Application Security Scan Report
Mobile Application Security Scan Report

sushain v0.0.42
Security baseline score: 59/100
Overall risk level: Medium risk
Grade scale: A / B / C / F
The app carries some security risk; remediation is recommended.
Distribution of findings
High-severity vulnerabilities: 1
Medium-severity vulnerabilities: 13
Security notes (informational): 3
Passed checks: 3
Hotspots (key security concerns): 0

Privacy risk assessment
Third-party trackers: 1
Privacy risk: medium (a small number of third-party trackers detected)
High-severity vulnerability: loading content with WebView.loadDataWithBaseURL may allow cross-site scripting
An app that loads a page into a WebView with WebView.loadDataWithBaseURL can be vulnerable to cross-site scripting: the supplied HTML runs with the origin of baseUrl, so attacker-influenced markup or script executes in that origin (a file:// base URL or a trusted https origin makes the impact worse). The flagged file is part of the bundled react-native-webview library; exploitability depends on whether the app's own code passes untrusted data into the WebView's html/baseUrl source. Do not render untrusted content this way, or load it with an opaque base URL and JavaScript disabled.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/reactnativecommunity/webview/RNCWebViewManagerImpl.java, line(s) 446,17
Medium-severity vulnerability: cleartext network traffic is enabled
[android:usesCleartextTraffic=true] The app permits cleartext network traffic (HTTP, FTP, DownloadManager, MediaPlayer and similar). The attribute defaults to true when targetSdkVersion is 27 or lower and to false from 28 upwards, so this build opts in explicitly. Cleartext traffic has no confidentiality, integrity or authenticity protection; an attacker on the path can read or modify it. Disable cleartext traffic and use only encrypted protocols. If a single legacy or development host genuinely needs HTTP, scope the exception to that host in a Network Security Config instead of enabling cleartext app-wide.
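The rule above (manifest attribute, API-level default, Network Security Config precedence) is easy to get wrong when reviewing a build, so here is an added example that evaluates it for a given host. It is not code from the report or from the app; the manifests, the network_security_config and the host names (including dev.internal.example) are constructed for illustration, and nested domain-config inheritance and the device API level (a Network Security Config is honoured only on API 24+) are not modelled.

```python
"""Decide whether an Android app will send cleartext HTTP to a host.

Rules implemented (as described in the finding):
  * android:usesCleartextTraffic defaults to true for targetSdkVersion <= 27
    and to false for >= 28;
  * when a Network Security Config is declared, it is authoritative and the
    manifest attribute is ignored: the most specific matching <domain-config>
    wins, then <base-config>, then the same API-level default.
All inputs below are constructed examples, not the scanned app's files.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weak setting: cleartext explicitly enabled, no Network Security Config.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Legacy app: no attribute at all, targetSdk 27 -> cleartext allowed by default.
LEGACY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="27"/>
  <application/>
</manifest>"""

# Corrected setting: attribute off and a Network Security Config declared.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:minSdkVersion="23" android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="false"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# res/xml/network_security_config.xml: cleartext off everywhere except one
# hypothetical development host (dev.internal.example is an assumed name).
NETWORK_SECURITY_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">dev.internal.example</domain>
  </domain-config>
</network-security-config>"""


def parse_manifest(manifest_xml):
    """Return (explicit usesCleartextTraffic or None, targetSdkVersion, NSC resource or None)."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target = 1
    if uses_sdk is not None and uses_sdk.get(ANDROID_NS + "targetSdkVersion"):
        target = int(uses_sdk.get(ANDROID_NS + "targetSdkVersion"))
    app = root.find("application")
    raw = app.get(ANDROID_NS + "usesCleartextTraffic")
    explicit = None if raw is None else raw.strip().lower() == "true"
    return explicit, target, app.get(ANDROID_NS + "networkSecurityConfig")


def nsc_cleartext(nsc_xml, host):
    """Evaluate a network_security_config for one host; None if no element applies."""
    root = ET.fromstring(nsc_xml)
    host = host.lower()
    best = None  # (specificity = domain length, permitted)
    for dc in root.iter("domain-config"):
        value = dc.get("cleartextTrafficPermitted")
        if value is None:  # inherited value: not modelled in this example
            continue
        for dom in dc.findall("domain"):
            name = (dom.text or "").strip().lower()
            subs = dom.get("includeSubdomains", "false") == "true"
            if host == name or (subs and host.endswith("." + name)):
                if best is None or len(name) > best[0]:
                    best = (len(name), value == "true")
    if best is not None:
        return best[1]
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        return base.get("cleartextTrafficPermitted") == "true"
    return None


def cleartext_permitted(manifest_xml, host, nsc_xml=None):
    """True if the app will send plaintext HTTP to `host`."""
    explicit, target, nsc_ref = parse_manifest(manifest_xml)
    default = target <= 27
    if nsc_ref is not None and nsc_xml is not None:
        verdict = nsc_cleartext(nsc_xml, host)
        return default if verdict is None else verdict
    return default if explicit is None else explicit


if __name__ == "__main__":
    for label, manifest, cfg in (("weak", WEAK_MANIFEST, None),
                                 ("legacy", LEGACY_MANIFEST, None),
                                 ("hardened", HARDENED_MANIFEST, NETWORK_SECURITY_CONFIG)):
        print(label, "api.example.com ->", cleartext_permitted(manifest, "api.example.com", cfg))
    print("hardened dev.internal.example ->",
          cleartext_permitted(HARDENED_MANIFEST, "dev.internal.example", NETWORK_SECURITY_CONFIG))
```

The weak manifest is the shape this report flags; the hardened pair keeps the attribute off and confines any HTTP exception to a named host, which is the scoping the finding recommends.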
Medium-severity vulnerability: Broadcast Receiver (io.invertase.firebase.messaging.ReactNativeFirebaseMessagingReceiver) is permission-protected, but the permission's protection level must be checked
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and guarded by a permission that this app does not define. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate as the permission's defining package can.
Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is permission-protected, but the permission's protection level must be checked
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] Exported and guarded by a permission not defined in this app; apply the same protection-level check as above.
Medium-severity vulnerability: Broadcast Receiver (com.cashfree.pg.core.api.ui.receiver.CFSMSBroadcastReceiver) is permission-protected, but the permission's protection level must be checked
Permission: com.google.android.gms.auth.api.phone.permission.SEND [android:exported=true] Exported and guarded by a permission not defined in this app; apply the same protection-level check as above.
Medium-severity vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is permission-protected, but the permission's protection level must be checked
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] Exported and guarded by a permission not defined in this app; apply the same protection-level check as above.
All four components are callbacks registered by Google SDKs (FCM delivery, the SMS Retriever broadcast, Sign-In revocation) and their permissions are defined by Google's own packages, not by this app. On a device with Google Play services they are expected to be signature-level and held only by Google-signed packages, which is the intended design; confirm this on a test device with `adb shell dumpsys package <permission-name>` and treat any normal or dangerous level as a real finding.
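The four findings above all reduce to one audit over the decoded AndroidManifest.xml: which components are exported, what guards them, and whether the guarding permission is declared in this manifest (so its protectionLevel is visible) or elsewhere (so it must be checked on a device). The following is an added example of that audit, not tooling from the report or code from the app; the manifest is constructed, with the four component and permission names taken from the report and everything else (package name, the two app-defined permissions, the extra receivers and service) assumed.

```python
"""List exported Android components and classify how each one is protected.

Input is an AndroidManifest.xml as decoded by apktool (constructed here).
Component names for the four Google-SDK components come from the report;
the remaining entries are assumed for illustration.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <permission android:name="com.example.app.permission.INTERNAL" android:protectionLevel="signature"/>
  <permission android:name="com.example.app.permission.PING" android:protectionLevel="normal"/>
  <application>
    <receiver android:name="io.invertase.firebase.messaging.ReactNativeFirebaseMessagingReceiver"
              android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
              android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <receiver android:name="com.cashfree.pg.core.api.ui.receiver.CFSMSBroadcastReceiver"
              android:exported="true" android:permission="com.google.android.gms.auth.api.phone.permission.SEND"/>
    <service android:name="com.google.android.gms.auth.api.signin.RevocationBoundService"
             android:exported="true" android:permission="com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION"/>
    <receiver android:name=".PingReceiver" android:exported="true" android:permission="com.example.app.permission.PING"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.example.app.LEGACY"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""


def audit_exported(manifest_xml):
    """Return one dict per exported component: kind, name, how it is exported, permission, status."""
    root = ET.fromstring(manifest_xml)
    # Permissions this app defines itself, with their declared protectionLevel.
    defined = {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
               for p in root.findall("permission")}
    findings = []
    for comp in root.find("application"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported_attr = comp.get(A + "exported")
        has_filter = comp.find("intent-filter") is not None
        # Before targetSdk 31 a missing android:exported means "exported if it
        # has an intent-filter"; targetSdk 31+ rejects the omission at install.
        if exported_attr is None:
            exported = has_filter
            how = "implicit (intent-filter)" if has_filter else "not exported"
        else:
            exported = exported_attr.lower() == "true"
            how = "explicit"
        if not exported:
            continue
        perm = comp.get(A + "permission")
        if perm is None:
            status = "UNPROTECTED: any app can interact"
        elif perm in defined:
            level = defined[perm]
            status = ("protected by app-defined permission, protectionLevel=" + level
                      + ("" if level.startswith("signature") else " (weak: any app can request it)"))
        else:
            status = "protected by permission defined outside this app: verify protectionLevel on device"
        findings.append({"kind": comp.tag, "name": comp.get(A + "name"),
                         "exported": how, "permission": perm, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_exported(SAMPLE_MANIFEST):
        print(f"{f['kind']:9} {f['name']}")
        print(f"          exported={f['exported']} permission={f['permission']}")
        print(f"          {f['status']}")
```

Run against a real decoded manifest, the "defined outside this app" rows are exactly the ones this report lists; the app-defined normal-level permission and the implicitly exported receiver show the two cases that are findings in their own right rather than items to verify.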
Medium-severity vulnerability: files may contain hardcoded sensitive information such as usernames, passwords or keys
This rule matches identifiers and string constants that look like credentials. The flagged files are all third-party React Native modules (location enabler, image picker, in-app updates, Firebase messaging), so review each match to determine whether it is a real credential or merely a constant whose name contains "key" or "password".
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
com/heanoria/library/reactnative/locationenabler/AndroidLocationEnablerModule.java, line(s) 35,36
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 59,62,64
com/sudoplz/rninappupdates/SpReactNativeInAppUpdatesModule.java, line(s) 31,32
io/invertase/firebase/common/TaskExecutorService.java, line(s) 14,15
io/invertase/firebase/messaging/ReactNativeFirebaseMessagingHeadlessService.java, line(s) 12,10
io/invertase/firebase/messaging/ReactNativeFirebaseMessagingSerializer.java, line(s) 19
Medium-severity vulnerability: the app uses an insecure random number generator
A non-cryptographic generator (typically java.util.Random or Math.random) is predictable and must not produce tokens, nonces, keys or any value an attacker should be unable to guess; use java.security.SecureRandom for those. The flagged files are a location provider and an in-call audio module, so confirm what the generated values are used for before prioritising this.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files:
com/agontuk/RNFusedLocation/FusedLocationProvider.java, line(s) 24
live/videosdk/rnincallmanager/InCallManagerModule.java, line(s) 47
Medium-severity vulnerability: the app reads and writes external storage, where data can be read or written by any app
Files written to shared external storage are readable by other apps holding the storage permission (scoped storage on API 29+ narrows this but does not remove it), so they must not contain sensitive data and must be treated as untrusted when read back. The flagged call sites are in the image-picker, crop (uCrop), WebView, device-info and Firebase utility libraries; check what the app actually stores through them.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 391
com/reactnative/ivpusic/imagepicker/Compression.java, line(s) 40
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 520,756,767
com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 465
com/yalantis/ucrop/util/FileUtils.java, line(s) 51
io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 112,121,122,123
Medium-severity vulnerability: the app creates temporary files; sensitive information must never be written to temporary files
Temporary files often land in shared or cache locations and outlive the operation that created them. The flagged sites are the image picker and the WebView module; make sure such files are created in app-private storage and deleted once they are no longer needed.
Files:
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 760,771
com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 465
Medium-severity vulnerability: the app uses an SQLite database and executes raw SQL queries; untrusted input in raw SQL can lead to SQL injection, and sensitive data should be encrypted before it is stored
The flagged code is the community AsyncStorage module, which backs React Native's AsyncStorage with an unencrypted SQLite database. Verify that keys passed into it are not built from untrusted input, and that nothing sensitive (session tokens, personal data) is kept in AsyncStorage without an additional encryption layer.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files:
com/reactnativecommunity/asyncstorage/AsyncLocalStorageUtil.java, line(s) 6,88
com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 4,5,6,42
Medium-severity vulnerability: insecure WebView implementation; the WebView may execute arbitrary code
This rule fires when a WebView has JavaScript enabled and exposes a JavaScript-to-native bridge. The flagged class is the Cashfree payment SDK's BaseCFWebView. Review which native methods the bridge exposes, that each one is deliberately annotated as callable from JavaScript, and which origins the WebView is allowed to load, since any page rendered there can call the bridge. The older reflection-based remote code execution through the bridge applies only when the app runs on, or targets, API 16 or lower.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/cashfree/pg/core/api/ui/BaseCFWebView.java, line(s) 62,57
Medium-severity vulnerability: the app contains a privacy tracker
The app includes 1 privacy tracker. Trackers can follow the device or user across apps and are a privacy concern for end users. The report does not name the tracker; identify it from the bundled SDKs and make sure its data collection is disclosed in the privacy policy.
Medium-severity vulnerability: the app may contain hardcoded secrets
The following strings were identified as possible secrets; confirm that none of them is a confidential or private value:
Google_Drive_API_Key: AIzaYRtRtcBO3li1bTlLBjE6CoIkt6A02wgXrDV
"google_api_key" : "AIzaSyCKsFRx7AMLR2PWLMdp8WdV9lIBQS1z9E8"
"google_app_id" : "1:996922397465:android:e1d9a2681f72bfea202b88"
"google_crash_reporting_api_key" : "AIzaSyCKsFRx7AMLR2PWLMdp8WdV9lIBQS1z9E8"
aXNccyhcZHs2LDh9KXwoXGR7Niw4fSlcc2lzfGlzXHMoXGR7NH0p
c06c8400-8e06-11e0-9cb6-0002a5d5c51b
bb392ec0-8d4d-11e0-a896-0002a5d5c51b
The Google API key values are Firebase/Google client keys that ship inside the APK by design (the same key appears in the Firebase Remote Config URL below); what matters is whether application and API restrictions are set on them in the Google Cloud console. The Firebase app id is an identifier, not a credential. The two UUIDs are time-based (version 1) values and are most likely fixed identifiers; confirm where each is used. The base64-looking string should be decoded before it is reported as a secret.
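Triage of a "hardcoded secrets" list like the one above is mostly classifying strings by shape and decoding anything that is merely encoded. The following is an added example of that triage, not tooling from the report or code from the app: the candidate list is copied from the report, the classification rules are heuristics chosen for this example, and the base64 candidate decodes to an OTP-matching regular expression rather than to a key.

```python
"""Classify strings a scanner reported as hardcoded secrets.

Candidates are copied from the report above. Categories: Google API key,
Firebase app id, UUID (with version), base64 of printable text, or unknown.
The rules are heuristics for this example, not the scanner's own logic.
"""
import base64
import binascii
import re
import string

CANDIDATES = [
    "AIzaYRtRtcBO3li1bTlLBjE6CoIkt6A02wgXrDV",
    "AIzaSyCKsFRx7AMLR2PWLMdp8WdV9lIBQS1z9E8",
    "1:996922397465:android:e1d9a2681f72bfea202b88",
    "aXNccyhcZHs2LDh9KXwoXGR7Niw4fSlcc2lzfGlzXHMoXGR7NH0p",
    "c06c8400-8e06-11e0-9cb6-0002a5d5c51b",
    "bb392ec0-8d4d-11e0-a896-0002a5d5c51b",
]

GOOGLE_API_KEY = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")
FIREBASE_APP_ID = re.compile(r"^\d+:\d+:(android|ios|web):[0-9a-f]+$")
UUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-([1-5])[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", re.I)
BASE64 = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_base64_text(s):
    """Return the decoded string if `s` is valid base64 of printable ASCII, else None."""
    if len(s) % 4 or len(s) < 16 or not BASE64.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if all(c in string.printable for c in text) else None


def classify(candidate):
    """Return (category, decoded_detail_or_None, recommended_action) for one string."""
    if GOOGLE_API_KEY.match(candidate):
        return ("google_api_key", None,
                "Client-side Google/Firebase key: check application and API "
                "restrictions in the Google Cloud console; rotate if unrestricted.")
    if FIREBASE_APP_ID.match(candidate):
        return ("firebase_app_id", None, "Identifier, not a secret; no action.")
    m = UUID.match(candidate)
    if m:
        return (f"uuid_v{m.group(1)}", None,
                "UUIDs are usually fixed protocol or service identifiers; confirm "
                "where it is used before treating it as a credential.")
    decoded = decode_base64_text(candidate)
    if decoded is not None:
        return ("base64_text", decoded,
                "Encoded constant; review the decoded value for credentials.")
    return ("unknown", None, "Manual review: locate the string in the decompiled source.")


def triage(candidates=CANDIDATES):
    """Return a list of (value, category, detail, action) tuples."""
    return [(c,) + classify(c) for c in candidates]


if __name__ == "__main__":
    for value, category, detail, action in triage():
        print(f"{category:16} {value}")
        if detail:
            print(f"{'':16} decodes to: {detail}")
        print(f"{'':16} {action}")
```

For this report the output leaves the two API keys as the only items that need a console check; the rest are identifiers or an encoded regular expression, which is the kind of false positive a scanner's entropy heuristic produces.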
Security note: the app writes log messages; sensitive information must not be logged
Almost every flagged file belongs to a bundled third-party library (react-native modules under com/swmansion, com/learnium, com/horcrux and io/invertase, the Cashfree SDK, uCrop, and the videosdk WebRTC/in-call modules). Triage by checking what the app's own code passes into these libraries (tokens, card or NFC data, user identifiers) and strip debug logging from release builds, for example with an R8/ProGuard -assumenosideeffects rule for android.util.Log.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files:
com/agontuk/RNFusedLocation/FusedLocationProvider.java, line(s) 75
com/agontuk/RNFusedLocation/LocationManagerProvider.java, line(s) 75
com/agontuk/RNFusedLocation/RNFusedLocationModule.java, line(s) 44
com/babisoft/ReactNativeLocalization/ReactNativeLocalization.java, line(s) 47
com/cashfree/pg/base/logger/CFLoggerService.java, line(s) 56,35,49,63,42
com/cashfree/pg/core/hidden/nfc/NfcCardReader.java, line(s) 25,67
com/cashfree/pg/core/hidden/nfc/parser/EmvParser.java, line(s) 296
com/cashfree/pg/core/hidden/nfc/utils/EnumUtils.java, line(s) 15
com/cashfree/pg/image_caching/cache/DiskLruCache.java, line(s) 111
com/cashfree/pg/ui/hidden/nfc/NfcCardReader.java, line(s) 25,67
com/cashfree/pg/ui/hidden/nfc/parser/EmvParser.java, line(s) 296
com/cashfree/pg/ui/hidden/nfc/utils/EnumUtils.java, line(s) 15
com/heanoria/library/reactnative/locationenabler/AndroidLocationEnablerModule.java, line(s) 129,81,100,153,156
com/horcrux/svg/Brush.java, line(s) 135,146
com/horcrux/svg/ClipPathView.java, line(s) 33
com/horcrux/svg/ImageView.java, line(s) 170
com/horcrux/svg/LinearGradientView.java, line(s) 110
com/horcrux/svg/PatternView.java, line(s) 121
com/horcrux/svg/RadialGradientView.java, line(s) 142
com/horcrux/svg/UseView.java, line(s) 91,122,137
com/horcrux/svg/VirtualView.java, line(s) 388,314,352,356
com/learnium/RNDeviceInfo/RNDeviceModule.java, line(s) 244,321,419,424,535,587,682,870,946,950
com/learnium/RNDeviceInfo/RNInstallReferrerClient.java, line(s) 76,82,87,100,27,43,94
com/learnium/RNDeviceInfo/resolver/DeviceIdResolver.java, line(s) 35,41
com/pairip/licensecheck/LicenseActivity.java, line(s) 93,71
com/pairip/licensecheck/LicenseClient.java, line(s) 77,90,121,138,168,196,187,112
com/reactnative/ivpusic/imagepicker/Compression.java, line(s) 42,87,90,92
com/reactnative/ivpusic/imagepicker/PickerModule.java, line(s) 541
com/reactnative/ivpusic/imagepicker/ResultCollector.java, line(s) 66,74,39,45
com/reactnativecashfreepgapi/CashfreePgApiModule.java, line(s) 52,70,88,160,166
com/reactnativecommunity/asyncstorage/AsyncLocalStorageUtil.java, line(s) 80,83,90,92
com/reactnativecommunity/asyncstorage/AsyncStorageExpoMigration.java, line(s) 30,36,42,44,50,52
com/reactnativecommunity/asyncstorage/AsyncStorageModule.java, line(s) 121,161,175,189,207,212,217,256,261,277,306,320,334,348,359,364,380,401,429
com/reactnativecommunity/asyncstorage/ReactDatabaseSupplier.java, line(s) 91,94
com/reactnativecommunity/webview/RNCWebView.java, line(s) 355
com/reactnativecommunity/webview/RNCWebViewClient.java, line(s) 97,176,86,102,130,178
com/reactnativecommunity/webview/RNCWebViewManagerImpl.java, line(s) 139,152
com/reactnativecommunity/webview/RNCWebViewModuleImpl.java, line(s) 301,306,330,335,209,237,240,254
com/reactnativedocumentpicker/RNDocumentPickerModule.java, line(s) 72
com/reactnativegooglesignin/PromiseWrapper.java, line(s) 23,33,43
com/reactnativegooglesignin/RNGoogleSigninModule.java, line(s) 84
com/sudoplz/rninappupdates/SpReactNativeInAppUpdatesModule.java, line(s) 191,203
com/swmansion/gesturehandler/react/RNGestureHandlerModule.java, line(s) 663
com/swmansion/gesturehandler/react/RNGestureHandlerRootHelper.java, line(s) 48,66
com/swmansion/gesturehandler/react/RNGestureHandlerRootView.java, line(s) 38
com/swmansion/reanimated/NativeMethodsHelper.java, line(s) 46
com/swmansion/reanimated/ReanimatedModule.java, line(s) 107
com/swmansion/reanimated/ReanimatedUIManagerFactory.java, line(s) 20
com/swmansion/reanimated/layoutReanimation/AnimationsManager.java, line(s) 201,215
com/swmansion/reanimated/layoutReanimation/ReanimatedNativeHierarchyManager.java, line(s) 37
com/swmansion/reanimated/layoutReanimation/SharedTransitionManager.java, line(s) 92
com/swmansion/reanimated/nativeProxy/NativeProxyCommon.java, line(s) 190
com/swmansion/reanimated/sensor/ReanimatedSensorContainer.java, line(s) 35
com/swmansion/rnscreens/ScreenStackHeaderConfigViewManager.java, line(s) 204
com/th3rdwave/safeareacontext/SafeAreaView.java, line(s) 108
com/yalantis/ucrop/UCropActivity.java, line(s) 149
com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 112
com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 122,151,196,83,86,128,137,144
com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 104,52,83
com/yalantis/ucrop/util/EglUtils.java, line(s) 23
com/yalantis/ucrop/util/FileUtils.java, line(s) 59
com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 56,63,74,82,114,124,136,150,164,170,174,179,185,189,292,55,62,73,81,113,123,135,149,163,169,173,178,184,188
com/yalantis/ucrop/view/TransformImageView.java, line(s) 212,229,121,78
com/zoontek/rnpermissions/RNPermissionsModuleImpl.java, line(s) 224
io/invertase/firebase/app/ReactNativeFirebaseApp.java, line(s) 16
io/invertase/firebase/app/ReactNativeFirebaseAppModule.java, line(s) 52
io/invertase/firebase/common/RCTConvertFirebase.java, line(s) 114
io/invertase/firebase/common/ReactNativeFirebaseEventEmitter.java, line(s) 130
io/invertase/firebase/common/SharedUtils.java, line(s) 85,264,322,122
io/invertase/firebase/messaging/ReactNativeFirebaseMessagingModule.java, line(s) 80
io/invertase/firebase/messaging/ReactNativeFirebaseMessagingReceiver.java, line(s) 21,26,46
io/invertase/firebase/utils/ReactNativeFirebaseUtilsModule.java, line(s) 69
live/videosdk/rnfgservice/ForegroundService.java, line(s) 26,99,121,151,83,109,116,123,137,185
live/videosdk/rnfgservice/NotificationConfig.java, line(s) 24,34,43,52
live/videosdk/rnfgservice/NotificationHelper.java, line(s) 93,47,53
live/videosdk/rnincallmanager/AppRTC/AppRTCBluetoothManager.java, line(s) 95,98,106,112,154,164,168,176,178,180,186,191,196,214,245,246,248,253,271,276,285,296,302,308,316,321,325,327,351,356,358,364,370,376,233,238,278,282,173,216,220,229
live/videosdk/rnincallmanager/AppRTC/AppRTCProximitySensor.java, line(s) 24,31,41,68,71,78,98,59
live/videosdk/rnincallmanager/AppRTC/AppRTCUtils.java, line(s) 21
live/videosdk/rnincallmanager/InCallManagerModule.java, line(s) 188,196,199,216,219,239,250,264,290,297,305,320,327,335,389,396,419,423,425,427,435,438,441,479,512,516,599,602,651,654,656,692,744,781,791,797,800,808,811,818,821,840,851,865,876,880,895,906,919,928,932,947,959,972,983,986,992,997,1021,1024,1054,1065,1072,1079,1094,1096,1153,1157,1164,1167,1173,1176,1276,1281,1285,1304,1312,1314,1339,1351,1354,1363,1366,1376,1382,1389,1396,1407,1418,1434,1439,1456,1486,1493,1499,1503,1507,1521,1579,1611,1615,1627,1631,1635,1657,1658,1697,1700,492,495,1032,1523,1536,1577,1585,635,1467,1480
live/videosdk/rnincallmanager/InCallProximityManager.java, line(s) 23,63,66,71,75,127,140,142
live/videosdk/rnincallmanager/InCallWakeLockUtils.java, line(s) 61,67,73,79,85,91,97
live/videosdk/rnwebrtc/BitmapVideoFrameConversion.java, line(s) 71
live/videosdk/rnwebrtc/CameraCaptureController.java, line(s) 92,96,113,117,131,135,40,72,121,139
live/videosdk/rnwebrtc/CameraEventsHandler.java, line(s) 14,19,24,29,34,39
live/videosdk/rnwebrtc/EglUtils.java, line(s) 29
live/videosdk/rnwebrtc/GetUserMediaImpl.java, line(s) 74,77,98,115,162,294,313,137,70
live/videosdk/rnwebrtc/PeerConnectionObserver.java, line(s) 105,177,186,197,222,240,261,409,205,346
live/videosdk/rnwebrtc/ScreenCaptureController.java, line(s) 43
live/videosdk/rnwebrtc/StringUtils.java, line(s) 76
live/videosdk/rnwebrtc/VideoTrackAdapter.java, line(s) 36,51,115,32,46
live/videosdk/rnwebrtc/WebRTCModule.java, line(s) 378,403,427,451,471,510,529,551,573,614,655,702,744,780,800,845,864,883,902,534,556,820
live/videosdk/rnwebrtc/WebRTCView.java, line(s) 105,304,318
Security note: the app listens for clipboard changes; some malware also monitors the clipboard
The listener lives in the community clipboard module; what is done with the clipboard contents is decided by the app's JavaScript, so review the code that subscribes to clipboard events.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 30,246,246,4
Security note: the app copies data to the clipboard; sensitive data must not be copied there because other apps can read it
Since Android 10 background apps can no longer read the clipboard, but foreground apps and keyboards still can. Avoid copying secrets (tokens, OTPs, card data) at all; where copying is a feature, mark the clip as sensitive (ClipDescription.EXTRA_IS_SENSITIVE, API 33+) so the system does not preview it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/reactnativecommunity/clipboard/ClipboardModule.java, line(s) 4,103
Passed check: the app may have root detection
The detection code found is in the Cashfree payment SDK (RootUtil, CFOSContext), not in the app's own code, so it protects the payment flow only and, like any client-side check, can be bypassed by an attacker who controls the device.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files:
com/cashfree/pg/base/util/RootUtil.java, line(s) 31,15,19,19,19,19,19,19,9
com/cashfree/pg/cf_analytics/context/CFOSContext.java, line(s) 17
Passed check: the app uses SSL pinning to detect or prevent MITM attacks on the secure channel
The pinning implementation found is the Cashfree SDK's own network client (POSTApiWithSSLPin). The report found no pinning for the app's remaining traffic (React Native networking, Firebase), which therefore relies on the platform trust store and on the cleartext policy reported above.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/cashfree/pg/network/POSTApiWithSSLPin.java, line(s) 39,38,36,36,61,61,62,62,65,80
Passed check: Firebase Remote Config is disabled
The Firebase Remote Config endpoint ( https://firebaseremoteconfig.googleapis.com/v1/projects/996922397465/namespaces/firebase:fetch?key=AIzaSyCKsFRx7AMLR2PWLMdp8WdV9lIBQS1z9E8 ) returned { "state": "NO_TEMPLATE" }, i.e. no Remote Config template is published for this project, so nothing can be fetched from it with the embedded key.
Overall security baseline summary

sushain v0.0.42
Android APK
Overall security score: 59/100
Risk level: Medium risk