应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
Niza v1.4.3
57
安全评分
安全基线评分
57/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
1
高危
18
中危
3
信息
3
安全
隐私风险评估
2
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
1
中危安全漏洞
18
安全提示信息
3
已通过安全项
3
重点安全关注
0
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/reactnativecommunity/webview/RNCWebViewManagerImpl.java, line(s) 445,17 com/sumsub/sns/internal/features/presentation/dialogs/bottomsheet/a.java, line(s) 223,5
中危安全漏洞 Broadcast Receiver (io.invertase.firebase.messaging.ReactNativeFirebaseMessagingReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Service (androidx.work.impl.background.systemjob.SystemJobService) 受权限保护,但应检查权限保护级别。
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Activity (app.notifee.core.NotificationReceiverActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (app.notifee.core.AlarmPermissionBroadcastReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/RNFetchBlob/RNFetchBlobFS.java, line(s) 179,201,171,172,173,174,175,176,177,178,191,192,199,713 com/RNFetchBlob/Utils/PathResolver.java, line(s) 25 com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 367 com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 462 com/sumsub/sentry/android/c.java, line(s) 497,285 com/sumsub/sns/internal/features/presentation/camera/photo/document/SNSPhotoDocumentPickerViewModel.java, line(s) 3083 com/sumsub/sns/internal/fingerprint/a.java, line(s) 196 com/sumsub/sns/internal/ml/docdetector/b.java, line(s) 134 com/sumsub/sns/internal/ml/docdetector/d.java, line(s) 88 io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 113,122,123,124 io/sentry/android/core/DeviceInfoUtil.java, line(s) 165,340
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: com/mrousavy/camera/CameraView_TakePhotoKt.java, line(s) 59 com/mrousavy/camera/core/RecordingSession.java, line(s) 67 com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 462 com/sumsub/sns/internal/core/common/p0.java, line(s) 240 io/sentry/react/RNSentryModuleImpl.java, line(s) 776
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: io/sentry/util/StringUtils.java, line(s) 70
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/sumsub/sns/core/presentation/base/b.java, line(s) 71,72 com/sumsub/sns/core/widget/applicantData/SNSApplicantDataSelectionCountryFieldView.java, line(s) 45,46 com/sumsub/sns/core/widget/autocompletePhone/PhoneNumberKit.java, line(s) 41,42 com/sumsub/sns/core/widget/autocompletePhone/bottomsheet/SNSPickerDialog.java, line(s) 67,68 com/sumsub/sns/internal/core/presentation/base/adapter/e.java, line(s) 37 com/sumsub/sns/internal/core/presentation/intro/c.java, line(s) 56 com/sumsub/sns/internal/features/data/model/common/e.java, line(s) 261 com/sumsub/sns/internal/features/data/model/common/remote/a.java, line(s) 272 com/sumsub/sns/internal/features/data/model/common/remote/k.java, line(s) 46 com/sumsub/sns/internal/features/data/model/common/remote/r.java, line(s) 177 com/sumsub/sns/internal/features/data/model/common/remote/response/f.java, line(s) 1937 com/sumsub/sns/internal/features/data/model/common/remote/x.java, line(s) 769 com/sumsub/sns/internal/features/domain/c.java, line(s) 148 com/sumsub/sns/internal/features/domain/f.java, line(s) 75 com/sumsub/sns/internal/features/presentation/camera/photo/b.java, line(s) 358,476,172 com/sumsub/sns/internal/features/presentation/consent/b.java, line(s) 91 com/sumsub/sns/internal/features/presentation/preview/ekyc/eid/pin/b.java, line(s) 105 com/sumsub/sns/internal/features/presentation/videoident/presentation/SNSVideoIdentFragment.java, line(s) 127,130 io/invertase/firebase/common/TaskExecutorService.java, line(s) 14,15 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingHeadlessService.java, line(s) 12,10 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingSerializer.java, line(s) 23 io/invertase/notifee/NotifeeEventSubscriber.java, line(s) 17,25 io/niza/app/BuildConfig.java, line(s) 11 io/noties/markwon/html/CssProperty.java, line(s) 30 io/noties/markwon/html/jsoup/nodes/DocumentType.java, line(s) 4,5 io/sentry/Baggage.java, line(s) 35 io/sentry/RequestDetailsResolver.java, line(s) 22 io/sentry/SpanDataConvention.java, line(s) 4,5,8,9,15,17,16,20,18 io/sentry/TraceContext.java, line(s) 25 io/sentry/protocol/User.java, line(s) 41
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/sumsub/sns/internal/ff/a.java, line(s) 77 io/sentry/SpotlightIntegration.java, line(s) 85
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/sumsub/sns/internal/log/utils/a.java, line(s) 9
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/RNFetchBlob/RNFetchBlobUtils.java, line(s) 24
中危安全漏洞 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/scottyab/rootbeer/Const.java, line(s) 10,10,10,12,10,12,10,10 com/sumsub/sentry/android/h.java, line(s) 103,103,103,103,103 io/sentry/android/core/internal/util/RootChecker.java, line(s) 22,22,22,22,22
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个2隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 Google_Drive_API_Key: AIza3RBtkXFabmhdEd9oCKJQ7Ia4U2MIa93onkS "NIZA_PUSHER_WEBSOCKET_APP_KEY" : "cd02139a35ead0a82ef6" "REACT_APP_API_URL" : "https://app.niza.io/api" "google_api_key" : "AIzaSyDIc2xawbRjqiy2nMOIJykLUQcQntlsogY" "google_app_id" : "1:884950648277:android:6478422b471109024da95c" "google_crash_reporting_api_key" : "AIzaSyDIc2xawbRjqiy2nMOIJykLUQcQntlsogY" 1ddaa4b892e61b0f7010597ddc582ed3 5ed67192b2104fb682468a5be4dee5da 41058363725152142129326129780047268409114441015993725554835256314039467401291 36134250956749795798585127919587881956611106672985015071877198253568414405109 115792089210356248762697446949407573530086143415290314195533631308867097853951 115792089210356248762697446949407573529996955224135760342422259061068512044369 24b2477514809255df232947ce7928c4 a43dcc70a3a7b7ed52405377b6d52850 115792089210356248762697446949407573530086143415290314195533631308867097853948 48439561293906451759052585252797914202762949526041747995844080717082404635286
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: app/notifee/core/AlarmPermissionBroadcastReceiver.java, line(s) 12 app/notifee/core/Logger.java, line(s) 13,17,34,39,22,26,30 app/notifee/core/RebootBroadcastReceiver.java, line(s) 12 app/notifee/core/b.java, line(s) 129 cl/json/RNShareImpl.java, line(s) 234,238,255,260,273,287 cl/json/RNSharePathUtil.java, line(s) 51 cl/json/social/InstagramShare.java, line(s) 42,51 cl/json/social/SingleShareIntent.java, line(s) 29,32,41 com/horcrux/svg/Brush.java, line(s) 139,150 com/horcrux/svg/ClipPathView.java, line(s) 33 com/horcrux/svg/FilterView.java, line(s) 93 com/horcrux/svg/ImageView.java, line(s) 134 com/horcrux/svg/LinearGradientView.java, line(s) 71 com/horcrux/svg/PatternView.java, line(s) 82 com/horcrux/svg/RadialGradientView.java, line(s) 83 com/horcrux/svg/SvgViewManager.java, line(s) 244 com/horcrux/svg/UseView.java, line(s) 51,82,97 com/horcrux/svg/VirtualView.java, line(s) 389,315,353,357 com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 220,297,395,400,509,541,628,816,892,896 com/learnium/RNDeviceInfo/RNInstallReferrerClient.java, line(s) 77,83,88,101,28,44,95 com/learnium/RNDeviceInfo/resolver/DeviceIdResolver.java, line(s) 35,41 com/lugg/RNCConfig/RNCConfigModule.java, line(s) 34,38 com/mrousavy/camera/CameraDevicesManager.java, line(s) 76,87 com/mrousavy/camera/CameraView$update$1.java, line(s) 70 com/mrousavy/camera/CameraView.java, line(s) 325 com/mrousavy/camera/CameraViewModule.java, line(s) 91,106,133 com/mrousavy/camera/CameraView_EventsKt.java, line(s) 53,28,36,44 com/mrousavy/camera/core/CameraSession.java, line(s) 181,185,200,211,241,251,257,266,271,273,286,384,397,411,420 com/mrousavy/camera/core/PreviewView.java, line(s) 47,70,106 com/mrousavy/camera/core/RecordingSession.java, line(s) 204,234,70,84,87,106,214,219,229,249,257 com/mrousavy/camera/core/VideoPipeline.java, line(s) 140,174,83,92,94,98,155,208,233,235,245,249 com/mrousavy/camera/core/outputs/BarcodeScannerOutput.java, line(s) 22 com/mrousavy/camera/core/outputs/PhotoOutput.java, line(s) 23 com/mrousavy/camera/core/outputs/SurfaceOutput.java, line(s) 81,85 com/mrousavy/camera/core/outputs/VideoPipelineOutput.java, line(s) 32 com/mrousavy/camera/extensions/CameraDevice_createCaptureSessionKt.java, line(s) 61,47,52,73,85,88 com/mrousavy/camera/extensions/CameraManager_openCameraKt.java, line(s) 60,32,37,46 com/mrousavy/camera/extensions/RecordingSession_getRecommendedBitRateKt.java, line(s) 33 com/mrousavy/camera/frameprocessor/FrameProcessorPluginRegistry.java, line(s) 18,22,25,28 com/mrousavy/camera/frameprocessor/VisionCameraProxy.java, line(s) 54,61,48 com/mrousavy/camera/types/PixelFormat.java, line(s) 78 com/pairip/licensecheck/LicenseActivity.java, line(s) 93,71 com/pairip/licensecheck/LicenseClient.java, line(s) 77,90,121,138,168,196,187,112 com/reactcommunity/rndatetimepicker/Common.java, line(s) 134 com/reactcommunity/rndatetimepicker/MinuteIntervalSnappableTimePickerDialog.java, line(s) 111,177 com/reactnativecommunity/webview/RNCWebView.java, line(s) 352 com/reactnativecommunity/webview/RNCWebViewClient.java, line(s) 97,170,86,102,130,172 com/reactnativecommunity/webview/RNCWebViewManagerImpl.java, line(s) 138,151 com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 302,307,331,336,210,238,241,255 com/reactnativedocumentpicker/RNDocumentPickerModule.java, line(s) 73 com/reactnativemmkv/MmkvModule.java, line(s) 38,27,33,35 com/scottyab/rootbeer/RootBeer.java, line(s) 120,133,144,188,256,100,166,207 com/scottyab/rootbeer/RootBeerNative.java, line(s) 17 com/scottyab/rootbeer/util/QLog.java, line(s) 65,21,22,23,24,30,31,59,71,43,44,45,46,52,53 com/sumsub/msdk/plugins/reactnative/SNSMobileSdkReactNativeModule.java, line(s) 59,65,71,84,95,104,108,115,159,162,171,175,274,278,231,249 com/sumsub/sns/internal/core/common/t0.java, line(s) 316 com/sumsub/sns/internal/core/presentation/camera/CameraX.java, line(s) 750 com/sumsub/sns/internal/log/logger/d.java, line(s) 12,14,21,23,30,32,39,41,48,50 com/sumsub/sns/internal/ml/docdetector/d.java, line(s) 97 com/swmansion/gesturehandler/react/RNGestureHandlerModule.java, line(s) 700 com/swmansion/gesturehandler/react/RNGestureHandlerRootHelper.java, line(s) 47,65 com/swmansion/gesturehandler/react/RNGestureHandlerRootView.java, line(s) 34 com/swmansion/reanimated/NativeMethodsHelper.java, line(s) 47 com/swmansion/reanimated/ReanimatedModule.java, line(s) 102 com/swmansion/reanimated/ReanimatedUIManagerFactory.java, line(s) 20 com/swmansion/reanimated/keyboard/WindowsInsetsManager.java, line(s) 42,61,81,116 com/swmansion/reanimated/layoutReanimation/AnimationsManager.java, line(s) 200,214 com/swmansion/reanimated/layoutReanimation/ReanimatedNativeHierarchyManager.java, line(s) 39 com/swmansion/reanimated/layoutReanimation/ScreensHelper.java, line(s) 17 com/swmansion/reanimated/layoutReanimation/SharedTransitionManager.java, line(s) 122 com/swmansion/reanimated/layoutReanimation/TabNavigatorObserver.java, line(s) 34,54,111 com/swmansion/reanimated/nativeProxy/NativeProxyCommon.java, line(s) 190 com/swmansion/reanimated/sensor/ReanimatedSensorContainer.java, line(s) 35 com/swmansion/rnscreens/ScreenStackHeaderConfigViewManager.java, line(s) 178 com/th3rdwave/safeareacontext/SafeAreaView.java, line(s) 106 eightbitlab/com/blurview/BlurView.java, line(s) 64 io/invertase/firebase/app/ReactNativeFirebaseApp.java, line(s) 16 io/invertase/firebase/app/ReactNativeFirebaseAppModule.java, line(s) 52 io/invertase/firebase/common/RCTConvertFirebase.java, line(s) 114 io/invertase/firebase/common/ReactNativeFirebaseEventEmitter.java, line(s) 130 io/invertase/firebase/common/SharedUtils.java, line(s) 84,263,321,121 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingModule.java, line(s) 80 io/invertase/firebase/messaging/ReactNativeFirebaseMessagingReceiver.java, line(s) 21,42 io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 70 io/invertase/notifee/NotifeeReactUtils.java, line(s) 192,207 io/noties/markwon/LinkResolverDef.java, line(s) 23 io/noties/markwon/PrecomputedTextSetterCompat.java, line(s) 35 io/sentry/SystemOutLogger.java, line(s) 14,22,31 io/sentry/android/core/AndroidLogger.java, line(s) 87,83,75,79,85 io/sentry/android/core/SentryLogcatAdapter.java, line(s) 43,48,78,83,53,58,33,38,63,68,73,88,93,98 io/sentry/android/replay/WindowManagerSpy.java, line(s) 26,86 io/sentry/android/replay/WindowSpy.java, line(s) 27,47 io/sentry/transport/StdoutTransport.java, line(s) 40 org/greenrobot/eventbus/Logger.java, line(s) 32,37
安全提示信息 此应用侦听剪贴板更改。一些恶意软件也会监听剪贴板更改
此应用侦听剪贴板更改。一些恶意软件也会监听剪贴板更改 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 30,190,190,4
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,72 com/sumsub/sns/internal/core/common/j.java, line(s) 7,22
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/sumsub/sns/internal/core/common/t0.java, line(s) 193,193 com/sumsub/sns/internal/core/domain/a.java, line(s) 608,637,579,608,637
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/scottyab/rootbeer/RootBeer.java, line(s) 43 com/sumsub/sentry/android/h.java, line(s) 103,103,103,103,103,103 io/sentry/android/core/DeviceInfoUtil.java, line(s) 136 io/sentry/android/core/internal/util/RootChecker.java, line(s) 40,22,22,22,22,22,22,34
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/884950648277/namespaces/firebase:fetch?key=AIzaSyDIc2xawbRjqiy2nMOIJykLUQcQntlsogY ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
Niza v1.4.3
Android APK
57
综合安全评分
中风险