Application Security Scan Report

Mobile Application Security Scan Report

学医酷教师端 v2.4.3

Android APK 2abd5b65...
52
Security score

Security baseline score

52/100

Low risk

Overall risk level

Risk grade rating
  1. A
  2. B
  3. C
  4. F

The application has some security risk; improvements are recommended.

Distribution of vulnerabilities and security items

2 high
13 medium
3 informational
2 secure

Privacy risk assessment

1
Third-party trackers

Medium privacy risk
A small number of third-party trackers were detected


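Distribution of findings

High-severity vulnerabilities 2
Medium-severity vulnerabilities 13
Security notices 3
Passed security checks 2
Key security concerns 0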

High-severity vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7

Files:
com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 877,33,34

High-severity vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
e/g/c/a/a/a/a/a.java, line(s) 189,281

Medium-severity vulnerability: Activity (com.tencent.android.tpush.TpnsActivity) is not protected.

[android:exported=true]
The Activity is exported and not protected by any permission, so any application can access it.

Medium-severity vulnerability: Service (com.huawei.hms.support.api.push.service.HmsMsgService) is not protected.

[android:exported=true]
The Service is exported and not protected by any permission, so any application can access it.

Medium-severity vulnerability: Content Provider (com.huawei.hms.support.api.push.PushProvider) is not protected.

[android:exported=true]
The Content Provider is exported and not protected by any permission, so any application can access it.

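Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.

Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.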

Medium-severity vulnerability: The application uses an insecure random number generator.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
f/z/a.java, line(s) 3
f/z/b.java, line(s) 4
f/z/d/a.java, line(s) 4
g/a0.java, line(s) 15
g/k0/o/d.java, line(s) 22
g/k0/o/h.java, line(s) 8

Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, or keys.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/aitch/rn/HessianModule.java, line(s) 37,38
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 52,55,57

Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
cn/reactnative/modules/update/d.java, line(s) 113
com/aitch/c/a.java, line(s) 99,103
com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 404
com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 358,391
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 371,382
com/reactnative/ivpusic/imagepicker/a.java, line(s) 83
com/reactnative/ivpusic/imagepicker/d.java, line(s) 77
com/rnfs/RNFSManager.java, line(s) 592,581,583,586,614
com/rssignaturecapture/a.java, line(s) 107
e/b/b/a/a/a.java, line(s) 13,14
e/d/b/b/a.java, line(s) 257
e/d/d/i/a.java, line(s) 49

Medium-severity vulnerability: SHA-1 is a weak hash known to have hash collisions.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/jg/ids/i/i.java, line(s) 101
e/d/d/k/c.java, line(s) 12
e/g/c/a/a/a/b/a.java, line(s) 15
e/g/c/a/a/a/d/b.java, line(s) 40
e/j/a/a/a/t/q/e.java, line(s) 112

Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.


Files:
c/n/b.java, line(s) 115
com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 403,406
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 375,386
e/d/b/b/a.java, line(s) 108

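Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.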
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/aitch/b/a/a/a.java, line(s) 4,5,14
com/reactnativecommunity/asyncstorage/f.java, line(s) 4,5,6,97

Medium-severity vulnerability: IP address disclosure


Files:
e/g/c/a/a/b/g/a.java, line(s) 160

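Medium-severity vulnerability: The application contains privacy trackers

This application contains 1 privacy tracker. Trackers can track the device or the user and are a privacy concern for end users.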

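Medium-severity vulnerability: This application may contain hardcoded secrets

The following secrets were identified in the application. Make sure they are not secret or private information.
Tencent Cloud Xinge Push SDK => "XG_V2_ACCESS_ID" : "1500030228"
Tencent Cloud Xinge Push SDK => "XG_V2_ACCESS_KEY" : "ADMDXQV5LI8C"
Huawei HMS Core application ID => "com.huawei.hms.client.appid" : "appid=108021749"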
E49D5C2C0E11B3B1B96CA56C6DE2A14EC7DAB5CCC3B5F300D03E5B4DBA44F539
B92825C2BD5D6D6D1E7F39EECD17843B7D9016F611136B75441BC6F4D3F00F05
258EAFA5-E914-47DA-95CA-C5AB0DC85B11

Security notice: The application logs information. Sensitive information must not be logged.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
c/a/k/a/a.java, line(s) 100
c/a/o/g.java, line(s) 127,160,241
c/f/j/c.java, line(s) 511,516
c/f/j/e.java, line(s) 83
c/f/j/f.java, line(s) 41,76
c/f/j/g.java, line(s) 49,107
c/f/j/j.java, line(s) 97,100
c/f/j/k.java, line(s) 96
c/f/m/e.java, line(s) 34
c/f/o/b.java, line(s) 35,47,49,61,63,83,86
c/f/p/b.java, line(s) 63
c/f/p/b0.java, line(s) 20,35,56,83,104,125,146
c/f/p/g.java, line(s) 20,29
c/f/p/h0.java, line(s) 783,801,565,577,584,593,42,61,774
c/f/p/i.java, line(s) 14
c/f/p/j0/c.java, line(s) 143
c/f/p/x.java, line(s) 942,797,941
c/f/p/y.java, line(s) 20,31
c/h/b/c.java, line(s) 125
c/j/a/a.java, line(s) 311,854,978,1023,1028,1034,1117,1285,1309,1469,1472,1481,1487,1569,1666,1854,1865,1872,1955,2016,2095,2187,2276,2328,2349,2362,2394,2459,2509,2556,1557,1563,91,991,995,999,1361,1919,1927,2253,2450,2469,2477,2635,2642,2690,2748
c/m/a/b.java, line(s) 34,42,63
c/n/a.java, line(s) 229,347,396,398,193,200,202,208,329,331,341,344,385,106,137,196,204,211,224,235,247,264,310
c/n/b.java, line(s) 56,67,69,96,98,116,132,172,214,236,286,298,302,304,309,92,100,109,224,240,255,294
c/p/b/c.java, line(s) 539,709,723,743
c/q/a.java, line(s) 35
c/r/k.java, line(s) 51,63,78
c/r/k0.java, line(s) 37,46,48
c/r/u0.java, line(s) 36,121
c/s/a/a/i.java, line(s) 258,261
c/t/a/b.java, line(s) 1652
cn/reactnative/modules/update/DownloadTask.java, line(s) 93,109,133,143,187,205,243,260,280,292,307,360,408
cn/reactnative/modules/update/UpdateModule.java, line(s) 155,172
cn/reactnative/modules/update/d.java, line(s) 179
com/aitch/activity/TempActivity.java, line(s) 22
com/aitch/c/a.java, line(s) 100,58,112
com/aitch/c/c.java, line(s) 58
com/aitch/rn/HessianModule.java, line(s) 78,93,281,293,294,407,73,88,123,331
com/aitch/rn/SendEventModule.java, line(s) 22
com/aitch/tencentcloud/tpns/receiver/MessageReceiver.java, line(s) 89,115,122,150,169,195,213,219,235,155
com/aurelhubert/ahbottomnavigation/q.java, line(s) 907,1010,1034,1036,1104
com/brentvatne/react/b.java, line(s) 616,627
com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 209,269,588,643,779,976,997
com/learnium/RNDeviceInfo/c.java, line(s) 30,36,42,47,54,88,104
com/learnium/RNDeviceInfo/d/a.java, line(s) 31,34,35,39
com/lwansbrough/RCTCamera/RCTCameraModule.java, line(s) 334,364,372,386,408,411,466,587,690
com/lwansbrough/RCTCamera/a.java, line(s) 147,162,250
com/lwansbrough/RCTCamera/b.java, line(s) 137,155,165,329,377,457
com/lwansbrough/RCTCamera/e.java, line(s) 208,325,393,280
com/reactnative/ivpusic/imagepicker/a.java, line(s) 40,43,45,85
com/reactnative/ivpusic/imagepicker/e.java, line(s) 39,47,27,33
com/reactnativecommunity/asyncstorage/c.java, line(s) 118,124,130,132,138,140
com/reactnativecommunity/webview/RNCWebViewManager.java, line(s) 1194,1179,1196,125
com/reactnativecommunity/webview/RNCWebViewModule.java, line(s) 238,243,285,290,435,481
com/reactnativedocumentpicker/DocumentPickerModule.java, line(s) 69
com/reactnativenavigation/react/i0/b.java, line(s) 22
com/reactnativenavigation/react/w.java, line(s) 22,23,24
com/reactnativenavigation/views/f/b.java, line(s) 16
com/rssignaturecapture/RSSignatureCaptureViewManager.java, line(s) 31,42,50,58,66,74,82,90,98,106
com/rssignaturecapture/a.java, line(s) 47,86,116,163
com/swmansion/gesturehandler/react/g.java, line(s) 74,125
com/swmansion/gesturehandler/react/h.java, line(s) 50
com/swmansion/reanimated/nodes/i.java, line(s) 21
com/yalantis/ucrop/UCropActivity.java, line(s) 572
com/yalantis/ucrop/l/a.java, line(s) 49,97,107
com/yalantis/ucrop/l/c.java, line(s) 70
com/yalantis/ucrop/l/f.java, line(s) 126,161,171,183,197,213,223,226,229,232,235,249,254,267,272,160,170,182,196,212,222,225,228,231,234,248,253,266,271
com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 68
com/yalantis/ucrop/task/a.java, line(s) 55,97,145,151,160,167,194,197
com/yalantis/ucrop/view/b.java, line(s) 138,43,219
e/b/a/b/a.java, line(s) 7,13,8,14
e/b/b/a/a/b.java, line(s) 123,106,110,70,129,133,148
e/c/b/g.java, line(s) 57
e/d/h/c/f.java, line(s) 12
e/d/i/b/a/d.java, line(s) 12
e/f/a/b/b.java, line(s) 103,183,188,194,206,211,326,341,384,534,620,631,637,753,899,929,951,969,992,1032,1087,1095,1114,1128,1159,1165,1187,1334,1441,1456,740,802,878,1301
e/f/a/b/c.java, line(s) 109,137,157,159,177,281,289,422,441,449,456,469,483,559,574,747,791,798,810,1042,1163,1183,1213,554
e/f/a/d/b/a.java, line(s) 175
e/f/a/d/c/d.java, line(s) 48,104
e/f/a/d/c/g.java, line(s) 42,116,124,128,137,149,152
e/f/a/d/c/h.java, line(s) 34
e/f/a/d/c/k/a.java, line(s) 56
e/f/a/d/c/o.java, line(s) 14
e/f/a/d/c/p.java, line(s) 40
e/f/a/d/f/b/a6.java, line(s) 180
e/f/a/d/f/b/c.java, line(s) 70
e/f/a/d/f/b/f.java, line(s) 126
e/f/a/d/f/b/k.java, line(s) 17,36
e/f/a/d/f/b/l.java, line(s) 17
e/f/a/d/f/b/m.java, line(s) 26,51
e/f/a/d/f/b/m5.java, line(s) 47
e/f/a/d/f/b/w5.java, line(s) 74,88,91
e/f/a/d/f/d/h.java, line(s) 24
e/f/a/d/f/g/l.java, line(s) 49
e/f/a/d/f/g/s.java, line(s) 29
e/f/a/d/f/g/s2.java, line(s) 52,64
e/f/a/d/f/g/s6.java, line(s) 50
e/f/a/d/f/g/w.java, line(s) 20
e/f/a/d/h/b/a.java, line(s) 84,88
e/f/a/e/a0/b.java, line(s) 79
e/f/a/e/m/h.java, line(s) 49
e/f/a/e/z/d.java, line(s) 134,167
e/f/b/c.java, line(s) 216,178
e/g/c/a/a/a/d/f.java, line(s) 14,18
e/g/c/a/a/b/g/a.java, line(s) 115,124,126,195
e/g/c/a/a/b/g/f.java, line(s) 14,18,22,26
e/h/k/k/o0/e/i.java, line(s) 44
g/k0/c.java, line(s) 384
g/k0/l/i/c.java, line(s) 49,49,69
org/reactnative/facedetector/c/a.java, line(s) 69
org/wonday/orientation/a.java, line(s) 33,39,48,53,57,63,68,74

Security notice: This application listens for clipboard changes. Some malware also listens for clipboard changes.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 29,32,4

Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard

Files:
com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,201

Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
e/g/c/a/a/b/e.java, line(s) 39,38,35
e/j/a/a/a/t/p/a.java, line(s) 319,153,245,318,284,302,302,468
g/k0/l/c.java, line(s) 106,104,103
g/k0/l/d.java, line(s) 123,112,121,129,120,120,122
g/k0/l/g.java, line(s) 105,103,102,102
g/k0/l/h.java, line(s) 236,223,234,233,233

Passed security check: This application may have root detection capability.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/aitch/c/c.java, line(s) 39,22,26,26,26,17,17,26,26,26

Overall security baseline score summary

学医酷教师端 v2.4.3

Android APK
52
Overall security score
Medium risk