应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
Говорим по-английски v1.13
62
安全评分
安全基线评分
62/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用安全状况良好,可正常使用
漏洞与安全项分布
0
高危
9
中危
2
信息
2
安全
隐私风险评估
1
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
0
中危安全漏洞
9
安全提示信息
2
已通过安全项
2
重点安全关注
0
中危安全漏洞 Broadcast Receiver (com.axidep.polyglotenglishreading.BootReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: E/h.java, line(s) 9 P2/AbstractC0553a.java, line(s) 3 P2/C0554b.java, line(s) 3 Q2/C0568a.java, line(s) 3 com/parse/LocalIdManager.java, line(s) 5
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: I/c.java, line(s) 5,26 com/parse/OfflineSQLiteOpenHelper.java, line(s) 4,12,13 com/parse/ParseSQLiteDatabase.java, line(s) 5,6,119 o0/o.java, line(s) 10,11,105,256,283,315,363,404,446 o0/q.java, line(s) 4,9,10,11 o0/r.java, line(s) 4,9 o0/s.java, line(s) 4,9,10,11 o0/t.java, line(s) 4,5,92
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: c0/a.java, line(s) 231 com/parse/ParseDigestUtils.java, line(s) 11 com/parse/ParseRESTCommand.java, line(s) 200,200
中危安全漏洞 IP地址泄露
IP地址泄露 Files: d0/g.java, line(s) 22
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "answerResultSoundKey" : "answerResultSound" "app_id_for_server_purchases" : "com.axidep.polyglotenglishreading" "dark_from_key" : "DarkTo" "dark_to_key" : "DarkFrom" "firebase_database_url" : "https://api-project-70698519652.firebaseio.com" "google_api_key" : "AIzaSyDHE_DUs1FOZRDADQdaxUAp0OEBddi1tGY" "google_app_id" : "1:70698519652:android:cac81b413f73d259552371" "google_crash_reporting_api_key" : "AIzaSyDHE_DUs1FOZRDADQdaxUAp0OEBddi1tGY" "startAnswerSoundKey" : "startAnswerSound" "testSettingsCategoryKey" : "testSettingsCategory" "voice_settings_engine_key" : "voiceSettingsEngine" 1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: B0/AbstractC0221a.java, line(s) 121 B0/AbstractC0223c.java, line(s) 59 B0/b.java, line(s) 29 B0/h.java, line(s) 137,160 B0/l.java, line(s) 12 C/e.java, line(s) 68,73 C/g.java, line(s) 51 C/h.java, line(s) 56,226 C/m.java, line(s) 75 C1/C0231a.java, line(s) 57,67 E/e.java, line(s) 146 E/g.java, line(s) 113 E/i.java, line(s) 471,488,970,972,974,518,1583,1592,1639,1751,1754,871 E2/c.java, line(s) 361 G/g.java, line(s) 23 H/a.java, line(s) 58,75 H/e.java, line(s) 82 I/C0418f.java, line(s) 138,187,199,209,389 J0/C0432a.java, line(s) 33 J0/b.java, line(s) 64,72 K/AbstractC0115b.java, line(s) 43 K/C0114a.java, line(s) 213 K/C0438D.java, line(s) 62,144,154,247 K/C0447M.java, line(s) 362,192,197,345 K/C0449O.java, line(s) 124 K/C0454U.java, line(s) 33 K/C0472j.java, line(s) 194 K/C0473k.java, line(s) 156 K/C0487y.java, line(s) 90,164,169,189 K/L.java, line(s) 847,817,846,255 K/ViewOnClickListenerC0453T.java, line(s) 61,74,85 K/a0.java, line(s) 233,250,780,792,799,808,50,224 K/r.java, line(s) 31,44,92,155,198,215,239 K1/d.java, line(s) 123,157 L1/a.java, line(s) 32 M2/d.java, line(s) 39 N0/d.java, line(s) 89,88 N1/C0510a.java, line(s) 69,74 P/b.java, line(s) 40 Q/C0559d.java, line(s) 253 Q/i.java, line(s) 19,18 U0/e.java, line(s) 37,43,47 U0/t.java, line(s) 73,72,56,63 V0/d.java, line(s) 62,107,114 V0/h.java, line(s) 33,50 V0/j.java, line(s) 29 V0/q.java, line(s) 69 X0/C0157t.java, line(s) 248,348 X0/I.java, line(s) 24,33 X0/RunnableC0159v.java, line(s) 43 X0/r.java, line(s) 34 Y0/AbstractC0161b.java, line(s) 156,184,314,320,326,335 Y0/AbstractDialogInterfaceOnClickListenerC0181w.java, line(s) 17 Y0/C0164e.java, line(s) 75 Y0/C0178t.java, line(s) 78,81,84,87,90,93,101,104,107,110,149,154 Y0/C0622g.java, line(s) 41,50,52 Y0/Q.java, line(s) 39,54 Y0/X.java, line(s) 40,45 Y0/Z.java, line(s) 47 Z/C0629d.java, line(s) 72 Z/j.java, line(s) 28 Z/n.java, line(s) 35,34 Z/q.java, line(s) 133,165,171,195,304,314,336,344,130,164,170,194,303,313,335,343,148,174,208,293 b/l.java, line(s) 30 b1/C0224a.java, line(s) 49,38 c0/C0230a.java, line(s) 176,181,188,192,207,215 c0/a.java, line(s) 303,380 com/axidep/polyglotenglishreading/Alarm.java, line(s) 182 com/parse/CachedCurrentInstallationController.java, line(s) 24 com/parse/ConnectivityNotifier.java, line(s) 51 com/parse/InstallationId.java, line(s) 22,35,38 com/parse/ManifestInfo.java, line(s) 45,58 com/parse/NetworkQueryController.java, line(s) 29,38 com/parse/Parse.java, line(s) 247 com/parse/ParseCacheDirMigrationUtils.java, line(s) 26,74,85 com/parse/ParseDateFormat.java, line(s) 39 com/parse/ParseImpreciseDateFormat.java, line(s) 31 com/parse/ParseInstallation.java, line(s) 108 com/parse/ParseKeyValueCache.java, line(s) 81,115 com/parse/ParsePinningEventuallyQueue.java, line(s) 136 com/parse/ParseRequest.java, line(s) 102 d0/C0360e.java, line(s) 196 k0/p.java, line(s) 61 l0/a.java, line(s) 9,16,8,15 l0/f.java, line(s) 752 o0/RunnableC0524k.java, line(s) 78 o0/o.java, line(s) 427,426 o1/f.java, line(s) 154 q1/d.java, line(s) 36 r/b.java, line(s) 28 t/c.java, line(s) 249 u/d.java, line(s) 721,155,636 v/C0599a.java, line(s) 104 x/b.java, line(s) 80,79
安全提示信息 应用与Firebase数据库通信
该应用与位于 https://api-project-70698519652.firebaseio.com 的 Firebase 数据库进行通信
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: L2/c.java, line(s) 59,58,57 L2/d.java, line(s) 103,93,102,112,101,101 L2/g.java, line(s) 56,55,54,54 L2/h.java, line(s) 140,128,139,138,138
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/70698519652/namespaces/firebase:fetch?key=AIzaSyDHE_DUs1FOZRDADQdaxUAp0OEBddi1tGY ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
Говорим по-английски v1.13
Android APK
62
综合安全评分
低风险