应用安全检测报告

[android:allowBackup=true]
该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据，存在数据泄露风险。

[android:exported=true]
检测到  Activity 已导出，未受任何权限保护，任意应用均可访问。

[android:exported=true]
检测到  Activity 已导出，未受任何权限保护，任意应用均可访问。

Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
检测到  Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous，恶意应用可申请并与组件交互；若为 signature，仅同证书签名应用可访问。

Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
检测到  Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous，恶意应用可申请并与组件交互；若为 signature，仅同证书签名应用可访问。

[android:exported=true]
检测到  Service 已导出，未受任何权限保护，任意应用均可访问。

[android:exported=true]
检测到  Service 已导出，未受任何权限保护，任意应用均可访问。

[android:exported=true]
检测到  Service 已导出，未受任何权限保护，任意应用均可访问。

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
检测到  Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous，恶意应用可申请并与组件交互；若为 signature，仅同证书签名应用可访问。

(com.braze.push.NotificationTrampolineActivity)
设置 taskAffinity 后，其他应用可读取发送至该 Activity 的 Intent。为防止敏感信息泄露，建议保持默认 affinity（包名）。

不安全的Web视图实现。可能存在WebView任意代码执行漏洞
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/braze/ui/banners/BannerView.java, line(s) 138,125

应用程序使用不安全的随机数生成器
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/appsflyer/internal/AFb1cSDK.java, line(s) 17
com/braze/support/IntentUtils.java, line(s) 13
com/microsoft/appcenter/http/HttpClientRetryer.java, line(s) 10
com/unity/androidnotifications/UnityNotificationManager.java, line(s) 31

文件可能包含硬编码的敏感信息，如用户名、密码、密钥等
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
com/braze/Constants.java, line(s) 49,55,70,47,48,87,29,30,53,54,31,51,65,46,69,71,79,64,94,77,98,36,45,96,12,13,16,17,18,101,60,62,61,50,63,72,78,93,75,95,57
com/braze/configuration/BrazeConfig.java, line(s) 958
com/braze/enums/CardKey.java, line(s) 30,27,28,31,32
com/braze/images/DefaultBrazeImageLoader.java, line(s) 39
com/braze/models/Banner.java, line(s) 14
com/braze/models/inappmessage/InAppMessageHtml.java, line(s) 17,19,20
com/braze/models/outgoing/AttributionData.java, line(s) 15,13,14,17
com/braze/push/BrazeNotificationUtils.java, line(s) 51
com/braze/push/BrazePushReceiver.java, line(s) 42,35,34,45,37,46,39
com/braze/storage/z.java, line(s) 56
com/braze/support/StringUtils.java, line(s) 26
com/braze/ui/BrazeWebViewClient.java, line(s) 52
com/braze/ui/contentcards/ContentCardsFragment.java, line(s) 54,55,58,59
com/braze/unity/configuration/UnityConfigurationProvider.java, line(s) 18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36
com/microsoft/appcenter/AppCenter.java, line(s) 42,50
com/microsoft/appcenter/Constants.java, line(s) 8
com/microsoft/appcenter/channel/DefaultChannel.java, line(s) 454
com/microsoft/appcenter/crashes/utils/ErrorLogHelper.java, line(s) 40,52
com/microsoft/appcenter/http/DefaultHttpClient.java, line(s) 17,19
com/microsoft/appcenter/ingestion/OneCollectorIngestion.java, line(s) 25,27,32
com/microsoft/appcenter/ingestion/models/WrapperSdk.java, line(s) 9
com/microsoft/appcenter/ingestion/models/one/CommonSchemaLog.java, line(s) 15
com/microsoft/appcenter/loader/AppCenterLoader.java, line(s) 19,21,29,31,35,20,22,23,24,25,26,28,33,34,37,39,40,41,42,43,44,45,27
com/microsoft/appcenter/persistence/DatabasePersistence.java, line(s) 33
com/microsoft/appcenter/utils/context/SessionContext.java, line(s) 14
com/microsoft/appcenter/utils/storage/DatabaseManager.java, line(s) 16
com/unity/androidnotifications/UnityNotificationManager.java, line(s) 55,57
com/unity/androidnotifications/UnityNotificationUtilities.java, line(s) 28,27

应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
com/microsoft/appcenter/persistence/DatabasePersistence.java, line(s) 6,7,64,69,70,71
com/microsoft/appcenter/utils/storage/DatabaseManager.java, line(s) 7,8,9,10,40

应用程序可以读取/写入外部存储器，任何应用程序都可以读取写入外部存储器的数据
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/onevcat/uniwebview/T.java, line(s) 88
com/onevcat/uniwebview/W.java, line(s) 117
com/yasirkula/unity/NativeCameraUtils.java, line(s) 233
com/yasirkula/unity/NativeFilePickerUtils.java, line(s) 82
com/yasirkula/unity/NativeGalleryUtils.java, line(s) 89

MD5是已知存在哈希冲突的弱哈希
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

Files:
com/braze/support/StringUtils.java, line(s) 65

应用程序创建临时文件。敏感信息永远不应该被写进临时文件


Files:
com/onevcat/uniwebview/T.java, line(s) 93

Firebase远程配置URL （ https://firebaseremoteconfig.googleapis.com/v1/projects/626950017386/namespaces/firebase:fetch?key=AIzaSyDQQpFJCvlFk4g_5FM_2xDWGTN_7PXl3UA ） 已启用。请确保这些配置不包含敏感信息。响应内容如下所示：

{
    "entries": {
        "app_rating_day": "9",
        "app_rating_feature_enabled": "true",
        "blacklisted_versions_android": "",
        "blacklisted_versions_ios": "",
        "demo_user_email": "[email protected]",
        "demo_user_pwd_encrypted": "BnSEGwmkHVpCFlqf7CeSjg==",
        "instant_analytic_events": "MobileAppSignUp;MobileAppLogin;MobileAppLogout;MobileAppLaunched;CompanionDeviceInstallation;MobileKokuaRunStarted;MobileKokuaInputScreenClosed;MobileKokua1stInputScreenCompleted;MobileKokuaMeditationStarted;MobileKokuaMeditationSkipped;MobileKokuaMeditationCompleted;MobileKokua2ndInputScreenCompleted;MobileKokuaContentRatingStarted;MobileKokuaContentRatingSkipped;MobileKokuaContentRatingCompleted;MobileKokuaFeatureRatingStarted;MobileKokuaFeatureRatingSkipped;MobileKokuaFeatureRatingCompleted;MobileKokuaShareButtonPressed;MobileKokuaPinEntryScreenEntered;MobileKokuaRunEnded;XrKokuaEstablishConnectionWaitTime;XrKokuaKeyboardInputSent;XrKokuaInterrupt;TrippMicPermissionState;XrKokuaCaptionsEnabled;XrKokuaCaptionsDisabled;XrKokuaReflectionStarted;XrKokuaReflectionCompleted;XrKokuaUserRespondedPostReflection;XrKokuaReflectionPoolImageGenerationSucceded;XrKokuaReflectionPoolImageGenerationFailed;CompanionSubmitPhoto;CompanionRejectPhoto;MobileWeeklyStreak1;MobileWeeklyStreak2;MobileWeeklyStreak3;MobileWeeklyStreak4;MobileWeeklyStreak5;MobileWeeklyStreak6;MobileWeeklyStreak7;MobileIAPInitializationEvent;MobileIAPPurchaseStartedEvent;MobileIAPPurchaseFinishedEvent;MobileIAPPurchaseFailedEvent;MobilePreviousPurchaseDetected;MobileWelcomeScreenOnboardingFunnel;MobileSurveyStartedOnboardingFunnel;MobileSurveySubmittedOnboardingFunnel;MobileSurveySkippedOnboardingFunnel;MobileSubscriptionPlansEnteredOnboardingFunnel;MobileSubscriptionPlansSkippedOnboardingFunnel;MobileSubscriptionPurchaseStartedOnboardingFunnel;MobileSubscriptionPurchaseSucceededOnboardingFunnel;MobileSubscriptionPurchaseFailedOnboardingFunnel;MobileSubscriptionPlansEnteredGateFunnel;MobileSubscriptionPlansSkippedGateFunnel;MobileSubscriptionPurchaseStartedGateFunnel;MobileSubscriptionPurchaseSucceededGateFunnel;MobileSubscriptionPurchaseFailedGateFunnel;MobileSubscriptionUpsellVrEnteredGateFunnel;MobileSubscriptionComparisonEnteredGateFunnel;MobileJoinForkFunnel;MobileUseVrForkFunnel;MobileLoginForkFunnel;MobileCreateAccountMobileStartedOnboardingFunnel;MobilePairDeviceVrIntroEnteredOnboardingFunnel;MobileCreateAccountVrStartedOnboardingFunnel;MobileCreateAccountMobileCompletedOnboardingFunnel;MobileCreateAccountVrCompletedOnboardingFunnel;MobilePairDeviceVrEnteredOnboardingFunnel;MobilePairDeviceVrSkippedOnboardingFunnel;MobilePairDeviceVrSucceededOnboardingFunnel;MobilePromotionsDeeplinkScreenOpened;MobilePromotionsDeeplinkScreenPurchaseInitiated;MobilePromotionsDeeplinkScreenPurchaseSucceeded;MobilePromotionsDeeplinkScreenPurchaseFailed",
        "kokua_create_for_others_flow_enabled": "true",
        "kokua_entry_enabled": "true",
        "kokua_feature_enabled": "true",
        "kokua_image_generation_enabled": "true",
        "kokua_voice_cloning_enabled": "false",
        "minimal_version_android": "1.15.9",
        "minimal_version_ios": "1.15.9",
        "recommended_version_android": "1.15.10",
        "recommended_version_ios": "1.15.10",
        "weekly_goals_bonus_aura": "10",
        "weekly_goals_data": "[{\"GoalTitle\": \"Check-in with Yourself\",\"GoalDescription\": \"Track mood {0} days this week\",\"WeeklyGoalType\":2,\"RequiredCountToComplete\":[3],\"AuraRewardAmount\":3,\"MaxCompletionPerDay\":1},{\"GoalTitle\": \"Get Support from Kōkua\",\"GoalDescription\": \"Chat with Kōkua {0} days this week\",\"WeeklyGoalType\":0,\"RequiredCountToComplete\":[2],\"AuraRewardAmount\":3,\"MaxCompletionPerDay\":1},{\"GoalTitle\": \"Expand your Practice\",\"GoalDescription\": \"Listen to TRIPP of the week\",\"WeeklyGoalType\":4,\"RequiredCountToComplete\":[1],\"AuraRewardAmount\":3,\"MaxCompletionPerDay\":1}]",
        "weekly_goals_enabled": "true",
        "weekly_goals_featured_audio_content_playlist_id": "3c3cab0b8528a768fe562676169e8c72"
    },
    "state": "UPDATE",
    "templateVersion": "60"
}

从应用程序中识别出以下机密确保这些不是机密或私人信息
"PASSWORD" : "Password"
"USERNAME" : "Username"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"appcenter_app_secret" : "8e4f9ef1-853a-4216-a0c3-356db0f9bd60"
"com.google.firebase.crashlytics.unity_version" : "2022.3.47f1"
"com_braze_api_key" : "7ec70f34-be63-4c9b-abf6-f84d1e1e5777"
"com_braze_firebase_cloud_messaging_sender_id" : "626950017386"
"com_braze_image_is_read_tag_key" : "com_appboy_image_is_read_tag_key"
"com_braze_image_lru_cache_image_url_key" : "com_braze_image_lru_cache_image_url_key"
"com_braze_image_resize_tag_key" : "com_appboy_image_resize_tag_key"
"com_braze_inapp_initial_display_operation_key" : "DISPLAY_NOW"
"enable_manual_session_tracker" : "False"
"firebase_database_url" : "https://tripp-prod.firebaseio.com"
"google_api_key" : "AIzaSyDQQpFJCvlFk4g_5FM_2xDWGTN_7PXl3UA"
"google_app_id" : "1:626950017386:android:a02b5159070594a7"
"google_crash_reporting_api_key" : "AIzaSyDQQpFJCvlFk4g_5FM_2xDWGTN_7PXl3UA"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Contrasenya"
"PASSWORD" : "Adgangskode"
"USERNAME" : "Brugernavn"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Adgangskode"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Passord"
"PASSWORD" : "Passwort"
"USERNAME" : "Nutzername"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Passwort"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Wagwoord"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Wagwoordsleutel"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Salasana"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Avainkoodi"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Heslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Contrasinal"
"PASSWORD" : "Wachtwoord"
"USERNAME" : "Gebruikersnaam"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Wachtwoord"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Toegangssleutel"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Klucz"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Geslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Sandi"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Zaporka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Lozinka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Lozinka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Heslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parool"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"PASSWORD" : "Senha"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Senha"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Pasahitza"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Sarbide-gakoa"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Iphasiwedi"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parole"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Nyckel"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Nenosiri"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parol"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parol"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Kod"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Senha"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Palavra-passe"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
37a6259cc0c1dae299a7866489dff0bd
FBA3AF4E7757D9016E953FB3EE4671CA2BD9AF725F9A53D52ED4A38EAAA08901
3BAF59A2E5331C30675FAB35FF5FFF0D116142D3D4664F1C3CB804068B40614F
FFE391E0EA186D0734ED601E4E70E3224B7309D48E2075BAC46D8C667EAE7212
E3F9E1E0CF99D0E56A055BA65E241B3399F7CEA524326B0CDD6EC1327ED0FDC1