Mobile Application Security Scan Report

Starpresta v4.0.3
Security baseline score: 54/100
Grade scale: A, B, C, F
Overall risk level: medium. The score card labels the app "low risk" while the summary at the end of this report says "medium risk"; with 2 high-severity and 19 medium-severity findings, the summary's label is the one to act on.
The app has some security risk; remediation is recommended.
Finding distribution
High-risk vulnerabilities: 2
Medium-risk vulnerabilities: 19
Security notices (informational): 1
Passed security checks: 3
Key security concerns flagged: 0
Privacy risk assessment
Third-party trackers: 4
Privacy risk: medium (a small number of third-party trackers detected)
[High] The file is world readable (typically Context.MODE_WORLD_READABLE): any app on the device can read it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/datavisorobfus/k0.java, line(s) 29
Check what is written to that file and the app's targetSdkVersion: on Android 7.0 (API 24) and later, MODE_WORLD_READABLE throws a SecurityException for apps targeting API 24 or higher, so the call either fails at runtime or, on a lower target, exposes the file to every installed app. Use MODE_PRIVATE and share files through a FileProvider content URI when another app genuinely needs them.
[High] The app loads content into a WebView with WebView.loadDataWithBaseURL, which can expose it to cross-site scripting.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: i00IIIIi/jl.java, line(s) 90,10,11
The impact depends on two things at those lines: whether the data argument contains untrusted input, and the baseUrl, which becomes the origin the content runs under. A file:// or app-controlled origin lets injected script read that origin's resources and call any registered JavaScript interfaces. Escape or reject untrusted input, pass a null baseUrl (about:blank origin) where no origin is needed, and keep JavaScript disabled unless the content requires it.
[Medium] Cleartext network traffic is enabled
[android:usesCleartextTraffic=true] The app permits cleartext network traffic (HTTP, FTP, DownloadManager, MediaPlayer and similar). The attribute defaults to enabled for apps targeting API level 27 or lower and to disabled for API level 28 or higher. Cleartext traffic has no confidentiality, integrity or authenticity protection, so an on-path attacker can read or modify it. Disable cleartext traffic and use only encrypted protocols.
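The fix the finding recommends, as an added example and not a fragment of the app's own manifest or resources: replace the manifest flag with a network security config that forbids cleartext globally and, if one legacy host genuinely cannot move to TLS, scopes the exception to that host (legacy.example.com is a placeholder). On API 24 and above the android:usesCleartextTraffic attribute is ignored once a network security config is present, so remove the flag at the same time.

```xml
<!-- AndroidManifest.xml: reference the config from <application>
     android:networkSecurityConfig="@xml/network_security_config"
     and drop android:usesCleartextTraffic="true". -->

<!-- res/xml/network_security_config.xml -->
<network-security-config>
    <!-- Weak setting being replaced: cleartextTrafficPermitted="true" here
         (or the manifest flag) allows HTTP to every destination. -->
    <!-- Corrected: TLS only, for all destinations not listed below. -->
    <base-config cleartextTrafficPermitted="false" />

    <!-- Narrow exception for a single legacy endpoint (placeholder hostname);
         delete this block once that host supports TLS. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy.example.com</domain>
    </domain-config>
</network-security-config>
```

After the change, an HTTP URL opened through HttpURLConnection or OkHttp fails with an UnknownServiceException/"CLEARTEXT communication not permitted" error, which is the behaviour to verify in a test build.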
[Medium] Broadcast Receiver (io.flutter.plugins.firebase.messaging.FlutterFirebaseMessagingReceiver) is protected by a permission, but the permission's protection level must be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The receiver is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. This permission is declared by Google Play services at signature level, so on a stock device only Play services can deliver to this receiver; confirm with `adb shell pm list permissions -f` on the target device.
[Medium] Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level must be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The service is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and bind to the service; if it is signature, only apps signed with the same certificate can. The permission is declared by Google Play services; read its level from the installed Play services package rather than assuming it.
[Medium] Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level must be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The receiver is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. As with the Flutter messaging receiver above, this is the signature-level permission declared by Google Play services for FCM delivery.
[Medium] Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level must be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The service is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and bind to the service; if it is signature, only apps signed with the same certificate can. BIND_JOB_SERVICE is a platform permission at signature level that every JobService must require; only the system JobScheduler can hold it, so this entry is expected for WorkManager.
[Medium] Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level must be checked.
Permission: android.permission.DUMP [android:exported=true] The receiver is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. DUMP is a platform permission (protection level signature|privileged|development) held by the system and the adb shell user, so the receiver is reachable from `adb shell` for diagnostics but not from ordinary third-party apps.
[Medium] Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level must be checked.
Permission: android.permission.DUMP [android:exported=true] The receiver is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, any app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. Same platform permission as the DiagnosticsReceiver entry: accessible to the system and `adb shell`, not to ordinary apps.
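The six findings above all ask the same question: what is the protection level of a permission the app did not declare? The script below is an added example, not code from the scanner or the app. It parses a manifest, lists every exported component (including the pre-API-31 default of "exported if it has an intent-filter"), and classifies the guarding permission as app-defined (level read from the manifest), externally defined (level looked up in a small table), or absent. The manifest excerpt is constructed from the components named in this report plus an invented com.example.DebugReceiver, com.example.LegacyReceiver and com.example.InternalService that exercise the weak, default-exported and non-exported paths; the protection-level table is an assumption for the example and must be confirmed on the target device with `adb shell pm list permissions -f`.

```python
"""Classify exported Android components by the protection level of the
permission that guards them. Added example for triaging scanner output;
not code from the scanned app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# ASSUMED protection levels for permissions this app does not define, based on
# the platform and Google Play services manifests. Confirm on a device with:
#   adb shell pm list permissions -f
KNOWN_PROTECTION_LEVELS = {
    "android.permission.DUMP": "signature|privileged|development",
    "android.permission.BIND_JOB_SERVICE": "signature",
    "com.google.android.c2dm.permission.SEND": "signature",
}

# Constructed manifest excerpt: the real components from this report plus
# three invented com.example.* entries that exercise the other code paths.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <permission android:name="com.example.permission.DEBUG"
      android:protectionLevel="normal"/>
  <application>
    <receiver android:name="io.flutter.plugins.firebase.messaging.FlutterFirebaseMessagingReceiver"
        android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <service android:name="com.google.android.gms.auth.api.signin.RevocationBoundService"
        android:exported="true"
        android:permission="com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION"/>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:exported="true" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name="androidx.work.impl.diagnostics.DiagnosticsReceiver"
        android:exported="true" android:permission="android.permission.DUMP"/>
    <receiver android:name="com.example.DebugReceiver"
        android:exported="true" android:permission="com.example.permission.DEBUG"/>
    <receiver android:name="com.example.LegacyReceiver">
      <intent-filter><action android:name="com.example.PING"/></intent-filter>
    </receiver>
    <service android:name="com.example.InternalService" android:exported="false"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _is_exported(comp):
    exported = _attr(comp, "exported")
    if exported is not None:
        return exported == "true"
    # Below targetSdk 31, a component with an intent-filter is exported by default.
    return comp.find("intent-filter") is not None


def classify(level):
    """Map a protectionLevel string to a triage verdict."""
    if level is None:
        return "unknown"          # level not resolvable offline: check on device
    if level.startswith("signature"):
        return "signature"        # only same-signer apps (or the system) can interact
    return "weak"                 # normal or dangerous: any app can request it


def audit_manifest(manifest_xml):
    """Return one finding dict per exported component."""
    root = ET.fromstring(manifest_xml)
    app_defined = {
        _attr(p, "name"): _attr(p, "protectionLevel") or "normal"
        for p in root.iter("permission")
    }
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS or not _is_exported(comp):
            continue
        name = _attr(comp, "name")
        perm = _attr(comp, "permission")
        if perm is None:
            findings.append({"component": name, "permission": None,
                             "level": None, "verdict": "unprotected"})
            continue
        level = app_defined.get(perm, KNOWN_PROTECTION_LEVELS.get(perm))
        findings.append({"component": name, "permission": perm,
                         "level": level, "verdict": classify(level)})
    return findings


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f"{f['verdict']:12} {f['component']}  perm={f['permission']}  level={f['level']}")
```

Run it on the manifest extracted from the APK (for example with apktool) and treat only "weak", "unprotected" and "unknown" rows as open findings; the six entries in this report resolve to "signature" or "unknown", and the "unknown" one only needs the on-device lookup.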
[Medium] The app uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: IiiII0I/IiiIII.java, line(s) 7 com/appsflyer/internal/AFb1gSDK.java, line(s) 18 com/datavisor/vangogh/util/ExceptionUtil.java, line(s) 7 com/datavisorobfus/o.java, line(s) 11 com/dinero/hoy/plugin/camera/FlutterCameraActivity.java, line(s) 28 com/dinero/hoy/plugin/face/FaceActivity.java, line(s) 33 i000I00/IiiI0I0.java, line(s) 28 i000IIiI/i00I0I.java, line(s) 21 i000IIiI/ii000i.java, line(s) 18 i000i000/IiiI.java, line(s) 3 i000i000/IiiI0I0.java, line(s) 12 i000i000/IiiI0II.java, line(s) 4 i000i000/IiiI0i.java, line(s) 39 i000i000/IiiII0.java, line(s) 3 i000i000/IiiII0I.java, line(s) 10 i000i000/IiiIII0.java, line(s) 4 i000i000/IiiIIII.java, line(s) 9 i000i000/i000iIiI.java, line(s) 8 i000i000/i0IiIi0.java, line(s) 13 i000i00I/IiiI0I0.java, line(s) 30 i000i00I/IiiII0.java, line(s) 22 i00I00iI/i00000I.java, line(s) 9 i00III/i000I0I0.java, line(s) 3 i00III/i000II0I.java, line(s) 7 i00IIIIi/b6.java, line(s) 46 i00IIIIi/ca.java, line(s) 7 i00IIIi0/i00I00i0.java, line(s) 4 i00i0000/i0I0I00.java, line(s) 8 i00i0000/i0II00I.java, line(s) 8 i00i0000/i0III0i.java, line(s) 8
This rule flags non-cryptographic generators such as java.util.Random. Their output is predictable from a few observed values, so they must not produce tokens, nonces, keys, IVs, session identifiers or unguessable file names; use java.security.SecureRandom for those. Most of these hits are in obfuscated third-party SDK packages (AppsFlyer, DataVisor, the i000* namespaces), where uses such as retry jitter are harmless, so triage each by what the value ends up being used for; the two hits in com/dinero/hoy/plugin are the app's own code and deserve the first look.
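What "insecure random number generator" costs in practice, shown as an added example that is not code from the app: a bit-exact Python model of java.util.Random's 48-bit linear congruential generator, and a recovery routine that, given two consecutive nextInt() values, brute-forces the 16 state bits that nextInt() does not reveal and then predicts every value that follows. The seed in the usage block is constructed; nothing here touches the app's generator.

```python
"""Predict java.util.Random output from two observed nextInt() values.
Added example; JavaRandom re-implements the java.util.Random LCG in Python."""

MULTIPLIER = 0x5DEECE66D   # constants from java.util.Random
INCREMENT = 0xB
MASK = (1 << 48) - 1


def _to_signed32(v):
    """Mimic Java's (int) cast of the 32 returned bits."""
    return v - (1 << 32) if v & 0x80000000 else v


class JavaRandom:
    """Bit-exact model of java.util.Random's 48-bit state machine."""

    def __init__(self, seed):
        # new Random(seed) scrambles the seed with the multiplier.
        self.state = (seed ^ MULTIPLIER) & MASK

    @classmethod
    def from_state(cls, state):
        """Build a generator positioned at a recovered internal state."""
        r = cls.__new__(cls)
        r.state = state & MASK
        return r

    def _next(self, bits):
        self.state = (self.state * MULTIPLIER + INCREMENT) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        return _to_signed32(self._next(32))


def recover_state(out1, out2):
    """Return the internal state right after out2 was produced, or None.

    nextInt() exposes the top 32 bits of the 48-bit state, so only the low
    16 bits are unknown: 65536 candidates, each checked against out2."""
    hi1 = out1 & 0xFFFFFFFF
    hi2 = out2 & 0xFFFFFFFF
    for low in range(1 << 16):
        candidate = (hi1 << 16) | low            # state after out1
        nxt = (candidate * MULTIPLIER + INCREMENT) & MASK
        if nxt >> 16 == hi2:                      # top 32 bits match out2
            return nxt
    return None


def predict_next(out1, out2, count=1):
    """Given two consecutive nextInt() outputs, predict the next `count`."""
    state = recover_state(out1, out2)
    if state is None:
        return None
    r = JavaRandom.from_state(state)
    return [r.next_int() for _ in range(count)]


if __name__ == "__main__":
    victim = JavaRandom(0xC0FFEE)   # constructed seed standing in for the app's generator
    observed = [victim.next_int(), victim.next_int()]
    print("observed: ", observed)
    print("predicted:", predict_next(*observed, count=3))
    print("actual:   ", [victim.next_int() for _ in range(3)])
```

Two leaked values (a visible OTP, a "random" file name, a request identifier) are enough to reproduce the stream, and seeding with System.currentTimeMillis() or a constant does not help; SecureRandom has no such structure to recover.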
[Medium] The app may request root (superuser) privileges.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/datavisorobfus/c.java, line(s) 91
This rule matches references to well-known superuser app packages. The hit is in the same obfuscated DataVisor SDK package that also hosts the root-detection code credited under the passed checks, so it is more likely probing for a superuser app to detect a rooted device than asking for root; confirm by reading line 91.
[Medium] MD5 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: IiiIiI0/IiiI0II.java, line(s) 57 i00IIIIi/b6.java, line(s) 377
Collisions matter where the digest stands in for integrity or identity: signatures, download or update verification, password storage, or cache keys an attacker can influence. Check what is hashed at those lines; for anything security-relevant use SHA-256 or an HMAC, and for passwords a dedicated KDF.
[Medium] The app uses a SQLite database and executes raw SQL queries. Untrusted user input in raw SQL can lead to SQL injection; sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: i0000ii0/Iiii0.java, line(s) 4,5,6,7,73,83 i00I0ii/i0iI0Iii.java, line(s) 9,10,11,12,13,392 i00IIIIi/i000II00.java, line(s) 6,7,88,228,540,1099,1615 i00IIIIi/i00I000i.java, line(s) 4,5,15 i00IIIIi/l6.java, line(s) 3,49 i0I0iiI/i0000I0.java, line(s) 5,6,85,119,138,328,549,566,619,632 i0I0iiI/i000I0i.java, line(s) 4,5,135
For each flagged query, bind user-controlled values through selectionArgs (`?` placeholders) or the query()/insert()/update() helpers rather than concatenating them into the SQL string. The encryption half of the finding is separate: a SQLite file under the app's private directory is readable by anyone with root or a backup, which SQLCipher or field-level encryption with a key held in the Android Keystore addresses.
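The two query styles the finding contrasts, as an added example run against an in-memory SQLite database: Python's sqlite3 takes the same `?` placeholders as SQLiteDatabase.rawQuery(sql, selectionArgs) on Android, so the behaviour carries over directly. The table, rows and attacker input are constructed, not taken from the app.

```python
"""Raw SQL built by concatenation versus a parameterised query.
Added example; schema, rows and attacker input are constructed."""
import sqlite3


def make_db():
    """In-memory stand-in for the app's database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sessions (user TEXT, token TEXT)")
    conn.executemany("INSERT INTO sessions VALUES (?, ?)",
                     [("alice", "tok-a1"), ("bob", "tok-b2"), ("carol", "tok-c3")])
    return conn


def lookup_vulnerable(conn, user):
    """Mirrors rawQuery("SELECT ... WHERE user = '" + user + "'", null):
    the input becomes part of the SQL text."""
    sql = "SELECT token FROM sessions WHERE user = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user):
    """Mirrors rawQuery("SELECT ... WHERE user = ?", new String[]{user}):
    the input is bound as a value and can never change the query's shape."""
    return [row[0] for row in
            conn.execute("SELECT token FROM sessions WHERE user = ?", (user,))]


# Constructed attacker input: closes the string literal and appends a tautology.
ATTACK = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, ATTACK))   # every token leaks
    print("safe:      ", lookup_safe(conn, ATTACK))         # no such user
```

The concatenated version returns every session token for the tautology input; the bound version returns nothing because the whole string is compared as a username. The same distinction applies to execSQL and to the where clauses of delete() and update().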
[Medium] The app reads and writes external storage; data written there can be read and modified by any app.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/datavisor/vangogh/storage/local/a.java, line(s) 104 com/datavisor/vangogh/storage/local/b.java, line(s) 12,13 com/datavisorobfus/i.java, line(s) 1432 com/datavisorobfus/l.java, line(s) 171 com/datavisorobfus/p.java, line(s) 279
External storage is outside the app sandbox: on older platforms any app holding READ_EXTERNAL_STORAGE can read it, and on scoped-storage releases shared locations remain reachable by apps with broad storage access. Anything the app reads back from there should be treated as untrusted input, and sensitive data belongs in internal storage. All five hits are in the DataVisor SDK, so check what that SDK persists there.
[Medium] SHA-1 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/datavisorobfus/e0.java, line(s) 24 com/datavisorobfus/l0.java, line(s) 11,30,47 i00I0iII/i0II000.java, line(s) 48
Same triage as the MD5 finding: a collision-prone digest is acceptable as a non-security checksum or device fingerprint input, not as a signature, integrity check or certificate pin. Check what is hashed at those lines and move anything security-relevant to SHA-256.
[Medium] IP address disclosure
Files: com/datavisor/vangogh/util/ExceptionUtil.java, line(s) 63 com/datavisorobfus/g.java, line(s) 18 com/datavisorobfus/o.java, line(s) 98
The scanner flags IP-address literals in code. Check whether these are hardcoded service endpoints, which bypass DNS and hostname-based TLS validation and cannot be changed without a release, or only local/test addresses and format strings.
[Medium] Files may contain hardcoded sensitive information such as usernames, passwords or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: com/appsflyer/appsflyersdk/AppsFlyerConstants.java, line(s) 7 com/datavisor/vangogh/face/DVKeyName.java, line(s) 4,5
Both files are SDK constant classes whose identifiers contain "key"; confirm whether the values at those lines are credentials or only the names of preference keys and request parameters.
[Medium] Insecure WebView implementation; arbitrary code execution through the WebView may be possible.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/datavisorobfus/h.java, line(s) 55,54 com/datavisorobfus/l.java, line(s) 237,236
This finding typically means JavaScript is enabled and a Java object is exposed through addJavascriptInterface. Below API 17 any public method of that object is reachable by reflection from page script; on API 17 and later only @JavascriptInterface-annotated methods are, but those stay callable by whatever content the WebView loads. Rate it together with the loadDataWithBaseURL and cleartext-traffic findings: untrusted or tamperable content plus an exposed interface is the exploitable combination. Both hits are in the DataVisor SDK.
[Medium] The app creates temporary files. Sensitive information must never be written to temporary files.
Files: i0000I/IiiI0I0.java, line(s) 115 i0000IIi/i0iiIIi.java, line(s) 50
Check the directory and mode used at those lines: a temp file in the app's cache directory is private to the app, whereas one on external storage is not, and in either case the content should be cleared when no longer needed.
[Medium] The app contains privacy trackers.
This app has 4 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
[Medium] The app may contain hardcoded secrets.
The following candidate secrets were identified in the app; confirm that none of them is confidential or private:
AdMob application ID: "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-3940256099942544~3347511713"
"google_api_key" : "AIzaSyCW5TZ4cmVvPF3qbwJS0jEEB4aVuhWrer4"
"google_app_id" : "1:66920932801:android:b476369e4d37ea6c6efb40"
"google_crash_reporting_api_key" : "AIzaSyCW5TZ4cmVvPF3qbwJS0jEEB4aVuhWrer4"
MJCR3nbjtc8ARKt9HOAI/AZAzrHiEyhubQ==
E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1
KZGR3Uffq88OW6tuEewC9j5V3A==
FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901
3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F
H6ik7UfoqtAwYIZxE9A68jVW8J/oAjw=
dI2H2mzZqo8OQIQxI/oZ8itF3Lf7XC57dQ==
MJCR3nbjtc8ARKt/AP825zhTxLPuFzw=
B3EEABB8EE11C2BE770B684D95219ECB
FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212
Triage notes: the AdMob application ID is Google's published sample ID, so the release build is shipping test ad configuration rather than a secret, which is worth raising with the developer. The Firebase/Google API key is designed to ship in the client and is a risk only if the project has no API and application restrictions set on it in the Google Cloud console; the same key appears in the Remote Config URL under the passed checks. The 64- and 32-hex-digit strings are the length of SHA-256 and MD5 digests (certificate pins or hash constants are the usual source) and the base64 strings look like encoded constants; matches like these are entropy hits and need a look at where they are used before being called secrets.
[Info] The app writes log messages; sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Logcat output is readable by any app on Android 4.0 and earlier and by anyone with adb access on later versions, so tokens, credentials and personal data must be kept out of release-build logging; the volume of hits below (most in obfuscated SDK packages) argues for stripping Log calls in release builds via ProGuard/R8 rather than auditing each call site.
Files: IiiI/IiiIII0.java, line(s) 211,213,229,119,276 IiiI/IiiIi.java, line(s) 236,238,112 IiiII0I/IiiII0I.java, line(s) 31,37,43,49,9 IiiII0I/i000iIiI.java, line(s) 140,513 IiiII0I/i0iiIIi.java, line(s) 20 IiiIiII/IiiIIII.java, line(s) 249,253 IiiIiII/i000iIiI.java, line(s) 154 IiiIiII/i00I0000.java, line(s) 117 IiiIiII/i00I0I00.java, line(s) 128 IiiIiII/i00III0I.java, line(s) 145 IiiIiII/i00IIII0.java, line(s) 82,86,90 IiiIiII/i00Ii00.java, line(s) 37,39 IiiIiII/i0iII.java, line(s) 120,122 IiiIiII/ii00iI.java, line(s) 41,43 IiiIii/ii000i.java, line(s) 176,239,274 Iiii000/IiiI0i.java, line(s) 352 Iiii000/IiiIII.java, line(s) 28,37,46,56,65,74,83,92,101,110,119 com/appsflyer/appsflyersdk/AppsflyerSdkPlugin.java, line(s) 421,430,483,540,560,565,801,100,115,378,475 com/appsflyer/internal/AFh1ySDK.java, line(s) 69,115,84,73,79,77 i00000/IiiI.java, line(s) 98 i000000/i0II00I.java, line(s) 321 i00000I/IiiI0II.java, line(s) 434 i00000iI/i0III0i.java, line(s) 39 i00000iI/i0iiIIi.java, line(s) 725,868,939,1053,1120,1140,1153,1180,1230,1280,1330,1346,1350,1413,1598,1648,1654,1663,1666,1707,1786,1831,2012,2064,2116,2220,2231,2238,2319,2415,2621,139,824,829,992,1028,1294,1298,1302,2003,2022,2030,2285,2293,2815 i0000I/IiiI00i.java, line(s) 187,223,267,269,72,79,81,87,209,211,217,220,249,36,64,75,83,90,111,119,130,190 i0000I/IiiI0I0.java, line(s) 58,69,71,116,132,192,194,204,216,220,222,227,243,265,292,109,188,196,212,253,269,284 i0000I/IiiII0.java, line(s) 116,107,111 i0000I00/IiiI0i.java, line(s) 215 i0000I00/IiiII0.java, line(s) 188 i0000I00/IiiII0I.java, line(s) 183,78,98,110,111,126,130 i0000IIi/i0000I00.java, line(s) 86 i0000IIi/i000Ii0.java, line(s) 266,269 i0000IIi/i000iIiI.java, line(s) 36 i0000IIi/i0iiIIi.java, line(s) 102,105,110 i0000i0I/IiiI0I0.java, line(s) 53,68,76,100,201,220,330,336,358,60 i0000ii0/i00I00I.java, line(s) 35 i0000ii0/i0I0I00.java, 
line(s) 54,66,94 i000I0/IiiII0.java, line(s) 53 i000I0/i0IiIi0.java, line(s) 170,173,176,179,232,235,238,241,262,265,268,271,274,277 i000I0i/IiiII0I.java, line(s) 78 i000I0ii/IiiI0I0.java, line(s) 20,30,39 i000I0ii/IiiIIII.java, line(s) 24,26,35,37,46,48,57,59,68,70 i000I0ii/i00Ii0.java, line(s) 67 i000I0ii/i00iI0i.java, line(s) 13 i000III/i000000.java, line(s) 69 i000III/i000I0I0.java, line(s) 44,53,67,87,102,116,130 i000III/i000I0Ii.java, line(s) 54,88 i000III/i000Ii0.java, line(s) 1120,1081,1119 i000III/i0I0iiI.java, line(s) 687,730,481,493,500,509,56,75,721 i000IIiI/i0000I00.java, line(s) 37,44,47,55,81,84,87,90,93 i000IIiI/i0000I0I.java, line(s) 15,22,29,14,21,28,35,36,49,50 i000IIiI/ii000i.java, line(s) 74 i000Ii0/IiiI.java, line(s) 20,26 i000Ii0/IiiI00i.java, line(s) 14 i000Iii0/IiiIII.java, line(s) 16 i000Iii0/i00000.java, line(s) 32 i000Iii0/i0I0I00.java, line(s) 90,94,99 i000Iii0/i0II00I.java, line(s) 57,260,292,296,364,367,391,397,405,195 i000i00I/IiiII0.java, line(s) 51,55,183 i00I0/i00I00I.java, line(s) 11,17,19,28 i00I000/IiiIi00.java, line(s) 352,314,318,235 i00I00iI/Iiii000.java, line(s) 23,37,46,56 i00I0I0I/i0Ii0ii.java, line(s) 44 i00I0II0/IiiIi.java, line(s) 14,36 i00I0II0/Iiii000.java, line(s) 43 i00I0i/IiiIi00.java, line(s) 91,228 i00I0i/i00000I0.java, line(s) 63 i00I0i/i00Iii.java, line(s) 27 i00I0i/i00iI0i.java, line(s) 710,709 i00I0iII/i000000I.java, line(s) 25 i00I0iII/i0000I0.java, line(s) 49 i00I0iII/i0000II0.java, line(s) 78,82,98,125,129,59 i00I0iII/i000I00I.java, line(s) 53,55,49 i00I0iII/i000IIi0.java, line(s) 309,408 i00I0iII/i00II.java, line(s) 57 i00I0iII/i00II00I.java, line(s) 269,377 i00I0iII/i0I0000I.java, line(s) 22,31 i00I0iII/i0I0I00.java, line(s) 41,69 i00I0iII/i0I0ii0i.java, line(s) 26 i00I0iII/i0II000.java, line(s) 52,106 i00I0iII/i0III0II.java, line(s) 124,130,150,157,40,48,57,62,72,81,82,84,96,105,113,122,135,148,163,172,186,226,53,87,102,116 i00I0iII/i0III0i.java, line(s) 126,177,184 i00I0iII/ii0I.java, line(s) 50 
i00I0iII/ii0i0Ii.java, line(s) 71,41,90,102,112,118,121,123,127,145 i00I0ii/IiiIIII.java, line(s) 89,102,123,200,215,290,88,101,122,199,214,289,119,139,151,222,242,329 i00I0ii/i0000.java, line(s) 48,30,69 i00I0ii/i00000.java, line(s) 24 i00I0ii/i000000I.java, line(s) 39,80,150,38,79,93,149,185,227,256,285,94,186,228,257,286,46,202 i00I0ii/i00000I.java, line(s) 29,36,28,35 i00I0ii/i0000Iii.java, line(s) 63,62 i00I0ii/i000II.java, line(s) 11,19 i00I0ii/i00I.java, line(s) 35 i00I0ii/i00I000.java, line(s) 27 i00I0ii/i00I0000.java, line(s) 95,98,101,104,107,110,118,121,124,127,165,173 i00I0ii/i00II0II.java, line(s) 30 i00I0ii/i00IIIIi.java, line(s) 54 i00I0ii/i00Ii0.java, line(s) 17,14,14 i00I0ii/i0II00II.java, line(s) 31 i00I0ii/i0iI0Iii.java, line(s) 171,209,230,309,398,447,540,421 i00I0ii/ii0iI0.java, line(s) 68,116,161,171,224,291,307,338,351,357,377,382,72,165 i00II0i0/IiiIIII.java, line(s) 17 i00II0i0/i0II00I.java, line(s) 68,76,105,49,58,121 i00II0i0/i0Ii0ii.java, line(s) 18,15 i00III0/IiiIIII.java, line(s) 59,65,77,110,117 i00IIII/i00iIii.java, line(s) 21,30,37,29,36,43,44,50,51 i00IIIIi/cb.java, line(s) 14 i00IIIIi/dd.java, line(s) 75,79 i00IIIIi/gb.java, line(s) 71,89,133,168,83,125,128 i00IIIIi/i0000ii.java, line(s) 138,176 i00IIIIi/iii0i.java, line(s) 251 i00IIIIi/l4.java, line(s) 21 i00IIIIi/n8.java, line(s) 21,30,37,29,36,43,44,50,51 i00IIIIi/rc.java, line(s) 175 i00IIIIi/u6.java, line(s) 157 i00IIIIi/vi.java, line(s) 135 i00IIIIi/xc.java, line(s) 32 i00IIIi0/i0000I0I.java, line(s) 54 i00Ii00/IiiI00i.java, line(s) 63,67 i00Ii00i/IiiIII.java, line(s) 113,179,266,278,105,194 i00Ii00i/i0II00I.java, line(s) 7,11,19,23 i00Ii0I/i00000I0.java, line(s) 96 i00Ii0I/i000IIi.java, line(s) 54,219 i00Ii0I/i0I0I00.java, line(s) 41,73 i00Ii0I/i0Ii0ii.java, line(s) 503,508 i00Ii0I/ii0i0Ii.java, line(s) 70 i00Ii0Ii/IiiI0I0.java, line(s) 91,102 i00Ii0Ii/i0II00I.java, line(s) 50 i00i00i0/IiiIII.java, line(s) 28,35,38,47,85 i00i00i0/i00I0I.java, line(s) 103 
i00iI000/IiiI00i.java, line(s) 45,50,37 i0II00I/IiiI.java, line(s) 57,88 i0Ii0ii/IiiIII.java, line(s) 30,34,38 i0Ii0ii/i0iiIIi.java, line(s) 31 i0IiIi0/IiiI.java, line(s) 95 i0IiIi0/IiiI00i.java, line(s) 68 i0IiIi0/IiiII0.java, line(s) 184,250,391 i0IiIi0/IiiII0I.java, line(s) 31,159,161 i0IiIi0/IiiIII0.java, line(s) 124,129 i0IiIi0/IiiIIII.java, line(s) 97,411 i0IiIi0/IiiIi.java, line(s) 137,144 i0IiIi0/IiiIi00.java, line(s) 98,238,245 i0IiIi0/Iiii000.java, line(s) 736 i0IiIiII/IiiI.java, line(s) 121,120 ii000i/IiiI0II.java, line(s) 60 ii000i/IiiI0i.java, line(s) 66 ii000i/IiiIII0.java, line(s) 138,147,260 ii0i0Ii/IiiI0I0.java, line(s) 51,54 org/microg/safeparcel/IiiI00i.java, line(s) 383
[Passed] The app uses SSL pinning to detect or prevent MITM attacks on its secure channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: i00IIII/iI00Ii0.java, line(s) 385,386,387
Pinning code detected in one obfuscated class does not show that every HTTP client in the app goes through it; with cleartext traffic still enabled, confirm which connections are actually pinned (an interception proxy is the quickest test).
[Passed] The app may have root detection.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: IiiII0I/i000iIiI.java, line(s) 594,597 i00IIII/i00I0II0.java, line(s) 27 i00IIIIi/m7.java, line(s) 58
[Passed] Firebase Remote Config is disabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/66920932801/namespaces/firebase:fetch?key=AIzaSyCW5TZ4cmVvPF3qbwJS0jEEB4aVuhWrer4 ) is disabled. The response was: { "state": "NO_TEMPLATE" }
NO_TEMPLATE means no Remote Config template is published for project 66920932801, so nothing can currently be fetched anonymously; re-check this if a template is published later, since the fetch URL embeds the API key flagged under hardcoded secrets.
Overall security baseline score summary

Starpresta v4.0.3, Android APK
Overall security score: 54/100
Overall risk: medium