Mobile Application Security Scan Report

Cashalo v2.25.0.0
Security baseline score: 48/100
Overall risk level: Medium risk
Risk grade scale:
- A
- B
- C
- F
The application has some security risks; optimization is recommended.
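Distribution of vulnerabilities and security items
- High-severity vulnerabilities: 5
- Medium-severity vulnerabilities: 27
- Security notices (informational): 4
- Passed security items: 3
Privacy risk assessment
- Third-party trackers: 8
- High privacy risk: a large number of third-party trackers were detected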
Key security concerns: 0
High-severity vulnerability: The application uses ECB mode in its encryption algorithm. ECB is a known weak mode because identical plaintext blocks produce identical ciphertext.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: com/tom_roush/pdfbox/pdmodel/encryption/StandardSecurityHandler.java, line(s) 66
High-severity vulnerability: Use of a weak encryption algorithm.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/intsig/view/a.java, line(s) 15,23
High-severity vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: com/oriente/cashalo/page/fragment/p.java, line(s) 148,14,15
High-severity vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/tom_roush/pdfbox/pdmodel/encryption/SecurityHandler.java, line(s) 166
High-severity vulnerability: The application contains privacy trackers.
This application has 8 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
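Medium-severity vulnerability: Activity (com.snap.stuffing.lib.DynamicLaunchActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity-Alias (com.oriente.cashalo.page.activity.WelcomeActivity) is not protected.
[android:exported=true] The Activity-Alias is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.oriente.cashalo.page.activity.LegacyWelcomeActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.oriente.cashalo.page.activity.DispatcherActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Content Provider (com.facebook.FacebookContentProvider) is not protected.
[android:exported=true] The Content Provider is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Broadcast Receiver (com.appsflyer.SingleInstallBroadcastReceiver) is not protected.
[android:exported=true] The Broadcast Receiver is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (finance.empower.android.app.LaunchActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (finance.empower.android.app.DeepLinkLaunchActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (com.airbnb.android.showkase.ui.ShowkaseBrowserActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.
Medium-severity vulnerability: Activity (androidx.compose.ui.tooling.PreviewActivity) is not protected.
[android:exported=true] The Activity is exported and is not protected by any permission, so any application can access it.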
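Medium-severity vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and is protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.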
Medium-severity vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords, and keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Medium-severity vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files:
- coil/decode/SourceImageSource.java, line(s) 136
- com/tom_roush/pdfbox/io/RandomAccessBufferedFileInputStream.java, line(s) 93
- com/tom_roush/pdfbox/io/ScratchFile.java, line(s) 99
- fsimpl/C.java, line(s) 38
Medium-severity vulnerability: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/oriente/cashalo/utils/OrientUtils.java, line(s) 300
- com/oriente/locklibrary/LockPatternUtil.java, line(s) 95
- com/tom_roush/pdfbox/pdmodel/encryption/MessageDigests.java, line(s) 20
- fsimpl/aN.java, line(s) 41
Medium-severity vulnerability: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/intsig/scanner/CommonUtil.java, line(s) 123
- com/intsig/scanner/ScannerSDK.java, line(s) 82
- com/intsig/view/b.java, line(s) 464
- com/oriente/adapter/store/MetaCache.java, line(s) 461
- com/oriente/cashalo/page/fragment/BaseCFFragment.java, line(s) 309
- com/oriente/cashalo/page/fragment/BorrowConsumerFragment.java, line(s) 1250
- com/oriente/cashalo/page/fragment/BorrowInstallmentFragment.java, line(s) 833
- com/oriente/cashalo/page/fragment/OpenBankFragment.java, line(s) 99
- com/oriente/cashalo/page/fragment/RegisterFragmentStep2.java, line(s) 521
- com/oriente/cashalo/page/fragment/WebViewFragment.java, line(s) 267
- com/oriente/cashalo/service/handler/OrienteTokenInterceptor.java, line(s) 35
- com/oriente/core/utils/CoderUtils.java, line(s) 24
- com/oriente/user/UserUtils.java, line(s) 39,43,108,110,114
- com/oriente/utils/WebViewUtils.java, line(s) 69
- com/oriente/verify/VerifyPluginImpl.java, line(s) 1604
- com/tom_roush/pdfbox/pdfwriter/COSWriter.java, line(s) 792
- com/tom_roush/pdfbox/pdmodel/encryption/MessageDigests.java, line(s) 12
Medium-severity vulnerability: The application can read from and write to external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
- com/intsig/scanner/CommonUtil.java, line(s) 15
- com/intsig/view/DocumentUtil.java, line(s) 57
- com/intsig/view/Utils.java, line(s) 83,84
- com/oriente/adapter/update/ApkDownloader.java, line(s) 45,56
- com/oriente/cashalo/cordova/camera/CameraLauncher.java, line(s) 391,843
- com/oriente/cashalo/cordova/camera/CordovaUri.java, line(s) 40
- com/oriente/cashalo/cordova/camera/FileHelper.java, line(s) 36
- com/oriente/core/utils/FileUtils.java, line(s) 155,111,111,111,168,171,521,602,622,625
- com/oriente/core/utils/LogTracker.java, line(s) 106
- com/withpersona/sdk2/inquiry/document/DocumentCameraWorker.java, line(s) 101
- fsimpl/C0063ci.java, line(s) 226
- fsimpl/C0263ci.java, line(s) 227
- support/ada/embed/widget/AdaEmbedView.java, line(s) 428
Medium-severity vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before it is written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files:
- com/iterable/iterableapi/IterableDatabaseManager.java, line(s) 4,5,21
- com/iterable/iterableapi/IterableTaskStorage.java, line(s) 8,134,175,197
- com/oriente/core/store/db/DatabaseManager.java, line(s) 5,6,7,8,9,10,11,12,13,93,98
- com/oriente/core/store/db/PhoneDatabaseHelper.java, line(s) 4,5,46
- com/oriente/core/store/db/SDCardDatabaseHelper.java, line(s) 4,81
Medium-severity vulnerability: IP address disclosure.
Files:
- com/intsig/view/b.java, line(s) 46,433,521
- razerdp/library/BuildConfig.java, line(s) 12
Medium-severity vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files:
- com/oriente/cashalo/page/fragment/OpenBankFragment.java, line(s) 189,120
- support/ada/embed/widget/AdaEmbedView.java, line(s) 230,200
Medium-severity vulnerability: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView can leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: support/ada/embed/widget/AdaEmbedView.java, line(s) 189,200
Medium-severity vulnerability: Firebase Remote Config is enabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/345159464576/namespaces/firebase:fetch?key=AIzaSyBr24IKEsmVNN40DV-xXxpMusf7vxsvbzY ) is enabled. Make sure these configurations do not contain sensitive information. The response content is shown below:
{ "entries": { "home_page_cash_config": "{\"title\":\"Cashalo Loan\",\"minLoanAmount\":\"1000\",\"maxLoanAmount\":\"25000\",\"tips\":\"You can now receive your loan through:\",\"payMethod\":[\"Bank Account\",\"Maya Account\",\"Gcash Account\"],\"buttonText\":\"Apply Now\",\"buttonBackgroundColor\":\"\",\"buttonTextColor\":\"\"}", "sdui_onboarding": "true", "segment_debug_logging_enabled": "true", "use_fullstory": "false", "use_improved_analytics_traits": "true", "version_management": "{\"android\":{\"min_required_version\":56,\"min_recommended_version\":60,\"min_registrable_os_version\":23,\"dead_releases\":[1]}}" }, "state": "UPDATE", "templateVersion": "15" }
Medium-severity vulnerability: This application may contain hardcoded secrets.
Possible secrets were identified in the application; make sure these are not secret or private information.
Security notice: The application logs information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Security notice: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, because other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files:
- com/oriente/adapter/page/BaseActivity.java, line(s) 5,162,163
- com/oriente/core/utils/DeviceUtils.java, line(s) 8,231
- com/oriente/utils/ClipboardUtils.java, line(s) 4,9
- finance/empower/android/app/components/KeyboardComponent.java, line(s) 5,102
Security notice: The application can write to the application directory. Sensitive information should be encrypted.
Files: com/statsig/androidsdk/StatsigClient.java, line(s) 2444,2444
Security notice: The application communicates with a Firebase database.
The application communicates with the Firebase database at https://cashalo-8fd5c.firebaseio.com
Passed security item: This application uses SSL pinning to detect or prevent MITM attacks on the secure communication channel.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files:
- com/oriente/adapter/config/AdapterUtils.java, line(s) 153,225,151
- com/oriente/adapter/http/SslUtil.java, line(s) 93,84,102,71,82,82,93,96
- com/oriente/adapter/store/Util.java, line(s) 519,518,517,517
- com/rizzi/bouquet/network/RetrofitProviderKt.java, line(s) 14,15,14
- com/withpersona/sdk2/inquiry/network/NetworkModule.java, line(s) 219,224,228,231,241
- finance/empower/android/app/dagger/NetworkModule.java, line(s) 118,120,120,132
Passed security item: This application may have root detection capabilities.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: com/oriente/core/utils/DeviceUtils.java, line(s) 151,151
Passed security item: This application has capabilities to prevent tapjacking attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-for-overlay-attacks-mstg-platform-9
Files: finance/empower/android/core/ui/view/extensions/ViewExtKt.java, line(s) 18
Overall security baseline score summary

Cashalo v2.25.0.0
Android APK
Overall security score: 48
Medium risk