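Security score
Security score: 51/100
Risk rating (grade scale): A, B, C, F
[Chart: severity distribution (%)]
Privacy risk: 8 user/device trackers
Findings
High: 2
Medium: 29
Info: 3
Secure: 2
Hotspot: 0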
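High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting
If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: bolts/WebViewAppLinkResolver.java, line(s) 233,6,7 com/perimeterx/msdk/internal/enforcers/a.java, line(s) 55,11
High: The application contains privacy trackers
This application contains 8 privacy trackers. Trackers can track the device or its users and are a privacy concern for end users.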
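Medium: Application data can be backed up
[android:allowBackup=true] This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.
Medium: Activity (com.auth0.android.provider.RedirectActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Activity (androidx.compose.ui.tooling.PreviewActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.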
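Medium: Service (com.calm.android.services.AudioService) is not protected.
[android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Service (com.calm.android.services.WearListenerService) is not protected.
[android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (com.calm.android.util.BootCompletedReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (com.calm.android.util.UpgradeReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (com.appsflyer.SingleInstallBroadcastReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Service (com.calm.android.widgets.DailyCalmWidgetUpdateJob) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Service (com.calm.android.widgets.SleepStoryWidgetUpdateJob) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (com.calm.android.widgets.DailyCalmWidget) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Broadcast Receiver (com.calm.android.widgets.RecommendedSleepStoryWidget) is not protected.
[android:exported=true] The Broadcast Receiver is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is shared with other apps on the device, leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application, so the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Activity (com.calm.android.mini.ui.home.MainMiniActivity) is not protected.
[android:exported=true] The Activity is shared with other apps on the device, leaving it accessible to any other application on the device.
Medium: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.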
Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc. https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: bolts/MeasurementEvent.java, line(s) 16,17 coil/memory/MemoryCache.java, line(s) 153 coil/memory/MemoryCacheService.java, line(s) 39 coil/request/Parameters.java, line(s) 108 com/amplitude/api/AmplitudeClient.java, line(s) 36,38,39,40,41,42,43,46 com/amplitude/experiment/Exposure.java, line(s) 109 com/amplitude/experiment/Variant.java, line(s) 149 com/amplitude/experiment/evaluation/EvaluationFlag.java, line(s) 184 com/amplitude/experiment/evaluation/EvaluationVariant.java, line(s) 192 com/auth0/android/authentication/AuthenticationAPIClient.java, line(s) 34,35,37,47,42,46,50,49,52,53,54,55,60,61,62,66,64 com/auth0/android/authentication/AuthenticationException.java, line(s) 22,24,26,25,30 com/auth0/android/authentication/ParameterBuilder.java, line(s) 15,16,17,21,30,31,32,35,25 com/auth0/android/management/ManagementException.java, line(s) 14,17,19,18 com/auth0/android/management/UsersAPIClient.java, line(s) 30,32 com/auth0/android/util/Auth0UserAgent.java, line(s) 19,22,20,23,24 com/calm/android/core/data/network/ErrorResponse.java, line(s) 12 com/calm/android/core/utils/notifications/NotificationsManager.java, line(s) 11,22,12,23,16,27 com/calm/android/mini/data/AppConfig.java, line(s) 10 com/calm/android/ui/tooltips/Tooltips.java, line(s) 27,38 com/iterable/iterableapi/IterableConstants.java, line(s) 53,84,239,240,241,242,244,247,249,251 com/iterable/iterableapi/IterableKeychain.java, line(s) 26,24,25 com/segment/analytics/Analytics.java, line(s) 46,47,50,51 com/segment/analytics/AnalyticsContext.java, line(s) 288,287,28,40,27,32,41,42,222,49,33,50,289,365,34,322,35,366,38,39,323,290,223,291,30,36,46,224,292,367,29,43,45,48,51,225,324,226,53,293,54,294,368,369,55,31,37,47,52,44 com/segment/analytics/GetDeviceIdTask.java, line(s) 18 com/segment/analytics/Options.java, line(s) 9 
com/segment/analytics/ProjectSettings.java, line(s) 9,10,11,12,13 com/segment/analytics/Properties.java, line(s) 10,11,12,13,14,238,15,239,16,17,18,240,241,19,20,21,22,23,24,242,25,26,27,28,29,30 com/segment/analytics/SegmentIntegration.java, line(s) 42 com/segment/analytics/Traits.java, line(s) 14,15,16,17,18,259,260,19,20,21,22,23,24,25,26,27,28,29,261,262,263,30,32,31,33 com/segment/analytics/integrations/AliasPayload.java, line(s) 10 com/segment/analytics/integrations/BasePayload.java, line(s) 14,15,16,17,19,20,21 com/segment/analytics/integrations/GroupPayload.java, line(s) 12,13 com/segment/analytics/integrations/IdentifyPayload.java, line(s) 12 com/segment/analytics/integrations/ScreenPayload.java, line(s) 12,13,14 com/segment/analytics/integrations/TrackPayload.java, line(s) 12,13 io/bitdrift/capture/events/lifecycle/AppExitLogger.java, line(s) 32,33,35,36,37,38,39,40,41,42,43 io/bitdrift/capture/network/okhttp/OkHttpNetworkKt.java, line(s) 10 io/bitdrift/capture/providers/Field.java, line(s) 54 org/jcodec/containers/mxf/model/KLV.java, line(s) 56
Medium: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist
Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: bolts/WebViewAppLinkResolver.java, line(s) 223,199 com/calm/android/auth/apple/SignInWebViewDialogFragment.java, line(s) 124,115
Medium: The application uses an insecure random number generator
The application uses an insecure random number generator https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/appsflyer/internal/AFb1gSDK.java, line(s) 16 com/calm/android/audio/utils/PlaylistShuffleOrder.java, line(s) 10 com/calm/android/ui/mood/MoodNoteFormViewModel.java, line(s) 35 com/calm/android/ui/utils/MoodNoteFormViewModel.java, line(s) 33 com/calm/android/util/binding/ViewBindingsKt.java, line(s) 36 com/flaviofaria/kenburnsview/RandomTransitionGenerator.java, line(s) 6 com/perimeterx/msdk/a/o/h/b.java, line(s) 3
Medium: The application can read/write external storage. Any application can read data written to external storage
The application can read/write external storage. Any application can read data written to external storage https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/calm/android/base/downloads/DownloadManager.java, line(s) 95,101 com/calm/android/base/downloads/DownloadWorker.java, line(s) 188 com/calm/android/core/data/downloads/GenericDownloadWorker.java, line(s) 75 io/bitdrift/capture/events/performance/DiskUsageMonitor.java, line(s) 66
Medium: MD5 is a weak hash known to have hash collisions
MD5 is a weak hash known to have hash collisions https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/calm/android/base/extensions/StringKt.java, line(s) 38 org/jcodec/common/tools/MD5.java, line(s) 22
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/amplitude/api/DatabaseHelper.java, line(s) 6,7,8,9,10,366,367,368,369,667,668,669,670,700,711,712 com/calm/android/core/data/db/DatabaseHelper.java, line(s) 6,125 com/iterable/iterableapi/IterableDatabaseManager.java, line(s) 4,5,21 com/iterable/iterableapi/IterableTaskStorage.java, line(s) 8,134,175,197
Medium: The application creates temporary files. Sensitive information should never be written to a temporary file
The application creates temporary files. Sensitive information should never be written to a temporary file Files: coil/decode/SourceImageSource.java, line(s) 67 org/jcodec/testing/TestTool.java, line(s) 33,34,35
Medium: IP address disclosure
IP address disclosure Files: io/bitdrift/capture/replay/ReplayPreviewClient.java, line(s) 57
Medium: SHA-1 is a weak hash known to have hash collisions
SHA-1 is a weak hash known to have hash collisions https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/perimeterx/msdk/a/o/a.java, line(s) 12
Medium: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure they are not secrets or private information.
Info: The application logs information. Sensitive information must not be logged
The application logs information. Sensitive information must not be logged https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: bolts/MeasurementEvent.java, line(s) 49,61 com/amplitude/api/AmplitudeLog.java, line(s) 22,29,40,51,62,69,73,98,105,112,119,126,133,140,147 com/amplitude/experiment/evaluation/DefaultLogger.java, line(s) 33,42,45,53,61,70,80 com/amplitude/experiment/util/AndroidLogger.java, line(s) 20,27,34,42,49 com/appsflyer/internal/AFh1ySDK.java, line(s) 72,102,68,55,62,59 com/auth0/android/authentication/AuthenticationException.java, line(s) 114 com/auth0/android/authentication/storage/CryptoUtil.java, line(s) 76,78,106,110,122,135,139,151,171,175,179,189,204,208,218,239,272,276,280,284,288,297 com/auth0/android/authentication/storage/SecureCredentialsManager.java, line(s) 135,262,295,349 com/auth0/android/provider/AlgorithmHelper.java, line(s) 41 com/auth0/android/provider/AuthProvider.java, line(s) 87,68,64,84 com/auth0/android/provider/CallbackHelper.java, line(s) 36,40 com/auth0/android/provider/CustomTabsController.java, line(s) 50,112,119,85,60,69,100,124 com/auth0/android/provider/LogoutManager.java, line(s) 61 com/auth0/android/provider/OAuthManager.java, line(s) 250,293,99,160,314,145,280,290 com/auth0/android/provider/PermissionHandler.java, line(s) 35,63,29,55,39,49 com/auth0/android/provider/WebAuthProvider.java, line(s) 189,286,320 com/auth0/android/request/internal/BaseAuthenticationRequest.java, line(s) 70 com/auth0/android/request/internal/JwksDeserializer.java, line(s) 53,55 com/calm/android/audio/PackageValidator.java, line(s) 420 com/calm/android/base/analytics/Analytics.java, line(s) 275 com/calm/android/base/di/NetworkModule.java, line(s) 106 com/calm/android/base/util/Calm.java, line(s) 210 com/calm/android/core/data/db/DatabaseHelper.java, line(s) 692 com/calm/android/core/data/hawk/KeyStoreCryptography.java, line(s) 138,186,120,188 com/calm/android/core/utils/viewmodels/BaseComposeViewModel.java, line(s) 51,54 
com/calm/android/core/utils/viewmodels/BaseReducer.java, line(s) 57,60 com/calm/android/feat/hiltontv/composables/HiltonPlayerScreensKt$BlurredImage$1.java, line(s) 84 com/calm/android/media/WearListenerService.java, line(s) 435 com/calm/android/packs/utils/PackCellViewModel.java, line(s) 358 com/calm/android/services/WearListenerService.java, line(s) 445 com/calm/android/ui/endofsession/scrollable/ScrollableSessionEndFragment.java, line(s) 754 com/calm/android/ui/view/VideoPlayerView.java, line(s) 92,143,194 com/calm/android/ui/view/breathe/BreatheTechniqueItem.java, line(s) 95 com/calm/android/ui/webview/WebviewActivity.java, line(s) 80 com/calm/android/util/binding/TextViewBindingsKt.java, line(s) 94 com/calm/android/wearable/data/WearSyncManager.java, line(s) 115,138,158,212 com/iterable/iterableapi/IterableActionRunner.java, line(s) 60 com/iterable/iterableapi/IterableLogger.java, line(s) 8,14,38,44,20,26,32 com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 117 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 268,308 com/perimeterx/msdk/a/o/b.java, line(s) 38,132,28,32,82,100,114,123,126 com/segment/analytics/integrations/Logger.java, line(s) 30,36,24,18 com/wang/avi/AVLoadingIndicatorView.java, line(s) 204 dagger/android/AndroidInjection.java, line(s) 30,29 io/bitdrift/capture/Capture.java, line(s) 278,286,290 io/bitdrift/capture/DeviceCodeService.java, line(s) 99 io/bitdrift/capture/ErrorHandler.java, line(s) 29 io/bitdrift/capture/error/ErrorReporterService.java, line(s) 89,129,81,86 io/bitdrift/capture/network/okhttp/OkHttpApiClient$perform$2.java, line(s) 59 io/bitdrift/capture/providers/MetadataProvider.java, line(s) 80,48 io/bitdrift/capture/replay/ReplayPreviewClient.java, line(s) 66,124,130,136,142,148,154 io/bitdrift/capture/replay/internal/WindowSpy.java, line(s) 25,44 io/github/douglasjunior/androidSimpleTooltip/SimpleTooltip.java, line(s) 694 org/greenrobot/eventbus/BackgroundPoster.java, line(s) 41 
org/greenrobot/eventbus/EventBus.java, line(s) 290,429,431,440,172 org/greenrobot/eventbus/util/AsyncExecutor.java, line(s) 98 org/greenrobot/eventbus/util/ErrorDialogConfig.java, line(s) 34 org/greenrobot/eventbus/util/ErrorDialogManager.java, line(s) 181 org/greenrobot/eventbus/util/ExceptionToResourceMapping.java, line(s) 26 org/jcodec/audio/Audio.java, line(s) 46,48 org/jcodec/codecs/aac/blocks/BlockICS.java, line(s) 213,229 org/jcodec/codecs/mpeg12/FixHLSTimestamps.java, line(s) 15 org/jcodec/codecs/mpeg12/HLSFixPMT.java, line(s) 15,16,64 org/jcodec/codecs/mpeg12/MTSMediaInfo.java, line(s) 25 org/jcodec/codecs/prores/ProresDecoder.java, line(s) 275 org/jcodec/codecs/prores/ProresToThumb.java, line(s) 63 org/jcodec/codecs/vp8/Macroblock.java, line(s) 372,637 org/jcodec/common/tools/Debug.java, line(s) 18,21,28,30,38,41,49,52 org/jcodec/common/tools/MainUtils.java, line(s) 217,230,231,232 org/jcodec/common/tools/WavMerge.java, line(s) 8 org/jcodec/common/tools/WavSplit.java, line(s) 50 org/jcodec/containers/mkv/CuesFactory.java, line(s) 74,103 org/jcodec/containers/mkv/MKVParser.java, line(s) 124 org/jcodec/containers/mkv/MKVType.java, line(s) 465 org/jcodec/containers/mkv/SeekHeadFactory.java, line(s) 89,96,56 org/jcodec/containers/mkv/boxes/EbmlMaster.java, line(s) 28 org/jcodec/containers/mkv/boxes/MkvBlock.java, line(s) 237 org/jcodec/containers/mkv/boxes/MkvSegment.java, line(s) 24 org/jcodec/containers/mps/MPSDump.java, line(s) 88,92,100,102,136,145,162,188,217,221,237,241,245,249,253,261,265 org/jcodec/containers/mps/MTSDump.java, line(s) 79,98,133 org/jcodec/containers/mps/index/MPSIndexer.java, line(s) 20 org/jcodec/containers/mps/index/MTSIndexer.java, line(s) 54 org/jcodec/containers/mxf/model/WaveAudioDescriptor.java, line(s) 132 org/jcodec/movtool/ChangeTimescale.java, line(s) 13,18 org/jcodec/movtool/Cut.java, line(s) 36 org/jcodec/movtool/Flattern.java, line(s) 60 org/jcodec/movtool/MovDump.java, line(s) 62,63,90,95,108 
org/jcodec/movtool/Paste.java, line(s) 56 org/jcodec/movtool/QTEdit.java, line(s) 56,67,71,76,83,84,85,87 org/jcodec/movtool/QTRefEdit.java, line(s) 32,43,47,52,57,61,66,70,71,72,74 org/jcodec/movtool/ReExport.java, line(s) 13 org/jcodec/movtool/Remux.java, line(s) 65 org/jcodec/movtool/SetPAR.java, line(s) 17 org/jcodec/movtool/Strip.java, line(s) 54 org/jcodec/movtool/Undo.java, line(s) 38,39,54,48 org/jcodec/movtool/WebOptimize.java, line(s) 10 org/jcodec/movtool/streaming/MovieRange.java, line(s) 30,34 org/jcodec/movtool/streaming/VirtualMovie.java, line(s) 86 org/jcodec/movtool/streaming/tracks/TranscodeTrack.java, line(s) 82 org/jcodec/testing/TestTool.java, line(s) 44,111,136,137 org/jcodec/testing/VerifyTool.java, line(s) 29,33,36,44 org/joda/time/tz/DateTimeZoneBuilder.java, line(s) 880,881,906 org/joda/time/tz/ZoneInfoCompiler.java, line(s) 58,59,60,61,62,195,214,227,239,242,247,266,282,338,562 timber/log/Timber.java, line(s) 398,417
Info: The application can write to the application directory. Sensitive information should be encrypted
The application can write to the application directory. Sensitive information should be encrypted Files: com/auth0/android/authentication/storage/SharedPreferencesStorage.java, line(s) 38,38 com/iterable/iterableapi/IterableKeychain.java, line(s) 81
Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it
This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/amplitude/eventexplorer/EventExplorerInfoActivity.java, line(s) 5,25 com/calm/android/debug/DebugActivity.java, line(s) 8,479,664,480,665
Secure: This application may have root detection capabilities
This application may have root detection capabilities https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/calm/android/core/utils/DeviceUtils.java, line(s) 67,54,54,54,54,54,54 com/perimeterx/msdk/a/l/d.java, line(s) 120,23,23,23,23,23,23
Secure: This application uses SSL pinning to detect or prevent MITM attacks in secure communication channels
This application uses SSL pinning to detect or prevent MITM attacks in secure communication channels https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/amplitude/api/PinnedAmplitudeClient.java, line(s) 65,135,64,133,135,61,130,53,53,124,124 com/calm/android/base/util/Calm.java, line(s) 134,151,158,202 com/calm/android/core/data/network/NetworkManager.java, line(s) 42,42 com/perimeterx/msdk/a/c.java, line(s) 71,216,216,216,216,216,216,236,301,306,216 com/perimeterx/msdk/a/o/g.java, line(s) 35,20,34,33,33