Security baseline score: 48/100
Overall risk level
Risk grade:
- A
- B
- C
- F
Distribution of vulnerabilities and security items (%)
Privacy risk: 2 (number of third-party trackers detected)
Distribution of findings:
High-severity vulnerabilities: 2
Medium-severity vulnerabilities: 12
Security notes: 2
Passed security checks: 1
Key security concerns: 2
High-severity vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: K1/a.java, line(s) 54
High-severity vulnerability: Insecure SSL implementation. Trusting all certificates or accepting self-signed certificates is a critical security vulnerability. This application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis
Files: com/j/facebook/C0239.java, line(s) 194,34,35,36,37
Medium-severity vulnerability: The application has cleartext network traffic enabled.
[android:usesCleartextTraffic=true] The application allows cleartext network traffic (for example HTTP, FTP, DownloadManager, MediaPlayer). This is enabled by default on API level 27 and below and disabled by default on API level 28 and above. Cleartext traffic lacks confidentiality, integrity, and authenticity protection; an attacker can eavesdrop on or tamper with the transmitted data. It is recommended to disable cleartext traffic and use only encrypted protocols.
Medium-severity vulnerability: Application data can be backed up.
[android:allowBackup=true] This flag allows application data to be backed up with the adb tool. A user who has enabled USB debugging can copy the application's data directly, which is a data leakage risk.
Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.microsoft.appcenter.distribute.DeepLinkActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-severity vulnerability: Broadcast Receiver (com.microsoft.appcenter.distribute.DownloadManagerReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission; any application can access it.
Medium-severity vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: D1/N.java, line(s) 24 D1/V.java, line(s) 20 E1/D.java, line(s) 6 R1/h0.java, line(s) 4 V4/j.java, line(s) 6 X0/C3825d0.java, line(s) 7 X0/C3835d0.java, line(s) 7 X0/K.java, line(s) 43 Z5/AbstractC4026a.java, line(s) 3 Z5/AbstractC4036a.java, line(s) 3 Z5/C4027b.java, line(s) 4 Z5/C4037b.java, line(s) 4 a5/a.java, line(s) 4 b1/z.java, line(s) 14 gh/C2399qi.java, line(s) 14 gh/C2409qi.java, line(s) 14 gh/iN.java, line(s) 30 l1/z.java, line(s) 39
Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: G5/C1967a.java, line(s) 4,5,20,22,28,29,30 G5/C1977a.java, line(s) 4,5,20,22,28,29,30 Z1/AbstractC4015c.java, line(s) 7,43 Z1/AbstractC4025c.java, line(s) 7,43 Z1/C4014b.java, line(s) 5,6,24 Z1/C4024b.java, line(s) 5,6,24 b1/j.java, line(s) 6,55,56 b1/q.java, line(s) 7,8,184,216,217 c3/j.java, line(s) 6,7,28 v2/b.java, line(s) 5,6,94
Medium-severity vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords, or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: H4/d.java, line(s) 285 I7/C2617a.java, line(s) 43 I7/C2627a.java, line(s) 43 P/C1186k0.java, line(s) 23 P/C1196k0.java, line(s) 23 W3/C3771a.java, line(s) 51 W3/C3781a.java, line(s) 51 Y1/C3977a.java, line(s) 87 Y1/C3987a.java, line(s) 87 Z6/T.java, line(s) 53 gh/tL.java, line(s) 84 k3/C2678c.java, line(s) 45 k3/C2688c.java, line(s) 45
Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: gh/C2444s.java, line(s) 73 gh/C2454s.java, line(s) 73 gh/fK.java, line(s) 320
Medium-severity vulnerability: SHA-1 is a weak hash with known hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: gh/C2443rz.java, line(s) 219 gh/C2453rz.java, line(s) 219
Medium-severity vulnerability: The application contains privacy trackers.
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-severity vulnerability: This application may contain hard-coded secrets.
The following candidate secrets were identified in the application; verify that they are not secret or private information:
"password" : "password"
"privacy_private" : "Private"
"username" : "username"
d5b0e5ef-46d3-4f1a-8297-9c91b78508d7
1786e897bf45e044128ee27b5553f67c
d8d39603eef0a8dd2b97c7e78d4d1e41
CqbzDyV5EGH0lhfrkWfIeHsBTs4
16a09e667f3bcc908b2fb1366ea957d3e3adec17512775099da2f590b0667322a
a2ee7da35741aa8a68349d16677381c9c06aff54
edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
Security note: The application writes log messages; sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Security note: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: E4/r.java, line(s) 9,98,99 E4/w.java, line(s) 5,29,30 X0/C3840l.java, line(s) 6,21,128 X0/C3850l.java, line(s) 6,21,128
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: C7/f.java, line(s) 71,70,69 C7/i.java, line(s) 84,74,83,91,82,82 C7/n.java, line(s) 72,71,70,70 C7/o.java, line(s) 103,91,102,101,101 gh/eO.java, line(s) 121,120,128,119,119
Key security concern: The application may communicate with a server (dashif.org) located in an OFAC-sanctioned country (China).
{'ip': '221.228.32.13', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '无锡', 'latitude': '31.569349', 'longitude': '120.288788'}
Key security concern: The application may communicate with a server (wwp.lanzoul.com) located in an OFAC-sanctioned country (China).
{'ip': '58.221.70.116', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}