应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
Online Loans v421.2.42
52
安全评分
安全基线评分
52/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
3
高危
16
中危
1
信息
3
安全
隐私风险评估
4
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
3
中危安全漏洞
16
安全提示信息
1
已通过安全项
3
重点安全关注
0
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: H5/L5.java, line(s) 113,12,13 com/pichillilorenzo/flutter_inappwebview_android/in_app_browser/InAppBrowserActivity.java, line(s) 384,16 com/pichillilorenzo/flutter_inappwebview_android/webview/in_app_webview/FlutterWebView.java, line(s) 134,9
高危安全漏洞 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: S4/h.java, line(s) 73 T/i.java, line(s) 103
高危安全漏洞 该文件是World Readable。任何应用程序都可以读取文件
该文件是World Readable。任何应用程序都可以读取文件 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/appsflyer/internal/AFa1zSDK.java, line(s) 474
中危安全漏洞 Broadcast Receiver (io.flutter.plugins.firebase.messaging.FlutterFirebaseMessagingReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: E1/M.java, line(s) 6,7,128,146,202,548,606,618,675,769 E1/W.java, line(s) 4,5,152 M2/AbstractC2561y.java, line(s) 4,5,41 M2/C2103x.java, line(s) 7,8,369,477,503 M2/C2402e.java, line(s) 6,7,259 M2/C2524t2.java, line(s) 6,7,8,9,760 M2/C2553x.java, line(s) 7,8,625,994,1150,1258,1284,2173,2234,2343 M2/S3.java, line(s) 7,241 com/pichillilorenzo/flutter_inappwebview_android/credential_database/CredentialDatabaseHelper.java, line(s) 4,5,18,19,25,26,36,37 m0/c.java, line(s) 5,6,7,8,9,146 org/infobip/mobile/messaging/dal/sqlite/BaseDatabaseHelper.java, line(s) 7,8,86,97 org/infobip/mobile/messaging/dal/sqlite/PushDatabaseHelperImpl.java, line(s) 4,67,68,39,40,41,53,61 z4/k.java, line(s) 9,10,11,12,13,530
中危安全漏洞 IP地址泄露
IP地址泄露 Files: e6/C1619l.java, line(s) 139 e6/l.java, line(s) 111 io/seon/androidsdk/service/AbstractC1599d.java, line(s) 127,127 io/seon/androidsdk/service/AbstractC1851d.java, line(s) 130,130 io/seon/androidsdk/service/M.java, line(s) 117,105 io/seon/androidsdk/service/N3.java, line(s) 18,19,20,24,21,23,22 juicylab/juicyscore/fvtiv.java, line(s) 76 juicylab/juicyscore/kcgca.java, line(s) 21,21,21
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: G2/W.java, line(s) 9 G6/C0214b.java, line(s) 10 G6/C1755b.java, line(s) 10 M2/C2502q3.java, line(s) 25 M2/o7.java, line(s) 38 V6/AbstractC0292a.java, line(s) 3 V6/AbstractC3144a.java, line(s) 3 V6/C0293b.java, line(s) 3 V6/C3145b.java, line(s) 3 W6/C0297a.java, line(s) 4 W6/C3195a.java, line(s) 4 Z2/i.java, line(s) 8 Z2/m.java, line(s) 5 b7/M.java, line(s) 4 j$/util/C0021g.java, line(s) 5 j$/util/C0023i.java, line(s) 3 j$/util/C0028n.java, line(s) 4 j$/util/C0162t.java, line(s) 3 j$/util/C2008g.java, line(s) 5 j$/util/C2010i.java, line(s) 3 j$/util/C2015n.java, line(s) 4 j$/util/C2149t.java, line(s) 3 j$/util/D.java, line(s) 12 j$/util/DesugarCollections.java, line(s) 3 j$/util/concurrent/ThreadLocalRandom.java, line(s) 11
中危安全漏洞 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: I4/c.java, line(s) 36,110 com/bureau/devicefingerprint/datacollectors/E0.java, line(s) 8,8,8,12,8,12,8,8 e6/A.java, line(s) 20,20,20,24,20,24,20,20 e6/C1608a.java, line(s) 20,20,20,24,20,24,20,20 w4/AbstractC2705a.java, line(s) 8,8,8,12,8,12,8,8 w4/AbstractC3193a.java, line(s) 8,8,8,12,8,12,8,8
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: E3/b.java, line(s) 78 V/AbstractC2642b.java, line(s) 18 V/AbstractC3125b.java, line(s) 18 com/appsflyer/appsflyersdk/AppsFlyerConstants.java, line(s) 7 com/dexterous/flutterlocalnotifications/FlutterLocalNotificationsPlugin.java, line(s) 143 com/dexterous/flutterlocalnotifications/models/NotificationDetails.java, line(s) 54,68 com/juicy/juicy_score_flutter/JuicyScoreFlutterPlugin.java, line(s) 18 com/pichillilorenzo/flutter_inappwebview_android/credential_database/URLCredentialContract.java, line(s) 8,10 com/pichillilorenzo/flutter_inappwebview_android/types/ClientCertResponse.java, line(s) 96 com/pichillilorenzo/flutter_inappwebview_android/types/HttpAuthResponse.java, line(s) 88 com/pichillilorenzo/flutter_inappwebview_android/types/URLCredential.java, line(s) 85 f3/C0397e.java, line(s) 79 f3/C0508e.java, line(s) 79 f3/w.java, line(s) 124 org/infobip/mobile/messaging/api/support/Generator.java, line(s) 863 org/infobip/mobile/messaging/api/support/http/client/Request.java, line(s) 170 org/infobip/mobile/messaging/cloud/firebase/FirebaseMessageMapper.java, line(s) 14 org/infobip/mobile/messaging/platform/MobileMessagingJob.java, line(s) 12
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: V4/C2659b.java, line(s) 11,21 V4/C3142b.java, line(s) 11,21 com/bureau/devicefingerprint/datacollectors/B.java, line(s) 50,54 e5/h.java, line(s) 139,161 e6/C1614g.java, line(s) 41,42,43,44 e6/g.java, line(s) 40,41,42,43 io/seon/androidsdk/service/F.java, line(s) 256,392 m/b.java, line(s) 224 o1/G3.java, line(s) 20 org/infobip/mobile/messaging/chat/attachments/InAppChatAttachmentHelper.java, line(s) 87
中危安全漏洞 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: juicylab/juicyscore/Juicyscore.java, line(s) 2021,2022 org/infobip/mobile/messaging/chat/view/InAppChatWebView.java, line(s) 49,43 org/infobip/mobile/messaging/interactive/inapp/view/InAppWebViewDialog.java, line(s) 465,458
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: T5/o.java, line(s) 18 x3/b.java, line(s) 50
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: G0/z.java, line(s) 84 x3/c.java, line(s) 55
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: M2/o7.java, line(s) 75
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: juicylab/juicyscore/Juicyscore.java, line(s) 2026,2022
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个4隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "app_id" : "102461289" "google_api_key" : "AIzaSyBiDP6LVktbIgd0gm2PpTW9e9qK20MANwY" "google_app_id" : "1:742200262878:android:599f0aae9d1722cafa024f" "google_crash_reporting_api_key" : "AIzaSyBiDP6LVktbIgd0gm2PpTW9e9qK20MANwY" VGhpcyBpcyB0aGUga2V5IGZvciBhIHNlY3VyZSBzdG9yYWdlIEFFUyBLZXkK 7ce180772162edad1efb2e3b20e732b7 VGhpcyBpcyB0aGUgcHJlZml4IGZvciBhIHNlY3VyZSBzdG9yYWdlCg ab067ac0965a4d7bc82b2ac966036da3 3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F VGhpcyBpcyB0aGUga2V5IGZvcihBIHNlY3XyZZBzdG9yYWdlIEFFUyBLZXkK FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212 FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901 470fa2b4ae81cd56ecbcda9735803434cec591fa E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1 MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgyDuy2d0i9oygI9czIibKoJiU0RDEvCfxItNTQAjbynZ6bC1ygeeiX/Ymn9XY3jYR5iu2IGjkr8ZtRJ3wrhZ5A==
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: A1/a.java, line(s) 13,19,36,42 C/d.java, line(s) 462 C0/C0961j.java, line(s) 34 C0/C1121j.java, line(s) 34 J5/v1.java, line(s) 17,23,31 L/m.java, line(s) 1751 L/u.java, line(s) 201,222,230,283,327,339,352,362 M2/C1973g4.java, line(s) 17 M2/C2.java, line(s) 207 M2/C2378b.java, line(s) 59 M2/C2402e.java, line(s) 749 M2/C2423g4.java, line(s) 17 M2/S3.java, line(s) 200 M2/e7.java, line(s) 1885 O0/C2167a.java, line(s) 128 O0/C2621a.java, line(s) 129 O2/C2434a.java, line(s) 88 O2/C2888a.java, line(s) 88 P1/AbstractC0657i.java, line(s) 117 P1/AbstractC0788i.java, line(s) 117 P1/I.java, line(s) 49 P2/C2500a.java, line(s) 143 P2/C2955a.java, line(s) 143 R1/C0686e.java, line(s) 253 R1/C0817e.java, line(s) 253 R1/I.java, line(s) 65 R1/b0.java, line(s) 50 S1/U.java, line(s) 34 S1/X.java, line(s) 103 S1/Z.java, line(s) 29 T2/s.java, line(s) 31,38,45,30,37,44,51,52,58,59 T4/C2620o.java, line(s) 137 T4/C2622q.java, line(s) 19 T4/C3100o.java, line(s) 138 T4/C3102q.java, line(s) 19 W1/q.java, line(s) 48,57,117 X6/e.java, line(s) 47,84,84 Y/S.java, line(s) 705 Z3/g.java, line(s) 22 f4/G.java, line(s) 56 o1/A.java, line(s) 29,42 o1/C.java, line(s) 60 o1/C0644c.java, line(s) 91,104,125,222,271 o1/C0775c.java, line(s) 91,104,125,222,271 o1/x.java, line(s) 36,81,148 o6/d.java, line(s) 447 org/infobip/mobile/messaging/api/support/http/client/UntrustedSSLHelper.java, line(s) 32
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: C3/AbstractC0353i.java, line(s) 320,320,321 C3/AbstractC0461i.java, line(s) 320,320,321 I4/b.java, line(s) 26,14,14,14,14,14,14 I4/c.java, line(s) 25,64,123,36,53,36,110,36,53,36,53,36,53,36,53 T2/AbstractC0745c.java, line(s) 25 T2/AbstractC0876c.java, line(s) 25 e6/A.java, line(s) 180 e6/C1608a.java, line(s) 180 juicylab/juicyscore/fvtiv.java, line(s) 64 w4/b.java, line(s) 199
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: W6/d.java, line(s) 102,101,100 W6/e.java, line(s) 116,106,115,125,114,114 W6/j.java, line(s) 104,103,102,102 W6/k.java, line(s) 224,212,223,222,222
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/742200262878/namespaces/firebase:fetch?key=AIzaSyBiDP6LVktbIgd0gm2PpTW9e9qK20MANwY ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
Online Loans v421.2.42
Android APK
52
综合安全评分
中风险