Mobile Application Security Scan Report

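Video Downloader v74.0
Security baseline score: 57/100
Overall risk level: Low risk
Risk grade scale: A, B, C, F
The application has some security risks; optimization is recommended.

Distribution of vulnerabilities and security items
- High-severity vulnerabilities: 0
- Medium-severity vulnerabilities: 18
- Informational notices: 1
- Passed security checks: 2
- Key security concerns: 1

Privacy risk assessment
Third-party trackers: 3
Medium privacy risk: a small number of third-party trackers were detected.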
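Medium-severity vulnerability: The application has cleartext network traffic enabled
[android:usesCleartextTraffic=true] The application allows cleartext network traffic (such as HTTP, FTP, DownloadManager, MediaPlayer, etc.). Cleartext traffic is enabled by default at API level 27 and below, and disabled by default at API level 28 and above. Cleartext traffic lacks confidentiality, integrity and authenticity protection, so an attacker can eavesdrop on or tamper with the transmitted data. Disable cleartext traffic and use only encrypted protocols.
Medium-severity vulnerability: Activity (com.fane.videodownloader.FilesActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.fane.videodownloader.WebDownloadActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Service (com.ms.MyService) is not protected.
[android:exported=true] The Service is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Content Provider (com.yandex.metrica.PreloadInfoContentProvider) is not protected.
[android:exported=true] The Content Provider is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.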
Medium-severity vulnerability: The application uses SQLite databases and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: l5/c.java, line(s) 49
Medium-severity vulnerability: The application uses an insecure random number generator
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/ms/MyService.java, line(s) 34 k4/a7.java, line(s) 32 r5/p.java, line(s) 10 v6/a.java, line(s) 3 v6/b.java, line(s) 3 w2/r.java, line(s) 9 w6/a.java, line(s) 3
Medium-severity vulnerability: MD5 is a weak hash with known hash collisions
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/yandex/metrica/impl/ob/Cl.java, line(s) 54 com/yandex/metrica/impl/ob/Gl.java, line(s) 411 k4/a7.java, line(s) 278 w2/r.java, line(s) 35
Medium-severity vulnerability: SHA-1 is a weak hash with known hash collisions
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/yandex/metrica/impl/ob/H.java, line(s) 54 l5/b.java, line(s) 52 o5/t.java, line(s) 92 x3/a.java, line(s) 23
Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/yandex/metrica/impl/ob/C0318i4.java, line(s) 85 com/yandex/metrica/impl/ob/C0712yg.java, line(s) 406 com/yandex/metrica/impl/ob/D4.java, line(s) 117 com/yandex/metrica/impl/ob/yn.java, line(s) 18
Medium-severity vulnerability: The application can read/write external storage. Any application can read data written to external storage.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: y1/e.java, line(s) 34
Medium-severity vulnerability: Firebase Remote Config is enabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/814992085248/namespaces/firebase:fetch?key=AIzaSyDpnYEFKIFgcPwMP3QcydpPCrNg9THqz9w ) is enabled. Make sure these configurations do not contain sensitive information. The response content is shown below: { "entries": { "AD_LOAD_TIMEOUT_MS": "30000", "APPOPEN_CLICK_LIMIT": "0", "APP_OPEN_AD_UNIT": "", "INTERSTITIAL_CLICK_LIMIT": "0", "INTER_AD_UNIT": "", "MAX_CLICKS": "0", "MAX_CLICKS_PERIOD_SEC": "43200", "MAX_REQUESTS": "2", "MAX_REQUESTS_PERIOD_SEC": "30", "NATIVE_AD_UNIT": "", "RETRY_MAX_COUNT": "2", "RETRY_MAX_TIMEOUT_MS": "10000", "RETRY_MIN_TIMEOUT_MS": "2000", "RETRY_TIMEOUT_INC_MS": "2000", "SPLASH_CHAIN_TIMEOUT_SEC": "30", "SPLASH_TIMEOUT_SEC": "30", "aduint_appopen_id": "ca-app-pub-9891994624824845/7039815985", "aduint_native_id": "ca-app-pub-9891994624824845/8687166460", "adunit_interstitial_id": "ca-app-pub-9891994624824845/1266375439" }, "state": "UPDATE", "templateVersion": "70" }
Medium-severity vulnerability: The application contains privacy trackers
This application contains multiple (3) privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-severity vulnerability: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure they are not secret or private information. AdMob advertising platform => "com.google.android.gms.ads.APPLICATION_ID" : "@string/ADMOB_APPLICATION_ID" "google_api_key" : "AIzaSyDpnYEFKIFgcPwMP3QcydpPCrNg9THqz9w" "google_app_id" : "1:814992085248:android:e762a8174eda2dc4f2e3e5" "google_crash_reporting_api_key" : "AIzaSyDpnYEFKIFgcPwMP3QcydpPCrNg9THqz9w" 01528cc0-dd34-494d-9218-24af1317e1ee 4e610cd2-753f-4bfc-9b05-772ce8905c5e 20799a27-fa80-4b36-b2db-0f8141f24180 e4250327-8d3c-4d35-b9e8-3c1720a64b91 c103703e120ae8cc73c9248622f3cd1e e44a8b69c7d76049d312caec6fb8a01b60982d8f 0e5e9c33-f8c3-4568-86c5-2e4f57523f72 6c5f504e-8928-47b5-bfb5-73af8d8bf4b4 67bb016b-be40-4c08-a190-96a3f3b503d3 7d962ba4-a392-449a-a02d-6c5be5613928 296112e4-6263-4554-9032-3a3d5bcc6848 B3EEABB8EE11C2BE770B684D95219ECB
Informational notice: The application logs information; sensitive information must not be logged
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Passed security check: This application may have root detection capabilities
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/yandex/metrica/impl/ob/X1.java, line(s) 17
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: o7/c.java, line(s) 82,81,80 o7/d.java, line(s) 116,106,115,128,114,114 o7/g.java, line(s) 81,80,79,79 o7/h.java, line(s) 140,128,139,138,138
Key security concern: The application may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).
{'ip': '142.250.176.14', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Overall security baseline score summary

Video Downloader v74.0
Android APK
Overall security score: 57
Medium risk