Application Security Scan Report
Mobile Application Security Scan Report

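Hopscotch v9.7.2
Security score (security baseline score): 39/100
Overall risk level: Medium risk
Risk grade scale:
- A
- B
- C
- F
The application carries a relatively high security risk and needs close attention.
Distribution of vulnerabilities and security items: 10 high, 24 medium, 5 info, 2 secure
Privacy risk assessment: 9 third-party trackers. High privacy risk: a large number of third-party trackers were detected.
Distribution of detection results:
- High-risk vulnerabilities: 10
- Medium-risk vulnerabilities: 24
- Security notices: 5
- Passed security items: 2
- Key security concerns: 1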
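High-risk vulnerability: App Link assetlinks.json file not found
[android:name=in.hopscotch.android.activity.SplashActivity][android:host=http://hopscotch.in] The App Link asset verification URL (http://hopscotch.in/.well-known/assetlinks.json) was not found or is misconfigured (status code: 301). App Links let users jump directly into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, leading to phishing attacks and leaking sensitive information carried in the URI (such as PII, OAuth tokens, magic-link/reset tokens). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-risk vulnerability: App Link assetlinks.json file not found
[android:name=in.hopscotch.android.activity.SplashActivity][android:host=https://hopscotch.in] The App Link asset verification URL (https://hopscotch.in/.well-known/assetlinks.json) was not found or is misconfigured (status code: 301). App Links let users jump directly into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, leading to phishing attacks and leaking sensitive information carried in the URI (such as PII, OAuth tokens, magic-link/reset tokens). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.
High-risk vulnerability: App Link assetlinks.json file not found
[android:name=in.hopscotch.android.activity.SplashActivity][android:host=https://hopscotch.test-app.link] The App Link asset verification URL (https://hopscotch.test-app.link/.well-known/assetlinks.json) was not found or is misconfigured (status code: None). App Links let users jump directly into the mobile app from a web URL or an email. If the assetlinks.json file is missing or the host/domain is misconfigured, a malicious app can hijack such URLs, leading to phishing attacks and leaking sensitive information carried in the URI (such as PII, OAuth tokens, magic-link/reset tokens). Complete App Link domain verification by hosting the assetlinks.json file and setting [android:autoVerify="true"] in the Activity's intent-filter.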
High-risk vulnerability: The file is World Readable. Any application can read the file
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/appsflyer/internal/AFb1tSDK.java, line(s) 714
High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7 Files: com/clevertap/android/sdk/inapp/g.java, line(s) 77,10,11 com/clevertap/android/sdk/inapp/j.java, line(s) 103,15,16 com/payu/custombrowser/d.java, line(s) 702,19 in/hopscotch/android/adapter/p1.java, line(s) 98,110,9 in/hopscotch/android/adapter/q1.java, line(s) 85,11,12 in/juspay/hypersdk/core/DynamicUI.java, line(s) 199,395,10 in/juspay/hypersdk/safe/JuspayWebView.java, line(s) 56,9,10
High-risk vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification Files: com/payu/custombrowser/Bank.java, line(s) 1468,903 com/payu/custombrowser/PayUWebViewClient.java, line(s) 100,96
High-risk vulnerability: The application uses CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/clevertap/android/sdk/cryption/a.java, line(s) 56
High-risk vulnerability: The file is World Writable. Any application can write to the file
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2 Files: com/clevertap/android/sdk/k1.java, line(s) 57 in/juspay/hypersdk/core/AndroidInterface.java, line(s) 679 in/juspay/hypersdk/data/KeyValueStore.java, line(s) 14
High-risk vulnerability: Insecure SSL implementation. Trusting all certificates or accepting self-signed certificates is a critical security vulnerability. This application is vulnerable to MITM attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: in/hopscotch/android/api/HttpsTrustManager.java, line(s) 22,8,9,10,11,12
High-risk vulnerability: The application contains privacy trackers
This application has 9 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
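Medium-risk vulnerability: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (in.hopscotch.android.receiver.CustomInstallTrackerReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (in.hopscotch.android.receiver.CustomInstallTrackerReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Content Provider (com.facebook.FacebookContentProvider) is not protected.
[android:exported=true] The Content Provider is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (in.hopscotch.android.components.util.ConnectionChangeReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Service (in.hopscotch.android.notification.FCMMessageListenerService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Activity (in.juspay.hypersdk.core.CustomtabResult) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (com.clevertap.android.sdk.pushnotification.fcm.CTFirebaseMessagingReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-risk vulnerability: Activity (com.gokwik.sdk.WebCheckoutActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-risk vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-risk vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.
Medium-risk vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious app can request the permission and interact with the component; if it is signature, only apps signed with the same certificate can access it.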
Medium-risk vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords, keys, etc.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: ch/qos/logback/classic/gaffer/a.java, line(s) 17 com/amazonaws/auth/CognitoCachingCredentialsProvider.java, line(s) 26,29,25,27,28 com/amazonaws/internal/keyvaluestore/AWSKeyValueStore.java, line(s) 277 com/amazonaws/services/s3/model/S3ObjectSummary.java, line(s) 15 com/clevertap/android/sdk/inapp/data/a.java, line(s) 23,18 com/clevertap/android/sdk/inapp/store/preference/d.java, line(s) 13 com/payu/custombrowser/util/CBConstant.java, line(s) 88,97,94,118,158,182,233,223 com/payu/india/Payu/PayuConstants.java, line(s) 69,88,192,212,288,77,230,388,392,330,424,503,506 com/payu/india/Payu/PayuErrors.java, line(s) 25 com/payu/paymentparamhelper/PayuConstants.java, line(s) 104,118,125,66,140,147,192,223 com/payu/socketverification/util/PayUNetworkConstant.java, line(s) 19,21 com/payu/upisdk/Upi.java, line(s) 261 com/payu/upisdk/j.java, line(s) 414 com/payu/upisdk/util/UpiConstant.java, line(s) 35,39,44,49,96,111,155 com/segment/analytics/Analytics.java, line(s) 51,52,55,56 com/segment/analytics/AnalyticsContext.java, line(s) 125,123,29,40,28,33,41,42,58,49,34,50,126,210,167,35,211,38,39,168,127,59,128,31,36,46,60,129,212,30,43,45,48,51,61,169,62,53,130,54,131,213,214,55,32,37,47,52,44 com/segment/analytics/GetDeviceIdTask.java, line(s) 17 com/segment/analytics/Options.java, line(s) 9 com/segment/analytics/ProjectSettings.java, line(s) 10,11,12,13,14 com/segment/analytics/Properties.java, line(s) 10,11,12,13,14,33,15,34,16,17,18,35,36,19,20,21,22,23,24,37,25,26,27,28,29,30 com/segment/analytics/SegmentIntegration.java, line(s) 43 com/segment/analytics/Traits.java, line(s) 15,16,17,18,19,37,38,20,21,22,23,24,25,26,27,28,29,30,39,40,41,31,33,32,34 com/segment/analytics/android/integrations/clevertap/CleverTapIntegration.java, line(s) 40,37,39,38 com/segment/analytics/integrations/AliasPayload.java,
line(s) 11 com/segment/analytics/integrations/BasePayload.java, line(s) 15,16,17,18,20,21,22 com/segment/analytics/integrations/GroupPayload.java, line(s) 13,14 com/segment/analytics/integrations/IdentifyPayload.java, line(s) 13 com/segment/analytics/integrations/ScreenPayload.java, line(s) 13,14,15 com/segment/analytics/integrations/TrackPayload.java, line(s) 13,14 in/hopscotch/android/api/ApiParam.java, line(s) 133 in/hopscotch/android/cache/sharedpreferences/plp/a.java, line(s) 11 in/hopscotch/android/components/carousel/h.java, line(s) 12 in/hopscotch/android/components/hero/m.java, line(s) 12,15 in/hopscotch/android/db/a.java, line(s) 118 in/hopscotch/android/hscheckout/data/model/o.java, line(s) 189 in/hopscotch/android/hspdp/domain/model/productdetail/ProductInfo.java, line(s) 95 in/hopscotch/android/hsplp/data/model/GenieFilterDTO.java, line(s) 69 in/hopscotch/android/hsplp/data/model/SelectedFiltersDTO.java, line(s) 144 in/hopscotch/android/hsplp/domain/model/genie/Filter.java, line(s) 122 in/hopscotch/android/hsplp/domain/model/genie/GenieFilter.java, line(s) 72 in/hopscotch/android/plpfilters/domain/model/SelectedFilters.java, line(s) 139 in/hopscotch/android/remote/config/b.java, line(s) 29,32,35,38,41,44,47,50,53,56 io/ktor/http/p.java, line(s) 210 net/mischneider/MSREventBridgeModule.java, line(s) 37,35,33,36 rx/internal/schedulers/d.java, line(s) 21,30
Medium-risk vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5 Files: com/clevertap/android/sdk/inapp/g.java, line(s) 114,109 com/clevertap/android/sdk/inapp/j.java, line(s) 127,122 com/gokwik/sdk/WebCheckoutActivity.java, line(s) 103,101 com/payu/custombrowser/d.java, line(s) 556,555 com/payu/upisdk/upiintent/PaymentResponseUpiSdkActivity.java, line(s) 83,82 com/payu/upisdk/upiintent/PaymentResponseUpiSdkFragment.java, line(s) 148,147 in/hopscotch/android/activity/HSWebviewActivity.java, line(s) 141,147 in/juspay/hypersdk/core/DynamicUI.java, line(s) 137,160,229,135 in/juspay/hypersdk/safe/Godel.java, line(s) 363,611,605
Medium-risk vulnerability: The application can read/write external storage. Any application can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: com/microsoft/clarity/e/C0156s.java, line(s) 12 com/microsoft/clarity/e/C0741s.java, line(s) 12 com/microsoft/clarity/g/K.java, line(s) 81 com/segment/analytics/logging/FileLogger.java, line(s) 149 com/yalantis/ucrop/util/FileUtils.java, line(s) 71 in/hopscotch/android/activity/base/a.java, line(s) 75 in/hopscotch/android/backgroundtasks/b.java, line(s) 37 in/hopscotch/android/core/webapp/resources/b.java, line(s) 54 in/hopscotch/android/core/webapp/resources/c.java, line(s) 87,98
Medium-risk vulnerability: The application uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/amazonaws/mobileconnectors/s3/transferutility/TransferDatabaseHelper.java, line(s) 4,5,19 com/amazonaws/mobileconnectors/s3/transferutility/TransferTable.java, line(s) 3,15,16,17,18,19,22,25,28,33
Medium-risk vulnerability: IP address disclosure
Files: com/clevertap/android/sdk/u.java, line(s) 552 in/hopscotch/android/activity/OnBoardingActivity.java, line(s) 105 io/ktor/network/tls/j.java, line(s) 65,50,47,38,26,29,35,32,59,56,53,62
Medium-risk vulnerability: MD5 is a weak hash known to have hash collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/amazonaws/services/s3/AmazonS3Client.java, line(s) 206,568 com/amazonaws/services/s3/internal/MD5DigestCalculatingInputStream.java, line(s) 16,57 com/amazonaws/util/Md5Utils.java, line(s) 19 com/clevertap/android/sdk/cryption/a.java, line(s) 55 com/microsoft/clarity/e/Z.java, line(s) 210 com/microsoft/clarity/i/z.java, line(s) 11 com/microsoft/clarity/m/b.java, line(s) 17 in/juspay/hypersdk/security/EncryptionHelper.java, line(s) 123,201
Medium-risk vulnerability: Possible cross-origin vulnerability. Enabling file access from URLs in a WebView may leak sensitive information from the file system
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6 Files: in/juspay/hypersdk/safe/Godel.java, line(s) 618,605
Medium-risk vulnerability: The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/amazonaws/retry/PredefinedRetryPolicies.java, line(s) 8 com/appsflyer/internal/AFb1cSDK.java, line(s) 19 com/clevertap/android/pushtemplates/content/g.java, line(s) 14 com/clevertap/android/pushtemplates/content/k.java, line(s) 7 com/clevertap/android/sdk/pushnotification/f.java, line(s) 12
Medium-risk vulnerability: SHA-1 is a weak hash known to have hash collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: io/ktor/util/y.java, line(s) 105
Medium-risk vulnerability: Firebase Remote Config is enabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/722884108401/namespaces/firebase:fetch?key=AIzaSyCPfO7adhXfNm50nyatwdQ5K0uTbfLJ6tk ) is enabled. Make sure these configurations do not contain sensitive information. The response is shown below: { "entries": { "card_tokenisation_learn_more_link": "", "coupon_new_flow": "true", "feature_enable_delete_account_android": "false", "feature_enable_login_native_android": "true", "feature_enable_order_confirmation_android": "false", "feature_in_app_update_enabled": "true", "feature_new_profile_migration_enabled": "true", "gokwik_enabled": "true", "image_url_mrp_tag": "https://static.hopscotch.in/MRP-Grey.jpg", "image_url_return_tag": "https://static.hopscotch.in/Return-grey.png", "is_facebook_login_enabled": "false", "is_homepage_analytics_enabled": "true", "is_imagekit_webp_force_conversion_added": "true", "is_n7_human_detector_enabled": "true", "is_rating_after_shopping_experience_enabled": "false", "is_shopping_experience_rating_enabled": "false", "measure_first_n7_token_api": "true", "n7_api_timeout_in_seconds": "4", "pdp_trust_strip": "https://static.hopscotch.in/trust-strip.jpg", "push_utm_source_to_amplitude": "false" }, "state": "UPDATE", "templateVersion": "53" }
Medium-risk vulnerability: This application may contain hard-coded secrets
The following secrets were identified in the application. Make sure these are not secrets or private information.
AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-3940256099942544~3347511713"
Credential => "CLEVERTAP_XIAOMI_APP_KEY" : "@7F140935"
Credential => "CLEVERTAP_XIAOMI_APP_ID" : "@7F140934"
"api_auto_login" : "/customer/login/auto"
"cb_password" : "PASSWORD"
"cb_password_small" : "Password"
"cb_password_value" : "Password"
"cb_pwd_btn" : "pwd_btn"
"cb_snooze_verify_api_status" : "api_status"
"clevertap_token" : "046-400"
"com.google.firebase.crashlytics.mapping_file_id" : "749b11f9e7b84a57bd0e184e6d068533"
"deepLinkPassword" : "change-password"
"deepLinkSetPassword" : "set-password"
"firebase_database_url" : "https://hopscotch-android.firebaseio.com"
"google_api_key" : "AIzaSyCPfO7adhXfNm50nyatwdQ5K0uTbfLJ6tk"
"google_app_id" : "1:722884108401:android:698499a3312099ba"
"google_crash_reporting_api_key" : "AIzaSyCPfO7adhXfNm50nyatwdQ5K0uTbfLJ6tk"
"hs_facebook_app_id" : "501471509943731"
"hs_facebook_client_token" : "578d1bc1f7cac47e305be044966d36d9"
"password" : "Password"
"payu_sentry_key" : "payu_sentry_key"
"prop_password" : "Password"
"pwd_hidden" : "Hidden"
"pwd_shown" : "Shown"
"user" : "User"
"user_credentials" : "Hopscotch:%1$s"
"xiaomi_app_id" : "2882303761517627831"
"xiaomi_app_key" : "5821762769831"
Security notice: The application logs information. Sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: ch/qos/logback/classic/spi/j.java, line(s) 18 ch/qos/logback/core/joran/util/a.java, line(s) 15 ch/qos/logback/core/net/c.java, line(s) 23 ch/qos/logback/core/spi/d.java, line(s) 50 ch/qos/logback/core/spi/e.java, line(s) 26 com/amazonaws/logging/AndroidLog.java, line(s) 31,38,55,62,17,44,49,68,74,24,81 com/appsflyer/internal/AFg1aSDK.java, line(s) 51,97,66,55,61,59 com/aurelhubert/ahbottomnavigation/AHBottomNavigation.java, line(s) 166,168,414,429 com/cardreader/card_reader_lib/CardTask.java, line(s) 48,50,88,90,92,99,103,134,142,145,148,257,286,63,138 com/cardreader/card_reader_lib/xutils/d.java, line(s) 27 com/caverock/androidsvg/b.java, line(s) 1060,908 com/caverock/androidsvg/h.java, line(s) 647,2247,386,653,725,1129,1136,1142 com/caverock/androidsvg/j.java, line(s) 1946,1977,2001,2154,2006 com/clevertap/android/pushtemplates/b.java, line(s) 16,23,30 com/clevertap/android/pushtemplates/k.java, line(s) 103 com/clevertap/android/sdk/displayunits/b.java, line(s) 39 com/clevertap/android/sdk/network/http/d.java, line(s) 111,88 com/clevertap/android/sdk/response/b.java, line(s) 11 com/clevertap/android/sdk/response/g.java, line(s) 54 com/clevertap/android/sdk/task/d.java, line(s) 24 com/clevertap/android/sdk/y0.java, line(s) 15,21,27,33,40,43,50,56,97,103,62,68,74,80,87,90,109,115,121 com/gokwik/sdk/GoKwikActivity.java, line(s) 67,73,79,82,146,152,157,179,88,133,172,221,260,271,289,296,306 com/gokwik/sdk/WebCheckoutActivity.java, line(s) 68 com/gokwik/sdk/b.java, line(s) 23,26,32,35 com/gokwik/sdk/d.java, line(s) 122,133,207 com/gokwik/sdk/e.java, line(s) 27,30,34 com/gokwik/sdk/p.java, line(s) 74,49,78 com/instacart/library/truetime/d.java, line(s) 10,16,22 com/microsoft/clarity/m/f.java, line(s) 41 com/microsoft/clarity/m/h.java, line(s) 17,23,29,35 com/payu/crashlogger/b.java, line(s) 75 com/payu/crashlogger/f.java, line(s) 53,56
com/payu/custombrowser/Bank.java, line(s) 863,914 com/payu/custombrowser/CustomBrowser.java, line(s) 125,190 com/payu/custombrowser/PayUWebChromeClient.java, line(s) 58 com/payu/custombrowser/PayUWebViewClient.java, line(s) 29 com/payu/custombrowser/b.java, line(s) 267 com/payu/custombrowser/c.java, line(s) 351 com/payu/custombrowser/util/b.java, line(s) 828 com/payu/custombrowser/util/d.java, line(s) 9,23,17 com/payu/custombrowser/wrapper/b.java, line(s) 230,259,275,302 com/payu/india/Model/DeviceIdRequest.java, line(s) 42 com/payu/india/Model/LookupRequest.java, line(s) 140 com/payu/india/Model/PayuEmiAmountAccordingToInterest.java, line(s) 45,139 com/payu/india/Payu/PayuUtils.java, line(s) 215,218,221,230 com/payu/india/Tasks/BinInfoTask.java, line(s) 77,79,81 com/payu/india/Tasks/CheckBalanceTask.java, line(s) 63,65,67 com/payu/india/Tasks/CheckOfferDetailsTask.java, line(s) 510,518,554,562,807,815,838,845,862,868 com/payu/india/Tasks/DeleteCvvTask.java, line(s) 64,69 com/payu/india/Tasks/EligibleBinsForEMITask.java, line(s) 103,105,107 com/payu/india/Tasks/GetCardInformationTask.java, line(s) 69,74 com/payu/india/Tasks/GetEmiAmountAccordingToInterestTask.java, line(s) 90,92,94 com/payu/india/Tasks/GetOfferStatusTask.java, line(s) 171,173,175 com/payu/india/Tasks/GetTransactionInfoTask.java, line(s) 63,68 com/payu/india/Tasks/GlobalVaultReSendOTPTask.java, line(s) 39,60,65,70,75,87 com/payu/india/Tasks/GlobalVaultSendOTPTask.java, line(s) 35,56,61,66,71,83 com/payu/india/Tasks/GlobalVaultVerifyOTPTask.java, line(s) 35,56,61,66,71,83 com/payu/india/Tasks/LookupTask.java, line(s) 98,100 com/payu/india/Tasks/PayuUploadDeviceAnalytics.java, line(s) 122,128,144,148,152,185,249,323 com/payu/india/Tasks/QuickPayTask.java, line(s) 89,116,124,153,165,174,183,219 com/payu/india/Tasks/UpdateDeviceIdTask.java, line(s) 44,49,54,59 com/payu/india/Tasks/ValidateOfferTask.java, line(s) 129,131 com/payu/india/Tasks/ValueAddedServiceTask.java, line(s) 95,100 
com/payu/otpparser/b.java, line(s) 11,16 com/payu/payuanalytics/analytics/manager/b.java, line(s) 123,147,187,191,199,208,249,251,253,275,286,299 com/payu/payuanalytics/analytics/model/h.java, line(s) 86 com/payu/payuanalytics/analytics/utils/a.java, line(s) 32 com/payu/socketverification/socket/SocketHandler.java, line(s) 78,92,101 com/payu/socketverification/util/a.java, line(s) 100,101 com/payu/upisdk/j.java, line(s) 407 com/payu/upisdk/util/a.java, line(s) 61,60,90,91 com/payu/upisdk/util/c.java, line(s) 247,244 com/romainpiel/shimmer/g.java, line(s) 40 com/segment/analytics/integrations/Logger.java, line(s) 27,33,39,49 com/smixx/fabric/SMXCrashlytics.java, line(s) 87 com/tbuonomo/viewpagerdotsindicator/DotsIndicator.java, line(s) 201 com/wix/interactable/j.java, line(s) 94,98 com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 40,83,89,96,123,126 com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 102,112 com/yalantis/ucrop/util/EglUtils.java, line(s) 75 com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 139,184,198,232,245,251,274,283,291,173,183,195,211,227,241,244,247,250,253,264,273,282,290 com/yalantis/ucrop/view/TransformImageView.java, line(s) 117,173,203,221 in/hopscotch/android/activity/CustomerInfoActivity.java, line(s) 192,213,275,310,317,394,397,443,459,481,495,673,744,1094 in/hopscotch/android/activity/MomentUploadActivity.java, line(s) 510 in/hopscotch/android/activity/NudgeActivity.java, line(s) 57 in/hopscotch/android/activity/ReturnableItemDetailsActivity.java, line(s) 136 in/hopscotch/android/activity/ReviewGuestCheckoutActivity.java, line(s) 1339 in/hopscotch/android/activity/f2.java, line(s) 73 in/hopscotch/android/activity/i6.java, line(s) 17 in/hopscotch/android/activity/n.java, line(s) 31,53,74,98 in/hopscotch/android/activity/o4.java, line(s) 32,47,80,105 in/hopscotch/android/activity/parent/n.java, line(s) 59 in/hopscotch/android/activity/v5.java, line(s) 22 in/hopscotch/android/adapter/d0.java, line(s) 58 
in/hopscotch/android/appupdate/b.java, line(s) 81,129 in/hopscotch/android/backgroundtasks/a.java, line(s) 38,81,87,94,111 in/hopscotch/android/components/time/countdown/h.java, line(s) 263 in/hopscotch/android/components/time/countdown/i.java, line(s) 74 in/hopscotch/android/core/util/g.java, line(s) 22 in/hopscotch/android/fragment/b0.java, line(s) 377 in/hopscotch/android/fragment/k.java, line(s) 41 in/hopscotch/android/fragment/q1.java, line(s) 217,244,269,318,331,361,380,403,404,416,419,518,551,623,630,657,665,676,688,696,699,706,738,746,756,761,804,814,846,851,865,884,907,952,974,987,994,1007,1015,1026,1034,1048,1080,1090,1110,1208,1235,1242,1248,1254,1260,1282,1306,1325,1360,1390,1407,1433,1459,1468,1478,1513,1545,1588 in/hopscotch/android/fragment/s1.java, line(s) 18,26 in/hopscotch/android/plpfilters/a.java, line(s) 91 in/hopscotch/android/plpfilters/ui/helpers/a.java, line(s) 265 in/hopscotch/android/ui/orders/listing/b.java, line(s) 138 in/hopscotch/android/util/a1.java, line(s) 751 in/hopscotch/android/util/b0.java, line(s) 131,135,144,154,176,207,220,226,108,128,134,137,143,151,173,186,202,216,219,222,225,228 in/hopscotch/android/util/k.java, line(s) 12,20,25 in/hopscotch/android/util/m.java, line(s) 108 in/hopscotch/android/util/ui/a.java, line(s) 105,143 in/hopscotch/android/viewmodel/q.java, line(s) 143 in/hopscotch/android/widget/TransformImageView.java, line(s) 115,158 in/juspay/hyper/core/JuspayLogger.java, line(s) 13,19,56,25,50 in/juspay/hypersdk/core/AndroidInterface.java, line(s) 459,719,772 org/joda/time/tz/DateTimeZoneBuilder.java, line(s) 380 org/joda/time/tz/ZoneInfoCompiler.java, line(s) 63,259,275,355,374,387,405,410,476 rx/plugins/s.java, line(s) 40
Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: com/clevertap/android/sdk/inbox/g.java, line(s) 4,79 in/hopscotch/android/hspdp/ui/adapter/viewholders/m.java, line(s) 5,87
Security notice: The application can write to the application directory. Sensitive information should be encrypted
Files: com/microsoft/clarity/models/DynamicConfig.java, line(s) 117,117
Security notice: This application listens for clipboard changes. Some malware also listens for clipboard changes
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard Files: in/juspay/hypersdk/core/ClipboardListener.java, line(s) 15,5
Security notice: The application communicates with a Firebase database
The application communicates with the Firebase database located at https://hopscotch-android.firebaseio.com
Passed security item: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/clevertap/android/sdk/network/http/d.java, line(s) 81,79,81,78,72,72 com/gokwik/sdk/common/di/b.java, line(s) 31,39,31,39 in/hopscotch/android/api/RetrofitApiBuilder.java, line(s) 281,286,281,286 in/hopscotch/android/remote/config/g.java, line(s) 74,65,73,72,72 in/hopscotch/android/remote/config/h.java, line(s) 35,49,35,49 in/juspay/hypersdk/security/HyperSSLSocketFactory.java, line(s) 66,65,67,64,64 io/ktor/network/tls/z.java, line(s) 44,43,41,41
Passed security item: This application may have root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1 Files: in/juspay/hypersdk/data/SessionInfo.java, line(s) 120,124
Key security concern: The application may communicate with a server (www.microsoft.com) located in an OFAC-sanctioned country (China).
{'ip': '13.107.6.158', 'country_short': 'CN', 'country_long': '中国', 'region': '江苏', 'city': '南通', 'latitude': '32.030296', 'longitude': '120.874779'}
Overall security baseline score summary

Hopscotch v9.7.2
Android APK
Overall security score: 39
High risk