Application Security Scan Report
Mobile Application Security Scan Report

Tarjeta Transporte v3.0.29
Security score (security baseline score): 58/100
Overall risk level: Low risk
The application carries some security risk; remediation is recommended.
Distribution of vulnerabilities and security items
High-risk vulnerabilities: 1
Medium-risk vulnerabilities: 14
Informational notes: 2
Passed security checks: 3
Key security concerns: 3
Privacy risk assessment
Third-party trackers: 2
Medium privacy risk: a small number of third-party trackers was detected
High-risk vulnerability: The file is world writable. Any application can write to the file.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/sgcr/fn2.java, line(s) 67
Medium-risk vulnerability: Activity (com.redsys.tpvvinapplibrary.directPayment.DirectPaymentActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Activity (com.redsys.tpvvinapplibrary.webviewPayment.WebViewPaymentActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: com/itextpdf/text/Version.java, line(s) 37 com/itextpdf/text/pdf/PdfWriter.java, line(s) 774 com/sgcr/d6.java, line(s) 84 com/sgcr/t7.java, line(s) 73 com/sgcr/v6.java, line(s) 126
Medium-risk vulnerability: IP address disclosure.
Files: com/itextpdf/text/pdf/security/BouncyCastleDigest.java, line(s) 31,37,40,43,34,49,46,52,55 com/itextpdf/text/pdf/security/CertificateInfo.java, line(s) 47,49,51,53,61,63,65,67,69,55,45,57,59,75,73,70 com/itextpdf/text/pdf/security/CertificateVerification.java, line(s) 27,29,29 com/itextpdf/text/pdf/security/DigestAlgorithms.java, line(s) 30,63,64,53,52,54,32,67,68,33,69,70,34,71,72,31,65,66,48,49,50,51,36,75,76,35,73,74,37,77,78,42,43,44,41,39,38,40,55,79 com/itextpdf/text/pdf/security/EncryptionAlgorithms.java, line(s) 23,24,25,26,21,22,17,18,19,16,13,14,15,27 com/itextpdf/text/pdf/security/OCSPVerifier.java, line(s) 33 com/itextpdf/text/pdf/security/PdfPKCS7.java, line(s) 720,153 com/itextpdf/text/pdf/security/SecurityConstants.java, line(s) 12 com/itextpdf/text/pdf/security/SecurityIDs.java, line(s) 16,11,14,12,13,7,10,15,6,4,5
Medium-risk vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/crtm/recarga/ui/MainActivity.java, line(s) 450 com/crtm/recarga/ui/factura/FacturasFragment.java, line(s) 63 com/sgcr/g41.java, line(s) 95
Medium-risk vulnerability: MD5 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/itextpdf/text/ImgJBIG2.java, line(s) 40 com/itextpdf/text/pdf/PdfEncryption.java, line(s) 57,101 com/itextpdf/text/pdf/PdfSmartCopy.java, line(s) 31,138 com/sgcr/q03.java, line(s) 347
Medium-risk vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/sgcr/b91.java, line(s) 5,6,81,204,221,298,332,351,360,698 com/sgcr/f53.java, line(s) 3,59 com/sgcr/m62.java, line(s) 4,5,35 com/sgcr/na1.java, line(s) 4,5,140 com/sgcr/u52.java, line(s) 5,6,134,404,463,652,684
Medium-risk vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/itextpdf/text/pdf/PdfStamper.java, line(s) 306 com/sgcr/bp0.java, line(s) 137 com/sgcr/jw0.java, line(s) 41
Medium-risk vulnerability: SHA-1 is a weak hash with known collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/itextpdf/text/pdf/PdfReader.java, line(s) 1159 com/itextpdf/text/pdf/security/LtvVerification.java, line(s) 149 com/itextpdf/text/pdf/security/MakeXmlSignature.java, line(s) 115 com/itextpdf/text/pdf/security/PdfPKCS7.java, line(s) 717 com/sgcr/d80.java, line(s) 147 com/sgcr/lb0.java, line(s) 54
Medium-risk vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/sgcr/Cstatic.java, line(s) 3 com/sgcr/d00.java, line(s) 3 com/sgcr/q03.java, line(s) 44 com/sgcr/tw0.java, line(s) 3 com/sgcr/wd2.java, line(s) 20
Medium-risk vulnerability: The application contains privacy trackers.
This application contains 2 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-risk vulnerability: This application may contain hardcoded secrets.
The following secrets were identified in the application; verify that they are not confidential or private information:
AdMob ad platform => "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-xxxxxxxxxxxxxxxx~yyyyyyyyyy"
"firebase_database_url" : "https://crtm-recarga-d6667.firebaseio.com"
"google_api_key" : "AIzaSyBAxYXm_Kc8DBdCfuYU2UE7OxdcoUkun5g"
"google_app_id" : "1:41074723528:android:ffbdedfbd5554eb1a473fd"
"google_crash_reporting_api_key" : "AIzaSyBAxYXm_Kc8DBdCfuYU2UE7OxdcoUkun5g"
0123456789ABCDEF0123456789abcdef
470fa2b4ae81cd56ecbcda9735803434cec591fa
ZdPZfPPFYoRT9gcqm965HChS5ojEWjlz
Informational: The application writes log messages. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: [the scanner's multi-line list of file and line references is omitted]
Informational: The application communicates with a Firebase database.
The application communicates with the Firebase database at https://crtm-recarga-d6667.firebaseio.com
Passed security check: This application may have root detection.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/sgcr/am2.java, line(s) 33 com/sgcr/fh.java, line(s) 140,140,141
Passed security check: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/sgcr/au0.java, line(s) 101,100,99,99 com/sgcr/ca.java, line(s) 100,99,98 com/sgcr/ow0.java, line(s) 215,195,214,213,213 com/sgcr/tj.java, line(s) 116,106,115,122,114,114
Passed security check: Firebase Remote Config is disabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/41074723528/namespaces/firebase:fetch?key=AIzaSyBAxYXm_Kc8DBdCfuYU2UE7OxdcoUkun5g ) is disabled. The response is shown below: { "state": "NO_TEMPLATE" }
Key security concern: The application may communicate with a server (app-measurement.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Key security concern: The application may communicate with a server (firebase-settings.crashlytics.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Key security concern: The application may communicate with a server (pagead2.googlesyndication.com) located in an OFAC-sanctioned country (China).
{'ip': '180.163.151.166', 'country_short': 'CN', 'country_long': '中国', 'region': '上海', 'city': '上海', 'latitude': '31.224333', 'longitude': '121.468948'}
Overall security baseline score summary

Tarjeta Transporte v3.0.29
Android APK
Overall security score: 58
Medium risk