应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
医路轻松 v1.1.3
41
安全评分
安全基线评分
41/100
中风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
4
高危
11
中危
2
信息
1
安全
隐私风险评估
1
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
4
中危安全漏洞
11
安全提示信息
2
已通过安全项
1
重点安全关注
0
高危安全漏洞 App 链接 assetlinks.json 文件未找到
[android:name=com.qshealth.qsdoctor.MainActivity][android:host=https://qsdoctor.qshealth.com] App Link 资产验证 URL(https://qsdoctor.qshealth.com/.well-known/assetlinks.json)未找到或配置不正确。(状态码:404)。应用程序链接允许用户通过 Web URL 或电子邮件直接跳转到移动应用。如果 assetlinks.json 文件缺失或主机/域配置错误,恶意应用可劫持此类 URL,导致网络钓鱼攻击,泄露 URI 中的敏感信息(如 PII、OAuth 令牌、魔术链接/重置令牌等)。请务必通过托管 assetlinks.json 文件并在 Activity 的 intent-filter 中设置 [android:autoVerify="true"] 来完成 App Link 域名验证。
高危安全漏洞 已启用远程WebView调试
已启用远程WebView调试 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt$WebV2Page$5$1$1.java, line(s) 127,18,19 com/qshealth/qsdoctor/feature/webview/WebViewPageV3Kt$WebV3Page$5$1$1.java, line(s) 127,18,19
高危安全漏洞 应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。
应用程序使用带PKCS5/PKCS7填充的加密模式CBC。此配置容易受到填充oracle攻击。 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/qshealth/qsdoctor/utils/SecUtils.java, line(s) 31,53
高危安全漏洞 如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击
如果一个应用程序使用WebView.loadDataWithBaseURL方法来加载一个网页到WebView,那么这个应用程序可能会遭受跨站脚本攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/qshealth/qsdoctor/widgets/WebViewKt$CWebView$2$1.java, line(s) 129,8,9
中危安全漏洞 应用数据允许备份
[android:allowBackup=true] 该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据,存在数据泄露风险。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/orhanobut/logger/CsvFormatStrategy.java, line(s) 101 com/qshealth/qsdoctor/base/AppInitializer.java, line(s) 30,31,32,33,34 com/qshealth/qsdoctor/feature/videotask/base/params/VideoPageParamsKt.java, line(s) 29 com/qshealth/qsdoctor/feature/videotask/record/VideoRecordVm.java, line(s) 167 com/qshealth/qsdoctor/feature/videotask/utils/AssetCopyUtil.java, line(s) 35 com/qshealth/qsdoctor/utils/DownloadManagerUtils.java, line(s) 148
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: coil/memory/MemoryCache.java, line(s) 119 coil/memory/MemoryCacheService.java, line(s) 39 coil/request/Parameters.java, line(s) 158 com/hjq/permissions/PermissionActivityIntentHandler.java, line(s) 9 com/qshealth/qsdoctor/feature/me/collectList/DetailPageParamsV2.java, line(s) 61 com/qshealth/qsdoctor/feature/videotask/utils/OssUtilsParams.java, line(s) 102 com/qshealth/qsdoctor/repo/remote/model/Captcha.java, line(s) 61 com/qshealth/qsdoctor/repo/remote/model/PersonalInfoCategory.java, line(s) 88 com/qshealth/qsdoctor/repo/remote/model/PersonalInfoData.java, line(s) 89 com/qshealth/qsdoctor/repo/remote/model/PersonalInfoDataItem.java, line(s) 64 com/qshealth/qsdoctor/repo/remote/model/PersonalInfoItem.java, line(s) 75 com/qshealth/qsdoctor/repo/remote/model/UserStatus.java, line(s) 263 com/qshealth/qsdoctor/repo/remote/model/videotask/OssInfo.java, line(s) 106 com/qshealth/qsdoctor/repo/remote/params/PPIParams.java, line(s) 47 com/qshealth/qsdoctor/repo/remote/params/PPIParamsByReport.java, line(s) 57 com/qshealth/qsdoctor/repo/remote/params/PPIParamsByReportItem.java, line(s) 75 com/qshealth/qsdoctor/repo/remote/params/PPIParamsWithKey.java, line(s) 64 com/qshealth/qsdoctor/repo/remote/params/SmsCaptchaLoginParams.java, line(s) 74 com/qshealth/qsdoctor/repo/remote/params/SmsCaptchaParams.java, line(s) 107 com/qshealth/qsdoctor/repo/remote/params/TokenPlusParams.java, line(s) 78 com/qshealth/qsdoctor/repo/remote/params/UserLoginParams.java, line(s) 85,85 com/qshealth/qsdoctor/repo/remote/params/videotask/PIIConfig.java, line(s) 29 com/qshealth/qsdoctor/repo/remote/params/videotask/PiiCfgInfo.java, line(s) 85 com/qshealth/qsdoctor/utils/SecUtils.java, line(s) 17
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/hjq/permissions/RequestDangerousPermissionFragment.java, line(s) 7
中危安全漏洞 不安全的Web视图实现。可能存在WebView任意代码执行漏洞
不安全的Web视图实现。可能存在WebView任意代码执行漏洞 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt$WebV2Page$5$1$1.java, line(s) 137,115 com/qshealth/qsdoctor/feature/webview/WebViewPageV3Kt$WebV3Page$5$1$1.java, line(s) 137,115 com/qshealth/qsdoctor/widgets/WebViewKt$CWebView$2$1.java, line(s) 73,64
中危安全漏洞 可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息
可能存在跨域漏洞。在 WebView 中启用从 URL 访问文件可能会泄漏文件系统中的敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt$WebV2Page$5$1$1.java, line(s) 125,115 com/qshealth/qsdoctor/feature/webview/WebViewPageV3Kt$WebV3Page$5$1$1.java, line(s) 125,115
中危安全漏洞 应用程序创建临时文件。敏感信息永远不应该被写进临时文件
应用程序创建临时文件。敏感信息永远不应该被写进临时文件 Files: coil/decode/SourceImageSource.java, line(s) 133 com/journeyapps/barcodescanner/CaptureManager.java, line(s) 263 com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt.java, line(s) 100
中危安全漏洞 MD5是已知存在哈希冲突的弱哈希
MD5是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/qshealth/qsdoctor/feature/login/LoginVm.java, line(s) 227
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个1隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 "library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/" "library_zxingandroidembedded_author" : "JourneyApps" 0063bb260854334f2dd4fda71fa97b41 da82e6e3b6964a7eb2434ee96ba7aa9b 7e95a0b5e6a848189586d6cca9d66482 145780b0fef2ae266c665fa4b10cc0df8e41d293 e02a9beb3ddc477db22f9888a6c87150 b43df6e249a64b5cb490fddf59d93f62 bf7a7f1ea957b83e05a3d83a0db8f28a d59727aa6b14a13f2d79344e47ee813f a5b3996628944e2a9354868d1ee517a1 d9c8750bed0b3c7d089fa7d55720d6cf df994f28e14047b0a7adae29579cb338
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: com/journeyapps/barcodescanner/CameraPreview.java, line(s) 652,679,148,249,350,772,511,752 com/journeyapps/barcodescanner/CaptureManager.java, line(s) 96,117,269 com/journeyapps/barcodescanner/DecoderThread.java, line(s) 118 com/journeyapps/barcodescanner/camera/AutoFocusManager.java, line(s) 70,94,111 com/journeyapps/barcodescanner/camera/CameraConfigurationUtils.java, line(s) 46,58,60,80,83,89,99,117,123,125,132,134,138,143,145,149,160,163,168,173,189,192,197,202,218,224,234,235,239,244,205 com/journeyapps/barcodescanner/camera/CameraInstance.java, line(s) 26,38,53,66,213,30,45,58,70 com/journeyapps/barcodescanner/camera/CameraManager.java, line(s) 53,70,344,355,178,208,247,174,180,261,269 com/journeyapps/barcodescanner/camera/CenterCropStrategy.java, line(s) 27 com/journeyapps/barcodescanner/camera/FitCenterStrategy.java, line(s) 27 com/journeyapps/barcodescanner/camera/LegacyPreviewScalingStrategy.java, line(s) 42,43,73 com/journeyapps/barcodescanner/camera/PreviewScalingStrategy.java, line(s) 22,23 com/qshealth/qsdoctor/CustomCaptureActivity$onActivityResult$1.java, line(s) 62 com/qshealth/qsdoctor/CustomCaptureActivity.java, line(s) 125,128 com/qshealth/qsdoctor/ai/FaceLandmarkerHelper.java, line(s) 190,196 com/qshealth/qsdoctor/ai/PoseLandmarkerHelper.java, line(s) 186,192 com/qshealth/qsdoctor/feature/videotask/utils/ExtensionsKt.java, line(s) 234,235,236,237,238,239,272 com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt$WebV2Page$5$1$1.java, line(s) 157,234,244,253,256,260,276,281,284,393,395,270,387,391,397,266,389 com/qshealth/qsdoctor/feature/webview/WebViewPageV2Kt.java, line(s) 74,65,82 com/qshealth/qsdoctor/feature/webview/WebViewPageV3Kt$WebV3Page$5$1$1.java, line(s) 157,234,244,253,256,260,276,281,284,387,389,270,381,385,391,266,383 com/qshealth/qsdoctor/repo/remote/interceptor/AuthInterceptor.java, line(s) 37,48 com/qshealth/qsdoctor/utils/DownloadManagerUtils.java, line(s) 78,84,90,97,104,159,183 com/qshealth/qsdoctor/utils/LOG.java, line(s) 58,70,83,98 com/qshealth/qsdoctor/widgets/CountingDownKt.java, line(s) 114 com/qshealth/qsdoctor/widgets/CustomWebChromeClient.java, line(s) 25 com/qshealth/qsdoctor/widgets/MediaPlayerViewKt.java, line(s) 132,137
安全提示信息 此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它
此应用程序将数据复制到剪贴板。敏感数据不应复制到剪贴板,因为其他应用程序可以访问它 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/qshealth/qsdoctor/feature/webview/WebInterface.java, line(s) 5,101,102
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/qshealth/qsdoctor/di/AppModule.java, line(s) 81,91,101,111,138,81,91,101,111,138
综合安全基线评分总结
医路轻松 v1.1.3
Android APK
41
综合安全评分
中风险