安全分析报告:
安全分数
安全分数 55/100
风险评级
等级
- A
- B
- C
- F
严重性分布 (%)
隐私风险
2
用户/设备跟踪器
调研结果
高危
0
中危
12
信息
1
安全
1
关注
1
中危 应用程序数据存在被泄露的风险
未设置[android:allowBackup]标志 这个标志 [android:allowBackup]应该设置为false。默认情况下它被设置为true,允许任何人通过adb备份你的应用程序数据。它允许已经启用了USB调试的用户从设备上复制应用程序数据。
中危 Broadcast Receiver (io.flutter.plugins.firebase.messaging.FlutterFirebaseMessagingReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护, 但是应该检查权限的保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 发现一个 Broadcast Receiver被共享给了设备上的其他应用程序,因此让它可以被设备上的任何其他应用程序访问。它受到一个在分析的应用程序中没有定义的权限的保护。因此,应该在定义它的地方检查权限的保护级别。如果它被设置为普通或危险,一个恶意应用程序可以请求并获得这个权限,并与该组件交互。如果它被设置为签名,只有使用相同证书签名的应用程序才能获得这个权限。
中危 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: a3/w2.java, line(s) 19 fa/a.java, line(s) 3 fa/b.java, line(s) 4 ga/a.java, line(s) 4 j3/ya.java, line(s) 33 j9/c0.java, line(s) 17 j9/e0.java, line(s) 4 j9/z1.java, line(s) 14 k9/i.java, line(s) 37 q6/g0.java, line(s) 19 q9/e.java, line(s) 22 q9/h.java, line(s) 17
中危 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: j3/ya.java, line(s) 149
中危 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: j3/b.java, line(s) 6,291 j3/jb.java, line(s) 4,50 j3/n.java, line(s) 10,11,93 j3/o.java, line(s) 4,5,34 j3/qa.java, line(s) 20,21,414 j3/s3.java, line(s) 6,7,8,9,531 l6/y3.java, line(s) 6,7,283 l6/z2.java, line(s) 5,6,7,8,9,10,11,12,13,155 v7/i.java, line(s) 9,10,11,12,13,405 z1/m0.java, line(s) 6,7,76 z1/t0.java, line(s) 4,5,135
中危 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: c9/h.java, line(s) 108,130 c9/i.java, line(s) 128 y/b.java, line(s) 216
中危 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, line(s) 130 com/dexterous/flutterlocalnotifications/models/NotificationDetails.java, line(s) 54,68 j9/m2.java, line(s) 79 k6/a.java, line(s) 71 m6/b.java, line(s) 53 m6/s.java, line(s) 176 n6/f.java, line(s) 97 p6/w0.java, line(s) 65 q5/e.java, line(s) 81
中危 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: b7/c0.java, line(s) 72 s6/k.java, line(s) 73 x6/b.java, line(s) 52 z7/a.java, line(s) 113
中危 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: x6/c.java, line(s) 52
中危 应用程序包含隐私跟踪程序
此应用程序有多个2隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 凭证信息=> "com.google.android.geo.API_KEY" : "AIzaSyBnZF0L4PqQ-WP8g0gBcAonH_tZryfUnA4" "com.google.firebase.crashlytics.mapping_file_id" : "848407eb425f4f6898aaa886938df802" "google_api_key" : "AIzaSyBnZF0L4PqQ-WP8g0gBcAonH_tZryfUnA4" "google_crash_reporting_api_key" : "AIzaSyBnZF0L4PqQ-WP8g0gBcAonH_tZryfUnA4" 470fa2b4ae81cd56ecbcda9735803434cec591fa VGhpcyBpcyB0aGUgcHJlZml4IGZvciBCaWdJbnRlZ2Vy
信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: a0/c.java, line(s) 394,399 a0/e.java, line(s) 70 a0/f.java, line(s) 41,73 a0/g.java, line(s) 56,216 a0/k.java, line(s) 104 a3/b1.java, line(s) 21 a3/h6.java, line(s) 61 a3/i6.java, line(s) 55,73 a3/j6.java, line(s) 19 a3/o6.java, line(s) 15 a3/p6.java, line(s) 18 a3/q6.java, line(s) 15 a3/u1.java, line(s) 60 a3/v0.java, line(s) 27,36,64,78,26,35,63 a3/v5.java, line(s) 37 a3/w2.java, line(s) 75,61,72,81,124,135,170,176 a3/z5.java, line(s) 102 a9/a.java, line(s) 15 a9/e.java, line(s) 107,159,66,69,99 a9/z.java, line(s) 214,219,252 b7/a1.java, line(s) 26,25 b7/c.java, line(s) 236,303,306,153,167,177,201,221,232,263,270 b7/c0.java, line(s) 124,101,119 b7/d.java, line(s) 69,68,91,95,97 b7/d1.java, line(s) 91,95,103,112,126,147,162,134,139,155,90,94,102,111,122,146,161,42 b7/e0.java, line(s) 58,49,50,57,79,80,35 b7/g.java, line(s) 89,88 b7/g0.java, line(s) 76,95,108 b7/j0.java, line(s) 27 b7/k.java, line(s) 26,25 b7/n.java, line(s) 27 b7/o0.java, line(s) 40,49,74,84,117,54,57,60,108,111,39,73,83,116 b7/q0.java, line(s) 63 b7/r0.java, line(s) 39,49,90,84,119,67,67,87,101,105 b7/s0.java, line(s) 36 b7/v0.java, line(s) 150,157,164,171,182,78,78 b7/w0.java, line(s) 42,55,97,148,96,114,114,142,163,176,192 b8/b.java, line(s) 10,14,28,32 c1/b.java, line(s) 25 c1/c.java, line(s) 67,56 c9/i.java, line(s) 172 com/baseflow/geolocator/GeolocatorLocationService.java, line(s) 83,97,100,112,117,180,190,197,203,208,219 com/dexterous/flutterlocalnotifications/ActionBroadcastReceiver.java, line(s) 71,80 com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, line(s) 1082,1143,1794 com/dexterous/flutterlocalnotifications/ScheduledNotificationReceiver.java, line(s) 36 d/e.java, line(s) 2014,1033,1039,1640,2041,2281 d/g.java, line(s) 94 d/h.java, line(s) 46,56,73,85,97,106,119,133,145 d/j.java, line(s) 60,75 d2/a.java, line(s) 104,200 d2/d.java, line(s) 23,41,50,60 d9/l.java, line(s) 132 e0/h.java, line(s) 42 e1/c.java, line(s) 49 e1/k.java, line(s) 274,262 e1/n.java, line(s) 135,52,63,67,95,98,124 e3/e.java, line(s) 33,58,68 e4/a.java, line(s) 673 e9/a.java, line(s) 63,52 e9/b.java, line(s) 35,38 e9/c.java, line(s) 15,33,48 f3/e0.java, line(s) 23,56,32 g1/j.java, line(s) 56,113 g3/d.java, line(s) 63 h/g.java, line(s) 168,211,270 h0/c.java, line(s) 19 h1/b.java, line(s) 99,109,129 h2/b.java, line(s) 85,98,74 h2/d.java, line(s) 84,97,122,191,235,250,82,96,121,186,230,249,118,134,146,257,278,298 h2/h.java, line(s) 15,12,12 h2/r.java, line(s) 38,77,137,34,75,90,132,181,205,230,261,91,182,206,231,262,46,172 h2/s.java, line(s) 25 h2/u.java, line(s) 35,49,27,41 h2/x.java, line(s) 67,62 h2/y.java, line(s) 50,33,70 i/c.java, line(s) 276 i0/b.java, line(s) 64 i0/c0.java, line(s) 373,389,128,140,147,156,43,62,364 i0/h.java, line(s) 69 i0/s.java, line(s) 993 i0/u.java, line(s) 41,52 i0/w.java, line(s) 43,52,66,86,100,115,129 i2/b0.java, line(s) 70,88,92,120,127,53 i2/e.java, line(s) 112,157,164 i2/g0.java, line(s) 31,34,55 i2/j.java, line(s) 37,105,50,88,148,154,163,166 i2/k.java, line(s) 41,77 i2/l0.java, line(s) 54,56,50 i2/o.java, line(s) 24 i2/x.java, line(s) 49 i4/d.java, line(s) 149,182 i5/g.java, line(s) 34,41,44,53,87 i5/o.java, line(s) 192 i9/a.java, line(s) 121,203,206,210 j0/c.java, line(s) 186 j1/a.java, line(s) 17 j1/n.java, line(s) 49,112,116,237,245,251,259 j1/o.java, line(s) 263,267,272 j1/p.java, line(s) 34 j3/b.java, line(s) 720 j3/kb.java, line(s) 55 j3/o6.java, line(s) 15 j3/qa.java, line(s) 709,878,1934 j3/z3.java, line(s) 177 j4/b.java, line(s) 40 k2/c1.java, line(s) 49 k2/e.java, line(s) 243,351 k2/e0.java, line(s) 145,545 k2/h0.java, line(s) 49 k2/i0.java, line(s) 50 k3/a.java, line(s) 55,74,73,32,49 l2/a.java, line(s) 18 l2/b1.java, line(s) 45 l2/c.java, line(s) 349,367,451,455,459,465 l2/c0.java, line(s) 95,98,102,106,110,114,123,127,130,133,165,173 l2/f0.java, line(s) 26 l2/h1.java, line(s) 53,58 l2/k1.java, line(s) 50 l2/u0.java, line(s) 33 l2/x0.java, line(s) 101 l2/y0.java, line(s) 28 l2/z0.java, line(s) 29 l4/g.java, line(s) 663 l5/f.java, line(s) 31,41,22,51,61,71 m3/a.java, line(s) 75,79 n3/a.java, line(s) 122,189,267,270,136,203 o2/a.java, line(s) 80,91 o5/m.java, line(s) 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147 p0/c.java, line(s) 636 p2/f.java, line(s) 16 p2/n.java, line(s) 16,15 p2/o.java, line(s) 174,195,65,72,147,156,209 q3/h.java, line(s) 51 q6/v.java, line(s) 46,48 r/f.java, line(s) 96 r0/a.java, line(s) 31 s0/b.java, line(s) 34,42,60 s1/k.java, line(s) 37,44,47,55,85,90,95,100,105 s2/h.java, line(s) 25 s6/k.java, line(s) 134,106,129 s6/n.java, line(s) 76,96,114 s6/s.java, line(s) 30,40,29,39 t/a.java, line(s) 194,105,169 t2/b.java, line(s) 36,100 u0/a.java, line(s) 166,171,178,182,198,208 u8/a.java, line(s) 18,21 v1/a.java, line(s) 15,22,29,14,21,28,42,43,49,50 v6/b.java, line(s) 34,50,58,81 v7/c0.java, line(s) 82,131,180,243,258,316,329,335,352,357,445,454,86,449 v7/e0.java, line(s) 25 v7/i.java, line(s) 177,338,354,411,419,463,536,613,670,434,636 w8/n.java, line(s) 494 x/c.java, line(s) 91,247 x/h.java, line(s) 42 x/m.java, line(s) 183,199,205,253,284,294,305,313,182,198,204,252,283,293,304,312,136,208,258,275 x/q.java, line(s) 66 x0/a.java, line(s) 76 x6/b.java, line(s) 56,77 x8/b.java, line(s) 406,362 y0/e0.java, line(s) 41 y6/c.java, line(s) 97,275,278,105,106,309,315 z/c.java, line(s) 57 z/d.java, line(s) 65 z/h.java, line(s) 200,211,222,84,93 z0/g.java, line(s) 1017 z4/f.java, line(s) 264,363,367,230 z8/a.java, line(s) 29
安全 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/MobSF/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: a3/i6.java, line(s) 30 o5/h.java, line(s) 81,81,82
关注 应用程序可能与位于OFAC制裁国家 (中国) 的服务器 (firebase-settings.crashlytics.com) 通信。
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}