Application Security Scan Report
Mobile Application Security Scan Report

TodoCrédito v1.4
49
Security score
Security baseline score
49/100
Medium risk
Overall risk level
Risk grade scale
- A
- B
- C
- F
The app carries some security risk; remediation is recommended.
Distribution of vulnerabilities and security items
3
High
13
Medium
2
Info
2
Secure
Privacy risk assessment
1
Third-party tracker
Medium privacy risk
A small number of third-party trackers detected
Distribution of findings
High-severity vulnerabilities
3
Medium-severity vulnerabilities
13
Security notices
2
Passed security checks
2
Key security concerns
0
High-severity vulnerability: Remote WebView debugging is enabled
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/tdcd/mx/bowlines/collared/Bedding.java, line(s) 47,9,10
High-severity vulnerability: The file is world readable. Any application can read the file
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/appsflyer/internal/AFb1tSDK.java, line(s) 908
High-severity vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification Files: com/tdcd/mx/app/nrfboyv/corroborate/gfhwore/cmhjrcne/Nibbled.java, line(s) 78,65
Medium-severity vulnerability: Application data can be backed up
[android:allowBackup=true] This flag allows application data to be backed up with the adb tool. A user with USB debugging enabled can copy the application data directly, which is a data leakage risk.
Medium-severity vulnerability: Activity (com.tdcd.mx.bowlines.nobleman.Hamlin) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-severity vulnerability: Activity (com.tdcd.mx.bowlines.nobleman.Keypad) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files
Files: coil/decode/o0.java, line(s) 36 o1/a.java, line(s) 1928 u/r.java, line(s) 135 u1/e.java, line(s) 68
Medium-severity vulnerability: The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/appsflyer/internal/AFa1tSDK.java, line(s) 15 com/appsflyer/internal/AFb1cSDK.java, line(s) 17 com/appsflyer/internal/AFc1gSDK.java, line(s) 17 d8/k0.java, line(s) 6 i7/a.java, line(s) 20 i7/b.java, line(s) 3 j7/a.java, line(s) 3
Medium-severity vulnerability: The application can read/write external storage. Any application can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: p4/k.java, line(s) 25,36,125 t4/m.java, line(s) 476
Medium-severity vulnerability: MD5 is a weak hash with known hash collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/tdcd/mx/app/heartbeat/disasters/Orientalize.java, line(s) 395 com/tdcd/mx/app/heartbeat/fahey/Norfolk.java, line(s) 147 com/tdcd/mx/app/nrfboyv/corroborate/e0.java, line(s) 88 com/tdcd/mx/app/nrfboyv/corroborate/ywfwut/karol/Jumps.java, line(s) 64
Medium-severity vulnerability: IP address disclosure
Files: q4/c.java, line(s) 130
Medium-severity vulnerability: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: z1/a.java, line(s) 4,5,6,7,117
Medium-severity vulnerability: The file may contain hard-coded sensitive information such as usernames, passwords or keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: coil/memory/MemoryCache.java, line(s) 207 coil/request/l.java, line(s) 89
Medium-severity vulnerability: The application contains privacy trackers
This application has 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.
Medium-severity vulnerability: This app may contain hard-coded secrets
The following secrets were identified in the application; confirm that they are not secret or private information: ay+VtoKl5tH+VrtzJB8h1oUWrdnlp/8PY6T7HfHLzNcjNIWDh61c T9YOJ9cbI0yX4ItqxZaRdN7THwitlcEffLsRDVo6aAO0sdU2qBCAQaVaZ78ODJiTPw== yobmepaddG7etasDw4eNMAREJVyYfVWM/zIgRYSvxhkYLfge5YNtxg4N4Vfpa8H7 6ff7e9ff0ec3b8bf1725f6684d9b7a3b 5cdc1d5843358943a1b0fdd7c16443e5 YW5kcm9pZC5wZXJtaXNzaW9uLlJFQURfU01T FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212 E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1 FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901 8c4c1036dfbd41079367a1b8aa769daa 3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F
Security notice: The application writes log messages. Sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: b1/h.java, line(s) 36,40,44 b1/t.java, line(s) 43 b2/b.java, line(s) 32 c2/l0.java, line(s) 42 com/appsflyer/internal/AFg1aSDK.java, line(s) 51,97,66,55,61,59 com/kongzue/dialogx/DialogX.java, line(s) 82 com/kongzue/dialogx/interfaces/BaseDialog.java, line(s) 545,309 com/kongzue/dialogx/util/views/BlurView.java, line(s) 201 com/kongzue/dialogx/util/views/DialogXBaseRelativeLayout.java, line(s) 235 com/kongzue/dialogx/util/views/a.java, line(s) 386 com/nick/permission/utils/a.java, line(s) 118,123,128,131,272,280,347 com/tdcd/mx/app/heartbeat/Zionism.java, line(s) 137 com/tdcd/mx/app/heartbeat/fahey/byl/CmlyxHzzqj.java, line(s) 43 com/tdcd/mx/app/heartbeat/fahey/byl/jajknpu/Unintentional.java, line(s) 154,423 com/tdcd/mx/app/heartbeat/fahey/byl/jajknpu/Vacationing.java, line(s) 39 com/tdcd/mx/app/heartbeat/fahey/pc/Manipulator.java, line(s) 141,529,384 com/tdcd/mx/app/nrfboyv/Mqzalkxnecc.java, line(s) 48 com/tdcd/mx/app/nrfboyv/Vatican.java, line(s) 1410 com/tdcd/mx/app/nrfboyv/Vaunt.java, line(s) 168 com/tdcd/mx/app/nrfboyv/corroborate/GatorXeroxingjtja.java, line(s) 34 com/tdcd/mx/app/nrfboyv/corroborate/eldjzinmgg/Jablonsky.java, line(s) 887,897 com/tdcd/mx/app/nrfboyv/corroborate/gfhwore/gw/Keywords.java, line(s) 367,370 com/tdcd/mx/app/nrfboyv/corroborate/hqnhahgwgh/Respectively.java, line(s) 259 com/tdcd/mx/app/nrfboyv/corroborate/hqnhahgwgh/Uqrtvgn.java, line(s) 28 com/tdcd/mx/app/nrfboyv/corroborate/ywfwut/karol/Mfaadigd.java, line(s) 26 com/tdcd/mx/app/nrfboyv/costume/Zealousnesskmmw.java, line(s) 28 com/tdcd/mx/bowlines/Interns.java, line(s) 769,779 com/tdcd/mx/bowlines/petting/Trowel.java, line(s) 102 d1/b.java, line(s) 58,61 d2/c.java, line(s) 188,191 d2/h.java, line(s) 267,270 d4/a.java, line(s) 25,40,26,41 e4/a.java, line(s) 53 e8/f.java, line(s) 16,21 f1/b.java, line(s) 68 f1/b1.java, line(s) 1376,1279,1375 f1/k0.java, line(s) 96 
f1/n3.java, line(s) 871,888,637,649,656,665,49,68,862 f1/s2.java, line(s) 50,61 f1/w2.java, line(s) 44,53,67,87,101,116,130 g1/u.java, line(s) 269 h/g.java, line(s) 170,217,276 i/c.java, line(s) 276 i1/f.java, line(s) 143 i3/d.java, line(s) 162,195 i4/a.java, line(s) 18 j3/b.java, line(s) 71 j4/a.java, line(s) 27,36,145 k0/c.java, line(s) 117 k0/l.java, line(s) 48,49 k0/o.java, line(s) 128 k1/c.java, line(s) 169 k5/d.java, line(s) 146 l3/i.java, line(s) 517 me/jessyan/autosize/AutoSize.java, line(s) 107 me/jessyan/autosize/AutoSizeConfig.java, line(s) 321,334,347,243 me/jessyan/autosize/DefaultAutoAdaptStrategy.java, line(s) 21,31,34,15,28 me/jessyan/autosize/utils/AutoSizeLog.java, line(s) 15,21,35 o1/a.java, line(s) 331,1116,1242,1247,1253,1323,1487,1609,1612,1621,1627,1656,1677,1691,1707,1740,1756,1763,1766,1810,1817,1828,1845,1850,1857,2099,2198,2251,2454,2511,2564,2751,2762,2769,2793,2915,2941,2958,2980,2987,3146,3319,3370,3390,3403,3451,3503,3512,3550,3571,3595,3662,769,777,811,823,835,847,859,871,883,895,907,914,925,937,141,920,1212,1216,1220,1542,2445,2464,2472,2674,2684,2835,2843,3232,3294,3747 o1/b.java, line(s) 47 p0/a.java, line(s) 96,99 p0/c.java, line(s) 78,80 p0/d.java, line(s) 128,130 p0/f.java, line(s) 163,165 p5/e.java, line(s) 35,38 p5/g.java, line(s) 68,80 q0/a.java, line(s) 71 q0/e.java, line(s) 93 q0/f.java, line(s) 181,246,305 q0/g.java, line(s) 32,108 q0/h.java, line(s) 122,127 q0/j.java, line(s) 96,362 q0/k.java, line(s) 97,397,404 q0/l.java, line(s) 211,218 q0/m.java, line(s) 1005 q2/i.java, line(s) 53 r0/a.java, line(s) 229,118,274 r0/c.java, line(s) 113 r1/b.java, line(s) 38,46,64 r5/e.java, line(s) 37 r7/d.java, line(s) 446 t/l1.java, line(s) 14,21,28,35,42,51,70,77 t0/d.java, line(s) 92,248 t0/k.java, line(s) 43 t0/p.java, line(s) 80 u/l0.java, line(s) 98,100,104,108,113 u1/e.java, line(s) 120,123,128 u4/x.java, line(s) 40 w0/c.java, line(s) 64 w0/d.java, line(s) 68 w0/h.java, line(s) 334,340,346,144,153,274 w5/c.java, line(s) 104 
x0/e.java, line(s) 564,569 x0/e0.java, line(s) 105 x0/g.java, line(s) 70 x0/h.java, line(s) 41,74 x0/m.java, line(s) 56,228 y1/c.java, line(s) 40,28,32 z/c.java, line(s) 21 z7/e.java, line(s) 54,91,91
Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard because other applications can access it
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/tdcd/mx/unhappiness/dwarf/Simulators.java, line(s) 4,93 t5/h.java, line(s) 5,87
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: y7/d.java, line(s) 119,118,117 y7/e.java, line(s) 138,127,137,150,136,136 y7/j.java, line(s) 121,120,119,119 y7/k.java, line(s) 240,227,239,238,238
Passed security check: This application may implement root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: t4/m.java, line(s) 213,214
Overall security baseline score summary

TodoCrédito v1.4
Android APK
49
Overall security score
Medium risk