安全分析报告: Yari v1.1.5

安全分数


安全分数 53/100

风险评级


等级

  1. A
  2. B
  3. C
  4. F

严重性分布 (%)


隐私风险

6

用户/设备跟踪器


调研结果

高危 2
中危 26
信息 2
安全 3
关注 2

高危 域配置不安全地配置为允许明文流量到达范围内的这些域。 

Scope:
127.0.0.1
im-1.test.funnymamu.com

高危 应用程序包含隐私跟踪程序 

此应用程序有多个6隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。

中危 应用程序数据可以被备份 

[android:allowBackup=true]
这个标志允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。

中危 Activity (com.funny.yari.YariFlutterBoostActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.increase.applog.util.SimulateLaunchActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.room.ui.BlockListActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.ui.activity.ActivityDeleteAccount) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.ui.activity.ActivityDeleteAccountConfirm) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.ui.activity.ActivityPhoneCodeSearch) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.ui.activity.BeforeDeleteAccountActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.im.ui.ActivityMessageList) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.im.ui.ActivityChat) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.tab.TabMainActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Activity (com.funny.yari.ui.activity.ActivityInvite) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护, 但是应该检查权限的保护级别。 

Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
发现一个 Service被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 Activity (com.facebook.CustomTabActivity) 未被保护。 

[android:exported=true]
发现 Activity与设备上的其他应用程序共享,因此可被设备上的任何其他应用程序访问。

中危 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护, 但是应该检查权限的保护级别。 

Permission: android.permission.DUMP [android:exported=true]
发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。

中危 MD5是已知存在哈希冲突的弱哈希 

MD5是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/amazonaws/services/s3/AmazonS3Client.java, line(s) 2150
com/amazonaws/services/s3/internal/MD5DigestCalculatingInputStream.java, line(s) 28
com/amazonaws/util/Md5Utils.java, line(s) 20,63
com/nebula/uikit/svgaplayer/SVGACache.java, line(s) 46
o00O00o0/AbstractC5240OooO0O0.java, line(s) 27
xcrash/OooOO0.java, line(s) 292

中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 

文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/amazonaws/auth/CognitoCachingCredentialsProvider.java, line(s) 18,19,20,21,22
com/amazonaws/auth/policy/conditions/ConditionFactory.java, line(s) 8,9,10,11,12,13,14
com/amazonaws/auth/policy/conditions/S3ConditionFactory.java, line(s) 10,11,12,14,15,8,9,13
com/amazonaws/mobileconnectors/s3/transferutility/TransferTable.java, line(s) 29,35
com/amazonaws/services/s3/Headers.java, line(s) 23,28,65
com/amazonaws/services/s3/model/S3ObjectSummary.java, line(s) 71
com/funny/yari/im/db/NewsTable.java, line(s) 67
com/funny/yari/room/net/RoomSetting.java, line(s) 259
com/funny/yari/useage/UsageApiImpl.java, line(s) 223
com/idlefish/flutterboost/FlutterBoostPlugin.java, line(s) 22
com/idlefish/flutterboost/containers/FlutterActivityLaunchConfigs.java, line(s) 4
com/nebula/im/db/entity/ChatInfoEntity.java, line(s) 223
com/nebula/im/db/entity/ConversationInfoEntity.java, line(s) 177
com/nebula/rtm/util/encryption/AES.java, line(s) 9,10
com/nebula/rtm/util/encryption/HMACSHA1.java, line(s) 12
io/grpc/internal/o000OOo.java, line(s) 80
o000o00O/C2093OooO0OO.java, line(s) 71
o000o00O/C4648OooO0OO.java, line(s) 71

中危 IP地址泄露 

IP地址泄露


Files:
o00oo0o/AbstractC5385OooO0OO.java, line(s) 9
o00oo0o/OooO0OO.java, line(s) 9

中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/amazonaws/mobileconnectors/s3/transferutility/TransferTable.java, line(s) 3,50,51,52,53,54,58,62,66
o00Oo0o0/C1198Oooo0o.java, line(s) 5,6,208,248,257,290,409,442,575,758
o00Oo0o0/C5110Oooo0o.java, line(s) 5,6,218,258,267,300,419,452,585,768
o00Oo0o0/o000oOoO.java, line(s) 4,5,147
o00o0oOO/C2377OooO00o.java, line(s) 4,88,89,92,93,96,99,100,103,106
o00o0oOO/C4939OooO00o.java, line(s) 4,88,89,92,93,96,99,100,103,106
o00o0oOO/C5290OooOO0O.java, line(s) 9,10,11,12,13,228,372

中危 不安全的Web视图实现。可能存在WebView任意代码执行漏洞 

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/funny/yari/model/bean/GlobalWebView.java, line(s) 298,73
com/funny/yari/web/EmptyWebView.java, line(s) 174,67
com/funny/yari/web/WebViewActivity.java, line(s) 1314,843
o00OO0/C1060OooO0o0.java, line(s) 469,432
o00OO0/C1065OooOOOo.java, line(s) 472,410
o00OO0/C4950OooO0o0.java, line(s) 494,457
o00OO0/C4955OooOOOo.java, line(s) 493,431

中危 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 

可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6

Files:
com/funny/yari/model/bean/GlobalWebView.java, line(s) 82,73
com/funny/yari/web/EmptyWebView.java, line(s) 76,67
com/funny/yari/web/WebViewActivity.java, line(s) 851,843
o00OO0/C1060OooO0o0.java, line(s) 439,432
o00OO0/C1065OooOOOo.java, line(s) 417,410
o00OO0/C4950OooO0o0.java, line(s) 464,457
o00OO0/C4955OooOOOo.java, line(s) 438,431

中危 应用程序使用不安全的随机数生成器 

应用程序使用不安全的随机数生成器
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
OooO/C2521OooO0O0.java, line(s) 14
OooO/C5759OooO0O0.java, line(s) 14
OooooOo/oo000o.java, line(s) 12
com/amazonaws/retry/PredefinedRetryPolicies.java, line(s) 9
com/appsflyer/internal/AFb1gSDK.java, line(s) 15
com/funny/yari/C1537OooOOoo.java, line(s) 15
com/funny/yari/C1539OooOo0O.java, line(s) 11
com/funny/yari/C1701OooOOoo.java, line(s) 15
com/funny/yari/C1703OooOo0O.java, line(s) 11
com/idlefish/flutterboost/example/RunBall.java, line(s) 14
com/idlefish/flutterboost/example/SimpleTextView.java, line(s) 12
io/agora/rtc/audio/MediaCodecAudioDecoder.java, line(s) 22
io/grpc/internal/AbstractC0412o00o0O.java, line(s) 18
io/grpc/internal/AbstractC4015o00o0O.java, line(s) 19
io/grpc/internal/C0370OooOoOO.java, line(s) 4
io/grpc/internal/C3973OooOoOO.java, line(s) 5
io/grpc/internal/DnsNameResolver.java, line(s) 23
io/grpc/okhttp/OooO0o.java, line(s) 47
o00O/C5209OooO00o.java, line(s) 21
o00O/OooO00o.java, line(s) 20
o00oo0o/C5476OooO00o.java, line(s) 3
o0ooOoO/InterfaceC2509OooOo0.java, line(s) 4
o0ooOoO/InterfaceC5742OooOo0.java, line(s) 4

中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 

应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/funny/yari/YariFlutterBoostActivity.java, line(s) 179
com/funny/yari/useage/UsageApiImplFun.java, line(s) 202,202
com/funny/yari/utils/C0781o0000oO0.java, line(s) 117
com/funny/yari/utils/C3380o0000oO0.java, line(s) 131
com/funny/yari/utils/PathUtil.java, line(s) 133,93,119,133,145
com/funny/yari/utils/ShareLiveRoom.java, line(s) 131
com/funny/yari/utils/ZipUtils.java, line(s) 18
com/funny/yari/web/WebViewActivity.java, line(s) 760
com/nebula/rtm/agora/AgoraRtmClient.java, line(s) 213,214
io/agora/rtc/internal/CommonUtility.java, line(s) 410,410
io/agora/rtm/internal/AgoraSysUtils.java, line(s) 18,18
io/agora/rtm/internal/CommonUtility.java, line(s) 275,275
o00OOOoO/OooO00o.java, line(s) 69
o00o0oOO/AbstractC5351OooO0Oo.java, line(s) 66

中危 SHA-1是已知存在哈希冲突的弱哈希 

SHA-1是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
o00OoO0/C1097OooO0o0.java, line(s) 32
o00OoO0/C4987OooO0o0.java, line(s) 35

中危 此应用可能包含硬编码机密信息 

从应用程序中识别出以下机密确保这些不是机密或私人信息
"account_auth_provider" : "com.funny.yari.provider"
"account_auth_type" : "com.funny.yari"
"account_token_type" : "com.funny.yari"
"com.google.firebase.crashlytics.mapping_file_id" : "1cbf22eb4f1f44b4bf2eb3301b8cfff1"
"facebook_app_id" : "1267460131147556"
"facebook_client_token" : "12599d32185901ffa1d04054b46b1268"
"google_api_key" : "AIzaSyCVBQCxOfFvbtAGYLUlXxN6s_KME19b3y8"
"google_app_id" : "1:576937704118:android:5e0240c15470c54c59c417"
"google_crash_reporting_api_key" : "AIzaSyCVBQCxOfFvbtAGYLUlXxN6s_KME19b3y8"
bb9c035329e8a236a4cf17a5997503db
e2719d58-a985-b3c9-781a-b030af78d30e
df6b721c8b4d3b6eb44c861d4415007e5a35fc95
8a3c4b262d721acd49a4bf97d5213199c86fa2b9
9a04f079-9840-4286-ab92-e65be0885f95
16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a
2438bce1ddb7bd026d5ff89f598b3b5e5bb824b3
cc2751449a350f668590264ed76692694a80308a
3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F
a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc
FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
c56fb7d591ba6704df047fd98f535372fea00211
FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212
E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1
9b8f518b086098de3d77736f9458a3d2f6f95a37
538e777513ca6c35facfac89b1b43520
9c66876b054eea4c746049239ebcd50e

信息 应用程序记录日志信息,不得记录敏感信息 

应用程序记录日志信息,不得记录敏感信息
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
OooO0o/AbstractC0307OooO0o0.java, line(s) 94
OooO0o/AbstractC0449OooO0o0.java, line(s) 94
OooO0oO/C0309OooO00o.java, line(s) 317
OooO0oO/C0453OooO00o.java, line(s) 317
Oooo00O/AbstractC0273OooO0o0.java, line(s) 58,89
Oooo00O/AbstractC0412OooO0o0.java, line(s) 59,90
Oooo00O/C2528OooO0OO.java, line(s) 104,103
Oooo00O/C2530OooO0o0.java, line(s) 64,63
Oooo00O/C5766OooO0OO.java, line(s) 104,103
Oooo00O/C5768OooO0o0.java, line(s) 50,109,49,108
OoooO0O/OooO0OO.java, line(s) 154
OooooOo/C0342OooO00o.java, line(s) 178,183,190,194,210,220
OooooOo/C0497OooO00o.java, line(s) 178,183,190,194,210,220
OooooOo/OooO00o.java, line(s) 134,138
OooooOo/OooOOO0.java, line(s) 37,42,32,27
com/amazonaws/auth/CognitoCachingCredentialsProvider.java, line(s) 38,69,76,92,132,140,214,234,254,274,294,314,334,354,374,191,52
com/appsflyer/internal/AFf1cSDK.java, line(s) 141
com/appsflyer/internal/AFf1fSDK.java, line(s) 135
com/appsflyer/internal/AFf1uSDK.java, line(s) 63,68,113,119
com/appsflyer/internal/AFg1dSDK.java, line(s) 51,97,66,55,61,59
com/appsflyer/share/LinkGenerator.java, line(s) 83
com/contrarywind/view/WheelView.java, line(s) 452
com/funny/yari/C1539OooOo0O.java, line(s) 36,40,48,52
com/funny/yari/C1703OooOo0O.java, line(s) 36,41,51,56
com/funny/yari/YariApplication.java, line(s) 303
com/funny/yari/YariFlutterBoostActivity.java, line(s) 128,216
com/funny/yari/billing/BillingChannelWindowManager.java, line(s) 172
com/funny/yari/billing/BillingWindowManager.java, line(s) 223
com/funny/yari/billing/widget/RechargeBottomView.java, line(s) 235,472,706
com/funny/yari/flutter/FlutterEventManager.java, line(s) 599,333,596
com/funny/yari/im/adapter/AdapterMessage.java, line(s) 327
com/funny/yari/im/ui/ActivityChat.java, line(s) 1894
com/funny/yari/net/AccelerateApi.java, line(s) 160
com/funny/yari/net/NetWorkStateReceiver.java, line(s) 32
com/funny/yari/net/dns/DnsUtils.java, line(s) 54
com/funny/yari/net/dns/FunDns.java, line(s) 30,41,50,56,61,73,85,121,124,127
com/funny/yari/net/retrofit/HttpEventListener.java, line(s) 91,92
com/funny/yari/net/retrofit/RetrofitFactory.java, line(s) 76
com/funny/yari/room/net/UploadImageApiImpl.java, line(s) 79
com/funny/yari/room/presenter/GamePresenter.java, line(s) 626
com/funny/yari/room/presenter/MicPresenter.java, line(s) 385,1171,1303,1305,1308,907,507
com/funny/yari/room/presenter/RoomBasePresenter.java, line(s) 2608,1288,835,905,2354
com/funny/yari/room/ui/BaseRoomActivity.java, line(s) 521
com/funny/yari/room/ui/adapter/LiveRoomActivesPagerAdapter.java, line(s) 249,245
com/funny/yari/room/ui/service/ForegroundService.java, line(s) 66,103,110,117,123,126,138,146,149,156,157,172
com/funny/yari/rtm/rtmbase/RtmInfoApiImpl.java, line(s) 315,335
com/funny/yari/signin/DaySignManager.java, line(s) 105
com/funny/yari/tab/TabMainActivity.java, line(s) 166
com/funny/yari/ui/activity/ActivityDeleteAccount.java, line(s) 222
com/funny/yari/ui/activity/ActivityReport$loadData$1.java, line(s) 170
com/funny/yari/ui/adapter/AdapterStoreGoodsBackground.java, line(s) 247
com/funny/yari/ui/scroll/ScrollRelativeLayout.java, line(s) 102
com/funny/yari/upload/AwsUploadManager$uploadWithPresignedUrl$1.java, line(s) 79,111
com/funny/yari/useage/UsageApiImplFun.java, line(s) 120,141,156
com/funny/yari/utils/AbstractC0768o00000o0.java, line(s) 47,53,61
com/funny/yari/utils/AbstractC3367o00000o0.java, line(s) 52,58,66
com/funny/yari/utils/BatteryUtils.java, line(s) 55
com/funny/yari/utils/C0702OooOO0o.java, line(s) 113
com/funny/yari/utils/C0781o0000oO0.java, line(s) 47
com/funny/yari/utils/C0787o000O0o.java, line(s) 120,127,134
com/funny/yari/utils/C0794o0ooOoO.java, line(s) 206,225,241,247
com/funny/yari/utils/C3300OooO0oo.java, line(s) 63
com/funny/yari/utils/C3301OooOO0o.java, line(s) 122
com/funny/yari/utils/C3380o0000oO0.java, line(s) 61
com/funny/yari/utils/C3386o000O0o.java, line(s) 147,154,161
com/funny/yari/utils/C3393o0ooOoO.java, line(s) 212,231,247,253
com/funny/yari/utils/SvgaUtils.java, line(s) 218,223
com/funny/yari/utils/download/DownloadApiImpl$downloadFile$1.java, line(s) 53
com/funny/yari/utils/download/DownloadApiImpl.java, line(s) 378
com/funny/yari/voicerecord/RecordingService.java, line(s) 79
com/idlefish/flutterboost/FlutterBoostPlugin.java, line(s) 48,78,83,98,104,109,114,123,132,144,162,183,190,203,213,228,245,259,270,287,294,312,330,336,342,349,365,372,395,406,422,442,462,468,484,507
com/idlefish/flutterboost/containers/FlutterBoostActivity.java, line(s) 97,113,122,149,161,171,178,239,252,258,276,294,311,337,345,353,359,368,138,211,300,317
com/idlefish/flutterboost/containers/FlutterBoostFragment.java, line(s) 153,164,173,188,200,210,216,223,240,300,306,319,326,333,350,360,369,385,406,419,444,451,458,465,474,485,409,425
com/idlefish/flutterboost/containers/FlutterBoostView.java, line(s) 103
com/idlefish/flutterboost/containers/FlutterContainerManager.java, line(s) 46,53,107
com/idlefish/flutterboost/example/PerfTestActivity.java, line(s) 22
com/idlefish/flutterboost/example/SimpleTextView.java, line(s) 37,41,50,54
com/nebula/im/model/fun/FunImApiImpl.java, line(s) 118,122
com/nebula/rtm/util/LogUtils.java, line(s) 22
com/nebula/uikit/animplayer/AnimPlayer.java, line(s) 337,340
com/nebula/uikit/animplayer/Decoder.java, line(s) 233,237
com/nebula/uikit/animplayer/EGLUtil.java, line(s) 116
com/nebula/uikit/animplayer/HardDecoder.java, line(s) 195,218
com/nebula/uikit/animplayer/mix/MixAnimPlugin.java, line(s) 206
com/nebula/uikit/animplayer/mix/MixRender.java, line(s) 112,120
com/nebula/uikit/animplayer/util/ALog.java, line(s) 25,33,68,46
com/nebula/uikit/svgaplayer/utils/log/DefaultLogCat.java, line(s) 14,21,49,57,28,35,42
com/nebula/uikit/util/KeyWordUtil.java, line(s) 27
com/nebula/uikit/view/highlightpro/HighlightProImpl.java, line(s) 117,218,245
com/pairip/licensecheck/LicenseActivity.java, line(s) 93,71
com/pairip/licensecheck/LicenseClient.java, line(s) 77,90,121,138,168,196,187,112
com/yalantis/ucrop/UCropActivity.java, line(s) 568
com/yalantis/ucrop/view/OooO0O0.java, line(s) 114,55,233
io/agora/rtc/gdp/EglCore.java, line(s) 95,188,193,50,45,77
io/agora/rtc/gdp/EglSurfaceBase.java, line(s) 88,109
io/agora/rtc/gdp/GDPAndroid.java, line(s) 112,180,187,282,287
io/agora/rtc/gdp/GlUtil.java, line(s) 30,73,85,86,101,105,111,112,113
io/agora/rtc/gl/EglBase14.java, line(s) 136
io/agora/rtc/gl/EglRenderer.java, line(s) 144
io/agora/rtc/gl/GlShader.java, line(s) 77,30,48
io/agora/rtc/internal/Connectivity.java, line(s) 31,35
io/agora/rtc/mediaio/AgoraSurfaceView.java, line(s) 117
io/agora/rtc/mediaio/AgoraTextureView.java, line(s) 114
io/agora/rtc/mediaio/BaseVideoRenderer.java, line(s) 157,216
io/agora/rtc/mediaio/SurfaceTextureHelper.java, line(s) 127,179,216,281,54,113,246,265,317
io/agora/rtc/mediaio/VideoFrameConsumerImpl.java, line(s) 21,30,38,58
io/agora/rtc/utils/YuvUtils.java, line(s) 72,88,105,120
io/agora/rtc/video/TextureRenderer.java, line(s) 83
io/agora/rtc/video/ViEAndroidGLES20.java, line(s) 73,244
io/agora/rtc/video/ViETextureView.java, line(s) 237
io/agora/rtc/video/ViETextureViewWrapper.java, line(s) 231
io/agora/rtc/video/VideoCaptureCamera.java, line(s) 166
o0000oO0/OooOOO.java, line(s) 32
o000O00/C2074OooO0Oo.java, line(s) 93,145,92,144
o000O00/C4629OooO0Oo.java, line(s) 93,145,92,144
o000O00/C4630OooO0o0.java, line(s) 547,565,571,546,564,570,591
o000O000/C2077OooO0O0.java, line(s) 413
o000O000/C4632OooO0O0.java, line(s) 412
o000O0O0/C2133OooO0OO.java, line(s) 19,18
o000O0O0/C2134OooO0Oo.java, line(s) 53,52
o000O0O0/C2135OooO0o.java, line(s) 148,147
o000O0O0/C2148OooOOo.java, line(s) 83,86
o000O0O0/C2151OooOOoo.java, line(s) 39,38
o000O0O0/C4688OooO0OO.java, line(s) 19,18
o000O0O0/C4689OooO0Oo.java, line(s) 53,52
o000O0O0/C4690OooO0o.java, line(s) 148,147
o000O0O0/C4703OooOOo.java, line(s) 83,86
o000O0O0/C4706OooOOoo.java, line(s) 39,38
o000O0oo/AbstractC2169OooOOO0.java, line(s) 86,87
o000O0oo/AbstractC4724OooOOO0.java, line(s) 86,87
o000O0oo/C2111OooO.java, line(s) 123,107
o000O0oo/C2117OooO0o0.java, line(s) 52,58,86,96,110,53,87,59,99,111
o000O0oo/C4666OooO.java, line(s) 123,107
o000O0oo/C4672OooO0o0.java, line(s) 52,58,86,96,110,53,87,59,99,111
o000O0oo/ExecutorServiceC2121OooO00o.java, line(s) 239,236
o000O0oo/ExecutorServiceC4676OooO00o.java, line(s) 239,236
o000OO/C2189OooO0Oo.java, line(s) 49,56,67,72,48,55,60,66,71,61
o000OO/C4744OooO0Oo.java, line(s) 49,56,67,72,48,55,60,66,71,61
o000OOo0/AbstractC2261OooO0O0.java, line(s) 20
o000OOo0/AbstractC4816OooO0O0.java, line(s) 20
o000OOoO/AbstractC2264OooO00o.java, line(s) 68,69
o000OOoO/AbstractC4819OooO00o.java, line(s) 68,69
o000OOoO/C2176OooO0Oo.java, line(s) 131
o000OOoO/C2180OooO0oO.java, line(s) 184,79,99,111,112,127,131
o000OOoO/C4731OooO0Oo.java, line(s) 385,387,392,395,137
o000OOoO/C4735OooO0oO.java, line(s) 184,79,99,111,112,127,131
o000OOoO/OooO0o.java, line(s) 196
o000Oo0/AbstractC2017Oooo0o.java, line(s) 32
o000Oo0/AbstractC4570Oooo0o.java, line(s) 32
o000Oo0/C2191OooO00o.java, line(s) 88,94,101,110,89,95,102,111
o000Oo0/C2194OooO0Oo.java, line(s) 24,25
o000Oo0/C2199OooOO0.java, line(s) 42,45
o000Oo0/C4746OooO00o.java, line(s) 88,94,101,110,89,95,102,111
o000Oo0/C4749OooO0Oo.java, line(s) 24,25
o000Oo0/C4754OooOO0.java, line(s) 42,45
o000Oo0o/AbstractC2040OooOOoo.java, line(s) 93,97,102
o000Oo0o/AbstractC4593OooOOoo.java, line(s) 321,325,330
o000Oo0o/C2023OooO00o.java, line(s) 19
o000Oo0o/C2039OooOOo0.java, line(s) 57,89,93,169,172,180,186,194,208,350
o000Oo0o/C2044OooOo0o.java, line(s) 65
o000Oo0o/C2214OooO0o.java, line(s) 12,11
o000Oo0o/C2215OooO0o0.java, line(s) 36,35,58,76,59,77
o000Oo0o/C2224OooOOOo.java, line(s) 230,231,242
o000Oo0o/C2225OooOOo.java, line(s) 94,95
o000Oo0o/C2227OooOOoo.java, line(s) 151,158,152,159
o000Oo0o/C4576OooO00o.java, line(s) 19
o000Oo0o/C4592OooOOo0.java, line(s) 57,89,93,169,172,180,186,194,208,352
o000Oo0o/C4597OooOo0o.java, line(s) 65
o000Oo0o/C4769OooO0o.java, line(s) 12,11
o000Oo0o/C4770OooO0o0.java, line(s) 36,35,58,76,59,77
o000Oo0o/C4779OooOOOo.java, line(s) 230,231,242
o000Oo0o/C4780OooOOo.java, line(s) 94,95
o000Oo0o/C4782OooOOoo.java, line(s) 151,158,152,159
o000Oo0o/FragmentC2223OooOOOO.java, line(s) 141,142
o000Oo0o/FragmentC4778OooOOOO.java, line(s) 141,142
o000OoO/AbstractC2233OooO0Oo.java, line(s) 55,106,107,56
o000OoO/AbstractC2240OooOO0o.java, line(s) 57,108,109,58
o000OoO/AbstractC4788OooO0Oo.java, line(s) 55,106,107,56
o000OoO/AbstractC4795OooOO0o.java, line(s) 57,108,109,58
o000OoO/C1964OooO0o0.java, line(s) 33,40,27
o000OoO/C4517OooO0o0.java, line(s) 33,40,27
o000OoO/InterfaceC2058OooO0oo.java, line(s) 75,61,65
o000OoO/InterfaceC4612OooO0oo.java, line(s) 75,61,65
o000o00O/AbstractC2086OooO0oo.java, line(s) 12,31,13,34
o000o00O/AbstractC4641OooO0oo.java, line(s) 12,31,13,34
o000o00O/C2087OooOO0o.java, line(s) 81,80,160,195,205,161,196,252
o000o00O/C4642OooOO0o.java, line(s) 82,245,81,161,196,206,244,162,197,292
o000o00O/OooOO0.java, line(s) 161,169,178,191,291,139,160,168,177,190,290
o000o00O/OooOOO.java, line(s) 24,25
o000o0O/C1893OooO00o.java, line(s) 93
o000o0O/C4446OooO00o.java, line(s) 93
o000o0O/OooO.java, line(s) 115,151,116,152
o000o0O/OooO0O0.java, line(s) 91
o000o0O/OooOO0.java, line(s) 105,149,162,174,73,104,114,138,148,161,173,194,201,50,115,195,202,139
o00O0000/AbstractC0846OooO0oO.java, line(s) 15
o00O0000/AbstractC5225OooO0oO.java, line(s) 17
o00O0000/OooOOOO.java, line(s) 9
o00O00Oo/C0650OooO0o0.java, line(s) 22
o00O00Oo/C5247OooO0o0.java, line(s) 24
o00O0oo0/AbstractC2297OooO00o.java, line(s) 13
o00O0oo0/AbstractC4859OooO00o.java, line(s) 13
o00O0oo0/AsyncTaskC0715OooO00o.java, line(s) 157,115
o00O0oo0/AsyncTaskC0716OooO0O0.java, line(s) 46,83,123,52,61,69,215,218
o00O0oo0/AsyncTaskC5346OooO00o.java, line(s) 179,137
o00O0oo0/AsyncTaskC5347OooO0O0.java, line(s) 54,91,131,60,69,77,223,226
o00O0oo0/OooO00o.java, line(s) 68
o00OO00o/AbstractC1142OooO00o.java, line(s) 15,22,29,14,21,28,35,36,49,50
o00OO00o/AbstractC5054OooO00o.java, line(s) 15,22,29,14,21,28,35,36,49,50
o00OOO00/AbstractC0887OooO00o.java, line(s) 22,35
o00OOO00/AbstractC5600OooO00o.java, line(s) 24,37
o00OOO00/C0888OooO0O0.java, line(s) 55,57
o00OOO00/C5601OooO0O0.java, line(s) 58,60
o00OOOoO/C1239OooO.java, line(s) 31,60,67,70,83,86,89,92,95
o00OOOoO/C5151OooO.java, line(s) 36,65,72,75,88,91,94,97,100
o00Oo0oO/C1079OooO0o0.java, line(s) 39,104,115
o00Oo0oO/C4969OooO0o0.java, line(s) 44,110,121
o00Oo0oO/OooO00o.java, line(s) 48,19,32,44,58,66
o00OoO0/TextureViewSurfaceTextureListenerC0883OooO00o.java, line(s) 178,360,366,363,611
o00OoO0/TextureViewSurfaceTextureListenerC5596OooO00o.java, line(s) 205,389,395,392,640
o00o00/AbstractC5215OooO0O0.java, line(s) 7
o00o0o0O/AbstractC0662OooO0o0.java, line(s) 19
o00o0o0O/AbstractC5273OooO0o0.java, line(s) 19
o00o0o0O/C0661OooO0Oo.java, line(s) 14
o00o0o0O/C2294OooO0O0.java, line(s) 77
o00o0o0O/C4856OooO0O0.java, line(s) 77
o00o0o0O/C5272OooO0Oo.java, line(s) 15
o00o0oO/AbstractC0708OooO00o.java, line(s) 61,25,109
o00o0oO/AbstractC0710OooO0OO.java, line(s) 40
o00o0oO/AbstractC5339OooO00o.java, line(s) 62,26,110
o00o0oO/AbstractC5341OooO0OO.java, line(s) 40
o00o0oO/OooO0o.java, line(s) 135,148,155,162,171,182,185,196,222,239,249,261,275,291,301,304,307,310,313,327,332,345,350,238,248,260,274,290,300,303,306,309,312,326,331,344,349
o00o0oOO/AbstractC0684Oooo00O.java, line(s) 32
o00o0oOO/AbstractC0718OooO0O0.java, line(s) 34,36,38,40,42,45,59,68,81,84,91,101,107,119,139
o00o0oOO/AbstractC5310Oooo00O.java, line(s) 32
o00o0oOO/AbstractC5349OooO0O0.java, line(s) 35,37,39,41,43,46,60,69,82,85,92,102,108,120,140
o00o0oOO/C0683OooOooo.java, line(s) 69,83,93,155,225,292,308,339,352,358,378,383,73,87
o00o0oOO/C4948OooO0O0.java, line(s) 94,128,183
o00o0oOO/C5290OooOO0O.java, line(s) 126,151,234,242,293,378,418,566,648,257,401
o00o0oOO/C5309OooOooo.java, line(s) 86,100,110,172,242,309,325,356,369,375,395,400,90,104
o00o0oOO/OooO0O0.java, line(s) 88,120,175
o00oo000/OooO0OO.java, line(s) 60
o00oo0o/C1084OooO0Oo.java, line(s) 103,166
o00oo0o/C4974OooO0Oo.java, line(s) 113,179
o0OoOo0/C2495OooOO0o.java, line(s) 46
o0OoOo0/C5727OooOO0o.java, line(s) 47
xcrash/NativeHandler.java, line(s) 64,93
xcrash/OooO0OO.java, line(s) 21,26,16,11

信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 

此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
com/funny/yari/ui/widget/CharmItemView.java, line(s) 4,129,137,145,130,138,146
com/funny/yari/ui/widget/CommonDialog.java, line(s) 7,696,697
o00o0o0O/C2373OooO0O0.java, line(s) 5,128,129
o00o0o0O/C4935OooO0O0.java, line(s) 5,132,133

安全 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 

此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
io/grpc/okhttp/OkHttpChannelBuilder.java, line(s) 287,286,330,283,285,285

安全 此应用程序可能具有Root检测功能 

此应用程序可能具有Root检测功能
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
io/agora/rtc/video/VideoCapture.java, line(s) 209
o00o0oOO/AbstractC0718OooO0O0.java, line(s) 79,56,116,119
o00o0oOO/AbstractC5349OooO0O0.java, line(s) 80,57,117,120
xcrash/OooOO0.java, line(s) 23,23,23,23,23

安全 Firebase远程配置已禁用 

Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/576937704118/namespaces/firebase:fetch?key=AIzaSyCVBQCxOfFvbtAGYLUlXxN6s_KME19b3y8 ) 已禁用。响应内容如下所示:

{
    "state": "NO_TEMPLATE"
}

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (fun.ngrok.swift4fun.com) 通信。 

{'ip': '119.130.206.155', 'country_short': 'CN', 'country_long': '中国', 'region': '广东', 'city': '广州', 'latitude': '23.127361', 'longitude': '113.264572'}

关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (live.ngrok.swift4fun.com) 通信。 

{'ip': '119.130.206.155', 'country_short': 'CN', 'country_long': '中国', 'region': '广东', 'city': '广州', 'latitude': '23.127361', 'longitude': '113.264572'}

安全评分: ( Yari 1.1.5)