Application Security Scan Report
Mobile Application Security Scan Report

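Screensaver v1.38.0.32

Security score (security baseline score): 51/100
Overall risk level: Low risk
Risk rating scale: A, B, C, F
The application has some security risks; optimization is recommended.

Distribution of findings:
- High-severity vulnerabilities: 2
- Medium-severity vulnerabilities: 19
- Informational security notices: 1
- Passed security checks: 2
- Key security concerns: 1

Privacy risk assessment: 0 third-party trackers (privacy safe). No third-party trackers were detected.
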
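High-severity vulnerability: Janus vulnerability risk
With only the v1 signature scheme in use, devices running Android 5.0-8.0 are exposed to the Janus vulnerability. If v1 and v2/v3 signatures are both present, devices running Android 5.0-7.0 are still at risk.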
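High-severity vulnerability: Activity (com.amazon.tv.activity.FontDemo) is vulnerable to StrandHogg 2.0
The Activity was found to have the StrandHogg 2.0 task hijacking vulnerability. An attacker can place a malicious Activity on top of the vulnerable application's task stack, which makes the application an easy target for phishing attacks. The vulnerability can be fixed by setting the launch mode to "singleInstance" and setting taskAffinity to empty (taskAffinity=""), or by upgrading the application's target SDK version (28) to 29 or above, which fixes it at the platform level.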
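Medium-severity vulnerability: Service (com.amazon.ftv.screensaver.app.services.ScreensaverService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_DREAM_SERVICE [android:exported=true]. The Service is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Service (com.amazon.ftv.screensaver.app.uss.AlexaCollectionSettingsService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. The Service is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Service (com.amazon.ftv.screensaver.app.uss.AlexaProviderSettingsService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. The Service is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Service (com.amazon.ftv.screensaver.app.endpointstate.ScreensaverEndpointStateClientHandlerService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. The Service is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Content Provider (com.amazon.ftv.screensaver.app.auth.PhotosMAPInformationProvider) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.amazon.identity.permission.CAN_CALL_MAP_INFORMATION_PROVIDER [android:exported=true]. The Content Provider is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.AlexaSettingsReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: amazon.speech.permission.SEND_ALEXA_DIRECTIVE [android:exported=true]. The Broadcast Receiver is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.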
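Medium-severity vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.OnBootAndPackageUpdateReceiver) is not protected.
An intent-filter exists. The Broadcast Receiver is shared with other apps on the device and can therefore be accessed by any app. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported, which is a security risk.
Medium-severity vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.ScreensaverEndpointStateClientReceiver) is not protected.
An intent-filter exists. The Broadcast Receiver is shared with other apps on the device and can therefore be accessed by any app. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported, which is a security risk.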
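Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]. The Service is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.amazon.tv.activity.FontDemo) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.amazon.tv.permission.LAUNCHER_SETTINGS [android:exported=true]. The Activity is exported and is protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.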
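Medium-severity vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.provider.sponsoredcontent.receivers.OnPackageUpdateReceiver) is not protected.
An intent-filter exists. The Broadcast Receiver is shared with other apps on the device and can therefore be accessed by any app. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported, which is a security risk.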
Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords and keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
- amazon/speech/simclient/event/EventMetadata.java, line(s) 12,13,14
- com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesRequest.java, line(s) 156
- com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesRequestBody.java, line(s) 102
- com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesResponse.java, line(s) 85
- com/amazon/clouddrive/cdasdk/cds/account/SetPersonalPreferenceRequest.java, line(s) 71
- com/amazon/clouddrive/cdasdk/cds/common/Preference.java, line(s) 64
- com/amazon/clouddrive/cdasdk/cds/family/SetFamilyPreferenceRequest.java, line(s) 71
- com/amazon/clouddrive/cdasdk/cds/job/GetJobStatusRequest.java, line(s) 51
- com/amazon/clouddrive/cdasdk/dps/common/Display.java, line(s) 5
- com/amazon/clouddrive/cdasdk/dps/common/Enablement.java, line(s) 6
- com/amazon/clouddrive/cdasdk/dps/common/Mute.java, line(s) 4
- com/amazon/clouddrive/cdasdk/dps/common/Repeat.java, line(s) 4
- com/amazon/clouddrive/cdasdk/dps/common/Shuffle.java, line(s) 4
- com/amazon/clouddrive/cdasdk/dps/common/Speed.java, line(s) 5
- com/amazon/clouddrive/cdasdk/dps/common/Version.java, line(s) 4
- com/amazon/clouddrive/cdasdk/dps/settings/GetDeviceAccountSettingRequest.java, line(s) 70
- com/amazon/clouddrive/cdasdk/dps/settings/PhotosDisabledSettingResponse.java, line(s) 4
- com/amazon/clouddrive/cdasdk/dps/settings/PutDeviceAccountSettingRequest.java, line(s) 90
- com/amazon/clouddrive/cdasdk/dps/settings/SlideshowSettingsResponse.java, line(s) 4
- com/amazon/clouddrive/cdasdk/prompto/nodes/BatchNodeRequest.java, line(s) 109
- com/amazon/ftv/screensaver/provider/stockphoto/i0/f/a.java, line(s) 125
- f/c/a/a/a/m.java, line(s) 76
Medium-severity vulnerability: The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files:
- amazon/speech/simclient/common/queue/delay/DelayFactory.java, line(s) 3
- com/amazon/clouddrive/cdasdk/util/SystemUtilImpl.java, line(s) 7
- f/a/c/a/a/a1/l.java, line(s) 10
- f/a/c/a/b/a/e0/c.java, line(s) 13
- f/a/h/a/t/v/a.java, line(s) 7
- f/a/h/a/t/v/f.java, line(s) 7
- j/a0/a.java, line(s) 3
- j/a0/b.java, line(s) 4
- j/a0/d/a.java, line(s) 4
Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
- com/amazon/ftv/screensaver/app/t0/n.java, line(s) 300
- com/amazon/tv/util/f.java, line(s) 235
Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files:
- e/q/a/g/a.java, line(s) 5,6,7,8,49
- f/b/a/a/f/d.java, line(s) 6,7,51,60,61,62,63,64,65,81
Medium-severity vulnerability: IP address disclosure
Files:
- com/amazon/ftv/screensaver/app/l0/b/s2.java, line(s) 1410,1445
- com/amazon/ftv/screensaver/app/p0/q/a.java, line(s) 23
Medium-severity vulnerability: MD5 is a weak hash known to have hash collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/amazon/clouddrive/cdasdk/util/MD5Fingerprint.java, line(s) 24
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files
Files:
- e/n/b.java, line(s) 271
- f/d/b/c/b.java, line(s) 85
Medium-severity vulnerability: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure that they are not secrets or private information.
Informational security notice: The application logs information. Sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files:
- k/h0/c.java, line(s) 549,548,547,547
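Passed security check: This application has no privacy trackers
This application does not include any user or device trackers. No trackers were found during static analysis.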
Key security concern: The application may communicate with a server (fls-cn.amazon.com) located in an OFAC-sanctioned country (China).
{'ip': '54.222.61.241', 'country_short': 'CN', 'country_long': '中国', 'region': '北京', 'city': '北京', 'latitude': '39.907501', 'longitude': '116.397102'}
Overall security baseline score summary

Screensaver v1.38.0.32 (Android APK)
Overall security score: 51
Risk level: Medium risk