Mobile Application Security Scan Report

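Eze v5.0
Security baseline score: 49/100
Overall risk level: Medium risk
Risk rating scale: A / B / C / F
Assessment: The application carries some security risk; optimization is recommended.

Distribution of vulnerabilities and security items
High-risk vulnerabilities: 3
Medium-risk vulnerabilities: 11
Security notices: 4
Passed security checks: 2

Privacy risk assessment
Third-party trackers: 2
Medium privacy risk: a small number of third-party trackers were detected.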
Key security concerns
0
High-risk vulnerability: The base configuration is configured to trust user-installed certificates.
Scope: *
High-risk vulnerability: The domain configuration is insecurely configured to permit cleartext traffic to these in-scope domains.
Scope: ocsp.usertrust.com ocsp.sectigo.com ezesoft.net 127.0.0.1 10.0.0.1 10.0.1.1 10.0.2.2 localhost
High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files:
com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 480,31,32
Medium-risk vulnerability: The base configuration is configured to trust system certificates.
Scope: *
Medium-risk vulnerability: Activity (androidx.biometric.DeviceCredentialHandlerActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
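Medium-risk vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of that permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.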
Medium-risk vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
com/oblador/keychain/KeychainModule.java, line(s) 45,82,87
io/invertase/firebase/common/TaskExecutorService.java, line(s) 14,15
net/time4j/tz/spi/WinZoneProviderSPI.java, line(s) 26
Medium-risk vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
com/RNFetchBlob/RNFetchBlobFS.java, line(s) 178,200,170,171,172,173,174,175,176,177,190,191,198,712
com/RNFetchBlob/Utils/PathResolver.java, line(s) 25
com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 392
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 461
io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 113,122,123,124
Medium-risk vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files:
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 461
Medium-risk vulnerability: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
com/RNFetchBlob/RNFetchBlobUtils.java, line(s) 24
Medium-risk vulnerability: This application may request root (superuser) privileges.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files:
com/gantix/JailMonkey/HookDetection/HookDetectionCheck.java, line(s) 13,34,13
com/scottyab/rootbeer/Const.java, line(s) 10,10,10,12,10,12,10,10
Medium-risk vulnerability: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files:
com/reactnativecommunity/asyncstorage/AsyncLocalStorageUtil.java, line(s) 6,88
com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 4,5,6,42
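Medium-risk vulnerability: The application contains privacy trackers.
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.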
Medium-risk vulnerability: This application may contain hardcoded secrets.
The following secrets were identified in the application. Make sure that these are not secrets or private information.
"com.google.firebase.crashlytics.mapping_file_id" : "00000000000000000000000000000000"
"firebase_database_url" : "https://eze-mobile.firebaseio.com"
"google_api_key" : "AIzaSyAeToG_iqcHGjPcnTRNuxemRsomrgkt3fM"
"google_app_id" : "1:828521447677:android:3aa827137dd39be2527e94"
"google_crash_reporting_api_key" : "AIzaSyAeToG_iqcHGjPcnTRNuxemRsomrgkt3fM"
Security notice: The application writes log information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Security notice: This application listens for clipboard changes. Some malware also listens for clipboard changes.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files:
com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 30,244,244,4
Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files:
com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,103
Security notice: The application communicates with a Firebase database.
The application communicates with a Firebase database located at https://eze-mobile.firebaseio.com
Passed security check: This application may have root detection capabilities.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files:
com/gantix/JailMonkey/Rooted/GreaterThan23.java, line(s) 26,14,14,14,14,14,14
com/gantix/JailMonkey/Rooted/LessThan23.java, line(s) 20,20,20,20,20,20
com/scottyab/rootbeer/RootBeer.java, line(s) 42
Passed security check: Firebase Remote Config is disabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/828521447677/namespaces/firebase:fetch?key=AIzaSyAeToG_iqcHGjPcnTRNuxemRsomrgkt3fM ) is disabled. The response is as follows: the response code is 403
Overall security baseline score summary
Eze v5.0 (Android APK)
Overall security score: 49
Risk level: Medium risk