Application Security Test Report
Mobile Application Security Test Report

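逼多多 v3.6.2
Security score (security baseline score): 44/100
Overall risk level: Medium risk
Risk rating scale:
- A
- B
- C
- F
The application carries some security risk; optimization is recommended.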
Distribution of vulnerabilities and security items
- High risk: 3
- Medium risk: 12
- Info: 2
- Secure: 1
Privacy risk assessment
Third-party trackers: 2
Moderate privacy risk
A small number of third-party trackers were detected
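Distribution of findings
- High-risk vulnerabilities: 3
- Medium-risk vulnerabilities: 12
- Security informational notes: 2
- Passed security checks: 1
Key security concerns: 0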
High-risk vulnerability: By default, calling Cipher.getInstance("AES") returns AES in ECB mode. ECB mode is known to be weak because identical plaintext blocks produce identical ciphertext blocks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: com/sz/movie/app/utils/AESCrypt.java, line(s) 27,44
High-risk vulnerability: Remote WebView debugging is enabled.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files: com/juneRain/jy/baselib/utils/base/BaseApplication.java, line(s) 156,11
High-risk vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. The application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: com/juneRain/jy/commonlib/ui/activity/web/CommonWebActivity.java, line(s) 122,121
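Medium-risk vulnerability: The application has cleartext network traffic enabled.
[android:usesCleartextTraffic=true] The application allows cleartext network traffic (for example HTTP, FTP, DownloadManager, MediaPlayer). Cleartext traffic is enabled by default at API level 27 and below, and disabled by default at API level 28 and above. Cleartext traffic has no confidentiality, integrity, or authenticity protection, so an attacker can eavesdrop on or tamper with data in transit. Disable cleartext traffic and use only encrypted protocols.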
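Medium-risk vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.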
Medium-risk vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
- cc/shinichi/library/glide/cache/DataCacheKey.java, line(s) 43
- io/grpc/internal/DnsNameResolver.java, line(s) 70,68,69,71
- io/grpc/internal/PickFirstLoadBalancerProvider.java, line(s) 13
- io/grpc/internal/TransportFrameUtil.java, line(s) 83
Medium-risk vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files:
- f2/a.java, line(s) 11
- io/grpc/internal/DnsNameResolver.java, line(s) 24
- io/grpc/internal/ExponentialBackoffPolicy.java, line(s) 4
- io/grpc/internal/PickFirstLeafLoadBalancer.java, line(s) 22
- io/grpc/internal/PickFirstLoadBalancer.java, line(s) 11
- io/grpc/internal/RetriableStream.java, line(s) 21
- io/grpc/okhttp/OkHttpClientTransport.java, line(s) 61
- io/grpc/util/OutlierDetectionLoadBalancer.java, line(s) 28
- io/grpc/util/RoundRobinLoadBalancer.java, line(s) 12
- org/minidns/a.java, line(s) 11
- org/minidns/iterative/a.java, line(s) 12
- q2/c.java, line(s) 4
Medium-risk vulnerability: SHA-1 is a weak hash with known hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/juneRain/jy/util/MessageDigetUtils.java, line(s) 34
- org/minidns/a.java, line(s) 80
- org/repackage/a/a/a/a/c.java, line(s) 67
Medium-risk vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
- cc/shinichi/library/tool/file/FileUtil.java, line(s) 45
- cc/shinichi/library/tool/image/DownloadPictureUtil.java, line(s) 48
- com/juneRain/jy/baselib/utils/c.java, line(s) 27
- com/juneRain/jy/baselib/utils/g.java, line(s) 48,120
- com/juneRain/jy/commonlib/ui/activity/web/CommonWebActivity.java, line(s) 98
Medium-risk vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/juneRain/jy/commonlib/ui/activity/web/CommonWebActivity.java, line(s) 253,294,295
Medium-risk vulnerability: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/juneRain/jy/commonlib/ui/activity/web/CommonWebActivity.java, line(s) 300,294,295
Medium-risk vulnerability: IP address disclosure.
Files:
- io/grpc/okhttp/OkHttpClientTransport.java, line(s) 1097
- io/grpc/okhttp/OkHttpServerTransport.java, line(s) 350,358,367,363
- org/minidns/b.java, line(s) 79
Medium-risk vulnerability: MD5 is a weak hash with known hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- c0/a.java, line(s) 9
- com/juneRain/jy/util/MessageDigetUtils.java, line(s) 23
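Medium-risk vulnerability: The application contains privacy trackers.
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.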
Medium-risk vulnerability: This application may contain hardcoded secrets.
The following secrets were identified in the application. Make sure they are not confidential or private information.
openinstall analytics => "com.openinstall.APP_KEY" : "fdsa" 67894d748f232a05f1fb792d
Security informational note: The application writes log messages. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files:
- cc/shinichi/library/ImagePreview.java, line(s) 652
- cc/shinichi/library/glide/ImageLoader.java, line(s) 52
- cc/shinichi/library/tool/image/ImageUtil.java, line(s) 190,201,296,363,384,387,391,393,395,397,399,431
- cc/shinichi/library/tool/ui/PhoneUtil.java, line(s) 38,45,60
- cc/shinichi/library/view/ImagePreviewActivity.java, line(s) 148,169
- cc/shinichi/library/view/ImagePreviewAdapter.java, line(s) 191,194,489,493,498,501,536,549
- cc/shinichi/library/view/subsampling/SubsamplingScaleImageView.java, line(s) 640,211,215,394,398,466,794,799,810,825,1532,1750,2123
- cc/shinichi/library/view/subsampling/decoder/SkiaPooledImageRegionDecoder.java, line(s) 120
- com/click/marquee_lib/view/AutoPollRecyclerView.java, line(s) 35
- com/eesu/doak/LoadGenerator.java, line(s) 191
- com/juneRain/jy/baselib/baseWidget/loadingView/AVLoadingIndicatorView.java, line(s) 335
- com/juneRain/jy/baselib/utils/c.java, line(s) 44
- com/juneRain/jy/baselib/utils/k.java, line(s) 85,96,98,103,87,83,89
- com/juneRain/jy/commonlib/ui/photoview/PhotoViewPager.java, line(s) 49,60,65
- com/juneRain/jy/commonlib/ui/viewmodel/SingleLiveEvent.java, line(s) 29
- com/juneRain/jy/ui/widget/NestedScrollableHost.java, line(s) 90
- com/juneRain/jy/viewmodel/HomeViewModel.java, line(s) 120,172,221
- i/c.java, line(s) 264
- io/grpc/internal/ManagedChannelImpl.java, line(s) 1427
- io/grpc/okhttp/internal/Platform.java, line(s) 420
- me/jessyan/autosize/AutoSize.java, line(s) 92
- me/jessyan/autosize/AutoSizeConfig.java, line(s) 332,345,358,250
- me/jessyan/autosize/DefaultAutoAdaptStrategy.java, line(s) 21,31,34,15,28
- me/jessyan/autosize/utils/AutoSizeLog.java, line(s) 15,21,35
Security informational note: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/juneRain/jy/ui/activity/DetailAppActivity.java, line(s) 4,168,183
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files:
- io/grpc/okhttp/OkHttpChannelBuilder.java, line(s) 372,373,613,386,612,628,609,611,611
- io/grpc/okhttp/OkHttpServerBuilder.java, line(s) 244,245,258
- io/grpc/util/AdvancedTlsX509TrustManager.java, line(s) 138,137,196,136,136,155
Overall security baseline score summary

逼多多 v3.6.2
Android APK
Overall security score: 44
Medium risk