
Application Security Assessment Report


Mobile Application Security Assessment Report


Screensaver v1.38.0.32

Android APK 01d81fd9...
Security score: 51/100 (security baseline score)

Overall risk level: Low risk

Risk grade scale: A, B, C, F

The app carries some security risk; remediation is recommended.

Vulnerability and check distribution: 2 high, 19 medium, 1 informational, 2 passed

Privacy risk assessment: 0 third-party trackers (none detected during static analysis)


Results breakdown

High-risk vulnerabilities: 2
Medium-risk vulnerabilities: 19
Informational notices: 1
Passed checks: 2
Hotspots for attention: 1

High-risk vulnerability: APK is signed with the v1 scheme only (Janus, CVE-2017-13156)

The APK carries only a v1 (JAR) signature. v1 signs the individual ZIP entries rather than the file as a whole, so a DEX file can be prepended to the APK without invalidating the signature, and unpatched devices running Android 5.0 through 8.0 will install and run the tampered copy as an update to the genuine app. Adding v2/v3 signatures protects devices on Android 7.0 and later, which verify the whole file; devices below 7.0 (5.0 to 6.x) cannot verify v2 and still fall back to the v1 check, so they remain exposed even when v1 and v2/v3 are both present. Sign with v1 plus v2 (and v3) using apksigner and confirm the result with apksigner verify --verbose.
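To check this finding on any APK without the Android SDK at hand, the following added Python script (not part of the report, and not the app's code) reports which signature schemes are present by parsing the ZIP End-of-Central-Directory record and the APK Signing Block that sits just before the central directory. The pair IDs 0x7109871a (v2) and 0xf05368c0 (v3) are the platform's published constants; the stand-in APKs it builds are constructed placeholders so the script runs offline. It detects presence only and does not verify any signature.

```python
import io
import struct
import zipfile

# IDs of the signature-scheme entries inside the APK Signing Block (Android platform constants).
V2_BLOCK_ID = 0x7109871A
V3_BLOCK_ID = 0xF05368C0
SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"


def _eocd_offset(apk: bytes) -> int:
    """Locate the ZIP End-of-Central-Directory record (22 bytes plus up to 64 KiB of comment)."""
    idx = apk.rfind(EOCD_SIG, max(0, len(apk) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a ZIP/APK: no EOCD record")
    return idx


def signature_schemes(apk: bytes) -> dict:
    """Report which signature schemes an APK carries, judged by structure only.

    v1 = JAR signature block files under META-INF/; v2/v3 = ID-value pairs in the
    APK Signing Block immediately before the central directory. No signature is verified.
    """
    eocd = _eocd_offset(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    found = {"v1": False, "v2": False, "v3": False}
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        found["v1"] = any(
            n.upper().startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
            for n in z.namelist()
        )
    # Signing block layout: [size u64][pairs...][size u64][16-byte magic], ending at cd_offset.
    if cd_offset >= 24 and apk[cd_offset - 16:cd_offset] == SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]  # excludes the leading size field
        pos = cd_offset - size          # first pair = block start + 8
        end = cd_offset - 24            # pairs stop where the trailing size field begins
        while pos < end:
            pair_len = struct.unpack_from("<Q", apk, pos)[0]
            pair_id = struct.unpack_from("<I", apk, pos + 8)[0]
            if pair_id == V2_BLOCK_ID:
                found["v2"] = True
            elif pair_id == V3_BLOCK_ID:
                found["v3"] = True
            pos += 8 + pair_len
    return found


def janus_exposure(found: dict) -> str:
    """Android versions on which a tampered copy would still pass installation (CVE-2017-13156)."""
    if found["v2"] or found["v3"]:
        # 7.0+ verifies v2/v3 over the whole file; only pre-7.0 devices still rely on v1.
        return "5.0-6.x" if found["v1"] else "none"
    return "5.0-8.0" if found["v1"] else "unsigned"


def build_test_apk(with_v1: bool) -> bytes:
    """Constructed stand-in for an APK: a ZIP with placeholder entries, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"placeholder")
        if with_v1:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
            z.writestr("META-INF/CERT.RSA", b"placeholder")
    return buf.getvalue()


def add_signing_block(apk: bytes, ids) -> bytes:
    """Splice a content-less APK Signing Block with the given pair IDs before the central directory
    and patch the EOCD's central-directory offset, the way a signer does."""
    eocd = _eocd_offset(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 4 + 8, i) + b"\x00" * 8 for i in ids)
    size = len(pairs) + 8 + 16
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + SIG_BLOCK_MAGIC
    out = bytearray(apk[:cd_offset] + block + apk[cd_offset:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(out)


if __name__ == "__main__":
    for label, apk in (("v1 only", build_test_apk(True)),
                       ("v1+v2", add_signing_block(build_test_apk(True), [V2_BLOCK_ID])),
                       ("v2+v3", add_signing_block(build_test_apk(False), [V2_BLOCK_ID, V3_BLOCK_ID]))):
        schemes = signature_schemes(apk)
        print(label, schemes, "Janus exposure:", janus_exposure(schemes))
```

On a real file, signature_schemes(open("app.apk", "rb").read()) gives the same answer as the "Verified using v1/v2/v3 scheme" lines of apksigner verify --verbose, which remains the authoritative check because it also validates the signatures.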

High-risk vulnerability: Activity (com.amazon.tv.activity.FontDemo) is vulnerable to StrandHogg 2.0

The Activity is exposed to StrandHogg 2.0 task hijacking: an attacker can place a malicious Activity on top of the vulnerable app's task stack, so a phishing screen appears to the user as part of this app. Mitigate in the app by declaring the Activity with android:launchMode="singleInstance" and an empty task affinity (android:taskAffinity=""), or raise the app's targetSdkVersion (currently 28) to 29 or higher so that the platform-level fix applies.

Medium-risk vulnerability: Service (com.amazon.ftv.screensaver.app.services.ScreensaverService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_DREAM_SERVICE [android:exported=true]
The Service is exported and protected by a permission that this app does not define. Check the protection level where the permission is defined: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can access it. BIND_DREAM_SERVICE is a platform permission with protectionLevel signature, so only the system can bind; this is the standard declaration for a DreamService (the screensaver itself) rather than a defect in its own right.

Medium-risk vulnerability: Service (com.amazon.ftv.screensaver.app.uss.AlexaCollectionSettingsService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
The Service is exported and protected by a permission that this app does not define. Check the protection level where the permission is defined: normal or dangerous lets a malicious app request it and interact with the component; signature restricts access to apps signed with the same certificate. BIND_JOB_SERVICE is a platform signature-level permission held by the system's JobScheduler, and a JobService has to be exported with it to be scheduled at all, so this and the other BIND_JOB_SERVICE entries below are expected declarations, provided the job itself does not act on unchecked input from other callers.

Medium-risk vulnerability: Service (com.amazon.ftv.screensaver.app.uss.AlexaProviderSettingsService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
Same as the BIND_JOB_SERVICE note above.

Medium-risk vulnerability: Service (com.amazon.ftv.screensaver.app.endpointstate.ScreensaverEndpointStateClientHandlerService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
Same as the BIND_JOB_SERVICE note above.

Medium-risk vulnerability: Content Provider (com.amazon.ftv.screensaver.app.auth.PhotosMAPInformationProvider) is protected by a permission, but the permission's protection level should be checked.

Permission: com.amazon.identity.permission.CAN_CALL_MAP_INFORMATION_PROVIDER [android:exported=true]
The Content Provider is exported and protected by a permission that this app does not define. Check the protection level in the package that declares the permission: if it is normal or dangerous, a malicious app can request it and query the provider; if it is signature, only apps signed with the same certificate can access it.

Medium-risk vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.AlexaSettingsReceiver) is protected by a permission, but the permission's protection level should be checked.

Permission: amazon.speech.permission.SEND_ALEXA_DIRECTIVE [android:exported=true]
The Broadcast Receiver is exported and protected by a permission that this app does not define. Check the protection level in the package that declares the permission: if it is normal or dangerous, a malicious app can request it and send broadcasts to the receiver; if it is signature, only apps signed with the same certificate can.

Medium-risk vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.OnBootAndPackageUpdateReceiver) is not protected.

Has an intent-filter.
The Broadcast Receiver is shared with other apps on the device and can therefore be reached by any app. It declares an intent-filter but no android:exported attribute, which exports it by default for an app targeting SDK 28 (an explicit android:exported is only required from targetSdk 31). System broadcasts such as BOOT_COMPLETED are protected broadcasts that only the system may send, but any app can deliver an explicit Intent with an arbitrary action to an exported receiver, so onReceive must check the action before acting on it.

Medium-risk vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.app.receivers.ScreensaverEndpointStateClientReceiver) is not protected.

Has an intent-filter.
The Broadcast Receiver is shared with other apps on the device and can therefore be reached by any app. It declares an intent-filter but no android:exported attribute, which exports it by default for an app targeting SDK 28. If it is meant to receive broadcasts only from a specific Amazon component, protect it with that component's signature-level permission, or set android:exported="false" if it only needs in-app broadcasts.

Medium-risk vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
Same as the BIND_JOB_SERVICE note above; this entry is the androidx WorkManager library's own JobService declaration.

Medium-risk vulnerability: Activity (com.amazon.tv.activity.FontDemo) is protected by a permission, but the permission's protection level should be checked.

Permission: com.amazon.tv.permission.LAUNCHER_SETTINGS [android:exported=true]
The Activity is exported and protected by a permission that this app does not define. Check the protection level in the package that declares the permission: if it is normal or dangerous, a malicious app can request it and start the Activity; if it is signature, only apps signed with the same certificate can. This is the same Activity flagged for StrandHogg 2.0 above.

Medium-risk vulnerability: Broadcast Receiver (com.amazon.ftv.screensaver.provider.sponsoredcontent.receivers.OnPackageUpdateReceiver) is not protected.

Has an intent-filter.
The Broadcast Receiver is shared with other apps on the device and can therefore be reached by any app. It declares an intent-filter but no android:exported attribute, which exports it by default for an app targeting SDK 28. As with the other package-update receiver above, onReceive must verify the action and must not trust Intent extras from arbitrary senders.
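The manifest checks behind the StrandHogg 2.0 finding and the exported-component findings above, as an added Python example that is neither the report's tooling nor the app's code. It audits two constructed manifests (component names are hypothetical; the "before" one mirrors the report's situation with targetSdk 28 and an externally defined permission, the "after" one shows the mitigations) for exported components, the protection level of the permission guarding them, and activities that lack the singleInstance/empty-affinity hardening on targetSdk below 29. The export-default and hijacking rules are the author's reading of the platform behaviour, not a rule set taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests modelled on the findings above; component names are hypothetical.
BEFORE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.screensaver">
  <uses-sdk android:minSdkVersion="22" android:targetSdkVersion="28"/>
  <application>
    <activity android:name=".DemoActivity" android:exported="true"
              android:permission="com.example.permission.LAUNCHER_SETTINGS"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SettingsReceiver" android:exported="true"/>
    <service android:name=".SyncJobService" android:exported="true"
             android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

AFTER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.screensaver">
  <uses-sdk android:minSdkVersion="22" android:targetSdkVersion="29"/>
  <permission android:name="com.example.permission.LAUNCHER_SETTINGS"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".DemoActivity" android:exported="true"
              android:permission="com.example.permission.LAUNCHER_SETTINGS"
              android:launchMode="singleInstance" android:taskAffinity=""/>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".SettingsReceiver" android:exported="false"/>
    <service android:name=".SyncJobService" android:exported="true"
             android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""


def attr(el, name, default=None):
    """Read an android:-namespaced attribute."""
    return el.get("{%s}%s" % (ANDROID_NS, name), default)


def audit_manifest(manifest_xml: str) -> list:
    """(component, issue) pairs: exported components by protection, plus hijackable activities."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(attr(sdk, "targetSdkVersion", "1")) if sdk is not None else 1
    # protectionLevel of every permission this manifest defines itself (platform default: normal)
    local_perms = {attr(p, "name"): attr(p, "protectionLevel", "normal")
                   for p in root.findall("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = attr(comp, "name")
        exported_attr = attr(comp, "exported")
        if exported_attr is None:
            # Pre-targetSdk-31 default: a component with an intent-filter is exported.
            exported = comp.find("intent-filter") is not None
        else:
            exported = exported_attr == "true"
        if not exported:
            continue
        perm = attr(comp, "permission")
        if perm is None:
            findings.append((name, "exported without permission: any app can reach it"))
        elif perm in local_perms:
            level = local_perms[perm]
            verdict = "ok" if level.startswith("signature") else "weak"
            findings.append((name, "exported, local permission %s (%s)" % (level, verdict)))
        else:
            findings.append((name, "exported, external permission %s: check its protectionLevel" % perm))
        if comp.tag == "activity" and target_sdk < 29:
            hardened = (attr(comp, "launchMode") == "singleInstance"
                        and attr(comp, "taskAffinity") == "")
            if not hardened:
                findings.append((name, "task hijacking candidate (targetSdk < 29)"))
    return findings


if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for component, issue in audit_manifest(manifest):
            print("  %-18s %s" % (component, issue))
```

The "after" manifest still yields the boot receiver and the JobService, because a manifest audit cannot tell a protected system broadcast or a platform signature permission from an app-sendable one; those hits are closed by checking the received action in onReceive and by confirming the external permission's level, not by changing the manifest.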

Medium-risk vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords or keys

This check matches identifier names (key, secret, password, token and similar) in the decompiled sources; each hit needs manual review to decide whether the value is actually a credential or a key.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
amazon/speech/simclient/event/EventMetadata.java, line(s) 12,13,14
com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesRequest.java, line(s) 156
com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesRequestBody.java, line(s) 102
com/amazon/clouddrive/cdasdk/cdrs/GetLifecycleModulesResponse.java, line(s) 85
com/amazon/clouddrive/cdasdk/cds/account/SetPersonalPreferenceRequest.java, line(s) 71
com/amazon/clouddrive/cdasdk/cds/common/Preference.java, line(s) 64
com/amazon/clouddrive/cdasdk/cds/family/SetFamilyPreferenceRequest.java, line(s) 71
com/amazon/clouddrive/cdasdk/cds/job/GetJobStatusRequest.java, line(s) 51
com/amazon/clouddrive/cdasdk/dps/common/Display.java, line(s) 5
com/amazon/clouddrive/cdasdk/dps/common/Enablement.java, line(s) 6
com/amazon/clouddrive/cdasdk/dps/common/Mute.java, line(s) 4
com/amazon/clouddrive/cdasdk/dps/common/Repeat.java, line(s) 4
com/amazon/clouddrive/cdasdk/dps/common/Shuffle.java, line(s) 4
com/amazon/clouddrive/cdasdk/dps/common/Speed.java, line(s) 5
com/amazon/clouddrive/cdasdk/dps/common/Version.java, line(s) 4
com/amazon/clouddrive/cdasdk/dps/settings/GetDeviceAccountSettingRequest.java, line(s) 70
com/amazon/clouddrive/cdasdk/dps/settings/PhotosDisabledSettingResponse.java, line(s) 4
com/amazon/clouddrive/cdasdk/dps/settings/PutDeviceAccountSettingRequest.java, line(s) 90
com/amazon/clouddrive/cdasdk/dps/settings/SlideshowSettingsResponse.java, line(s) 4
com/amazon/clouddrive/cdasdk/prompto/nodes/BatchNodeRequest.java, line(s) 109
com/amazon/ftv/screensaver/provider/stockphoto/i0/f/a.java, line(s) 125
f/c/a/a/a/m.java, line(s) 76

Medium-risk vulnerability: The app uses an insecure random number generator

java.util.Random (and Math.random, which wraps it) is a predictable linear congruential generator whose internal state can be recovered from a few outputs. Use java.security.SecureRandom wherever the value has a security role (tokens, nonces, IVs, session or request identifiers). Uses such as retry/back-off jitter do not need a cryptographic generator, so triage each file below by what the value is used for.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
amazon/speech/simclient/common/queue/delay/DelayFactory.java, line(s) 3
com/amazon/clouddrive/cdasdk/util/SystemUtilImpl.java, line(s) 7
f/a/c/a/a/a1/l.java, line(s) 10
f/a/c/a/b/a/e0/c.java, line(s) 13
f/a/h/a/t/v/a.java, line(s) 7
f/a/h/a/t/v/f.java, line(s) 7
j/a0/a.java, line(s) 3
j/a0/b.java, line(s) 4
j/a0/d/a.java, line(s) 4
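Why predictability matters, as an added example (not from the report and not the app's code): java.util.Random is a 48-bit LCG and nextInt() exposes the top 32 bits of its state, so only 16 bits are unknown after one observed value. The Python below re-implements the generator from the JDK's published constants, recovers the state from two observed outputs and predicts the third; the victim's seed is a constructed value.

```python
# java.util.Random is a 48-bit linear congruential generator; constants from the JDK source.
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def to_java_int(v: int) -> int:
    """Reinterpret the low 32 bits as a signed Java int (nextInt() returns signed values)."""
    v &= 0xFFFFFFFF
    return v - (1 << 32) if v & (1 << 31) else v


class JavaRandom:
    """Enough of java.util.Random to reproduce nextInt() sequences."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK      # the JDK's initial scramble of the seed

    @classmethod
    def from_state(cls, state: int) -> "JavaRandom":
        r = cls(0)
        r.state = state
        return r

    def next_bits(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        return to_java_int(self.next_bits(32))


def recover_states(out1: int, out2: int) -> list:
    """nextInt() reveals the top 32 of 48 state bits, leaving 16 bits to brute-force.
    Returns every post-out2 state consistent with both observations (normally exactly one)."""
    hi = (out1 & 0xFFFFFFFF) << 16
    hits = []
    for lo in range(1 << 16):
        s2 = ((hi | lo) * MULT + ADD) & MASK
        if to_java_int(s2 >> 16) == out2:
            hits.append(s2)
    return hits


def predict_next(out1: int, out2: int):
    """Third nextInt() value given the first two, or None if the state is ambiguous."""
    states = recover_states(out1, out2)
    if len(states) != 1:
        return None
    return JavaRandom.from_state(states[0]).next_int()


def attack_demo(seed: int) -> tuple:
    """Victim draws three 'random' values; the attacker sees two and predicts the third."""
    victim = JavaRandom(seed)               # seed is a constructed value for the demo
    a, b, c = victim.next_int(), victim.next_int(), victim.next_int()
    return c, predict_next(a, b)


if __name__ == "__main__":
    actual, predicted = attack_demo(20240601)
    print("actual third output:", actual, "predicted:", predicted)
```

The 65536-step search runs in well under a second; a token or nonce built from java.util.Random is therefore recoverable by anyone who observes two earlier values, which is the property SecureRandom is meant to deny.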

Medium-risk vulnerability: The app reads/writes external storage; data written to external storage can be read and modified by any app

Files on shared external storage are outside the app's private sandbox, and on devices without scoped storage any app holding the storage permission can read and overwrite them. Keep sensitive data in internal storage or encrypt it before writing, and treat anything read back from external storage as untrusted input.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/amazon/ftv/screensaver/app/t0/n.java, line(s) 300
com/amazon/tv/util/f.java, line(s) 235

Medium-risk vulnerability: The app uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL can lead to SQL injection; sensitive information should also be encrypted before it is written to the database

Bind values through the ? placeholders and selectionArgs of rawQuery() and query() rather than concatenating them into the statement, and review each flagged call site for where its inputs come from.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
e/q/a/g/a.java, line(s) 5,6,7,8,49
f/b/a/a/f/d.java, line(s) 6,7,51,60,61,62,63,64,65,81
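The injection pattern the finding describes, as an added Python/SQLite example (not the app's code): the vulnerable function builds its WHERE clause by string concatenation, the hardened one binds the value. The table and rows are constructed sample data; on Android the same fix is passing selectionArgs to SQLiteDatabase.query() or rawQuery() instead of concatenating.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an app's settings/preferences store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefs (owner TEXT, key TEXT, value TEXT)")
    conn.executemany("INSERT INTO prefs VALUES (?, ?, ?)", [
        ("alice", "slideshow_speed", "fast"),
        ("alice", "account_token", "tok-alice-SECRET"),
        ("bob", "slideshow_speed", "slow"),
    ])
    return conn


def prefs_for_raw(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable: the caller's string becomes part of the SQL text (the raw-query pattern flagged above)."""
    sql = "SELECT key, value FROM prefs WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def prefs_for_param(conn: sqlite3.Connection, owner: str) -> list:
    """Hardened: the value is bound to a placeholder and is never parsed as SQL."""
    return conn.execute("SELECT key, value FROM prefs WHERE owner = ?", (owner,)).fetchall()


# Classic tautology payload; a UNION SELECT against another table works the same way.
PAYLOAD = "nobody' OR '1'='1"


if __name__ == "__main__":
    db = setup_db()
    print("raw, honest input:   ", prefs_for_raw(db, "alice"))
    print("raw, payload:        ", prefs_for_raw(db, PAYLOAD))      # every row, including bob's and the token
    print("bound, payload:      ", prefs_for_param(db, PAYLOAD))    # no such owner, nothing returned
```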

Medium-risk vulnerability: IP address disclosure

The flagged lines contain IP address literals. Confirm what each address refers to and that no internal or test endpoint ships in the release build.

Files:
com/amazon/ftv/screensaver/app/l0/b/s2.java, line(s) 1410,1445
com/amazon/ftv/screensaver/app/p0/q/a.java, line(s) 23

Medium-risk vulnerability: MD5 is a weak hash with known collisions

MD5Fingerprint.java computes MD5 digests. Collisions are practical, so MD5 must not be used where an attacker could choose the input (integrity checks, signatures, deduplication of untrusted content); use SHA-256 instead.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/amazon/clouddrive/cdasdk/util/MD5Fingerprint.java, line(s) 24

Medium-risk vulnerability: The app creates temporary files. Sensitive information must never be written to temporary files

Create temporary files in the app's private cache directory (Context.getCacheDir()) rather than a shared location, and delete them as soon as they are no longer needed.

Files:
e/n/b.java, line(s) 271
f/d/b/c/b.java, line(s) 85

Medium-risk vulnerability: This app may contain hard-coded secrets

The following strings were extracted from the app; confirm that none of them is a secret or private data. Most of the list is localized UI text (translations of "Send") and resource keys, picked up because the resource name contains "key" (as in keyboard); the three 32-character hex strings at the end warrant a manual check of where they are used.
"adrive_gallery_upsell_keyboard_send" : "Send"
"preference_disabled_in_demo_mode_for_retail_associate_key" : "preference_disabled_in_demo_mode_for_retail_associate_key"
"preference_enabled_in_demo_mode_for_customer_key" : "preference_enabled_in_demo_mode_for_customer_key"
"settings_details_key" : "settings_details_key"
"adrive_gallery_upsell_keyboard_send" : "Ipadala"
"adrive_gallery_upsell_keyboard_send" : "Envia"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Kirim"
"adrive_gallery_upsell_keyboard_send" : "SENDEN"
"adrive_gallery_upsell_keyboard_send" : "Verzenden"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Trimite"
"adrive_gallery_upsell_keyboard_send" : "ENVOYER"
"adrive_gallery_upsell_keyboard_send" : "Poslat"
"adrive_gallery_upsell_keyboard_send" : "ENVIAR"
"adrive_gallery_upsell_keyboard_send" : "Senda"
"adrive_gallery_upsell_keyboard_send" : "Hantar"
"adrive_gallery_upsell_keyboard_send" : "Saada"
"adrive_gallery_upsell_keyboard_send" : "Invia"
"adrive_gallery_upsell_keyboard_send" : "Skicka"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Envoyer"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "ENVIAR"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Enviar"
"adrive_gallery_upsell_keyboard_send" : "ENVIAR"
"adrive_gallery_upsell_keyboard_send" : "Send"
"adrive_gallery_upsell_keyboard_send" : "Enviar"
f64ec860d51206ea61d138f7dafcae57
4022d3aaaaac40aa92d2fe71b0ac29ef
facb2e82ed1bb0564322d87b4ebc19db
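One way to triage a noisy list like this, as an added example (not the report's tooling and not the app's code): the heuristics below (resource-name echo, a known key-id format, 32-hex digests, Shannon entropy) and their thresholds are the author's assumptions, and the candidate list is constructed from entries in this report plus the example access key id that AWS publishes in its documentation.

```python
import math
import re
from collections import Counter

# Constructed candidates: entries from the list above plus AWS's documented example key id.
CANDIDATES = [
    ("adrive_gallery_upsell_keyboard_send", "Send"),
    ("adrive_gallery_upsell_keyboard_send", "ENVOYER"),
    ("settings_details_key", "settings_details_key"),
    (None, "f64ec860d51206ea61d138f7dafcae57"),
    (None, "AKIAIOSFODNN7EXAMPLE"),
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")
AWS_ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: natural-language words sit around 2-3, random base64/hex near 4-6."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def triage(name, value: str) -> str:
    """Classify one (resource name, value) pair from a hard-coded-secret scan."""
    if name is not None and value == name:
        return "resource-name echo: not a secret"
    if AWS_ACCESS_KEY_ID.match(value):
        return "AWS access key id format: treat as a leaked credential, locate and rotate"
    if HEX32.match(value):
        return "32-hex digest/identifier: check the code that uses it"
    if len(value) >= 16 and shannon_entropy(value) >= 3.5:
        return "high entropy: review manually"
    return "low entropy: likely UI text or identifier"


def triage_all(candidates=CANDIDATES) -> dict:
    """Verdict per candidate value."""
    return {value: triage(name, value) for name, value in candidates}


if __name__ == "__main__":
    for value, verdict in triage_all().items():
        print("%-40s %s" % (value, verdict))
```

Entropy alone does not separate a hex MD5 from a hex API key (both are capped at 4 bits per character), which is why the hex and key-format checks run first and the digest verdict still asks for a look at the using code.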

Informational: The app writes log messages; sensitive information must not be logged

Logcat output is readable through adb on every Android version and, before Android 4.1, by other apps holding READ_LOGS; strip or guard debug logging in release builds and never log tokens, account identifiers or user content.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
amazon/speech/simclient/common/BaseClient.java, line(s) 74,117,136
amazon/speech/simclient/common/ServiceConnectionManager.java, line(s) 39,47,65
amazon/speech/simclient/common/ServiceResolver.java, line(s) 26,45
amazon/speech/simclient/common/SimClient.java, line(s) 25
amazon/speech/simclient/common/queue/QueueRequest.java, line(s) 183,124,142,198,72,95,109,132
amazon/speech/simclient/common/queue/RequestQueue.java, line(s) 28,36,43,51,18
amazon/speech/simclient/directive/DataWriter.java, line(s) 103,75
amazon/speech/simclient/directive/Directive.java, line(s) 37,40,75,78
amazon/speech/simclient/directive/DirectiveIntent.java, line(s) 18,30,49,23,27
amazon/speech/simclient/directive/DirectiveKeys.java, line(s) 23
amazon/speech/simclient/endpointstate/EndpointStateClient.java, line(s) 87,170,182,194,90,105,120,135,150,173,185,197,162
amazon/speech/simclient/endpointstate/EndpointStateClientHandlerService.java, line(s) 37,35,74,85,52,94,104
amazon/speech/simclient/endpointstate/util/log/ELog.java, line(s) 26,74,32,80,42,47,86,56,92,62,68,98,104
amazon/speech/simclient/endpointstate/utils/EndpointStateTypeExtractor.java, line(s) 54,85,30,35,71,89
amazon/speech/simclient/endpointstate/utils/EndpointStateUtils.java, line(s) 19,24
amazon/speech/simclient/event/EventClient.java, line(s) 49,64,87,93,105,112
amazon/speech/simclient/event/EventMetadata.java, line(s) 117,133,183,227,232,43,147
c/a/a/b.java, line(s) 62
com/amazon/clouddrive/cdasdk/util/AndroidLogger.java, line(s) 14,44,19,49,24,54,29,59,34,39,64,69
com/amazon/ftv/screensaver/app/ScreensaverApplication.java, line(s) 98,102
com/amazon/ftv/screensaver/app/auth/c.java, line(s) 35,39
com/amazon/ftv/screensaver/app/services/AccountStateManagementJobService.java, line(s) 14,20
com/amazon/ftv/screensaver/app/settings/SetAsScreensaverActivity.java, line(s) 23
com/amazon/ftv/screensaver/app/settings/o.java, line(s) 596
com/amazon/ftv/screensaver/app/settings/t/h.java, line(s) 289
com/amazon/ftv/screensaver/framework/ui/ImageTextView.java, line(s) 178,170,172
com/amazon/ftv/screensaver/provider/usercontent/w.java, line(s) 28,50
com/amazon/ftv/screensaver/provider/usercontent/y/b.java, line(s) 46
com/amazon/mls/performance/pmet/tasks/PmetLoggerTask.java, line(s) 40
com/amazon/tv/carousel/view/PagingCarouselView.java, line(s) 76,96,98
com/amazon/tv/carousel/view/d.java, line(s) 181,839,566
com/amazon/tv/util/d.java, line(s) 76,74
com/amazon/tv/util/f.java, line(s) 178,216,232,233,249,284,55,142
com/amazon/tv/util/v.java, line(s) 109,111
com/amazon/tv/view/FontableButton.java, line(s) 97
com/amazon/tv/view/FontableToggleButton.java, line(s) 26
com/amazon/tv/view/GradientTextView.java, line(s) 62
com/amazon/tv/view/MiniDetailsView.java, line(s) 312,317
com/amazon/tv/view/ShimmerTextView.java, line(s) 50
com/amazon/tv/view/c.java, line(s) 55,58
e/a/k/a/a.java, line(s) 75
e/a/n/g.java, line(s) 198,272,311
e/g/d/c/a.java, line(s) 20
e/g/d/c/b.java, line(s) 58
e/g/e/c.java, line(s) 418,423
e/g/e/e.java, line(s) 52
e/g/e/f.java, line(s) 39,55
e/g/e/g.java, line(s) 56,83
e/g/e/j.java, line(s) 82,85
e/g/e/k.java, line(s) 123
e/g/i/a.java, line(s) 20
e/g/l/b.java, line(s) 19
e/g/m/b.java, line(s) 56
e/g/m/e0.java, line(s) 304,316,323,332
e/g/m/f.java, line(s) 18,27
e/g/m/f0/d.java, line(s) 150
e/g/m/h.java, line(s) 14
e/g/m/v.java, line(s) 744
e/g/m/w.java, line(s) 20,31
e/g/m/z.java, line(s) 25,46,62,89,110,125,140
e/i/b/a.java, line(s) 174
e/j/a/a.java, line(s) 391,1038,1102,246,253,844,853,1005,1019,1023
e/m/a/b.java, line(s) 119,128,137
e/n/a.java, line(s) 86,117,388,390,69,71,80,83,325,346,353,355,364,63,112,123,133,153,229,282,349,357,361
e/n/b.java, line(s) 59,68,70,102,104,123,145,173,179,181,194,206,272,286,98,106,133,149,164,189,307
e/q/a/c.java, line(s) 34,37,51,27,41
e/r/d0.java, line(s) 121
e/r/e0.java, line(s) 66,79
e/r/f0.java, line(s) 58,71
e/r/g0.java, line(s) 41
e/r/y.java, line(s) 39,48,50
e/r/z.java, line(s) 19,21,34
e/s/a/a/i.java, line(s) 1054,1057
f/a/c/a/a/b.java, line(s) 38,53
f/a/c/a/a/w0/a.java, line(s) 14,19,44,24,49,29,34,39,54,59
f/a/c/a/b/a/j0/a.java, line(s) 63,24,67,20,28,33,60,36,40,44
f/a/d/a/b.java, line(s) 30,32,46
f/a/e/a/h.java, line(s) 92,125,159
f/a/e/a/o/g.java, line(s) 107,110,130,132
f/a/f/a/a.java, line(s) 29,46,79,81,92
f/a/f/a/b.java, line(s) 23,57
f/a/f/a/e/a/b.java, line(s) 71,92,100,108,136,73,98,143
f/a/f/a/h/c.java, line(s) 85,87,99
f/a/g/b.java, line(s) 47,66
f/a/g/d/b.java, line(s) 95,83,107,114
f/a/g/d/e.java, line(s) 94,109
f/a/g/e/b.java, line(s) 200
f/a/g/e/c.java, line(s) 1094
f/a/g/i/a.java, line(s) 100,125,135
f/a/h/a/t/l.java, line(s) 33
f/a/h/a/t/o.java, line(s) 138,142
f/a/h/a/t/v/e.java, line(s) 158,163
f/a/h/a/v/a.java, line(s) 21
f/b/a/a/d.java, line(s) 158,189,191,161
f/b/a/a/f/c.java, line(s) 115
f/b/a/a/f/d.java, line(s) 66,82,222,228,342,98,39,59,86
f/b/a/a/f/g/b.java, line(s) 16
f/d/a/a/k/b.java, line(s) 10
f/d/a/b/j/h.java, line(s) 72
f/d/a/b/k/a.java, line(s) 205

Passed: The app uses SSL pinning to detect or prevent MITM attacks on secure communication channels

Pinning is only as good as its coverage: confirm that the pinned hosts include every backend the app talks to, and that the pin set has a rotation plan (backup pins) so that a certificate change does not lock the app out.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
k/h0/c.java, line(s) 549,548,547,547

Passed: The app contains no privacy trackers

The app does not include any user or device trackers; none were found during static analysis.

Hotspot: The app may communicate with a server (fls-cn.amazon.com) located in an OFAC-sanctioned country (China).

Resolved address: 54.222.61.241 (country CN, China; region Beijing; city Beijing; latitude 39.907501, longitude 116.397102)

Overall security baseline score summary

Screensaver v1.38.0.32

Android APK
Overall security score: 51
Medium risk