Security Baseline Score
Security Baseline Score: 42/100
Overall Risk Level
Risk Level Rating
- A
- B
- C
- F
Vulnerability and Security Item Distribution (%)
Privacy Risk
2
Number of third-party trackers detected
Detection Result Distribution
High-risk security vulnerabilities
4
Medium-risk security vulnerabilities
13
Security information (info-level findings)
1
Passed security checks
1
Key security concerns
2
High-risk vulnerability: The base (network security) configuration is insecurely configured to permit clear-text traffic to all domains.
Scope: *
High-risk vulnerability: The application uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/amap/loc/bz.java, line(s) 54,87,150,163; com/amap/loc/m.java, line(s) 79
High-risk vulnerability: Insecure implementation of SSL. Trusting all certificates or accepting self-signed certificates is a critical security flaw. This application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis
Files: com/client/dmo100/wxapi/Util.java, line(s) 149,22,23,24
High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/client/dmo100/uniwebview/UniWebViewDialog.java, line(s) 245,40,41; com/client/dmo100/uniwebview/VideoEnabledWebView.java, line(s) 73,10
Medium-risk vulnerability: Application data is at risk of being leaked.
The [android:allowBackup] flag is not set. This flag, [android:allowBackup], should be set to false. By default it is set to true, which allows anyone to back up your application data via adb. It lets a user who has enabled USB debugging copy application data off the device.
Medium-risk vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: org/xianliao/im/sdk/constants/SGConstants.java, line(s) 44,47,60
Medium-risk vulnerability: IP address disclosure.
Files: com/amap/loc/bp.java, line(s) 139
Medium-risk vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/amap/loc/bp.java, line(s) 12; com/amap/loc/cr.java, line(s) 28; com/client/dmo100/util/OrderInfoUtil2_0.java, line(s) 14
Medium-risk vulnerability: MD5 is a weak hash with known hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: cn/magicwindow/common/http/m.java, line(s) 11; cn/magicwindow/common/util/o.java, line(s) 13; com/amap/loc/n.java, line(s) 64; com/tencent/apollo/ApolloVoiceUDID.java, line(s) 60; com/tencent/mm/a/a.java, line(s) 9
Medium-risk vulnerability: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/client/dmo100/uniwebview/UniWebView.java, line(s) 31,16
Medium-risk vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: cn/magicwindow/common/b/a.java, line(s) 4,5,14; cn/magicwindow/common/b/b.java, line(s) 6,99; com/amap/loc/aj.java, line(s) 3,14,15,16,17,18; com/amap/loc/ay.java, line(s) 3,30; com/amap/loc/cc.java, line(s) 5,36; com/amap/loc/cf.java, line(s) 3,14,15
Medium-risk vulnerability: The application can read/write external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: cn/magicwindow/common/util/d.java, line(s) 133; com/amap/loc/ac.java, line(s) 37; com/amap/loc/cr.java, line(s) 412,560; com/amap/loc/l.java, line(s) 154,155; com/client/dmo100/uniwebview/UniWebChromeClient.java, line(s) 101; com/tencent/a/a/a/a/b.java, line(s) 19,21,33; com/yasirkula/unity/NativeGallery.java, line(s) 94; com/yasirkula/unity/NativeGalleryMediaPickerFragment.java, line(s) 115,182
Medium-risk vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: cn/magicwindow/ProgressWebView.java, line(s) 61,63,41; cn/magicwindow/WebViewActivity.java, line(s) 200,213; com/client/dmo100/uniwebview/VideoEnabledWebView.java, line(s) 66,72,78,84,90,94,96,57
Medium-risk vulnerability: SHA-1 is a weak hash with known hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/amap/loc/i.java, line(s) 72; com/client/dmo100/wxapi/Util.java, line(s) 268
Medium-risk vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/client/dmo100/uniwebview/UniWebChromeClient.java, line(s) 102
Medium-risk vulnerability: The application contains privacy trackers.
This application has 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-risk vulnerability: This app may contain hard-coded secrets.
The following secrets were identified in the application. Verify that these are not secret or private information:
- 高德地图 (Amap) => "com.amap.api.v2.apikey" : "076b86f0972208d72518b23cb861a9e2"
- FB923EE67A8B4032DAA517DD8CD7A26FF7C25B0C3663F92A0B61251C4FFFA858DF169D61321C3E7919CB67DF8EFEC827
- b2e8bd171989cb2c3c13bd89b4c1067a
- fe643c382e5c3b3962141f1a2e815a78
- a9a9d23668a1a7ea93de9b21d67e436a
- 6X8Y4XdM2Vhvn0KfzcEatGnWaNU=
- 668319f11506def6208d6afe320dfd52
- AF2228680EDC323FBA035362EB7E1E38A0C33E1CF6F6FB805EE553A230CBA754CD9552EB9B546542CBE619E8293151BE
- 9a571aa113ad987d626c0457828962e6
- 256b0f26bb2a9506be6cfdb84028ae08
- 239CE372F804D4BE4EAFFD183668379BDF274440E6F246AB16BBE6F5D1D30DEACFBBF0C942485727FF12288228760A9E
- 53E53D46011A6BBAEA4FAE5442E659E0577CDD336F930C28635C322FB3F51C3C63F7FBAC9EAE448DFA2E5E5D716C4807
- D2FF99A88BEB04683D89470D4FA72B1749DA456AB0D0F1A476477CE5A6874F53A9106423D905F9D808C0FCE8E7F1E04AC642F01FE41D0C7D933971F45CBA72B7
- F13160D440C7D0229DA95450F66AF92154AC84DF088F8CA3100B2E8131D57F3DC67124D4C466056E7A3DFBE035E1B9A4B9DA4DB68AE65A43EDFD92F5C60EF0C9
Security information: The application writes log messages. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: bitter/jnibridge/JNIBridge.java, line(s) 62; cn/magicwindow/AdTrack.java, line(s) 18,33; cn/magicwindow/common/c/a.java, line(s) 43,31,37,55,49,61,75,78; cn/magicwindow/common/http/ae.java, line(s) 46; com/amap/loc/r.java, line(s) 270; com/client/dmo100/sgapi/SGEntryActivity.java, line(s) 23,31,43,55,58; com/client/dmo100/uniwebview/UniWebChromeClient.java, line(s) 69; com/client/dmo100/uniwebview/UniWebViewDialog.java, line(s) 125,163,214,224,233,294,340,396,450,487,498,504,605,640,669,757; com/client/dmo100/uniwebview/VideoEnabledWebView.java, line(s) 23; com/client/dmo100/util/SignalStrengthUtil.java, line(s) 14,15; com/client/dmo100/wxapi/AndroidPlugin.java, line(s) 45,46,54,65,81,125,129,135,141,163,184,198,243,256,269,282,295,308,321,334,347,360,373,376,379,394,407,420,433,446,475,488,501,519,532,545,558,571,584,597,619,750,762,766; com/client/dmo100/wxapi/Util.java, line(s) 175,213,216,66,73,78,88,98,103,177,181,185,197,241,257,169,238,244,254; com/client/dmo100/wxapi/WXEntryActivity.java, line(s) 107,123,126,132,136,141,147,148,150,188,199,201,278,280,328,335,340,384,388,390,392,394,398,400,402,405,407,417,419,423,425,428,432,438,439,441,445,458,461,466,476,479,509,533,598,632,678,682,691,473,523,524,560,563,611,614,699,702,706,708,709,712,714,715,185,195,289,293,294,299,302,305,308,311,345; com/client/dmo100/wxapi/WXPayEntryActivity.java, line(s) 24; com/tencent/a/a/a/a/b.java, line(s) 18,26; com/tencent/a/a/a/a/c.java, line(s) 31,45; com/tencent/a/a/a/a/d.java, line(s) 16,32; com/tencent/a/a/a/a/e.java, line(s) 15,29; com/tencent/a/a/a/a/h.java, line(s) 29,20,49,56,23; com/tencent/apollo/ApolloVoiceConfig.java, line(s) 26; com/tencent/apollo/ApolloVoiceDeviceMgr.java, line(s) 50,80,249,253,56,61,69,92,97,111,114,131,138,174,192,197,202,206,218,231,244,31; com/tencent/apollo/ApolloVoiceEngine.java, line(s) 14; com/tencent/apollo/ApolloVoiceNetStatus.java, line(s) 21,46; com/tencent/apollo/ApolloVoiceUDID.java, line(s) 23,33,72; com/tencent/apollo/apollovoice/httpclient/URLRequest.java, line(s) 58,164,174,190,208,257,285,286,63,65,107,270,295,298; com/yasirkula/unity/NativeGallery.java, line(s) 111,35,87,119,147,154,158,169,248,413; com/yasirkula/unity/NativeGalleryMediaPickerFragment.java, line(s) 104,175,245,327; com/yasirkula/unity/NativeGalleryPermissionFragment.java, line(s) 40,70; org/fmod/FMODAudioDevice.java, line(s) 71; org/fmod/a.java, line(s) 82; org/xianliao/im/sdk/api/ActivityLifeCallbacks.java, line(s) 21,30,50,57; org/xianliao/im/sdk/api/ISGAPIImpl.java, line(s) 190,85,94,107,124,183,187,233; org/xianliao/im/sdk/modelmsg/SGGameObject.java, line(s) 49,84,88,92,96,100,104,108,112; org/xianliao/im/sdk/modelmsg/SGImageObject.java, line(s) 39,70,74,78,82; org/xianliao/im/sdk/modelmsg/SGMediaMessage.java, line(s) 47,53,57,61,65,69,73,77; org/xianliao/im/sdk/modelmsg/SGTextObject.java, line(s) 26; org/xianliao/im/sdk/modelmsg/SGVideoObject.java, line(s) 16,20; org/xianliao/im/sdk/modelmsg/SendAuth.java, line(s) 30,34,82; org/xianliao/im/sdk/modelmsg/SendMessageToSG.java, line(s) 48; org/xianliao/im/sdk/net/NetUtils.java, line(s) 37,48,109,129; org/xianliao/im/sdk/net/model/GetBilIdlRequest.java, line(s) 71; org/xianliao/im/sdk/net/model/LoginInfoRequest.java, line(s) 70
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on its secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: cn/magicwindow/common/http/ai.java, line(s) 55,145; cn/magicwindow/common/util/d.java, line(s) 39,58; com/amap/loc/bi.java, line(s) 67,177; com/client/dmo100/wxapi/Util.java, line(s) 130,149
Key security concern: The application may communicate with a server (ssgw.updrips.com) located in an OFAC-sanctioned country (China).
{'ip': '154.215.122.55', 'country_short': 'HK', 'country_long': '中国', 'region': '香港', 'city': '香港', 'latitude': '22.285521', 'longitude': '114.157692'}
Key security concern: The application may communicate with a server (logs.amap.com) located in an OFAC-sanctioned country (China).
{'ip': '49.79.227.241', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}