note: this is Sentry's RootChecker, which only records a "rooted" flag on crash reports; it does not gate any wallet functionality, so the app should not be credited with root resilience on this basis.
Hotspot: The app may communicate with a server (ce3e75d5.jpush.cn) located in a country the scanner lists as OFAC-sanctioned (China).
IP 120.233.118.242, Shenzhen, Guangdong, CN (22.545540, 114.068298)
Hotspot: The app may communicate with a server (imkey.online) located in a country the scanner lists as OFAC-sanctioned (China).
IP 54.222.175.235, Beijing, CN (39.907501, 116.397232)
Hotspot: The app may communicate with a server (imkeyserver.com) located in a country the scanner lists as OFAC-sanctioned (China).
IP 52.80.70.16, Beijing, CN (39.907501, 116.397232)
Triage note: these hotspots come from the scanner's own country list. China is not a comprehensively embargoed jurisdiction under OFAC (the China-related programs are entity- and sector-based), so treat this as a data-residency and jurisdiction observation rather than a sanctions finding. The first host belongs to the JPush push-notification SDK (the cn.jpush components flagged above); the other two serve the imKey hardware-wallet library (im/imkey/imkeylibrary). What a reviewer wants to know is which data each receives: device identifiers and push tokens for JPush, and whatever the device-activation and transaction requests in the imkey model classes carry.