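Mobile Application Security Scan Report

Chaupal v3.2
Security baseline score: 43/100
Overall risk level: Medium risk
The app carries some security risk; remediation is recommended.

Distribution of vulnerabilities and security items
- High severity: 11
- Medium severity: 37
- Informational: 3
- Passed: 3
Key security concerns: 0

Privacy risk assessment
Third-party trackers: 11
High privacy risk: a large number of third-party trackers were detected.
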
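High-severity vulnerability: App Link assetlinks.json file not found
[android:name=com.yupptv.ott.DeepLinkActivity][android:host=http://chaupal-testweb.revlet.net] The App Link asset verification URL (http://chaupal-testweb.revlet.net/.well-known/assetlinks.json) was not found or is misconfigured (status code: None). App Links let users jump straight into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, enabling phishing and leaking sensitive information carried in the URI (PII, OAuth tokens, magic-link/reset tokens, and so on). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-severity vulnerability: App Link assetlinks.json file not found
[android:name=com.yupptv.ott.DeepLinkActivity][android:host=http://chaupal.com] The App Link asset verification URL (http://chaupal.com/.well-known/assetlinks.json) was not found or is misconfigured (status code: 301). App Links let users jump straight into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, enabling phishing and leaking sensitive information carried in the URI (PII, OAuth tokens, magic-link/reset tokens, and so on). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-severity vulnerability: App Link assetlinks.json file not found
[android:name=com.yupptv.ott.DeepLinkActivity][android:host=https://chaupal.com] The App Link asset verification URL (https://chaupal.com/.well-known/assetlinks.json) was not found or is misconfigured (status code: 301). App Links let users jump straight into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, enabling phishing and leaking sensitive information carried in the URI (PII, OAuth tokens, magic-link/reset tokens, and so on). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-severity vulnerability: App Link assetlinks.json file not found
[android:name=com.yupptv.ott.DeepLinkActivity][android:host=http://chaupal.test-app.link] The App Link asset verification URL (http://chaupal.test-app.link/.well-known/assetlinks.json) was not found or is misconfigured (status code: None). App Links let users jump straight into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, enabling phishing and leaking sensitive information carried in the URI (PII, OAuth tokens, magic-link/reset tokens, and so on). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-severity vulnerability: App Link assetlinks.json file not found
[android:name=com.yupptv.ott.DeepLinkActivity][android:host=https://chaupal.test-app.link] The App Link asset verification URL (https://chaupal.test-app.link/.well-known/assetlinks.json) was not found or is misconfigured (status code: None). App Links let users jump straight into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, enabling phishing and leaking sensitive information carried in the URI (PII, OAuth tokens, magic-link/reset tokens, and so on). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.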
High-severity vulnerability: An app that uses WebView.loadDataWithBaseURL to load a web page into a WebView may be exposed to cross-site scripting
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/clevertap/android/sdk/inapp/f.java, line(s) 120,11,12 com/clevertap/android/sdk/inapp/i.java, line(s) 126,15,16 com/razorpay/BaseCheckoutActivity.java, line(s) 222,227,16,17 com/razorpay/CheckoutActivity.java, line(s) 50,5 com/razorpay/CheckoutPresenterImpl.java, line(s) 721,21 in/juspay/hypersdk/core/DynamicUI.java, line(s) 241,494,9 in/juspay/hypersdk/safe/JuspayWebView.java, line(s) 61,9,10
High-severity vulnerability: The app uses CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/yupptv/ottsdk/utils/MorseCodeLib.java, line(s) 18 t3/a.java, line(s) 69
High-severity vulnerability: The file is world writable. Any app can write to it
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/yupptv/ottsdk/utils/PreferencesUtils.java, line(s) 68 in/juspay/hypersdk/core/AndroidInterface.java, line(s) 682 in/juspay/hypersdk/data/KeyValueStore.java, line(s) 14
High-severity vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate, leaving the app open to MITM attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: com/yupptv/ott/WebViewActivity.java, line(s) 1885,2022
High-severity vulnerability: The app uses ECB mode in a cryptographic algorithm. ECB is a known-weak mode because identical plaintext blocks produce identical ciphertext blocks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: wd/c.java, line(s) 20
High-severity vulnerability: The app contains privacy trackers
This app contains 11 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
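Medium-severity vulnerability: Cleartext network traffic is enabled
[android:usesCleartextTraffic=true] The app allows cleartext network traffic (HTTP, FTP, DownloadManager, MediaPlayer, and so on). It is enabled by default at API level 27 and below and disabled by default at 28 and above. Cleartext traffic has no confidentiality, integrity, or authenticity protection, so an attacker can eavesdrop on or tamper with data in transit. Disable cleartext traffic and use only encrypted protocols.
Medium-severity vulnerability: App data can be backed up
[android:allowBackup=true] This flag allows app data to be backed up with the adb tool. A user with USB debugging enabled can copy the app data directly, which risks data leakage.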
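Medium-severity vulnerability: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.yupptv.ott.MainActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.yupptv.ott.DeepLinkActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Service (com.google.android.exoplayer2.scheduler.PlatformScheduler$PlatformSchedulerService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (com.yupptv.ott.cloudmessaging.NotificationActionsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Service (com.yupptv.ott.cloudmessaging.FirebaseNotificationMessagingService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Service (com.yupptv.ott.cloudmessaging.FirebaseInstanceIDService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Service (com.appsflyer.FirebaseMessagingServiceListener) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.yupptv.ott.cast.CastPlayerActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.razorpay.CheckoutActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.aemerse.cropper.CropImageActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.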
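Medium-severity vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (in.juspay.hypersdk.core.CustomtabResult) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Broadcast Receiver (com.clevertap.android.sdk.pushnotification.fcm.CTFirebaseMessagingReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.google.firebase.auth.internal.GenericIdpActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Activity (com.google.firebase.auth.internal.RecaptchaActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.
Medium-severity vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this app. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-severity vulnerability: Activity (com.yupptv.ottsdk.MainActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any app can access it.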
Medium-severity vulnerability: The app uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: aa/d.java, line(s) 12 com/clevertap/android/sdk/pushnotification/g.java, line(s) 11 fe/a.java, line(s) 21 io/grpc/internal/DnsNameResolver.java, line(s) 20 io/grpc/internal/a0.java, line(s) 4 io/grpc/internal/p1.java, line(s) 16 io/grpc/okhttp/e.java, line(s) 43 o3/g.java, line(s) 14 o3/k.java, line(s) 8 of/a.java, line(s) 9 of/b.java, line(s) 3 org/java_websocket/drafts/Draft_10.java, line(s) 10 org/java_websocket/drafts/b.java, line(s) 7 org/java_websocket/drafts/c.java, line(s) 10 pf/a.java, line(s) 3 q5/h0.java, line(s) 63
Medium-severity vulnerability: MD5 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/connectsdk/service/AirPlayService.java, line(s) 177 com/yupptv/ottsdk/utils/MorseCodeLib.java, line(s) 82 com/yupptv/ottsdk/utils/MorseCodeLibGCM.java, line(s) 82 gc/a.java, line(s) 437 in/juspay/hypersdk/security/EncryptionHelper.java, line(s) 181,248 org/java_websocket/drafts/c.java, line(s) 33 t3/a.java, line(s) 68 x4/k.java, line(s) 146
Medium-severity vulnerability: The app can read/write external storage. Any app can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/aemerse/cropper/a.java, line(s) 140 com/connectsdk/device/DefaultConnectableDeviceStore.java, line(s) 58,58 q5/h0.java, line(s) 128,1074,1202
Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, and keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: com/amazonaws/services/s3/model/S3ObjectSummary.java, line(s) 54 com/connectsdk/device/DefaultConnectableDeviceStore.java, line(s) 25,42 com/connectsdk/service/airplay/PListParser.java, line(s) 20 com/connectsdk/service/capability/KeyControl.java, line(s) 8 com/connectsdk/service/config/WebOSTVServiceConfig.java, line(s) 15 com/connectsdk/service/sessions/WebOSWebAppSession.java, line(s) 36 com/razorpay/AnalyticsConstants.java, line(s) 132,161,72 com/razorpay/BaseConstants.java, line(s) 27,35 com/razorpay/OtpElfData.java, line(s) 6 com/yupptv/ott/fragments/VideoSignInFragment.java, line(s) 1172 f8/b.java, line(s) 67 g8/e.java, line(s) 78 g8/w.java, line(s) 118 ga/b.java, line(s) 132 io/grpc/internal/c2.java, line(s) 81 j9/b.java, line(s) 91 p2/d.java, line(s) 86
Medium-severity vulnerability: The app uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: p6/m0.java, line(s) 5,6,97,127,139,143,183,303,313,579 p6/v0.java, line(s) 4,5,125 u3/e.java, line(s) 5,6,7,132
Medium-severity vulnerability: This app may request root (superuser) privileges
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: hd/b0.java, line(s) 60,60,60,60,60
Medium-severity vulnerability: Insecure WebView implementation. The WebView may be vulnerable to arbitrary code execution
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/clevertap/android/sdk/inapp/f.java, line(s) 60,55 com/clevertap/android/sdk/inapp/i.java, line(s) 105,100 com/razorpay/BaseUtils.java, line(s) 1005,152 com/razorpay/MagicXActivity.java, line(s) 88,75 com/yupptv/ott/WebViewActivity.java, line(s) 1710,1709 in/juspay/hypersdk/core/DynamicUI.java, line(s) 152,189,289,150 in/juspay/hypersdk/safe/Godel.java, line(s) 368,620,614
Medium-severity vulnerability: The app creates temporary files. Sensitive information should never be written to a temporary file
Files: com/aemerse/cropper/CropImageActivity.java, line(s) 81 com/aemerse/cropper/a.java, line(s) 137,140,145 com/journeyapps/barcodescanner/e.java, line(s) 164
Medium-severity vulnerability: SHA-1 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: h9/v.java, line(s) 34 n9/a.java, line(s) 54 org/java_websocket/drafts/Draft_10.java, line(s) 66 wd/c.java, line(s) 15 z5/a.java, line(s) 28
Medium-severity vulnerability: IP address disclosure
Files: com/clevertap/android/sdk/CleverTapAPI.java, line(s) 205 com/connectsdk/discovery/provider/ssdp/SSDPClient.java, line(s) 18
Medium-severity vulnerability: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView can leak sensitive information from the file system
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: in/juspay/hypersdk/safe/Godel.java, line(s) 627,614
Medium-severity vulnerability: This app may contain hardcoded secrets
The following secrets were identified in the app. Make sure they are not confidential or private information.
AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-3940256099942544~3347511713"
Credentials =>
"APP_ID" : "@7F130313"
"branch_key_live" : "key_live_abcD5f7H"
"branch_key_test" : "key_test_abcD5f7H"
"cast_app_id_live" : "4598E3E6"
"cast_app_id_staging" : "7A227AE1"
"facebook_app_id" : "823426623154214"
"facebook_client_token" : "1f7ace97707a67597e8c19763328f64b"
"freshchat_file_provider_authority" : "com.chaupal.provider"
"google_api_key" : "AIzaSyDMa8TyGA6D-KPGP6knNyq9cNebg7vetvE"
"google_app_id" : "1:581413374:android:1ce56bdf6f80304cfef8af"
"google_crash_reporting_api_key" : "AIzaSyDMa8TyGA6D-KPGP6knNyq9cNebg7vetvE"
"library_zxingandroidembedded_author" : "JourneyApps"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"
"moengage_app_id" : "MRNQZ3CJR6ZPJWGHKUBI45U7"
"password" : "Password"
"showPassword" : "Show"
"cast_app_id_live" : "D3998A89"
"cast_app_id_staging" : "D3998A89"
"freshchat_file_provider_authority" : "com.watcho.provider"
"showPassword" : "montrer"
Security notice (informational): The app logs information. Sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Security notice (informational): This app copies data to the clipboard. Sensitive data should not be copied to the clipboard because other apps can access it
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/clevertap/android/sdk/inbox/i.java, line(s) 4,44 com/razorpay/RzpAssist.java, line(s) 5,137 in/juspay/hypersdk/core/JBridge.java, line(s) 7,454
Security notice (informational): The app can write to the app directory. Sensitive information should be encrypted
Files: b5/b.java, line(s) 79,79 q4/b0.java, line(s) 33,33 q4/k0.java, line(s) 170,170 w4/j.java, line(s) 86,86
Passed security check: This app uses SSL pinning to detect or prevent MITM attacks on the secure communication channel
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/clevertap/android/sdk/network/http/UrlConnectionHttpClient.java, line(s) 101,99,101,98,92,92 com/yupptv/ottsdk/rest/network/RestAdapter.java, line(s) 48,172,201,211,276,303,336,367,373,400,48,172,201,211,276,303,336,367,373,400 in/juspay/hypersdk/security/HyperSSLSocketFactory.java, line(s) 71,63,70,69,69
Passed security check: This app may have root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: hd/b0.java, line(s) 187,23,104,39,104,104,104,104,104 in/juspay/hypersdk/data/SessionInfo.java, line(s) 140,144 o7/v.java, line(s) 25
Passed security check: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/581413374/namespaces/firebase:fetch?key=AIzaSyDMa8TyGA6D-KPGP6knNyq9cNebg7vetvE ) is disabled. The response was: { "state": "NO_TEMPLATE" }
Overall security baseline score summary

Chaupal v3.2 (Android APK)
Overall security score: 43
Risk level: Medium risk