应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
CashVia v1.6.02
55
安全评分
安全基线评分
55/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
2
高危
16
中危
2
信息
3
安全
隐私风险评估
4
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
2
中危安全漏洞
16
安全提示信息
2
已通过安全项
3
重点安全关注
0
高危安全漏洞 应用程序在加密算法中使用ECB模式。ECB模式是已知的弱模式,因为它对相同的明文块[UNK]产生相同的密文
应用程序在加密算法中使用ECB模式。ECB模式是已知的弱模式,因为它对相同的明文块[UNK]产生相同的密文 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode Files: u2/q.java, line(s) 62
高危安全漏洞 该文件是World Readable。任何应用程序都可以读取文件
该文件是World Readable。任何应用程序都可以读取文件 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/datavisorobfus/k0.java, line(s) 29
中危安全漏洞 应用数据允许备份
[android:allowBackup=true] 该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据,存在数据泄露风险。
中危安全漏洞 Broadcast Receiver (com.xy.release.SmsAutoFileReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.gms.auth.api.phone.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Service (com.google.android.gms.auth.api.signin.RevocationBoundService) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: K/C0327d.java, line(s) 219,227 K/C0525d.java, line(s) 719,727 com/datavisor/vangogh/storage/local/a.java, line(s) 104 com/datavisor/vangogh/storage/local/b.java, line(s) 13,15 com/datavisorobfus/i.java, line(s) 1452 com/datavisorobfus/l.java, line(s) 188 com/datavisorobfus/p.java, line(s) 291 com/xy/credyclub/repository/risk/info/InfoStorage.java, line(s) 67,68
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: K1/e.java, line(s) 9 N1/C0206b.java, line(s) 18 N1/C0560b.java, line(s) 19 X0/b.java, line(s) 3 a3d20241011/o0oOOOOOooooo.java, line(s) 26 com/appsflyer/internal/AFb1gSDK.java, line(s) 20 com/datavisor/vangogh/util/ExceptionUtil.java, line(s) 7 com/datavisorobfus/o.java, line(s) 10 d1/w1.java, line(s) 43 t3/y.java, line(s) 3
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: K/AbstractC0524c.java, line(s) 113 d1/w1.java, line(s) 74
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: A2/C0011a.java, line(s) 10,263,275,298 A2/C0026a.java, line(s) 17,665,677,700 Q0/h.java, line(s) 4,56 Q0/i.java, line(s) 4,29 R0/k.java, line(s) 3,12,13,14,15,16,19,20,21,24,27,28,29,32,33,34,35,36,39,42,43,44 R0/l.java, line(s) 5,6,46 d1/AbstractC0242u0.java, line(s) 6,7,71 d1/AbstractC0392u0.java, line(s) 6,7,72 d1/C0214g.java, line(s) 6,7,106,669,939 d1/C0345B.java, line(s) 5,6,7,8,80 d1/C0364g.java, line(s) 6,7,120,161,1114,2001,2321,2361
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: X1/g.java, line(s) 116 com/datavisorobfus/e0.java, line(s) 26 com/datavisorobfus/l0.java, line(s) 11,30,47 r1/c.java, line(s) 48
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: coil/memory/MemoryCache$Key.java, line(s) 54 com/datavisor/vangogh/face/DVKeyName.java, line(s) 4,5
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/datavisor/vangogh/util/ExceptionUtil.java, line(s) 63 com/datavisorobfus/g.java, line(s) 19 com/datavisorobfus/o.java, line(s) 100
中危安全漏洞 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/datavisorobfus/h.java, line(s) 59,58 com/datavisorobfus/l.java, line(s) 254,253
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: T/d.java, line(s) 248 com/xy/credyclub/view/inbasic/BasicThirdFragment.java, line(s) 377
中危安全漏洞 此应用程序可能会请求root(超级用户)权限
此应用程序可能会请求root(超级用户)权限 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: com/datavisorobfus/c.java, line(s) 94
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个4隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "com.google.firebase.crashlytics.mapping_file_id" : "603a826298a743769f99c0011cb2fb9c" "google_api_key" : "AIzaSyBmYnDJtf6ZmJs6WCHuCymaeBU0BnwKzew" "google_app_id" : "1:1048986715349:android:5223ad223b157d834fce5c" "google_crash_reporting_api_key" : "AIzaSyBmYnDJtf6ZmJs6WCHuCymaeBU0BnwKzew" "local_key" : "6LJHsi98e4" 470fa2b4ae81cd56ecbcda9735803434cec591fa E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1 dI2H2mzZqo8OQIQxI/oZ8itF3Lf7XC57dQ== MJCR3nbjtc8ARKt9HOAI/AZAzrHiEyhubQ== H6ik7UfoqtAwYIZxE9A68jVW8J/oAjw= 3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901 KZGR3Uffq88OW6tuEewC9j5V3A== FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212 MJCR3nbjtc8ARKt/AP825zhTxLPuFzw=
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: A/AbstractC0023a.java, line(s) 104,252,111,258,103,110 A/AbstractC0146a.java, line(s) 105,267,112,273,104,111 A2/C0011a.java, line(s) 149,169,168 A2/C0026a.java, line(s) 184,204,258,261,281,296,304,315,502,518,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,507,573,203,244,279,295,303,314,337,433,501,517,557,338,434 A2/C0125c.java, line(s) 30 A2/C0129g.java, line(s) 30 A2/C0149b.java, line(s) 62,88 A2/C0150c.java, line(s) 31 A2/C0151d.java, line(s) 170,195,151 A2/C0154g.java, line(s) 31 C1/c.java, line(s) 111 C1/e.java, line(s) 81,162,86,80,161 E0/b.java, line(s) 45,38,51,56 E0/g.java, line(s) 358,377,364,367,389,357,376,400,401 E0/j.java, line(s) 47,72 E1/d.java, line(s) 26,56,49,25,42,52,55,43,53 F0/d.java, line(s) 29 F0/e.java, line(s) 54,87,94 F0/h.java, line(s) 35 F0/i.java, line(s) 194,196,98,120,124,191,48 F0/l.java, line(s) 63 F0/o.java, line(s) 105,109,40 H0/d.java, line(s) 30 H0/e.java, line(s) 303,411 H0/g.java, line(s) 56,55 H0/s.java, line(s) 84,88 H0/v.java, line(s) 43,67 H1/e.java, line(s) 25,57,58 J0/AbstractC0019e.java, line(s) 305,202,208,214,223,333 J0/AbstractC0072e.java, line(s) 305,202,208,214,223,333 J0/C.java, line(s) 48 J0/j.java, line(s) 33,36,39,42,45,48,59,62,65,68,98,103 J0/k.java, line(s) 33 J0/v.java, line(s) 38 J0/x.java, line(s) 39,54 J0/z.java, line(s) 40,45 L1/RunnableC0533a.java, line(s) 362,381,397 M1/C0194e.java, line(s) 18 M1/C0196g.java, line(s) 212,230,61,65,71,74,141 M1/C0547e.java, line(s) 20 M1/C0549g.java, line(s) 223,241,72,76,82,85,152 N2/n.java, line(s) 132,105,104,131 Q0/b.java, line(s) 70,89 Q0/c.java, line(s) 101,100 Q1/b.java, line(s) 32 Q1/e.java, line(s) 163,351 R0/b.java, line(s) 127,126,120 T/c.java, line(s) 176,184,204,225,175,179,192,180,193,360,373 T/d.java, line(s) 223,414,345,346 U0/f.java, line(s) 58,64,238,294,319,289,61,88,147,183,198,206,216 U0/g.java, line(s) 33 U1/C0281a.java, line(s) 38,39 U1/C0659a.java, line(s) 41,42 U1/b.java, line(s) 87,82,123,129 V2/C0286a.java, line(s) 60 V2/C0667a.java, line(s) 62 W/b.java, line(s) 20,30 W1/C0303b.java, line(s) 10,9 W1/C0690b.java, line(s) 10,9 W1/c.java, line(s) 59,168,58,100 X1/g.java, line(s) 48,120 X1/h.java, line(s) 28,34 X1/i.java, line(s) 32 X1/j.java, line(s) 54,61,62,171 X1/m.java, line(s) 90,250,271,289,372,329,345,89,111,249,270,288,319,324,347,361,371,112,320,325,362,285,295,316,350 X1/o.java, line(s) 32,44,45,28 X1/p.java, line(s) 83,107,91,112,114,116,68,82,106,69,77 X1/r.java, line(s) 35,24,28,34 X1/u.java, line(s) 27,35,42,26,34,41 X1/w.java, line(s) 39,40 X1/z.java, line(s) 194,59,193,60,157 Y1/A.java, line(s) 34 Y1/C0104m.java, line(s) 22,29 Y1/C0114x.java, line(s) 30 Y1/C0126l.java, line(s) 82,102,155,119,108,117 Y1/C0127m.java, line(s) 24,31 Y1/C0131q.java, line(s) 44 Y1/C0137x.java, line(s) 31 Y1/C0319d.java, line(s) 32,60 Y1/C0322g.java, line(s) 138,165,76,137,164,54,67,98,144,194,231,266 Y1/C0327l.java, line(s) 26,62 Y1/C0713d.java, line(s) 35,63 Y1/C0716g.java, line(s) 140,167,78,139,166,56,69,100,146,196,233,268 Y1/C0721l.java, line(s) 30,54,97 Y1/F.java, line(s) 59 Y1/S.java, line(s) 58,67,57 Y1/T.java, line(s) 53,45 Y1/V.java, line(s) 61,73,89,79 Y1/W.java, line(s) 29,49 Y1/X.java, line(s) 36,57,62,97,100 com/appsflyer/internal/AFf1cSDK.java, line(s) 145 com/appsflyer/internal/AFf1fSDK.java, line(s) 135 com/appsflyer/internal/AFf1uSDK.java, line(s) 66,71,117,123 com/appsflyer/internal/AFg1dSDK.java, line(s) 39,85,54,43,49,47 com/xy/credyclub/MineApp.java, line(s) 162 d1/C0241u.java, line(s) 143,142 d1/C0243v.java, line(s) 168 d1/C0391u.java, line(s) 147,146 d1/C0393v.java, line(s) 175 d1/G.java, line(s) 233 d1/u1.java, line(s) 77 d1/w1.java, line(s) 875 m0/a.java, line(s) 136 o3/d.java, line(s) 33 r1/c.java, line(s) 41,52 r1/e.java, line(s) 67 s1/c.java, line(s) 78,79 t1/a.java, line(s) 51,50,55 u2/z.java, line(s) 49 w0/a.java, line(s) 110,211 w0/b.java, line(s) 37,52,60,69
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: X2/C0312a.java, line(s) 5,76,89 X2/C0703a.java, line(s) 5,77,90
已通过安全项 此应用程序可能具有Root检测功能
此应用程序可能具有Root检测功能 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: K/C0327d.java, line(s) 158,158,158,158 K/C0525d.java, line(s) 658,658,658,658 X1/g.java, line(s) 107,107,108
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: j2/e.java, line(s) 63,66,69,39 n3/e.java, line(s) 71,70,69 n3/h.java, line(s) 84,74,83,91,82,82 n3/m.java, line(s) 72,71,70,70 n3/n.java, line(s) 117,105,116,115,115
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/1048986715349/namespaces/firebase:fetch?key=AIzaSyBmYnDJtf6ZmJs6WCHuCymaeBU0BnwKzew ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
CashVia v1.6.02
Android APK
55
综合安全评分
中风险