Mobile Application Security Scan Report

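Bitroo v3.0.0
Security score (security baseline score): 48/100
Overall risk level: Medium risk
Risk grade scale:
- A
- B
- C
- F
The application has some security risks; optimization is recommended.

Distribution of vulnerabilities and security items
High: 4
Medium: 24
Info: 5
Secure: 2

Privacy risk assessment
Third-party trackers: 5
High privacy risk: a large number of third-party trackers were detected.

Distribution of detection results
High-risk vulnerabilities: 4
Medium-risk vulnerabilities: 24
Security notices: 5
Passed security checks: 2
Key security concerns: 0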

High-risk vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/nimbusds/jose/crypto/impl/AESCBC.java, line(s) 31; com/nimbusds/jose/jca/JCASupport.java, line(s) 174

High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/reactnativecommunity/webview/RNCWebViewManagerImpl.java, line(s) 445,17

High-risk vulnerability: A debug configuration is enabled. Production builds must not be debuggable.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files: com/pushsdk/BuildConfig.java, line(s) 3,6

High-risk vulnerability: The application contains privacy trackers.
This application contains 5 privacy trackers. Trackers can track the device or the user, which is a privacy concern for end users.
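
Medium-risk vulnerability: Cleartext network traffic is enabled for the app.
[android:usesCleartextTraffic=true] The app allows cleartext network traffic (for example HTTP, FTP, DownloadManager, MediaPlayer). It is enabled by default at API level 27 and below and disabled by default at API level 28 and above. Cleartext traffic lacks confidentiality, integrity and authenticity protection, so an attacker can eavesdrop on or tamper with the transmitted data. Disable cleartext traffic and use only encrypted protocols.

Medium-risk vulnerability: Activity (com.bitroo.up.MainActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Activity (com.engagelab.privates.common.component.MTCommonActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Activity (com.xiaomi.mipush.sdk.NotificationClickedActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Service (com.xiaomi.mipush.sdk.PushMessageHandler) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.xiaomi.xmsf.permission.MIPUSH_RECEIVE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Broadcast Receiver (com.engagelab.privates.push.platform.mi.callback.MTMiCallback) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Service (com.meizu.cloud.pushsdk.NotificationService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Broadcast Receiver (com.engagelab.privates.push.platform.meizu.callback.MTMeizuCallback) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Service (com.heytap.msp.push.service.CompatibleDataMessageCallbackService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.coloros.mcs.permission.SEND_MCS_MESSAGE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Service (com.heytap.msp.push.service.DataMessageCallbackService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.heytap.mcs.permission.SEND_PUSH_MESSAGE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Service (com.vivo.push.sdk.service.CommandClientService) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.push.permission.UPSTAGESERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Service (com.huawei.hms.support.api.push.service.HmsMsgService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any app can access it.

Medium-risk vulnerability: Content Provider (com.huawei.hms.support.api.push.PushProvider) is not protected.
[android:exported=true] The Content Provider is exported and not protected by any permission, so any app can access it.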

Medium-risk vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Medium-risk vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/RNFetchBlob/RNFetchBlobFS.java, line(s) 178,200,170,171,172,173,174,175,176,177,190,191,198,631; com/RNFetchBlob/Utils/PathResolver.java, line(s) 26; com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 375; com/rnfs/RNFSManager.java, line(s) 933,841,922,924,927; io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 113,124,125,126

Medium-risk vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/microsoft/appcenter/persistence/DatabasePersistence.java, line(s) 6,7,64,69,70,71; com/microsoft/appcenter/utils/storage/DatabaseManager.java, line(s) 7,8,9,10,40; com/reactnativecommunity/asyncstorage/AsyncLocalStorageUtil.java, line(s) 6,88; com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 4,5,6,43

Medium-risk vulnerability: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/RNFetchBlob/RNFetchBlobUtils.java, line(s) 23; com/engagelab/privates/common/utils/StringUtil.java, line(s) 41,64,98,151

Medium-risk vulnerability: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/engagelab/privates/common/utils/StringUtil.java, line(s) 81

Medium-risk vulnerability: IP address disclosure.
Files: com/engagelab/privates/push/platform/honor/BuildConfig.java, line(s) 7; com/engagelab/privates/push/platform/huawei/BuildConfig.java, line(s) 7; com/engagelab/privates/push/platform/vivo/BuildConfig.java, line(s) 7; com/nimbusds/jose/jwk/Curve.java, line(s) 19,20,23,24,25

Medium-risk vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: coil/decode/SourceImageSource.java, line(s) 71; fr/greweb/reactnativeviewshot/RNViewShotModule.java, line(s) 150,152; zendesk/messaging/android/internal/permissions/RuntimePermission.java, line(s) 147

Medium-risk vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/microsoft/appcenter/http/HttpClientRetryer.java, line(s) 9

Medium-risk vulnerability: This app may contain hardcoded secrets.
The following secrets were identified in the application. Make sure they are not secret or private information.
Xiaomi Push => "XIAOMI_APPKEY" : "MI-您的,对应平台信息"
Engagelab Push SDK => "ENGAGELAB_PRIVATES_CHANNEL" : "bitroo"
Xiaomi Push => "XIAOMI_APPID" : "MI-您的,对应平台信息"
vivo Push => "com.vivo.push.app_id" : "您的,对应平台信息"
OPPO Push => "OPPO_APPKEY" : "OP-您的,对应平台信息"
Meizu Push => "MEIZU_APPID" : "MZ-您的,对应平台信息"
vivo Push => "com.vivo.push.api_key" : "您的,对应平台信息"
OPPO Push => "OPPO_APPSECRET" : "OP-您的,对应平台信息"
Meizu Push => "MEIZU_APPKEY" : "MZ-您的,对应平台信息"
Honor Push => "com.hihonor.push.app_id" : "您的,对应平台信息"
Engagelab Push SDK => "ENGAGELAB_PRIVATES_APPKEY" : "8193455208d15f4545966c1a"
OPPO Push => "OPPO_APPID" : "OP-您的,对应平台信息"
vivo Push => "local_iv" : "MzMsMzQsMzUsMzYsMzcsMzgsMzksNDAsNDEsMzIsMzgsMzcsMzYsMzUsMzQsMzMsI0AzNCwzMiwzMywzNywzMywzNCwzMiwzMywzMywzMywzNCw0MSwzNSwzNSwzMiwzMiwjQDMzLDM0LDM1LDM2LDM3LDM4LDM5LDQwLDQxLDMyLDM4LDM3LDMzLDM1LDM0LDMzLCNAMzQsMzIsMzMsMzcsMzMsMzQsMzIsMzMsMzMsMzMsMzQsNDEsMzUsMzIsMzIsMzI"
"CodePushDeploymentKey" : "gCSA80FK6eR0lAOn-0erqCdfdri7hwpTt8COb"
"ENGAGELAB_PRIVATES_CHANNEL_high" : "HIGH"
"ENGAGELAB_PRIVATES_CHANNEL_low" : "LOW"
"ENGAGELAB_PRIVATES_CHANNEL_normal" : "NORMAL"
"ENGAGELAB_PRIVATES_CHANNEL_silence" : "SILENCE"
"com.google.firebase.crashlytics.mapping_file_id" : "00000000000000000000000000000000"
"google_api_key" : "AIzaSyAp17uB9n4iklHZQ1MOrRiIjf1cIa3XMD8"
"google_app_id" : "1:265290532228:android:ce37221e04932a8bb7c9d1"
"google_crash_reporting_api_key" : "AIzaSyAp17uB9n4iklHZQ1MOrRiIjf1cIa3XMD8"

Security notice: The application logs information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Security notice: This app listens for clipboard changes. Some malware also listens for clipboard changes.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 31,232,232,4

Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,104

Security notice: This application uses SQL Cipher. Make sure the key is not hardcoded in the code.
Files: com/microsoft/appcenter/utils/storage/DatabaseManager.java, line(s) 195,203

Security notice: The application can write to the application directory. Sensitive information should be encrypted.
Files: zendesk/storage/android/internal/BasicStorage.java, line(s) 23,23

Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/RNFetchBlob/RNFetchBlobReq.java, line(s) 345,344,351,343,343; com/engagelab/privates/common/i.java, line(s) 60,59,247,58,58; zendesk/android/internal/network/NetworkModule.java, line(s) 74,74,75,75,77,82,82,82,82,82,82,82,82,83,57; zendesk/conversationkit/android/internal/rest/RestClientFactory.java, line(s) 128,128,128,113

Passed security check: Firebase Remote Config is disabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/265290532228/namespaces/firebase:fetch?key=AIzaSyAp17uB9n4iklHZQ1MOrRiIjf1cIa3XMD8 ) is disabled. The response content is shown below: { "state": "NO_TEMPLATE" }

Summary of the overall security baseline score

Bitroo v3.0.0
Android APK
Overall security score: 48
Medium risk