Application Security Scan Report
Mobile Application Security Scan Report

Simple Préstamo v2.1.4

Security baseline score: 55/100
Overall risk level: Medium (the application carries some security risk; remediation is recommended)

Distribution of findings and security checks:
- High-severity vulnerabilities: 2
- Medium-severity vulnerabilities: 16
- Informational notices: 2
- Passed security checks: 3
- Priority security hotspots: 0

Privacy risk assessment: 2 third-party trackers detected; medium privacy risk.
High-severity vulnerability: A file is created world-readable. Any application on the device can read it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/datavisorobfus/h0.java, line(s) 29
Check: the flagged line is in an obfuscated third-party SDK package (com/datavisorobfus), so confirm what is written there and which API levels the code runs on. Since Android 7.0 (API 24) passing Context.MODE_WORLD_READABLE or MODE_WORLD_WRITEABLE to openFileOutput, getSharedPreferences, getDir or openOrCreateDatabase throws a SecurityException, so the exposure is limited to older devices or to files made readable by other means (for example an explicit File.setReadable(true, false)).

High-severity vulnerability: The application uses the CBC cipher mode with PKCS5/PKCS7 padding. Without an integrity check (a MAC, or an AEAD mode instead of CBC) this configuration is vulnerable to padding-oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/simpleprestamomx/uthkhsjkytonhfgfils/i.java, line(s) 24
Check: the attack needs an oracle, meaning any observable difference (exception type, response body, status code, timing) between "padding invalid" and "padding valid but content rejected" when an attacker-modified ciphertext is decrypted. Trace where this decryption's failure is surfaced. The fix is to switch to an AEAD mode such as AES/GCM/NoPadding, or to verify an HMAC over IV and ciphertext before decrypting and return one generic error for any failure.
Medium-severity vulnerability: Application data can be backed up.
[android:allowBackup=true] This flag allows application data to be backed up with the adb tool. A user who has enabled USB debugging can copy the application's data directly, which is a data-leakage risk. On devices running Android 12 or later, adb backup excludes app data for apps that target API level 31 or higher, so check the app's targetSdkVersion before rating the exposure.

Medium-severity vulnerability: The Broadcast Receiver com.google.firebase.iid.FirebaseInstanceIdReceiver is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.

Medium-severity vulnerability: The Broadcast Receiver androidx.profileinstaller.ProfileInstallReceiver is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Check for both receivers: these are standard library components rather than app code. com.google.android.c2dm.permission.SEND is declared by Google Play services and android.permission.DUMP by the platform, both at signature-level protection, so an ordinary third-party app cannot hold them; treat this as a false positive unless the app's own manifest re-declares either permission with a weaker protection level.

Medium-severity vulnerability: A file may contain hard-coded sensitive information such as usernames, passwords or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: com/datavisor/vangogh/face/DVKeyName.java, line(s) 4
Medium-severity vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: B0/m.java, line(s) 46 J1/W2.java, line(s) 36 T3/b.java, line(s) 3 T3/c.java, line(s) 3 U2/C1216a.java, line(s) 18 U2/C1350a.java, line(s) 18 ai/advance/liveness/lib/u.java, line(s) 8 com/datavisorobfus/l.java, line(s) 10 com/datavisorobfus/l0.java, line(s) 4 e4/x.java, line(s) 3
Check: this rule typically matches java.util.Random and Math.random(), whose outputs are predictable from a few observed values. That only matters where the value is security-relevant (session tokens, OTPs, IVs, nonces, filenames meant to be unguessable); those call sites must use java.security.SecureRandom. Several listed files are in third-party SDK packages (ai/advance/liveness, com/datavisorobfus), so trace what each generated value is used for before assigning remediation.
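To show what "predictable" means for the generator this finding usually points at, here is an added example (not code from the app): a Python re-implementation of java.util.Random's 48-bit linear congruential generator, using the constants from the JDK specification (Android's libcore implements the same algorithm), followed by the standard recovery of its internal state from two consecutive nextInt() outputs. The seed values are constructed; the attacker side never sees them.

```python
# java.util.Random constants (JDK specification): 48-bit LCG
MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random (and Android's)."""

    def __init__(self, seed: int):
        # Random.setSeed() scrambles the seed with the multiplier
        self.state = (seed ^ MULT) & MASK

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        v = self.next_bits(32)
        return v - (1 << 32) if v >= (1 << 31) else v   # Java int is signed


def recover_states(out1: int, out2: int) -> list:
    """Every internal state consistent with two consecutive nextInt() outputs.

    nextInt() returns the top 32 bits of the 48-bit state, so only the 16 low
    bits are hidden; 65536 candidates are checked against the second output.
    """
    hi = (out1 & 0xFFFFFFFF) << 16
    want = out2 & 0xFFFFFFFF
    states = []
    for low in range(1 << 16):
        nxt = ((hi | low) * MULT + ADD) & MASK
        if nxt >> 16 == want:
            states.append(nxt)           # state right after producing out2
    return states


def predict_next_int(out1: int, out2: int):
    """Predict the third nextInt() from the first two; None if ambiguous."""
    states = recover_states(out1, out2)
    if len(states) != 1:
        return None
    clone = JavaRandom.__new__(JavaRandom)
    clone.state = states[0]
    return clone.next_int()


def demo(seed: int = 0xC0FFEE) -> bool:
    """Victim draws three values; the attacker, seeing only the first two,
    predicts the third. Returns True when the prediction is correct."""
    victim = JavaRandom(seed)            # constructed seed, never shown to the attacker
    a, b, c = victim.next_int(), victim.next_int(), victim.next_int()
    return predict_next_int(a, b) == c
```

Two leaked values are enough because nextInt() exposes 32 of the 48 state bits directly. An OTP or token derived from this generator is therefore recoverable by anyone who observes two earlier outputs, which is why the remediation is SecureRandom rather than a different seed.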
Medium-severity vulnerability: Insecure WebView implementation. The WebView may allow arbitrary code execution.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/datavisor/vangogh/face/DVTokenClient.java, line(s) 286,285 com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/YakIxNQrrO.java, line(s) 83,69
Check: this rule typically fires on setJavaScriptEnabled(true) combined with an addJavascriptInterface bridge. Arbitrary code execution through the bridge via reflection requires API level 16 or lower; from API 17 only methods annotated with @JavascriptInterface are reachable from page script. The real questions are what those annotated methods expose and whether the WebView can be made to load attacker-controlled or cleartext content.

Medium-severity vulnerability: Possible cross-origin weakness. Enabling file access from URLs in the WebView can leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/YakIxNQrrO.java, line(s) 76,69

Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: F/C0873h.java, line(s) 219,227 F/C0908h.java, line(s) 745,753 com/datavisor/vangogh/face/DVTokenClient.java, line(s) 177 com/datavisor/vangogh/storage/local/a.java, line(s) 104 com/datavisor/vangogh/storage/local/b.java, line(s) 13,15 com/datavisorobfus/h.java, line(s) 1340 com/datavisorobfus/m.java, line(s) 363 com/simpleprestamomx/requestconfig/C0729n.java, line(s) 609,612,625,628,778,786

Medium-severity vulnerability: SHA-1 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: L2/c.java, line(s) 51 com/datavisorobfus/b0.java, line(s) 26 com/datavisorobfus/q0.java, line(s) 31,12
Medium-severity vulnerability: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: A/s.java, line(s) 23,309,321,354 J1/C0104i.java, line(s) 5,6,70,110 J1/S2.java, line(s) 7,8,499 N/g.java, line(s) 14,506 Z0/n.java, line(s) 6,67 Z0/o.java, line(s) 6,29 a1/u.java, line(s) 3,12,13,14,15,16,19,20,21,24,27,28,29,32,33,34,35,36 a1/v.java, line(s) 4,5,45
Check: rawQuery and execSQL are only a problem when the SQL text is built by concatenating input; the same calls with a constant statement and selectionArgs bound through "?" placeholders are safe. Review each listed line for string concatenation or String.format of user-controlled values.
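An added example (not the app's code) that reproduces the two shapes this finding distinguishes, using Python's sqlite3 module against the same SQLite engine Android ships: a query assembled by string formatting, which mirrors rawQuery(String.format(...), null) and is injectable, beside the parameterised form that mirrors rawQuery("... = ?", new String[]{...}). The users table and its rows are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the app's local database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, phone TEXT, pin TEXT)")
    con.executemany(
        "INSERT INTO users (phone, pin) VALUES (?, ?)",
        [("5551000", "1234"), ("5552000", "9876")],
    )
    con.commit()
    return con


def find_user_vulnerable(con: sqlite3.Connection, phone: str, pin: str) -> list:
    # Same shape as rawQuery("... WHERE phone = '" + phone + "' ...", null):
    # the input is spliced into the SQL text, so a quote in it rewrites the query.
    sql = "SELECT id FROM users WHERE phone = '%s' AND pin = '%s'" % (phone, pin)
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con: sqlite3.Connection, phone: str, pin: str) -> list:
    # Same shape as rawQuery("... WHERE phone = ? AND pin = ?", new String[]{phone, pin}):
    # values are bound as parameters and are never parsed as SQL.
    sql = "SELECT id FROM users WHERE phone = ? AND pin = ?"
    return [row[0] for row in con.execute(sql, (phone, pin))]


def demo() -> dict:
    """Run the same two payloads through both query styles and return the ids
    each one yields, so the difference is visible without reading output."""
    con = make_db()
    bypass_phone = "5551000' --"       # closes the quote, comments out the PIN check
    dump_phone = "' OR 1=1 --"         # makes the WHERE clause always true
    return {
        "legit_vuln": find_user_vulnerable(con, "5551000", "1234"),
        "bypass_vuln": find_user_vulnerable(con, bypass_phone, "wrong"),
        "dump_vuln": find_user_vulnerable(con, dump_phone, "wrong"),
        "legit_safe": find_user_safe(con, "5551000", "1234"),
        "bypass_safe": find_user_safe(con, bypass_phone, "wrong"),
        "dump_safe": find_user_safe(con, dump_phone, "wrong"),
    }
```

The "--" payloads are single statements, so they work even where the driver refuses stacked queries (Python's sqlite3 does, and Android's rawQuery likewise compiles one statement); injection does not need a second statement to bypass a check or dump a table.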
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: A/k.java, line(s) 165 E/B.java, line(s) 151

Medium-severity vulnerability: MD5 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: F/C0903c.java, line(s) 56 J1/W2.java, line(s) 234 O3/k.java, line(s) 14
Check for both MD5 and SHA-1: collision weakness is exploitable where the digest backs integrity checks, signatures, certificate pinning or password storage; a digest used only as a cache key or a non-security checksum is not. Classify each call site by purpose before assigning a fix.

Medium-severity vulnerability: The application may request root (superuser) privileges.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/datavisorobfus/c.java, line(s) 94
Check: the call is in the same obfuscated third-party SDK package flagged above. Invoking su from such code is more likely a root-detection probe than an actual privilege request; confirm by reading what the result is used for.

Medium-severity vulnerability: IP address disclosure.
Files: com/datavisorobfus/g.java, line(s) 19 com/datavisorobfus/l.java, line(s) 100 com/datavisorobfus/m.java, line(s) 328

Medium-severity vulnerability: The application contains privacy trackers.
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.

Medium-severity vulnerability: The application may contain hard-coded secrets.
The following secrets were identified in the application. Make sure these are not confidential or private information:
"google_api_key" : "AIzaSyCjyc8ijCfCsFOb6qu92XNcdv0Xczkdswo"
"google_app_id" : "1:997960286939:android:44dfa5ba9d6034a28d02fe"
"google_crash_reporting_api_key" : "AIzaSyCjyc8ijCfCsFOb6qu92XNcdv0Xczkdswo"
MJCR3nbjtc8ARKt9HOAI/AZAzrHiEyhubQ==
KZGR3Uffq88OW6tuEewC9j5V3A==
H6ik7UfoqtAwYIZxE9A68jVW8J/oAjw=
dI2H2mzZqo8OQIQxI/oZ8itF3Lf7XC57dQ==
MJCR3nbjtc8ARKt/AP825zhTxLPuFzw=
Check: the Google API key and app ID are Firebase client identifiers that ship in every Firebase-enabled APK and are not secrets by themselves, but the key should be restricted to this package name and signing certificate in the Google Cloud console. The base64 strings should be decoded and traced to their use to determine whether they are keys, IVs or merely encoded constants.
Informational: The application writes log messages. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: A/a.java, line(s) 828,823,827,248,261,309,312,352,372,382,424 A/d.java, line(s) 26,34,35,40,41 A/k.java, line(s) 267 A/s.java, line(s) 212 B0/j.java, line(s) 9,54,52 C0/C0475c.java, line(s) 136,139,140,141,145,247,253 C0/C0478f.java, line(s) 394,403 C0/C0481i.java, line(s) 56 C0/C0482c.java, line(s) 136,139,140,141,145,247,253 C0/C0485f.java, line(s) 394,403 C0/C0488i.java, line(s) 56 C0/k.java, line(s) 441,456,462 C0/o.java, line(s) 401,457,544,434,437,483 C0/s.java, line(s) 47 D/C0850e.java, line(s) 9 D/C0859e.java, line(s) 9 D/O.java, line(s) 85,332,220 D/RunnableC0010b0.java, line(s) 92 D/X.java, line(s) 16,23,30,39,49,56 D/Z.java, line(s) 270 E/I.java, line(s) 80,82,86,93,98 F0/P.java, line(s) 27,49 G/e.java, line(s) 90,449 G0/C0900j.java, line(s) 29 G0/C0938i.java, line(s) 34,55,63 G0/C0939j.java, line(s) 29 G2/f.java, line(s) 112 H0/C0915d.java, line(s) 36,41 H0/C0955d.java, line(s) 36,41 H0/g.java, line(s) 26 H0/h.java, line(s) 58 H0/i.java, line(s) 45 H0/j.java, line(s) 58,223 H0/n.java, line(s) 78 H2/C0919a.java, line(s) 40 H2/C0959a.java, line(s) 40 I0/C0924a.java, line(s) 64,75,93,103 I0/C0965a.java, line(s) 64,75,93,103 I0/e.java, line(s) 42,232 J1/AbstractBinderC0948r.java, line(s) 45 J1/AbstractBinderC0990r.java, line(s) 45 J1/AbstractC0951u.java, line(s) 109,113,44 J1/AbstractC0993u.java, line(s) 109,113,44 J1/C0126n1.java, line(s) 180 J1/C0173z1.java, line(s) 83 J1/C0934d.java, line(s) 58,103,110 J1/C0939i.java, line(s) 35 J1/C0940j.java, line(s) 195,197,99,121,125,192,49 J1/C0976d.java, line(s) 58,103,110 J1/C0977e.java, line(s) 86,96,130,136,141,147,155,164 J1/C0981i.java, line(s) 35 J1/C0982j.java, line(s) 216,218,120,142,146,213,49 J1/F2.java, line(s) 77 J1/HandlerC0943m.java, line(s) 27 J1/HandlerC0985m.java, line(s) 27 J1/W2.java, line(s) 840 J1/Y1.java, line(s) 47,41,126,44,55,58,61 J2/i.java, line(s) 123 K2/c.java, line(s) 32 K2/g.java, line(s) 167,343 L1/a.java, line(s) 111,115 L2/c.java, line(s) 44,55 M0/C0989c.java, line(s) 22 M0/C1090c.java, line(s) 22 M0/h.java, line(s) 22 M1/AbstractC0998e.java, line(s) 142,172,300,306,312,321 M1/AbstractC1010q.java, line(s) 84,87,90,93,96,99,107,110,113,116,171,176 M1/AbstractC1099e.java, line(s) 142,172,300,306,312,321 M1/AbstractC1111q.java, line(s) 84,87,90,93,96,99,107,110,113,116,171,176 M1/AbstractDialogInterfaceOnClickListenerC1012t.java, line(s) 16 M1/AbstractDialogInterfaceOnClickListenerC1113t.java, line(s) 16 M1/P.java, line(s) 39,54 M1/W.java, line(s) 40,45 M1/a.java, line(s) 97,104,182,258,270,111,199 M2/e.java, line(s) 80,81 N/C1029b.java, line(s) 101 N/C1133b.java, line(s) 101 N/g.java, line(s) 123,266,119,265 N/n.java, line(s) 185,239 N/x.java, line(s) 108 O1/h.java, line(s) 46 P2/A.java, line(s) 22 P2/C0183h.java, line(s) 24,27 P2/D.java, line(s) 69,69 P2/E.java, line(s) 24,37,23,23,36,36 P2/F.java, line(s) 57,106,56,119,132,149,156 P2/H.java, line(s) 22,21 P2/J.java, line(s) 44,48,56,69,86,115,140,94,99,123,43,47,55,68,83,114,139 P2/l.java, line(s) 34,83,114,123,102,105,126,132,135,33,82,113 P2/m.java, line(s) 41,60,40,59,32,57 P2/o.java, line(s) 125,120,103 P2/p.java, line(s) 52,26,29,41,51,42 P2/q.java, line(s) 61,72,60,45,53,69 P2/r.java, line(s) 171,215,96,159,187 P2/w.java, line(s) 42,52,41,51 P2/x.java, line(s) 78 P2/y.java, line(s) 33,49 P2/z.java, line(s) 23,35,22,22,34,34 Q0/C1076B.java, line(s) 31 Q0/C1078D.java, line(s) 33,45,52,61 Q0/C1088i.java, line(s) 31,44,96,159,202,219,243 Q0/C1184B.java, line(s) 31 Q0/C1186D.java, line(s) 33,45,52,61 Q0/C1189b.java, line(s) 90 Q0/C1196i.java, line(s) 31,44,96,159,202,219,243 Q0/H.java, line(s) 61,79,52 Q0/s.java, line(s) 53 Q0/w.java, line(s) 319,233,318 Q0/x.java, line(s) 20,34 R/MenuC1225k.java, line(s) 511 R/ViewOnKeyListenerC1110e.java, line(s) 455 R/ViewOnKeyListenerC1219e.java, line(s) 455 S1/b.java, line(s) 239 T0/C1332c.java, line(s) 34 U0/C1213i.java, line(s) 278 U0/C1347i.java, line(s) 279 U1/C1214a.java, line(s) 76,95 U1/C1348a.java, line(s) 76,95 V1/j.java, line(s) 37,36,30 V1/k.java, line(s) 59,66,99,108 W/f.java, line(s) 31 X/B.java, line(s) 100,105 X/C0.java, line(s) 122 X/C0209e.java, line(s) 120 X/C0213h.java, line(s) 188,352 X/C0220o.java, line(s) 33,35 X/C0230z.java, line(s) 32,55 X/C1320v.java, line(s) 640 X/C1324x.java, line(s) 213 X/C1470v.java, line(s) 833 X/C1474x.java, line(s) 213 X/E.java, line(s) 117,332 X/G.java, line(s) 126 X/H.java, line(s) 108,112,116 X/O.java, line(s) 146,171 X/Q.java, line(s) 94 X/W.java, line(s) 44,70 X/Y.java, line(s) 271,288,408,185,203 X/f0.java, line(s) 33,35 X/t0.java, line(s) 32,34 X0/a.java, line(s) 13,20,12,19 X0/b.java, line(s) 137 X0/f.java, line(s) 230,252,258,433,436,460,545,613,660,730,882,887,893,912,922,933,940,1038,1131,1287,1373,1447,1498,1519,1533,1567,1589,1660,1807,107,602,622,630,852,856,860,970,979,1246,1251,1422,1684 X3/C1485c.java, line(s) 34 X3/c.java, line(s) 34 Y/d.java, line(s) 246 Y2/C1350e.java, line(s) 68 Y2/C1503e.java, line(s) 68 Z0/e.java, line(s) 97,96 ai/advance/liveness/lib/C0245a.java, line(s) 44,69,83 ai/advance/liveness/lib/C0249a.java, line(s) 44,69,83 ai/advance/liveness/lib/M.java, line(s) 265 com/pairip/licensecheck/LicenseActivity.java, line(s) 93,71 com/pairip/licensecheck/LicenseClient.java, line(s) 77,90,121,138,168,196,187,112 com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/W.java, line(s) 45,44 com/wang/avi/AVLoadingIndicatorView.java, line(s) 335 e0/b.java, line(s) 34 e0/c.java, line(s) 49 e0/k.java, line(s) 31 e0/u.java, line(s) 30 i1/C0926a.java, line(s) 102,119,97,118,142 i1/C0967a.java, line(s) 102,119,97,118,142 i1/c.java, line(s) 44,57,82,42,56,81,78,97,109 i1/e.java, line(s) 16,13,13 i1/f.java, line(s) 32,105,28,41 i1/g.java, line(s) 43,38 i1/h.java, line(s) 210,81,225,239 i1/i.java, line(s) 42,40,55,78,107,127,135,56,79,108,128,136 i1/j.java, line(s) 63,77,55,69 i1/l.java, line(s) 56,51 i1/m.java, line(s) 47,67 k1/C0969f.java, line(s) 253,494 k1/C1013f.java, line(s) 253,494 k1/HandlerC0968e.java, line(s) 32 k1/HandlerC1012e.java, line(s) 32 k1/t.java, line(s) 274,372 me/jessyan/autosize/AutoSize.java, line(s) 97 me/jessyan/autosize/AutoSizeConfig.java, line(s) 332,345,358,250 me/jessyan/autosize/DefaultAutoAdaptStrategy.java, line(s) 23,36,41,16,30 me/jessyan/autosize/utils/AutoSizeLog.java, line(s) 15,21,35 p/a.java, line(s) 89 q/h.java, line(s) 93,143,155,165 q/i.java, line(s) 165 t2/d.java, line(s) 48 t2/f.java, line(s) 199,217,70,74,80,83,150 z1/e.java, line(s) 70,76,250,308,333,303,73,100,159,195,210,218,228
Check: most of these paths are obfuscated library packages. Prioritise the app's own package (com/simpleprestamomx/...) and any log statement on the credential, identity-document and loan-data paths, and confirm release builds strip or gate debug logging.

Informational: The application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can read it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/C0755f2.java, line(s) 4,41,45 com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/C0764f2.java, line(s) 4,42,46 com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/Z1.java, line(s) 4,44,48 com/simpleprestamomx/viofhwshjhuedrgew/ieajkge/s2.java, line(s) 4,42,46
Check: since Android 10 only the foreground app and the default input method can read the clipboard, so background harvesting needs an older device; the data still persists in the clipboard history and in any clipboard-syncing keyboard, so check what these four call sites copy.
Passed: The application may implement root detection.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: F/C0873h.java, line(s) 158 F/C0908h.java, line(s) 684

Passed: The application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/simpleprestamomx/requestconfig/Z.java, line(s) 28
Check: this is a static match on a single line. Confirm at runtime that requests to the loan backend fail under an interception proxy with a user-installed CA, and that the WebView and third-party SDK network paths are covered too; a pin configured for one client does not protect the others.

Passed: Firebase Remote Config is disabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/997960286939/namespaces/firebase:fetch?key=AIzaSyCjyc8ijCfCsFOb6qu92XNcdv0Xczkdswo ) is disabled. The response was: { "state": "NO_TEMPLATE" }
Overall Security Baseline Score Summary

Simple Préstamo v2.1.4
Android APK
Overall security score: 55/100
Overall risk level: Medium