Security baseline score: 49/100
Overall risk level (rating scale):
- A
- B
- C
- F
Distribution of vulnerabilities and security items (%)
Privacy risk: 0 third-party trackers detected
Distribution of findings:
- High-risk vulnerabilities: 3
- Medium-risk vulnerabilities: 14
- Security notices (informational): 2
- Passed security checks: 2
- Key security concerns: 1
High-risk vulnerability: Activity (com.stardust.auojs.inrt.SplashActivity) is vulnerable to StrandHogg 2.0
The Activity is affected by the StrandHogg 2.0 task-hijacking vulnerability. An attacker can place a malicious Activity on top of the vulnerable app's task stack, making the app an easy phishing target. Mitigate by setting the launch mode to "singleInstance" with an empty taskAffinity (taskAffinity=""), or fix it at the platform level by raising the app's target SDK version (28) to 29 or higher.
High-risk vulnerability: Debug configuration is enabled. Production builds must not be debuggable
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: jackpal/androidterm/BuildConfig.java, line(s) 3,6
High-risk vulnerability: The app uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/stardust/util/AdvancedEncryptionStandard.java, line(s) 138
Medium-risk vulnerability: The app allows cleartext network traffic
[android:usesCleartextTraffic=true] The app permits cleartext network traffic (e.g. HTTP, FTP, DownloadManager, MediaPlayer). This is enabled by default on API level 27 and below and disabled by default on 28 and above. Cleartext traffic has no confidentiality, integrity or authenticity protection, so an attacker can eavesdrop on or tamper with the transmitted data. Disable cleartext traffic and use only encrypted protocols.
Medium-risk vulnerability: Activity has a TaskAffinity attribute set
Activity (com.stardust.autojs.core.permission.PermissionRequestActivity) sets a taskAffinity, so other apps can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-risk vulnerability: Activity has a TaskAffinity attribute set
Activity (com.stardust.autojs.core.image.capture.ScreenCaptureRequestActivity) sets a taskAffinity, so other apps can read the Intents sent to this Activity. To prevent leaking sensitive information, keep the default affinity (the package name).
Medium-risk vulnerability: The app can read/write external storage. Any app can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/baidu/paddle/lite/demo/ocr/Predictor.java, line(s) 643 com/baidu/paddle/lite/demo/ocr/Utils.java, line(s) 79 com/linsh/utilseverywhere/CleanUtils.java, line(s) 37 com/linsh/utilseverywhere/FileUtils.java, line(s) 42,46,101 com/linsh/utilseverywhere/SDCardUtils.java, line(s) 13,26,32,39,51 com/linsh/utilseverywhere/UriUtils.java, line(s) 39,57 com/stardust/auojs/inrt/Pref.java, line(s) 73 com/stardust/auojs/inrt/util/UpdateUtil.java, line(s) 159 com/stardust/pio/PFiles.java, line(s) 571,673,678 jackpal/androidterm/shortcuts/AddShortcut.java, line(s) 104 jackpal/androidterm/shortcuts/FSNavigator.java, line(s) 96,153
Medium-risk vulnerability: The app uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/fanjun/keeplive/config/NotificationUtils.java, line(s) 12 com/linsh/utilseverywhere/RandomUtils.java, line(s) 3 com/stardust/auojs/inrt/pluginclient/JsonWebSocket.java, line(s) 17 com/stardust/automator/test/TestUiObject.java, line(s) 7
Medium-risk vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords or keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: jackpal/androidterm/TermPreferences.java, line(s) 13,14 jackpal/androidterm/util/TermSettings.java, line(s) 8,40,14,22,23,24,39,26,28,30,31,32,35,41,42,43,45,46
Medium-risk vulnerability: IP address disclosure
Files: com/afollestad/materialdialogs/BuildConfig.java, line(s) 9 com/stardust/auojs/inrt/SplashActivity$onCreate$1.java, line(s) 141 com/stardust/autojs/rhino/debug/Dim.java, line(s) 156
Medium-risk vulnerability: MD5 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/stardust/util/DeveloperUtils.java, line(s) 152 com/stardust/util/HashUtils.java, line(s) 10 com/stardust/util/MD5.java, line(s) 9
Medium-risk vulnerability: Insecure WebView implementation. Possible WebView arbitrary code execution vulnerability
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/stardust/auojs/inrt/FeatureActivity.java, line(s) 69,58 com/stardust/autojs/core/web/InjectableWebClient.java, line(s) 48,50
Medium-risk vulnerability: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/stardust/autojs/core/database/Database.java, line(s) 6,7,8,16 com/stardust/autojs/core/database/Transaction.java, line(s) 3,17
Medium-risk vulnerability: The app creates temporary files. Sensitive information should never be written to temporary files
Files: com/stardust/pio/PFiles.java, line(s) 513
Medium-risk vulnerability: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/stardust/autojs/core/web/InjectableWebClient.java, line(s) 51,50
Medium-risk vulnerability: SHA-1 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: jackpal/androidterm/compat/PRNGFixes.java, line(s) 63,67
Medium-risk vulnerability: This app may contain hard-coded secrets
The following possible secrets were identified in the app. Verify that none of them is secret or private information:
- "pref_controlkey_default" : "5"
- "key_use_volume_control_running" : "key_use_volume_control_running"
- "key_stable_mode" : "key_stable_mode"
- "key_enable_floating_window" : "key_enable_floating_window"
- "key_print_java_stack_trace" : "key_print_java_stack_trace"
- "library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1"
- "key_dont_show_main_activity" : "key_dont_show_main_activity"
- "key_keep_running_with_foreground_service" : "key_keep_running_with_foreground_service"
- "pref_fnkey_default" : "4"
- "special_keys" : "Spezialtasten"
- "key_enable_accessibility_service_by_root" : "key_enable_accessibility_service_by_root"
- "key_enable_accessibility_service" : "key_enable_accessibility_service"
Security notice: The app writes log messages. Sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/afollestad/materialdialogs/MaterialDialog.java, line(s) 1488 com/baidu/paddle/lite/demo/ocr/OCRPredictorNative.java, line(s) 36,49,141 com/baidu/paddle/lite/demo/ocr/Predictor.java, line(s) 295,301,305,309,313,317,422,446,267,283,337,344,350,358,368,414,484,491,533,548,577,632,658,753,760,803,845 com/dhh/websocket/RxWebSocketUtil.java, line(s) 111,234,278,286,262 com/linsh/utilseverywhere/ContextUtils.java, line(s) 56 com/linsh/utilseverywhere/DrawableUtils.java, line(s) 143 com/linsh/utilseverywhere/FragmentUtils.java, line(s) 262 com/linsh/utilseverywhere/LogUtils.java, line(s) 115,121,144 com/linsh/utilseverywhere/UriUtils.java, line(s) 34,41,49,90,92,106,119,127,133,145,149,156,159 com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 117 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 268,308 com/stardust/ToastKt.java, line(s) 40 com/stardust/app/GlobalAppContext.java, line(s) 61 com/stardust/app/permission/PermissionsSettingsUtil.java, line(s) 32,110 com/stardust/auojs/inrt/App.java, line(s) 138 com/stardust/auojs/inrt/SettingsActivity.java, line(s) 56,57 com/stardust/auojs/inrt/SplashActivity$onCreate$1.java, line(s) 133 com/stardust/auojs/inrt/launch/AssetsProjectLauncher.java, line(s) 63,67 com/stardust/auojs/inrt/pluginclient/AutoXKeepLiveService.java, line(s) 12,19,24 com/stardust/auojs/inrt/pluginclient/DevPluginResponseHandler.java, line(s) 58,96 com/stardust/auojs/inrt/pluginclient/DevPluginService.java, line(s) 176,245,178,185 com/stardust/auojs/inrt/pluginclient/JsonWebSocket.java, line(s) 55,60,70,77,100,84 com/stardust/auojs/inrt/pluginclient/Router.java, line(s) 29,32,53 com/stardust/auojs/inrt/util/UpdateUtil.java, line(s) 157,180 com/stardust/autojs/core/accessibility/UiSelector.java, line(s) 68 com/stardust/autojs/core/activity/ActivityInfoProvider.java, line(s) 144,213,132 
com/stardust/autojs/core/console/ConsoleImpl.java, line(s) 168,182 com/stardust/autojs/core/console/GlobalConsole.java, line(s) 44 com/stardust/autojs/core/floaty/RawWindow.java, line(s) 43 com/stardust/autojs/core/graphics/ScriptCanvasView.java, line(s) 149,253,264 com/stardust/autojs/core/image/capture/CaptureForegroundService.java, line(s) 54 com/stardust/autojs/core/inputevent/InputDevices.java, line(s) 20 com/stardust/autojs/core/inputevent/RootAutomator.java, line(s) 271,275 com/stardust/autojs/core/looper/Loopers$servantLooper$1.java, line(s) 105 com/stardust/autojs/core/looper/Loopers.java, line(s) 179,228,236,242,246,255,118,193 com/stardust/autojs/core/record/inputevent/InputEventToAutoFileRecorder.java, line(s) 54,87,94,99,105,108 com/stardust/autojs/core/ui/ViewExtras.java, line(s) 20 com/stardust/autojs/core/ui/inflater/DynamicLayoutInflater.java, line(s) 311 com/stardust/autojs/core/util/ProcessShell.java, line(s) 61 com/stardust/autojs/core/util/Shell.java, line(s) 152 com/stardust/autojs/core/web/InjectableWebClient.java, line(s) 26,103,105 com/stardust/autojs/core/web/JsBridge.java, line(s) 305 com/stardust/autojs/engine/RhinoJavaScriptEngine.java, line(s) 129,136 com/stardust/autojs/engine/RootAutomatorEngine.java, line(s) 50 com/stardust/autojs/execution/RunnableScriptExecution.java, line(s) 57 com/stardust/autojs/execution/ScriptExecuteActivity.java, line(s) 248 com/stardust/autojs/rhino/AndroidClassLoader.java, line(s) 42,100,133 com/stardust/autojs/rhino/AndroidContextFactory.java, line(s) 81,87 com/stardust/autojs/rhino/debug/Debugger.java, line(s) 63 com/stardust/autojs/rhino/debug/Dim.java, line(s) 168 com/stardust/autojs/runtime/ScriptRuntime.java, line(s) 363 com/stardust/autojs/runtime/api/AppUtils.java, line(s) 84,115 com/stardust/autojs/runtime/api/GoogleMLKit.java, line(s) 146,190 com/stardust/autojs/workground/WrapContentLinearLayoutManager.java, line(s) 26 com/stardust/automator/UiObject.java, line(s) 443 
com/stardust/automator/simple_action/ScrollMaxAction.java, line(s) 84 com/stardust/util/ResourceMonitor.java, line(s) 79 com/stardust/view/accessibility/AccessibilityNodeInfoAllocator.java, line(s) 126,121 com/stardust/view/accessibility/AccessibilityNotificationObserver.java, line(s) 112,117,133,147 com/stardust/view/accessibility/AccessibilityService.java, line(s) 159,170 com/stardust/view/accessibility/LayoutInspector.java, line(s) 45,51 com/stardust/view/accessibility/OnKeyListener.java, line(s) 28 com/stericson/RootShell/RootShell.java, line(s) 268,266,262,273 com/stericson/RootShell/containers/RootClass.java, line(s) 178,44,58,61,118,131,175 curtains/internal/WindowManagerSpy.java, line(s) 25,90 curtains/internal/WindowSpy.java, line(s) 27,48 de/mindpipe/android/logging/log4j/LogCatAppender.java, line(s) 45,48,72,75,54,57,36,39,63,66,83,85 de/mindpipe/android/logging/log4j/LogConfigurator.java, line(s) 75 ezy/assist/compat/SettingsCompat.java, line(s) 90,101 jackpal/androidterm/GenericTermSession.java, line(s) 117,130 jackpal/androidterm/RemoteInterface.java, line(s) 52 jackpal/androidterm/RunShortcut.java, line(s) 24,30,46 jackpal/androidterm/ShellTermSession.java, line(s) 142,146,73,75 jackpal/androidterm/Term.java, line(s) 108,263,581 jackpal/androidterm/TermService.java, line(s) 80,142,51,59,62 jackpal/androidterm/WindowList.java, line(s) 81 jackpal/androidterm/compat/PRNGFixes.java, line(s) 99 jackpal/androidterm/compat/ServiceForegroundCompat.java, line(s) 25,27 jackpal/androidterm/emulatorview/EmulatorView.java, line(s) 651,908 jackpal/androidterm/emulatorview/TerminalEmulator.java, line(s) 391 jackpal/androidterm/emulatorview/UnicodeTranscript.java, line(s) 60,398,604 leakcanary/LogcatSharkLog.java, line(s) 19,24 me/zhanghai/android/materialprogressbar/HorizontalProgressDrawable.java, line(s) 78 me/zhanghai/android/materialprogressbar/MaterialProgressBar.java, line(s) 343,351 org/greenrobot/eventbus/Logger.java, line(s) 32,37 
org/mozilla/classfile/TypeInfo.java, line(s) 176,177,178,179,180 org/opencv/android/AsyncServiceHelper.java, line(s) 29,32,40,41,43,47,50,53,54,56,61,64,65,67,80,84,85,88,89,90,92,97,98,100,107,108,109,111,134,136,137,139,145,148,149,150,153,155,159,160,162,170,171,173,216,233,236,239,240,241,242,248,249,250,260,282,284,285,298,301,304,311,314,324,117,129,256,277,58 org/opencv/android/BaseLoaderCallback.java, line(s) 37,42,22,56 org/opencv/android/Camera2Renderer.java, line(s) 63,70,88,276,78,101,104,107,119,141,143,145,147,186,191,195,213,220,226,253,76,94,114,137,153,178,211,233,242,259 org/opencv/android/CameraBridgeViewBase.java, line(s) 115,169,248,259,280,292,375,158,331,332,335,382 org/opencv/android/CameraGLRendererBase.java, line(s) 99,141,150,177,216,221,231,250,289,295,301,302,305,311,316,327,184,193,206,212,253,108,116,123,370,374 org/opencv/android/CameraGLSurfaceView.java, line(s) 70,77 org/opencv/android/CameraRenderer.java, line(s) 18 org/opencv/android/FpsMeter.java, line(s) 61,51 org/opencv/android/JavaCamera2View.java, line(s) 309,111,121,150,153,156,170,174,213,219,223,267,279,282,285,91,100,116,136,139,164,202,211,229,241,265,272,292 org/opencv/android/JavaCameraView.java, line(s) 80,85,95,99,103,198 org/opencv/android/StaticHelper.java, line(s) 26,34,35,37,43,48,51,54,61,63,31,39
Security notice: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard because other apps can access it
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/linsh/utilseverywhere/ClipboardUtils.java, line(s) 4,16 com/stardust/util/ClipboardUtil.java, line(s) 4,9 jackpal/androidterm/emulatorview/compat/ClipboardManagerCompatV11.java, line(s) 4,26
Passed security check: This app uses SSL pinning to detect or prevent MITM attacks on secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/dhh/websocket/SSLHelper.java, line(s) 101,149,40,100,115,148,89,99,99,147,147
Passed security check: This app has no privacy trackers
This app includes no user or device trackers; none were found during static analysis.
Key security concern: The app may communicate with a server (mk.autoxjs.com) located in an OFAC-sanctioned country (China).
{'ip': '120.25.164.233', 'country_short': 'CN', 'country_long': '中国', 'region': '广东', 'city': '深圳', 'latitude': '22.545673', 'longitude': '114.068108'}