Security Score: 48/100
Risk Rating (grade scale):
- A
- B
- C
- F
Severity Distribution (%)
Privacy Risk: 4 user/device trackers
Findings:
- High: 5
- Medium: 27
- Info: 4
- Secure: 3
- Hotspot: 2
High: The base config is configured to trust user-installed certificates.
Scope: *
High: App Link assetlinks.json file not found
[android:name=com.accepttomobile.common.ui.start.StartActivity][android:host=https://eg.coupang.acceptto.com] The App Link asset verification URL (https://eg.coupang.acceptto.com/.well-known/assetlinks.json) was not found or is configured incorrectly (status code: None). App Links let users be redirected from a web URL or e-mail into the mobile application. If this file is missing or misconfigured for the App Link host/domain, a malicious application can hijack such URLs. This may lead to phishing attacks and to leakage of sensitive data carried in the URI, such as PII, OAuth tokens, magic links/password reset tokens, etc. You must verify the App Link domain by hosting the assetlinks.json file and enabling verification via [android:autoVerify="true"] in the Activity intent-filter.
High: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: pj/b.java, line(s) 197,193
High: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: kd/k.java, line(s) 252,12 t5/k.java, line(s) 262,12
High: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: r3/f.java, line(s) 152
Medium: The base config is configured to trust system certificates.
Scope: *
Medium: Activity (com.accepttomobile.common.ui.start.StartActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Activity (com.accepttomobile.common.ui.start.StartActivity) is not protected.
[android:exported=true] The Activity is found to be shared with other apps on the device, and is therefore accessible to any other application on the device.
Medium: Activity (com.accepttomobile.common.ui.splash.SplashActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Activity (com.accepttomobile.common.ui.MainActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Activity (com.accepttomobile.common.ui.notification.NotificationActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Activity (com.accepttomobile.common.ui.lock.PasscodeActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Activity (com.accepttomobile.basic.BasicModeActivity) has the TaskAffinity attribute set
If taskAffinity is set, other applications may read the Intents sent to an Activity belonging to another task. To prevent other applications from reading sensitive information in sent or received Intents, always use the default setting, keeping the affinity as the package name.
Medium: Service (com.accepttomobile.common.wear.WearableReceiverService) is not protected.
[android:exported=true] The Service is found to be shared with other apps on the device, and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of that permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] A Broadcast Receiver is found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of that permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] A Service is found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the protection level of that permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Service (com.assaabloy.mobilekeys.api.hce.HceService) is protected by a permission, but the protection level of that permission should be checked.
Permission: android.permission.BIND_NFC_SERVICE [android:exported=true] A Service is found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: Broadcast Receiver (no.nordicsemi.android.support.v18.scanner.PendingIntentReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is found to be shared with other apps on the device, and is therefore accessible to any other application on the device.
Medium: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of that permission should be checked.
Permission: android.permission.DUMP [android:exported=true] A Broadcast Receiver is found to be shared with other apps on the device, making it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. The protection level of the permission should therefore be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
Medium: High-priority Intent (500) - {1} hit(s)
[android:priority] By setting a higher priority than another Intent, the application effectively overrides other requests.
Medium: Files may contain hard-coded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: a9/d.java, line(s) 37 a9/p.java, line(s) 95 a9/x.java, line(s) 84 com/acceptto/accepttofidocore/util/Constants.java, line(s) 49 com/acceptto/accepttopinauthenticator/utils/PinSettings.java, line(s) 13,14 com/acceptto/android/sdk/api/models/request/AuthenticateWithOptionsRequest.java, line(s) 116 com/acceptto/android/sdk/api/models/request/InviteRequest.java, line(s) 187 com/acceptto/android/sdk/api/models/request/SendQrCodeRequestContainer.java, line(s) 166 com/acceptto/android/sdk/api/models/request/UserRegisterRequest.java, line(s) 377 com/acceptto/android/sdk/api/models/response/ApplicationResponse.java, line(s) 161 com/acceptto/android/sdk/api/models/response/UserRegisterResponse.java, line(s) 279,279 com/acceptto/android/sdk/api/models/response/UserSettingsResponse.java, line(s) 659 com/acceptto/android/sdk/api/models/response/WorkstationResponse.java, line(s) 296,296 com/acceptto/android/sdk/api/models/response/auditLog/AuditLogWorkstation.java, line(s) 187 com/acceptto/fidoandroidclient/models/fido2/AuthenticatorSelection.java, line(s) 119 com/acceptto/fidoandroidclient/models/fido2/RequestAssertionOptions.java, line(s) 59 com/acceptto/fidoandroidclient/models/fido2/Result.java, line(s) 164 com/acceptto/fidoandroidclient/models/fido2/authentication/AuthenticationOptionsRequest.java, line(s) 80 com/acceptto/fidoandroidclient/models/fido2/registration/RegistrationOptionsRequest.java, line(s) 121 com/accepttomobile/basic/dashboard/ui/b.java, line(s) 153,257,318 com/accepttomobile/common/ui/qrcode/SmartQRCodeFragmentArgs.java, line(s) 115 com/assaabloy/seos/access/domain/KeyPermission.java, line(s) 59 h4/BasicTotpBottomSheetDialogFragmentArgs.java, line(s) 92 h4/BasicWorkstationBottomSheetDialogFragmentArgs.java, line(s) 92 io/jsonwebtoken/JwsHeader.java, line(s) 12
oj/AuthenticateLoginQrCode.java, line(s) 137 oj/AuthenticatePairingQrCode.java, line(s) 176,176 pf/b.java, line(s) 73 qf/e.java, line(s) 76 qf/w.java, line(s) 113 x8/g.java, line(s) 70
Medium: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/acceptto/accepttobaseauthenticator/asm/BaseAsm.java, line(s) 382 jg/b.java, line(s) 54 qi/b.java, line(s) 62 u7/d.java, line(s) 33 v3/f.java, line(s) 120 wi/d.java, line(s) 178 x3/m.java, line(s) 23
Medium: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/journeyapps/barcodescanner/CaptureManager.java, line(s) 109 f1/c.java, line(s) 116 jg/c.java, line(s) 78
Medium: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/mixpanel/android/mpmetrics/u.java, line(s) 3 hd/ce.java, line(s) 6 hd/cg.java, line(s) 4 j$/util/concurrent/ThreadLocalRandom.java, line(s) 10 kkkkkk/ckkkkk.java, line(s) 5 mmmmmm/daaadd.java, line(s) 5 o8/a.java, line(s) 3 qi/b.java, line(s) 11 qi/d.java, line(s) 6 qi/e.java, line(s) 11 qn/a.java, line(s) 3
Medium: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: qi/e.java, line(s) 29
Medium: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/acceptto/accepttobaseauthenticator/utils/BaseDatabaseHelper.java, line(s) 6,7,58,72,96,119 com/mixpanel/android/mpmetrics/j.java, line(s) 5,6,7,58,72 p1/a.java, line(s) 4,5,6,7,89,138 rb/m0.java, line(s) 5,6,259,296,315,324,374,518,553,777 rb/t0.java, line(s) 4,5,135
Medium: IP address disclosure
Files: com/assaabloy/mobilekeys/api/BuildConfig.java, line(s) 4 io/jsonwebtoken/impl/security/EcSignatureAlgorithm.java, line(s) 43,44,45 io/jsonwebtoken/impl/security/RsaSignatureAlgorithm.java, line(s) 38,40,41,42
Medium: The application can read/write external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/github/mikephil/charting/charts/Chart.java, line(s) 564,611 com/github/mikephil/charting/utils/FileUtils.java, line(s) 141,169 z3/h.java, line(s) 75
Medium: This application may request root (superuser) privileges.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: dj/a.java, line(s) 7,7,7,9,7,9,7,7 mmmmmm/bgbbgb.java, line(s) 13,13,13,13,13
Medium: The application contains privacy trackers
This application has 4 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium: This application may contain hard-coded secrets
The following secrets were identified in the application. Confirm that these are not secrets or private information:
Google Maps => "com.google.android.maps.v2.API_KEY" : "AIzaSyCm6qW8icucXnfdxyoUYQcEO49AhUcbzME"
"about_cognitive_authenticator" : "AB0002"
"auth_before_pair_biometric_authenticate_title" : "SP0011"
"biometrics_authentication_not_strong_enough" : "ES0125"
"biometrics_authentication_too_many_attempts" : "ES0126"
"com.google.firebase.crashlytics.mapping_file_id" : "95b8f769b32741599facde76cfc2c07e"
"fido_authenticate_to" : "FS0030"
"fido_fido_authenticator" : "FS0004"
"fido_now_you_can_enable_a_fido2_pin_biometric_authenticator_inside_it_sme_and_authorize_your_mfa_requests" : "FS0005"
"fido_please_authenticate_with_biometrics" : "FS0022"
"fido_row_authenticate" : "FS0018"
"fido_would_you_like_to_enable_acceptto_s_fido_authenticator" : "FS0006"
"fido_your_acceptto_fido_authenticator_has_been_registered_successfully" : "FS0017"
"firebase_database_url" : "https://secureauth-com-sagpservice.firebaseio.com"
"google_api_key" : "AIzaSyAC2sPRyQZ2OJ_LF11x3UD7tDB28k9DQKc"
"google_app_id" : "1:567393951382:android:b650293461019f38"
"google_crash_reporting_api_key" : "AIzaSyAC2sPRyQZ2OJ_LF11x3UD7tDB28k9DQKc"
"hid_key_office_door" : "HK0001"
"mfa_authenticate_to" : "MF0004"
"mirana_secrets_amount_of_data_sent" : "MI0014"
"mirana_secrets_angle_delta" : "MI0002"
"mirana_secrets_end_now" : "MI0015"
"mirana_secrets_latest_notification_received_at" : "MI0005"
"mirana_secrets_latest_record" : "MI0011"
"mirana_secrets_location_lat_lon" : "MI0012"
"mirana_secrets_records_count" : "MI0016"
"mirana_secrets_screen_title" : "MI0001"
"mirana_secrets_share_str" : "MI0008"
"mirana_secrets_time_iso_utc" : "MI0003"
"mirana_secrets_time_ms" : "MI0013"
"mirana_sync_authorities" : "us.acceptto.mirana.syncadapter.provider"
"profile_auth_profile" : "DC0011"
"profile_v3_auth_profile" : "DC0015"
"quick_access_header_authentication_methods" : "QA0002"
"quick_access_header_force_authentication" : "QA0006"
"settings_dialog_are_you_sure_you_want_to_unpair_your_device_you_will_no_longer_be_able_to_use_it_for_it_sme_authentication" : "SE0014"
"sso_detail_dialog_remove_session" : "SD0006"
"sso_no_active_sessions" : "SO0003"
"start_offline_authenticator" : "LS0005"
"start_system_requirements_secret_key_not_hardware_backed" : "SS0005"
"token" : "Token:"
"totp_manual_key" : "TA0006"
"totp_manual_username" : "TA0005"
"username" : "Username"
"vault_password" : "VS0006"
"vault_please_enter_password" : "VS0004"
"vault_your_password_in_your_hand" : "VS0002"
"workstations_sorting_username" : "WS0014"
fca682ce8e12caba26efccf7110e526db078b05edecbcd1eb4a208f3ae1617ae01f35b91a47e6df63413c5e12ed0899bcd132acd50d99151bdc43ee737592e17
RtQsRUaCaDLvh8bvSWcUmajSPfdo2YeP
85053bf24bba75239b16a601d9387e17
e054eb924eacca0bf94379f8f6035f77
5c3e45889c6eee60aa97e4717464654f
5c320f72a95ae1fd8ca04ca71606e415
962eddcc369cba8ebb260ee6b6a126d9346e38c5
b869c82b35d70e1b1ff91b28e37a62ecdc34409b
77d0f8c4dad15eb8c4f2f8d6726cefd96d5bb399
8d5155894229d5e689ee01e6018a237e2cae64cd
82c62205f0ef0ea96608a8
3a5d27488be6cb161e322f8d8b1b13f8
818dd5cb7a3dfbb3eecc94634dabba70
520bc9aa3899e8154622a96a5b342b5d
ff29052e-75b8-40cb-b41c-2404a5a31a53
9747ba803239cf475ca29faa108fe278
4747474752450653d7387d8f42698bfa3557f0d9e791a83231d0a8aec6f69d70
2c94422adaeef51dfab90706db997894
c5c8a58e2309dd4f500de460a0ace695c579c4bc8f693e91d66a7d56c1d3cf58
47474747487408fb703a79fe63c967f7120da0fe92b5b2a2c43c303524533f19
678471b27a9cf44ee91a49c5147db1a9aaf244f05a434d6486931d2d14271b9e35030b71fd73da179069b32e2935630e1c2062354d0da20a6c416e50be794ca4
9cdbd84c9f1ac2f38d0f80f42ab952e7338bf511
258EAFA5-E914-47DA-95CA-C5AB0DC85B11
9760508f15230bccb292b982a2eb840bf0581cf5
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAjPvAFRLCz3PiQXJIxPBbOna9IFPkmMgbTrp+UPzmulUDKJaMjlQrspfVcdJs+0QOSVLQ2BRKFhe29MTBZRlww==
f7e1a085d69b3ddecbbcab5c36b857b97994afbbfa3aea82f9574c0b3d0782675159578ebad4594fe67107108180b449167123e84c281613b7cf09328cc8a6e13c167a8b547c8d28e0a3ae1e2bb3a675916ea37f0bfa213562f1fb627a01243bcca4f1bea8519089a883dfe15ae59f06928b665e807b552564014c3bfecf492a
470fa2b4ae81cd56ecbcda9735803434cec591fa
xJXZd/zR0io4+XWtcwbtnyYutpO4NX7DhE3xBg4
30470ad5a005fb14ce2d9dcd87e38bc7d1b1c5facbaecbe95f190aa7a31d23c4dbbcbe06174544401a5b2c020965d8c2bd2171d3668445771f74ba084d2029d83c1c158547f3a9f1a2715be23d51ae4d3e5a1f6a7064f316933a346d3f529252
fd7f53811d75122952df4a9c2eece4e7f611b7523cef4400c31e3f80b6512669455d402251fb593d8d58fabfc5f5ba30f6cb9b556cd7813b801d346ff26660b76b9950a5a49f9fe8047b1022c24fbba9d7feb7c61bf83b57e7c6a8a6150f04fb83f6d3c51ec3023554135a169132f675f3ae2b61d72aeff22203199dd14801c7
a5f769eb00efe33e201404c96c2b4fc3
ad120db145bc5b77a39da92b11ba417fa7fb0480e2c0d9248728a5c80111e9e4
e9e642599d355f37c97ffd3567120b8e25c9cd43e927b3a9670fbec5d890141922d2c3b3ad2480093799869d1e846aab49fab0ad26d2ce6a22219d470bce7d777d4a21fbe9c270b57f607002f3cef8393694cf45ee3688c11a8c56ab127a3daf
xBkDPNxUEiMRX5vPP2wqvCR4Grb8GZQqrKNyC0Y
14201c8e11cc41dd9c9c98d5d7b72f6d5404a8f233c9fc8b1930bd8f3fb547b9
d61496402910791465933c3d81ab4f80
acce6770-163d-11e8-b642-0ed5f89f718b
-11e8-b642-0ed5f89f718b
Info: The application logs information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: a1/a.java, line(s) 31 a4/a.java, line(s) 313,319,336,415,419 a9/h.java, line(s) 651,415,430,650,271 a9/i.java, line(s) 51,52 a9/k.java, line(s) 14,199 a9/q.java, line(s) 102 a9/z.java, line(s) 61,62 aj/a.java, line(s) 34 aj/b.java, line(s) 174,229,234,109,114,188,201,238,336,248,259 b4/a.java, line(s) 32,42 b9/i.java, line(s) 110,150,111,151 b9/k.java, line(s) 108,149,160,172,72,107,117,138,148,159,171,192,199,78,118,193,200,139 c9/e.java, line(s) 41,51,65,71,42,66,54,72 c9/i.java, line(s) 124,108 cc/d0.java, line(s) 41 cj/a.java, line(s) 71 com/acceptto/android/sdk/api/models/response/auditLog/AuditLogSa.java, line(s) 7 com/acceptto/android/sdk/api/models/response/auditLog/secureauth/AuditLogSAInfo.java, line(s) 1 com/acceptto/android/sdk/api/models/response/auditLog/secureauth/Features.java, line(s) 1,30 com/acceptto/android/sdk/api/models/response/auditLog/secureauth/WasNotMe.java, line(s) 1 com/accepttomobile/basic/dashboard/model/BasicDashboardItem.java, line(s) 50,89 com/accepttomobile/basic/dashboard/ui/BasicDashboardFragment.java, line(s) 38,39,40 com/accepttomobile/common/ui/transaction/TransactionDetailFragment.java, line(s) 38,39,40 com/accepttomobile/common/ui/transaction/x.java, line(s) 9,10,11 com/assaabloy/seos/access/SessionImpl.java, line(s) 179,184,182 com/github/mikephil/charting/charts/BarChart.java, line(s) 62 com/github/mikephil/charting/charts/BarLineChartBase.java, line(s) 269,273,573,579,679,720 com/github/mikephil/charting/charts/Chart.java, line(s) 334,461,535,539,635,840,543 com/github/mikephil/charting/charts/CombinedChart.java, line(s) 105 com/github/mikephil/charting/charts/HorizontalBarChart.java, line(s) 113,69,73 com/github/mikephil/charting/components/AxisBase.java, line(s) 51 com/github/mikephil/charting/data/ChartData.java, line(s) 54 com/github/mikephil/charting/data/CombinedData.java, line(s) 175,196,208 
com/github/mikephil/charting/data/LineDataSet.java, line(s) 186,194 com/github/mikephil/charting/data/PieEntry.java, line(s) 27,39 com/github/mikephil/charting/listener/BarLineChartTouchListener.java, line(s) 224 com/github/mikephil/charting/renderer/ScatterChartRenderer.java, line(s) 45 com/github/mikephil/charting/utils/FileUtils.java, line(s) 33,52,65,92,118,132,163,174,185 com/github/mikephil/charting/utils/Utils.java, line(s) 65,80,255 com/journeyapps/barcodescanner/CameraPreview.java, line(s) 537,575,93,206,290,312 com/journeyapps/barcodescanner/CaptureManager.java, line(s) 68,94,115 com/journeyapps/barcodescanner/DecoderThread.java, line(s) 74 com/journeyapps/barcodescanner/camera/AutoFocusManager.java, line(s) 58,81,99 com/journeyapps/barcodescanner/camera/CameraInstance.java, line(s) 25,37,52,65,156,29,44,57,69 com/journeyapps/barcodescanner/camera/CameraManager.java, line(s) 50,63,195,296,87,129,159,125,131,169,177 com/journeyapps/barcodescanner/camera/CenterCropStrategy.java, line(s) 27 com/journeyapps/barcodescanner/camera/FitCenterStrategy.java, line(s) 27 com/journeyapps/barcodescanner/camera/LegacyPreviewScalingStrategy.java, line(s) 59,60,67 com/journeyapps/barcodescanner/camera/PreviewScalingStrategy.java, line(s) 29,30 com/mixpanel/android/mpmetrics/InAppButton.java, line(s) 38 d6/b.java, line(s) 5 d9/a.java, line(s) 238,235 e0/f.java, line(s) 121 e9/c.java, line(s) 16,15 e9/d.java, line(s) 53,52 e9/f.java, line(s) 149,148 e9/s.java, line(s) 82,85 e9/t.java, line(s) 35,34 ec/b.java, line(s) 12,20 ec/d.java, line(s) 31,37,43,26,49,55 ec/i0.java, line(s) 29 ec/n0.java, line(s) 47,52 ec/v.java, line(s) 93,96,99,102,105,108,116,119,122,125,157,165 ec/y.java, line(s) 26 ej/a.java, line(s) 16,17,39 em/i.java, line(s) 53,57,58 f1/a.java, line(s) 183,219,263,265,63,70,72,78,205,207,213,216,252,36,66,74,81,92,100,111,172,186 f1/c.java, line(s) 57,68,70,97,99,117,133,173,215,237,287,299,303,305,310,93,101,110,225,241,256,295 ff/f.java, line(s) 
227,166,170,182 g9/l.java, line(s) 82,83 h7/e.java, line(s) 14,40,29 h9/e.java, line(s) 15,16 h9/g0.java, line(s) 116,121,133,142,149,117,122,134,143,150,151,152,156 h9/j0.java, line(s) 143,140 h9/m.java, line(s) 175,182,273,283,295,307,325,335,338,341,344,347,361,366,174,181,272,282,294,306,324,334,337,340,343,346,360,365 h9/t.java, line(s) 97,117,96,116,197,265,299,198,266,373 h9/u.java, line(s) 35,41,36,42 h9/y.java, line(s) 58,59 hd/ce.java, line(s) 17 hd/ge.java, line(s) 45,47,49,53,158,63,66,70,145,79,135,87,97,106,110 hd/rf.java, line(s) 41,53,63,67 hd/sf.java, line(s) 185,80,111,189,183 hd/xf.java, line(s) 115,63,67,127,75,101,31,40,43,83 hd/zd.java, line(s) 83,140,142,147,149,153,230,232,236,60,73,102,165,177,251,260,138 i1/c.java, line(s) 190,210,244 i1/e.java, line(s) 203,216,250,258 j7/a.java, line(s) 113,115,121,123,39,41,47,49,55,57 jg/b.java, line(s) 58,75 jm/a.java, line(s) 100,118 k0/f.java, line(s) 140 kb/k.java, line(s) 36,65,72,75,88,91,94,97,100 kc/b.java, line(s) 52,63 kg/c.java, line(s) 91,94,116,124,125,145,147 kj/a.java, line(s) 4,5,164,165 l6/InternalLog.java, line(s) 45 l7/a.java, line(s) 64,161,39,172 l9/a.java, line(s) 79,84,89,98,80,85,90,99 l9/d.java, line(s) 21,22 l9/j.java, line(s) 39,42 lc/f.java, line(s) 15 lc/p.java, line(s) 17,16 lc/q.java, line(s) 55,63,81,36,45,95 lf/g.java, line(s) 28,38,15,48,58,68 lh/d.java, line(s) 117,167,386,120,125 lh/f.java, line(s) 35 m0/c.java, line(s) 111 m1/b.java, line(s) 82 mh/f.java, line(s) 128,187,100 n9/e.java, line(s) 36,35,58,87,59,88 n9/f.java, line(s) 12,11 n9/k.java, line(s) 147,148 n9/m.java, line(s) 242,243,254 n9/o.java, line(s) 92,93 n9/p.java, line(s) 109,116,110,117 nb/a.java, line(s) 15,22,29,14,21,28,42,43,49,50 ne/a.java, line(s) 31,50 o1/j.java, line(s) 115,106,110 o9/d.java, line(s) 29,36,47,52,28,35,40,46,51,41 of/r.java, line(s) 164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182 oi/c.java, line(s) 119,217,387 p0/c0.java, line(s) 120,122 p0/f0.java, 
line(s) 101,114,190,204,227,236,286,289,312,130,318 p0/g.java, line(s) 25 p0/h0.java, line(s) 30 p0/k.java, line(s) 59,66 p0/x.java, line(s) 178,116 p000if/g.java, line(s) 27,34,37,46,84 p000if/o.java, line(s) 54 p8/d.java, line(s) 7,11,15,19,23 pc/b.java, line(s) 34,98 pe/d.java, line(s) 146,179 pm/d.java, line(s) 59 q9/h.java, line(s) 111,14,229,261 qe/b.java, line(s) 60 r9/i.java, line(s) 57,98,99,58 rn/c.java, line(s) 33,44,41 se/g.java, line(s) 257 sg/c0.java, line(s) 247,316,332,338,249,288 sg/f0.java, line(s) 103,116,194,208,231,240,290,293,316,132,322 sg/g.java, line(s) 21 sg/h0.java, line(s) 29 sg/k.java, line(s) 73,99,119,126 sg/x.java, line(s) 183,116 sh/b.java, line(s) 35,66 sh/d.java, line(s) 37,31 t/c.java, line(s) 20 t1/a.java, line(s) 39,47,71 td/a.java, line(s) 102,167,173,246,189,260 tg/a.java, line(s) 111,116,136,140 th/a.java, line(s) 25,26,30,35,41,60,63,68,78,96,102,105,120,127,130,132,138,150,153,155,164,167,175,177,179 u1/b.java, line(s) 31 ug/c.java, line(s) 130 ug/f.java, line(s) 49 us/acceptto/mirana/jobs/worker/LocationWorker.java, line(s) 104 us/acceptto/tools/ble/services/AccepttoBLEAdvertiserService.java, line(s) 245 v1/m0.java, line(s) 44 v8/b.java, line(s) 328 v9/a.java, line(s) 64,65 vb/a.java, line(s) 219,252 vb/b.java, line(s) 39,53,63,73 vb/c.java, line(s) 15,28,41,51 vd/g.java, line(s) 45,46 vd/k.java, line(s) 41,40 w0/a.java, line(s) 301,792,814,971,974,983,989,1062,1073,1080,1163,1235,1306,1399,1451,1472,1485,1517,1543,1614,1657,1662,1668,1724,128,863,1127,1135,1374,1627,1631,1635,1851,1861,1913,1930 w8/d.java, line(s) 76,103,75,102 w8/e.java, line(s) 525,546,564,524,545,563 wd/e1.java, line(s) 32,31,35 wd/h2.java, line(s) 20,28,33,47,19,27,32,46,41 wd/i2.java, line(s) 90,91,121 wd/n2.java, line(s) 32,42 wd/p2.java, line(s) 29 wd/q2.java, line(s) 35,45,73 wd/z.java, line(s) 34 wi/f.java, line(s) 10,16,22,28,34,40,54,60,66,72,78,84 x5/c.java, line(s) 24 y0/c.java, line(s) 100,121,115 y8/b.java, line(s) 48,47 y8/j.java, line(s) 
52,152,51,151,155,161,168,165,169 y8/l.java, line(s) 49,48 z1/l.java, line(s) 24,26,35,37,46,48,57,59,68,70 z8/c.java, line(s) 108,107 z8/e.java, line(s) 64,63 zb/d.java, line(s) 16,13,13 zb/l.java, line(s) 31,66,129,30,65,79,128,173,202,231,264,80,174,203,232,265,37,163 zb/n.java, line(s) 21 zb/p.java, line(s) 24,31,23,30 zb/s.java, line(s) 43,42 zb/t.java, line(s) 44,26,65 zd/h.java, line(s) 49
Info: The application can write to the application directory. Sensitive information should be encrypted.
Files: f3/h2.java, line(s) 21,24,21,24 q4/d.java, line(s) 116,116 x3/n.java, line(s) 48,48
Info: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, as other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/accepttomobile/basic/dashboard/ui/BasicDashboardFragment.java, line(s) 4,1868,1887,1869,1888 v5/m.java, line(s) 4,1028,1029
Info: The application communicates with a Firebase database
The application communicates with the Firebase database located at https://secureauth-com-sagpservice.firebaseio.com
Secure: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/accepttomobile/common/localization/f.java, line(s) 26,26 d4/a.java, line(s) 19,19 m3/d.java, line(s) 72,72 mmmmmm/juujuu.java, line(s) 41,40,39 ql/c.java, line(s) 123,122,121,121 t3/a.java, line(s) 60,60 t3/c.java, line(s) 50,53,43,45,50,39,44,44
Secure: This application may have root detection capabilities.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: dj/b.java, line(s) 239 mmmmmm/bgbbgb.java, line(s) 20,57,78,21 of/i.java, line(s) 288,288,289
Secure: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/567393951382/namespaces/firebase:fetch?key=AIzaSyAC2sPRyQZ2OJ_LF11x3UD7tDB28k9DQKc ) is disabled. The response content is shown below: { "state": "NO_TEMPLATE" }
Hotspot: The application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Hotspot: The application may communicate with a server (firebase-settings.crashlytics.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.150.34', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}