Security Analysis Report: Buchhai v2.5.3

Security Score

56/100

Risk Rating

Grade

  1. A
  2. B
  3. C
  4. F

Severity Distribution (%)


Privacy Risk

5 user/device trackers


Findings

High 1
Medium 11
Info 4
Secure 2
Hotspot 3

HIGH: Application contains privacy trackers

This application has 5 privacy trackers. A tracker can track the device or the user and is a privacy concern for end users.

MEDIUM: Application data can be backed up

[android:allowBackup=true]
This flag allows anyone to back up your application data via adb. It allows users who have enabled USB debugging to copy application data off the device.

MEDIUM: Content Provider (com.facebook.FacebookContentProvider) is not protected.

[android:exported=true]
A Content Provider is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.

MEDIUM: Activity (com.facebook.CustomTabActivity) is not protected.

[android:exported=true]
An Activity is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device.

MEDIUM: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the protection level of the permission should be checked.

Permission: android.permission.DUMP [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device, therefore leaving it accessible to any other application on the device. It is protected by a permission that is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.

MEDIUM: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
L1/C1414f.java, line(s) 43
N1/d.java, line(s) 39
N1/n.java, line(s) 85
N1/u.java, line(s) 96
g4/b.java, line(s) 56
h4/C1299f0.java, line(s) 40

MEDIUM: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
C/C0024z.java, line(s) 4,242,254
E5/q.java, line(s) 4,95
G/e.java, line(s) 4,36
Z2/C0127k.java, line(s) 7,8,306,548,1279
Z2/F0.java, line(s) 7,8,75
Z3/b.java, line(s) 5,64
x2/i.java, line(s) 4,5,78

MEDIUM: The app uses an insecure random number generator

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
F/b.java, line(s) 9
G1/C1235b.java, line(s) 31
Z2/P1.java, line(s) 37
a5/a.java, line(s) 3
u3/a.java, line(s) 17
z5/a.java, line(s) 3
z5/b.java, line(s) 3

MEDIUM: SHA-1 is a weak hash known to have hash collisions

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
E4/f.java, line(s) 101
z4/b.java, line(s) 50

MEDIUM: MD5 is a weak hash known to have hash collisions

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
T1/k.java, line(s) 30
Z2/P1.java, line(s) 136

MEDIUM: The app creates temporary files. Sensitive information should never be written to a temporary file.


Files:
V/C1719n.java, line(s) 215

MEDIUM: This app may contain hardcoded secrets

The following secrets were identified in the app. Ensure that these are not secrets or private information.
"firebase_database_url" : "https://buchhai-1328.firebaseio.com"
"pref_key_camerax_rear_camera_target_resolution" : "crctas"
"pref_key_info_hide" : "ih"
"pref_key_enable_auto_zoom" : "eaz"
"com.google.firebase.crashlytics.mapping_file_id" : "2ad16fe6c1f34e829aab539ae7e3351d"
"facebook_app_id" : "154229804990294"
"google_api_key" : "AIzaSyBTctfdscexJVzB0LmYb5xhgSj4YJcASP8"
"google_app_id" : "1:208761341481:android:eec808f958514617"
"google_crash_reporting_api_key" : "AIzaSyBTctfdscexJVzB0LmYb5xhgSj4YJcASP8"
"facebook_client_token" : "109b9e786e30400831dea2129119afe4"
"pref_key_camera_live_viewport" : "clv"
"pref_key_camerax_front_camera_target_resolution" : "cfctas"
"pref_category_key_camera" : "pckc"

INFO: The app logs information. Sensitive information should never be logged.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
A0/C0170c.java, line(s) 247
A0/f.java, line(s) 241
A3/C0200e.java, line(s) 148
A3/f.java, line(s) 416
B/e.java, line(s) 361,375
B/f.java, line(s) 487,193,236,490,314
C/C0024z.java, line(s) 108,353,135,138,174,175,352,333
C/G.java, line(s) 101
C/P.java, line(s) 87,114,331
C/X.java, line(s) 183
C2/b.java, line(s) 85,187
C2/c.java, line(s) 42,58,67,77
C3/e.java, line(s) 100,134
D/f.java, line(s) 788,799
D/g.java, line(s) 89
D/h.java, line(s) 51,53,68,73
D1/d.java, line(s) 29,30
D1/e.java, line(s) 38,39
E0/b.java, line(s) 128
E0/g.java, line(s) 188,194,262,338,415,465,485,499,533,551,611,652,655,741,746,752,769,779,790,797,893,57,233,238,390,713,717,721,827,836
E4/d.java, line(s) 369,376,367
E4/f.java, line(s) 36,105
E4/g.java, line(s) 30
E4/h.java, line(s) 35
E4/i.java, line(s) 39,46,47,55
E4/l.java, line(s) 62,70,35,61,65,36,66
E4/o.java, line(s) 72,94,82,99,102,104,120,63,71,93,64,77,118
E4/q.java, line(s) 38,53,57,62,84,89,27,31,70,37,52,56,61,83,88
E4/r.java, line(s) 31,36,44,30,35,43
E4/t.java, line(s) 45,46
E5/p.java, line(s) 90,93
F0/c.java, line(s) 57,66
F0/g.java, line(s) 50
F0/h.java, line(s) 254,274,240,241
F0/k.java, line(s) 371,431,434
F0/o.java, line(s) 556,1127,1463,1468,1475,1653,1660,1669,1683,1689,1697,1835,1837,1537,325,642,1233,1246,1380
F2/e.java, line(s) 62,115,122
F2/f.java, line(s) 28
F2/g.java, line(s) 34
F2/h.java, line(s) 244,246,135,168,172,241,55
F2/j.java, line(s) 28
F2/m.java, line(s) 66
F2/p.java, line(s) 73,77,38
F3/C1221d.java, line(s) 43
F3/e.java, line(s) 152,269,200,234,170
F3/g.java, line(s) 123
F4/c.java, line(s) 12,11
F5/C1226c.java, line(s) 25
F5/C1227d.java, line(s) 60,109
F5/k.java, line(s) 17
G/h.java, line(s) 653,569
G2/A.java, line(s) 51,52
G2/B.java, line(s) 115,119
G2/p.java, line(s) 261,354
G2/r.java, line(s) 53,52
G5/s.java, line(s) 63,89,97,98,103,104
H2/AbstractC0034e.java, line(s) 148,177,271,278,284,293
H2/AbstractC1284b.java, line(s) 71
H2/C0036g.java, line(s) 79
H2/C0038i.java, line(s) 39,40,57,71,58,72
H2/D.java, line(s) 37
H2/F.java, line(s) 38,53
H2/K.java, line(s) 47
H2/r.java, line(s) 78,81,84,87,90,93,101,104,107,110,147,154
H2/s.java, line(s) 50
H3/f.java, line(s) 60
H3/k.java, line(s) 236,240
I1/C0046c.java, line(s) 71,76,81
I1/D.java, line(s) 252,257
I4/a.java, line(s) 193
J0/C1345d.java, line(s) 49
J0/f.java, line(s) 40
J0/t.java, line(s) 30
J1/C1349c.java, line(s) 82
J1/d.java, line(s) 56
J1/e.java, line(s) 135
J1/m.java, line(s) 113,128
J3/m.java, line(s) 155,182
J4/a.java, line(s) 13,20,27,36,46,53
K4/C1378a.java, line(s) 119
K4/C1380c.java, line(s) 207,239,364,442,212,101,206,238,363,441,102,120,392
K4/b.java, line(s) 254,260,252
K4/c.java, line(s) 21,18
L0/b.java, line(s) 27
L1/k.java, line(s) 66,86,101
L4/c.java, line(s) 71,70
M/C1431g.java, line(s) 92,142,154,164
M/C1432h.java, line(s) 164
M/f.java, line(s) 79,318
M/m.java, line(s) 147
M0/AbstractC1439b.java, line(s) 61,222,231
M0/c.java, line(s) 84,89,96,100,111,123
M5/l.java, line(s) 11
M5/m.java, line(s) 70
N0/e.java, line(s) 38,43
N0/f.java, line(s) 30
N0/g.java, line(s) 67
N0/h.java, line(s) 43
N0/i.java, line(s) 55,82,118,184
N0/k.java, line(s) 44,98,112,134,150
N1/h.java, line(s) 162,163
N1/j.java, line(s) 116
N1/v.java, line(s) 81,71,80,72
N2/b.java, line(s) 123,122,114
O/AbstractC1497a0.java, line(s) 20
O/C1505e0.java, line(s) 91,100,204
O/C1531s.java, line(s) 65
O/C1535u.java, line(s) 179
O/D0.java, line(s) 282,87,92,99,196,265
O/DialogInterfaceOnClickListenerC1495H.java, line(s) 36,101,106,116
O/I0.java, line(s) 22
O/K0.java, line(s) 30,39,49,59
O/L0.java, line(s) 263
O/Q0.java, line(s) 34
O/d1.java, line(s) 128,218
O/h.java, line(s) 130
O3/d.java, line(s) 81,103,80,102
P0/D.java, line(s) 30
P0/x.java, line(s) 195
Q4/h.java, line(s) 123,161
R/c.java, line(s) 103,102
R2/e.java, line(s) 60,66,295,320,96,106,125,155,196,290,143,63,146,170,173,191
S3/a.java, line(s) 296,295
T1/C1678b.java, line(s) 71,72
T1/b.java, line(s) 112,91
T1/e.java, line(s) 26
T1/j.java, line(s) 63
T3/e.java, line(s) 21
T3/g.java, line(s) 192,201,118
T3/i.java, line(s) 216,79
U0/AbstractC0065c0.java, line(s) 156
U0/J.java, line(s) 149,120
U0/n0.java, line(s) 45
U0/s0.java, line(s) 159
V/C1719n.java, line(s) 294
V/C1721p.java, line(s) 185
V0/AbstractC1757z.java, line(s) 63
V0/C1734b.java, line(s) 81
V0/C1744l.java, line(s) 29,41,88,137,186,203,229
V0/I.java, line(s) 279,204,278
V0/J.java, line(s) 20,31
V0/W.java, line(s) 30
V0/X.java, line(s) 31,43,50,59
V0/b.java, line(s) 70
V0/c0.java, line(s) 77,94,69
W1/b.java, line(s) 41
Y0/i.java, line(s) 18,17
Y3/d.java, line(s) 34
Y3/h.java, line(s) 76
Z2/C0100b.java, line(s) 239,332,137,238,250,138,251,98
Z2/C0122i0.java, line(s) 51,61,130,136,52,131,64,137
Z2/F.java, line(s) 148,151
Z2/G.java, line(s) 75,74
Z2/Z.java, line(s) 162
Z3/d.java, line(s) 89,97,98,101,109,127,145,150,155,163,164,167,168,169,170,171,172,173,174,175,176,177,178,179,180
Z3/h.java, line(s) 276,279,290,307,341,312,314,328,353,306,340,364,365,113,430,434
a1/r.java, line(s) 486
a2/E.java, line(s) 81
a2/L.java, line(s) 827
a2/RunnableC0194u.java, line(s) 89,293
a4/C0202a.java, line(s) 55,54,59
a4/c.java, line(s) 83,84
b1/e.java, line(s) 215,219,225,228
b4/a.java, line(s) 40,41
b4/b.java, line(s) 83,78,93,99
d0/C1182i.java, line(s) 61
d3/d.java, line(s) 39
d4/b.java, line(s) 10,9
de/whsoft/buchhai/billing/BillingDataSource.java, line(s) 157,226,277,303,314,345,356,420,184,198,203,299,310,341,352,374,387,397,187,207,176,210
de/whsoft/buchhai/billing/a.java, line(s) 50,61,29,59
de/whsoft/buchhai/main/MainActivity.java, line(s) 99,98
de/whsoft/buchhai/mlkit/CameraXLivePreviewActivity.java, line(s) 122,133,154,159,218,366,322
g0/b.java, line(s) 27
g4/e.java, line(s) 34,62
g4/h.java, line(s) 145,172,77,83,144,171,55,68,105,151,201
g4/m.java, line(s) 27,61
h/LayoutInflaterFactory2C1255A.java, line(s) 814,816,818,400,458,461
h/f.java, line(s) 664
h/o.java, line(s) 42,69
h/q.java, line(s) 69,77
h/x.java, line(s) 66,83,113
k1/C1367c.java, line(s) 179,207,178,206
m1/C1442b.java, line(s) 118,149,117,148
m1/e.java, line(s) 81,285
m2/a.java, line(s) 69,88
o0/c.java, line(s) 43,230
o1/f.java, line(s) 52,117,53,118
o1/g.java, line(s) 72,102,137,224,68,84,90,101,120,132,139,192,198,205,223,53,88,196,213,121
p1/b.java, line(s) 59,70,80
q/d.java, line(s) 106
r0/i.java, line(s) 22
r1/C1599A.java, line(s) 85,82
r1/C1606b.java, line(s) 63,83,88,96,110,64,84,91,99,113
r1/C1608d.java, line(s) 58,57
r1/d.java, line(s) 51
s4/b.java, line(s) 74
u1/C1695c.java, line(s) 49,50
u1/i.java, line(s) 22,27,23,28
u1/l.java, line(s) 31,35,145,166,173,183,187,190,193,200,203,30,34,144,165,172,182,186,189,192,199,202
u1/q.java, line(s) 48,51,49,52
u1/u.java, line(s) 65,80,92,96,99,103,107,66,93,97,100,104,108,81
u1/w.java, line(s) 48,61,64,49,50,51,54,62,65
u4/a.java, line(s) 35,36
u4/c.java, line(s) 22,21
w2/f.java, line(s) 45
w4/d.java, line(s) 260
y1/C1804a.java, line(s) 49,82,91,96,104,50,85,92,99,105
y1/b.java, line(s) 716,729,730
y1/h.java, line(s) 50,51
z4/b.java, line(s) 43,54

INFO: The app can write to the app directory. Sensitive information should be encrypted.


Files:
I1/C0045b.java, line(s) 13,18,13,18
I1/D.java, line(s) 156,156
X1/b.java, line(s) 82,82

INFO: This app copies data to the clipboard. Sensitive data should not be copied to the clipboard, as other applications can access it.

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
P0/o.java, line(s) 4,37

INFO: The app communicates with a Firebase database

The app communicates with the Firebase database at https://buchhai-1328.firebaseio.com

SECURE: This app may have root detection capabilities

https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
E4/f.java, line(s) 92,92,93
O3/f.java, line(s) 53

SECURE: Firebase Remote Config is disabled

The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/208761341481/namespaces/firebase:fetch?key=AIzaSyBTctfdscexJVzB0LmYb5xhgSj4YJcASP8 ) is disabled. The response content is shown below:

{
    "state": "NO_TEMPLATE"
}

HOTSPOT: The app may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).

{'ip': '142.250.72.174', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

HOTSPOT: The app may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).

{'ip': '222.246.139.208', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}

HOTSPOT: The app may communicate with a server (apps.apple.com) located in an OFAC-sanctioned country (China).

{'ip': '222.246.139.208', 'country_short': 'CN', 'country_long': '中国', 'region': '湖南', 'city': '长沙', 'latitude': '28.200001', 'longitude': '112.966667'}

Security Score: (Buchhai 2.5.3)