移动应用安全检测报告:
安全基线评分
安全基线评分 43/100
综合风险等级
风险等级评定
- A
- B
- C
- F
漏洞与安全项分布(%)
隐私风险
3
检测到的第三方跟踪器数量
检测结果分布
高危安全漏洞
5
中危安全漏洞
21
安全提示信息
2
已通过安全项
1
重点安全关注
0
高危安全漏洞 基本配置不安全地配置为允许到所有域的明文流量。
Scope: *
高危安全漏洞 应用可被调试
[android:debuggable=true] 应用开启了可调试标志,攻击者可轻易附加调试器进行逆向分析,导出堆栈信息或访问调试相关类,极大提升被攻击风险。
高危安全漏洞 Activity (com.legendsoft.ui_cm.ui.MainActivity) 的启动模式非 standard
Activity 启动模式设置为 "singleTask" 或 "singleInstance" 时,可能成为根 Activity,导致其他应用可读取调用 Intent 内容。涉及敏感信息时应使用 "standard" 启动模式。
高危安全漏洞 已启用远程WebView调试
已启用远程WebView调试 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/just/agentweb/AgentWebConfig.java, line(s) 48,10
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/just/agentweb/UrlLoaderImpl.java, line(s) 116,120,5
中危安全漏洞 应用数据允许备份
[android:allowBackup=true] 该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据,存在数据泄露风险。
中危安全漏洞 Service (com.taobao.accs.ChannelService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.taobao.accs.data.MsgDistributeService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.taobao.accs.EventReceiver) 未受保护。
存在 intent-filter。 检测到 Broadcast Receiver 已与设备上的其他应用共享,因此可被任意应用访问。intent-filter 的存在表明该 Broadcast Receiver 被显式导出,存在安全风险。
中危安全漏洞 Broadcast Receiver (com.taobao.accs.ServiceReceiver) 未受保护。
存在 intent-filter。 检测到 Broadcast Receiver 已与设备上的其他应用共享,因此可被任意应用访问。intent-filter 的存在表明该 Broadcast Receiver 被显式导出,存在安全风险。
中危安全漏洞 Service (org.android.agoo.accs.AgooService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.umeng.message.UmengIntentService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.umeng.message.XiaomiIntentService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.taobao.agoo.AgooCommondReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.umeng.message.UmengMessageIntentReceiverService) 未受保护。
[android:exported=true] 检测到 Service 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/danikula/videocache/ProxyCacheUtils.java, line(s) 71 com/download/library/DownloadTask.java, line(s) 364 com/download/library/Downloader.java, line(s) 317,325,549 com/download/library/Runtime.java, line(s) 241,259 com/just/agentweb/AgentWebUtils.java, line(s) 796 org/litepal/util/cipher/CipherUtil.java, line(s) 39
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/danikula/videocache/StorageUtils.java, line(s) 24,43 com/download/library/Downloader.java, line(s) 152 com/just/agentweb/AgentWebUtils.java, line(s) 161,496 org/litepal/Operator.java, line(s) 93 org/litepal/tablemanager/Connector.java, line(s) 36,38
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/danikula/videocache/sourcestorage/DatabaseSourceInfoStorage.java, line(s) 6,7,28 com/legendsoft/ui_cm/core/data/ADSDao.java, line(s) 4,58,96,140 com/legendsoft/ui_cm/core/data/AdPlacesDao.java, line(s) 4,51,91 com/legendsoft/ui_cm/core/data/AdSortsDao.java, line(s) 4,40 com/legendsoft/ui_cm/core/data/BaseDao.java, line(s) 5,150 com/legendsoft/ui_cm/core/data/VideoCountDao.java, line(s) 5,53 com/legendsoft/ui_cm/core/data/VideoHistoryDao.java, line(s) 5,135,144,171,197,216,260,289,321,382 com/legendsoft/ui_cm/core/data/VideoIndicesDao.java, line(s) 4,43 com/legendsoft/ui_cm/core/data/VideoSortsDao.java, line(s) 4,66,96,126 com/legendsoft/ui_cm/core/data/VideoTopicListsDao.java, line(s) 4,31,52 com/legendsoft/ui_cm/core/data/VideoTopicsDao.java, line(s) 4,42,68 com/legendsoft/ui_cm/core/data/VideosDao.java, line(s) 5,260,263,266,269,273,392,456,459,462,524,646,712,787,851,900,903,906,1071,1090,1128,1132,1136,1177 org/litepal/Operator.java, line(s) 6,523 org/litepal/tablemanager/AssociationCreator.java, line(s) 5,114 org/litepal/tablemanager/Generator.java, line(s) 4,54 org/litepal/util/DBUtility.java, line(s) 4,78,79,82,83,96,97,105,135,176,182
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: me/zhanghai/android/patternlock/PatternUtils.java, line(s) 65
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/legendsoft/ui_cm/ui/utils/RandomUtils.java, line(s) 3 com/scwang/smartrefresh/header/FunGameBattleCityHeader.java, line(s) 15 com/scwang/smartrefresh/header/TaurusHeader.java, line(s) 25 com/scwang/smartrefresh/header/storehouse/StoreHouseBarItem.java, line(s) 8 io/netty/resolver/dns/ShuffledDnsServerAddressStream.java, line(s) 5 org/android/spdy/SpdyBytePool.java, line(s) 3
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/danikula/videocache/HttpProxyCacheServer.java, line(s) 28 io/netty/resolver/dns/DefaultDnsServerAddressStreamProvider.java, line(s) 62,62 jaygoo/local/server/NanoHTTPD.java, line(s) 518 org/android/spdy/SpdyRequest.java, line(s) 27,53,72,94,118,137,163,182,204,228
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/hdl/m3u8/utils/MUtils.java, line(s) 32 com/uuzuche/lib_zxing/decoding/Intents.java, line(s) 45 org/android/spdy/SpdyProtocol.java, line(s) 42 org/litepal/util/cipher/CipherUtil.java, line(s) 11
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/just/agentweb/AbsAgentWebSettings.java, line(s) 58,35
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: jaygoo/local/server/NanoHTTPD.java, line(s) 328,909,996
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 百度统计的=> "BaiduMobAd_STAT_ID" : "4d0309bb6d" 百度统计的=> "BaiduMobAd_CHANNEL" : "Baidu Market" 友盟统计的=> "UMENG_APPKEY" : "5e439a2acb23d2dbec000210" 友盟统计的=> "UMENG_CHANNEL" : "cm_short_video" "library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1" 0000016742C00BDA259000000168CE0F13200000016588840DCE7118A0002FBF1C31C3275D78 EhMLxwqi3KFK4qzJlZG5ktmUVbTzT
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: cn/jzvd/JZTextureView.java, line(s) 51,79,80 cn/jzvd/JZUtils.java, line(s) 88 cn/jzvd/Jzvd.java, line(s) 100,115,222,248,425,513,572,918,429,205,240,264,274,292,310,316,364,374,380,399,405,411,417,438,450,594,606,682,691,703,929 com/AES.java, line(s) 25 com/C0461.java, line(s) 57 com/C0501.java, line(s) 57 com/DialogInterfaceOnClickListenerC0460.java, line(s) 22 com/DialogInterfaceOnClickListenerC0500.java, line(s) 22 com/a.java, line(s) 13 com/b.java, line(s) 50,55,577 com/danikula/videocache/HttpProxyCacheDebuger.java, line(s) 46,52,59,26,36 com/download/library/Runtime.java, line(s) 235,210 com/duck/AES.java, line(s) 23 com/duck/C0205.java, line(s) 59 com/duck/C0216.java, line(s) 59 com/duck/DialogInterfaceOnClickListenerC0204.java, line(s) 20,30 com/duck/DialogInterfaceOnClickListenerC0215.java, line(s) 20,30 com/duck/a.java, line(s) 12 com/duck/b.java, line(s) 48,53,210 com/hdl/m3u8/M3U8DownloadTask.java, line(s) 306,380 com/hdl/m3u8/utils/MUtils.java, line(s) 293 com/jakewharton/disklrucache/DiskLruCache.java, line(s) 113 com/just/agentweb/AgentWebUtils.java, line(s) 393,372,385,404,406 com/just/agentweb/AgentWebView.java, line(s) 59,193,208,231,48,51,243 com/just/agentweb/DefaultChromeClient.java, line(s) 203,209 com/just/agentweb/JsCallJava.java, line(s) 201,66,42,77 com/just/agentweb/JsCallback.java, line(s) 46 com/just/agentweb/LogUtils.java, line(s) 29,33,38,15,21 com/legendsoft/cm_patch_2_2_32/main/activity/shortvideo/ShortVideoFragment.java, line(s) 365 com/legendsoft/ui_cm/core/download/DownloadManager$checkAndDownloadM3U8$1.java, line(s) 125,155,164,214 com/legendsoft/ui_cm/core/download/DownloadManager.java, line(s) 300 com/legendsoft/ui_cm/ui/LoadingActivity$startDataBaseSync$1$1$job$1.java, line(s) 97,158,180 com/legendsoft/ui_cm/ui/PlattelLockActivity.java, line(s) 174 com/legendsoft/ui_cm/ui/SplashActivity.java, line(s) 126,134,138,140,143,145,147,149,170 com/legendsoft/ui_cm/ui/utils/Image64Utils.java, line(s) 145,150,181,239,244,275,322,327,361,438 com/legendsoft/ui_cm/ui/utils/LogUtil.java, line(s) 34,76,86,40,64,92,29,52,58,70,46 com/legendsoft/ui_cm/ui/utils/StringConvertList.java, line(s) 25 com/legendsoft/ui_cm/ui/utils/attack/AttackConfig.java, line(s) 65,80 com/legendsoft/ui_cm/ui/utils/nettyClient/HammerTcp.java, line(s) 73,76,132 com/legendsoft/ui_cm/ui/utils/nettyClient/HammerTcpUtil.java, line(s) 109 com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 103 com/makeramen/roundedimageview/RoundedImageView.java, line(s) 264,302 com/scwang/smartrefresh/layout/SmartRefreshLayout.java, line(s) 1998,2008 com/taobao/tlog/adapter/TLogConfigSwitchReceiver.java, line(s) 39,41,49,56,62,75,27 com/taobao/tlog/adapter/TLogFileUploader.java, line(s) 33,37,45,49,78,82 com/uuzuche/lib_zxing/activity/CaptureActivity.java, line(s) 47 com/uuzuche/lib_zxing/camera/AutoFocusCallback.java, line(s) 28 com/uuzuche/lib_zxing/camera/CameraConfigurationManager.java, line(s) 33,37,47,52,83,45,107,124,176,187 com/uuzuche/lib_zxing/camera/FlashlightManager.java, line(s) 15,17,58,69,78,81,84 com/uuzuche/lib_zxing/camera/PreviewCallback.java, line(s) 39 com/uuzuche/lib_zxing/decoding/CaptureActivityHandler.java, line(s) 50,55,68,72 com/uuzuche/lib_zxing/decoding/DecodeHandler.java, line(s) 60 jaygoo/local/server/M3U8HttpServer.java, line(s) 28,30,54,65,73,48,51 jaygoo/local/server/M3U8HttpServerLog.java, line(s) 11,17 me/codeboy/android/aligntextview/CBAlignTextView.java, line(s) 125 org/android/spdy/NetTimeGaurd.java, line(s) 32,41 org/android/spdy/ProtectedPointerTest.java, line(s) 12,19,37 org/android/spdy/spduLog.java, line(s) 10,46,22,16,28,34,40 org/greenrobot/eventbus/Logger$SystemOutLogger.java, line(s) 7,11 org/greenrobot/eventbus/util/ErrorDialogConfig.java, line(s) 34 org/greenrobot/eventbus/util/ErrorDialogManager.java, line(s) 121 org/greenrobot/eventbus/util/ExceptionToResourceMapping.java, line(s) 25 org/litepal/crud/SaveHandler.java, line(s) 232 org/litepal/tablemanager/AssociationCreator.java, line(s) 62,99,110,233 org/litepal/tablemanager/AssociationUpdater.java, line(s) 37,87,129,151,229,231,233,235 org/litepal/tablemanager/Upgrader.java, line(s) 25,86,99,131,139,147,160,177,179,181 org/litepal/util/LitePalLog.java, line(s) 12,18 org/litepal/util/cipher/AESCrypt.java, line(s) 88,94,43,71 pub/devrel/easypermissions/EasyPermissions.java, line(s) 131,133,27 pub/devrel/easypermissions/helper/ActivityPermissionHelper.java, line(s) 34 pub/devrel/easypermissions/helper/BaseSupportPermissionsHelper.java, line(s) 21
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/legendsoft/ui_cm/ui/user/ContactActivity.java, line(s) 4,132 me/codeboy/android/aligntextview/CBAlignTextView.java, line(s) 4,123
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/legendsoft/ui_cm/core/api/ApiClient.java, line(s) 182,182 jaygoo/local/server/NanoHTTPD.java, line(s) 1456,1454,1456,1481,1453,1453