Mobile Application Security Assessment Report


Mantra Counter v25.01

Android APK 64b114cb...

Security baseline score: 58/100

Overall risk level: Low risk (grading scale: A, B, C, F)

The app carries some security risk; remediation is recommended.

Findings by severity

High: 0
Medium: 22
Informational: 2
Passed: 3

Privacy risk assessment

Third-party trackers: 4

Medium privacy risk: a small number of third-party trackers were detected


Findings breakdown

High-severity vulnerabilities: 0
Medium-severity vulnerabilities: 22
Informational notices: 2
Passed security checks: 3
Security hotspots: 0

Medium-severity vulnerability: App allows cleartext network traffic

[android:usesCleartextTraffic=true]
The app permits cleartext network traffic (HTTP, FTP, DownloadManager, MediaPlayer and similar). The flag defaults to true for apps targeting API level 27 or lower and to false from API level 28. Cleartext traffic carries no confidentiality, integrity or authenticity protection, so an attacker on the network path can read or modify what is transmitted. Disable cleartext traffic and use only encrypted protocols; if one host genuinely needs cleartext, scope that exception to the host in a network security configuration instead of setting the manifest-wide flag.

Medium-severity vulnerability: App data can be backed up

[android:allowBackup=true]
This flag allows application data to be copied off the device with adb backup. Anyone with USB debugging enabled on the device can extract the app's private data directory, which is a data-leakage risk. Set android:allowBackup="false" unless backup is required. Note that from Android 12 (API level 31) the platform excludes app data from adb backup for apps targeting API level 31 or higher, so the exposure remains mainly on older devices and lower target levels.

Medium-severity vulnerability: Activity (com.sweetedge.mantracounter.Authentication.Authentication) is not protected.

[android:exported=true]
The Activity is exported and not guarded by any permission, so any app on the device can start it with an explicit intent and attacker-chosen extras. Review what this screen does with the intent it receives and whether launching it directly bypasses any state the normal sign-in flow establishes.

Medium-severity vulnerability: Service (push_notif.MyFirebaseInstanceService) is not protected.

[android:exported=true]
The Service is exported and not guarded by any permission, so any app on the device can start or bind to it. For a Firebase messaging service this is usually the intent-filter configuration the SDK requires; confirm that the service does nothing sensitive when started with an explicit intent from a third-party app.

Medium-severity vulnerability: Activity (com.sweetedge.mantracounter.group.HandleInApp) is not protected.

[android:exported=true]
The Activity is exported and not guarded by any permission, so any app on the device can start it with an explicit intent and attacker-chosen extras. Check that any extras it reads are validated before being acted on.

Medium-severity vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but its protection level should be checked.

Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
The Broadcast Receiver is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. Here the permission is declared by Google Play services with the signature protection level, which is how FCM restricts delivery to its own process; this is the standard FCM configuration rather than an app-specific exposure.

Medium-severity vulnerability: Broadcast Receiver (com.cashfree.pg.core.api.ui.receiver.CFSMSBroadcastReceiver) is protected by a permission, but its protection level should be checked.

Permission: com.google.android.gms.auth.api.phone.permission.SEND [android:exported=true]
The Broadcast Receiver is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. This permission belongs to Google Play services and is used for SMS Retriever API broadcasts, through which the Cashfree payment SDK receives OTP messages; the app does not control its protection level, but how the receiver parses the delivered SMS text is worth reviewing.

Medium-severity vulnerability: Activity (com.google.firebase.auth.internal.GenericIdpActivity) is not protected.

[android:exported=true]
The Activity is exported and not guarded by any permission, so any app on the device can start it. It belongs to the Firebase Authentication SDK and is exported through an intent filter so that the browser-based federated sign-in step can return its result to the app; the app does not set this flag itself. The review question is whether the SDK version in use validates that callback, not whether the export can be removed.

Medium-severity vulnerability: Activity (com.google.firebase.auth.internal.RecaptchaActivity) is not protected.

[android:exported=true]
The Activity is exported and not guarded by any permission, so any app on the device can start it. Like GenericIdpActivity it belongs to the Firebase Authentication SDK and is exported through an intent filter so that the browser-based reCAPTCHA verification used for phone-number sign-in can return its result; the app does not set this flag itself. Review the SDK version's handling of that callback rather than trying to un-export the component.

Medium-severity vulnerability: Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but its protection level should be checked.

Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
The Service is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. This permission is declared by Google Play services for the Google Sign-In SDK's revocation callback; the app does not control it.

Medium-severity vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but its protection level should be checked.

Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
The Service is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. android.permission.BIND_JOB_SERVICE is a platform permission with protection level signature, held only by the system's JobScheduler, and every JobService must declare it; it does not expose the component to third-party apps.

Medium-severity vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but its protection level should be checked.

Permission: android.permission.DUMP [android:exported=true]
The Broadcast Receiver is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. android.permission.DUMP is a platform permission with protection level signature|privileged|development, so in practice only system components and the adb shell can trigger this receiver; that is the intended configuration for WorkManager's diagnostics entry point.

Medium-severity vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but its protection level should be checked.

Permission: android.permission.DUMP [android:exported=true]
The Broadcast Receiver is exported and guarded by a permission that is not declared in this app. Check the protection level where the permission is declared: if it is normal or dangerous, a malicious app can request it and interact with the component; if it is signature, only apps signed with the same certificate can. As with DiagnosticsReceiver, android.permission.DUMP is a signature|privileged|development platform permission, and this receiver is designed to be triggered from the adb shell during baseline-profile testing, so it is not reachable from third-party apps.
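
The manifest findings above (cleartext traffic, allowBackup and the eleven component findings) all come from one check: decide whether each component is exported, whether a permission guards it and, if so, where that permission is declared and with what protection level. The script below is an added example that reproduces that check in Python; it is not the scanner's code or the app's. The manifest fragment is constructed to mirror the components listed above, and the table of protection levels for permissions declared outside the app (platform and Google Play services permissions) is an assumption supplied for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(name):
    """Fully qualified form of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)

# Protection levels of permissions the app does not declare itself. The two
# android.permission.* entries are from AOSP; the GMS entry is an assumption
# for this example (the permission is declared by Google Play services).
EXTERNAL_PERMISSION_LEVELS = {
    "android.permission.BIND_JOB_SERVICE": "signature",
    "android.permission.DUMP": "signature|privileged|development",
    "com.google.android.c2dm.permission.SEND": "signature",
}

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest fragment modelled on the findings in this report.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sweetedge.mantracounter">
  <permission android:name="com.sweetedge.mantracounter.permission.INTERNAL"
      android:protectionLevel="signature"/>
  <application android:allowBackup="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Authentication.Authentication" android:exported="true"/>
    <activity android:name=".Settings"/>
    <service android:name="push_notif.MyFirebaseInstanceService" android:exported="true"/>
    <service android:name="androidx.work.impl.background.systemjob.SystemJobService"
        android:exported="true" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name="com.google.firebase.iid.FirebaseInstanceIdReceiver"
        android:exported="true" android:permission="com.google.android.c2dm.permission.SEND"/>
    <receiver android:name=".InternalReceiver" android:exported="true"
        android:permission="com.sweetedge.mantracounter.permission.INTERNAL"/>
    <receiver android:name=".LegacyReceiver">
      <intent-filter><action android:name="com.sweetedge.mantracounter.SYNC"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def is_launcher(elem):
    """The LAUNCHER entry point has to be exported; it is not a finding."""
    for f in elem.findall("intent-filter"):
        if any(c.get(attr("name")) == "android.intent.category.LAUNCHER"
               for c in f.findall("category")):
            return True
    return False

def is_exported(elem, target_sdk):
    """Platform rule: an explicit android:exported wins. Without it, a
    component that has an intent-filter is exported when targetSdk < 31;
    from 31 the attribute is mandatory for such components (the manifest
    would not build), so the component is treated as not exported."""
    explicit = elem.get(attr("exported"))
    if explicit is not None:
        return explicit == "true"
    return elem.find("intent-filter") is not None and target_sdk < 31

def audit_manifest(xml_text, target_sdk=30):
    """Return (component, verdict) pairs for the checks this report applies."""
    root = ET.fromstring(xml_text)
    local_levels = {p.get(attr("name")): p.get(attr("protectionLevel"), "normal")
                    for p in root.findall("permission")}
    app = root.find("application")
    findings = []
    if app.get(attr("usesCleartextTraffic")) == "true":
        findings.append(("application", "cleartext traffic enabled"))
    if app.get(attr("allowBackup"), "true") == "true":   # the attribute defaults to true
        findings.append(("application", "allowBackup enabled"))
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or is_launcher(elem):
            continue
        if not is_exported(elem, target_sdk):
            continue
        name = elem.get(attr("name"))
        perm = elem.get(attr("permission"))
        if perm is None:
            findings.append((name, "exported without permission"))
        elif perm in local_levels:
            level = local_levels[perm]
            note = " (any app can request it)" if level in ("normal", "dangerous") else ""
            findings.append((name, "local permission, protectionLevel=%s%s" % (level, note)))
        else:
            level = EXTERNAL_PERMISSION_LEVELS.get(perm, "unknown: check where it is declared")
            findings.append((name, "external permission %s, protectionLevel=%s" % (perm, level)))
    return findings

if __name__ == "__main__":
    for component, verdict in audit_manifest(MANIFEST):
        print("%-60s %s" % (component, verdict))
```

With target_sdk=30 the audit reports the two application-level flags, the two components exported without a permission, the receiver that is exported only implicitly through its intent filter, and the protection level behind each guarded component; with target_sdk=31 the implicit export disappears, which is exactly the change Android 12 made. The real report's "check the protection level" items are the cases where the permission falls into the external table.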

Medium-severity vulnerability: App can read/write external storage; any app can read data written to external storage

Data written to external storage is world-readable, so any other app on the device can read it (and, on older platforms, modify it). Keep sensitive data in internal storage (Context.getFilesDir()) and, if it must be written to external storage, encrypt it first. Apart from com/yalantis/ucrop/util/FileUtils.java, which is the bundled uCrop library, the hits below are in the app's own code.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage

Files:
com/sweetedge/mantracounter/Authentication/User_Screen.java, line(s) 307
com/sweetedge/mantracounter/MainActivity.java, line(s) 421,1047
com/sweetedge/mantracounter/RecordList.java, line(s) 77,179
com/sweetedge/mantracounter/Settings.java, line(s) 317,317
com/sweetedge/mantracounter/multimedia/GodImage.java, line(s) 132,264,269
com/yalantis/ucrop/util/FileUtils.java, line(s) 50
save_data/PDFClass.java, line(s) 95
save_data/iUtils.java, line(s) 25,54

Medium-severity vulnerability: App uses a SQLite database and executes raw SQL queries; untrusted user input in a raw query can lead to SQL injection. Sensitive data should also be encrypted before it is written to the database.

Raw SQL built by string concatenation lets a value containing quotes or operators change the structure of the statement. Pass user-controlled values through the selectionArgs parameter of SQLiteDatabase.rawQuery()/query() (or the bound-argument form of execSQL()) so they are bound as data, and encrypt sensitive columns or the whole database. The files below are the app's own database helpers.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2

Files:
alarmreminder/ReminderDatabase.java, line(s) 5,6,80,100,104
com/sweetedge/mantracounter/Database.java, line(s) 7,8,80,84,88,99
com/sweetedge/mantracounter/MusicDatabase.java, line(s) 7,8,63,74
com/sweetedge/mantracounter/list/MantraListDb.java, line(s) 7,8,107,112
com/sweetedge/mantracounter/multimedia/GodVideoDB.java, line(s) 7,8,67,75
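
As an added example (not taken from the app's decompiled database helpers), the Python below uses the sqlite3 module against an in-memory SQLite database with a constructed table to show the two behaviours this finding contrasts: a query assembled by string concatenation, which is what rawQuery("... '" + input + "'", null) does on Android, and the same query with the values bound as parameters, the selectionArgs form of rawQuery()/query(). A second pair shows that numeric columns are not safe from concatenation either. The table, rows and attacker inputs are constructed for the example.

```python
import sqlite3

def make_db():
    """In-memory SQLite database with a constructed table standing in for
    the app's own tables (ReminderDatabase, MantraListDb and friends)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mantra (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, count INTEGER)")
    conn.executemany("INSERT INTO mantra (name, owner, count) VALUES (?, ?, ?)",
                     [("Gayatri", "alice", 108), ("Om", "alice", 1008), ("Private", "bob", 7)])
    conn.commit()
    return conn

def find_vulnerable(conn, owner, name):
    """Concatenation, as in rawQuery("... WHERE name = '" + name + "'", null):
    the caller's text becomes SQL, so a quote in it ends the literal and the
    rest is parsed as operators."""
    sql = "SELECT name, count FROM mantra WHERE owner = '%s' AND name = '%s'" % (owner, name)
    return conn.execute(sql).fetchall()

def find_safe(conn, owner, name):
    """Parameter binding, the selectionArgs form of rawQuery()/query(): the
    statement text is fixed and the values travel separately, so they can
    only ever be compared, never parsed."""
    sql = "SELECT name, count FROM mantra WHERE owner = ? AND name = ?"
    return conn.execute(sql, (owner, name)).fetchall()

def delete_vulnerable(conn, record_id):
    """Numeric columns are not safe from concatenation either: no quoting is
    involved, so "1 OR 1=1" simply widens the WHERE clause. Returns rows deleted."""
    cur = conn.execute("DELETE FROM mantra WHERE id = %s" % record_id)
    conn.commit()
    return cur.rowcount

def delete_safe(conn, record_id):
    """Coerce to the expected type first (raises ValueError on junk), then bind."""
    cur = conn.execute("DELETE FROM mantra WHERE id = ?", (int(record_id),))
    conn.commit()
    return cur.rowcount

# Constructed attacker inputs.
TEXT_PAYLOAD = "x' OR '1'='1"      # (owner='alice' AND name='x') OR '1'='1'  -> every row
NUMERIC_PAYLOAD = "1 OR 1=1"       # id = 1 OR 1=1                            -> every row

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_vulnerable(db, "alice", TEXT_PAYLOAD))   # all 3 rows, bob's included
    print("safe:      ", find_safe(db, "alice", TEXT_PAYLOAD))          # []
    print("deleted:   ", delete_vulnerable(make_db(), NUMERIC_PAYLOAD)) # 3
```

The concatenated SELECT returns every row, including another user's, because AND binds tighter than OR; the bound version returns nothing because no mantra is literally named "x' OR '1'='1". The DELETE pair is the reason to validate type as well as bind: int() rejects the payload before it ever reaches SQLite.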

Medium-severity vulnerability: App uses an insecure random number generator

java.util.Random and Math.random() are seeded linear congruential generators whose output is predictable from a few observed values, so they must not be used for tokens, identifiers, OTPs or anything an attacker benefits from guessing; use java.security.SecureRandom instead. Most of the hits below are in gRPC and JaCoCo internals, where the values are used for things like backoff jitter and load-balancer selection and predictability is harmless; the ones to review are the app's own Country.java and FallAnimation.java, to confirm they are equally non-security-relevant.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators

Files:
com/sweetedge/mantracounter/Country.java, line(s) 24
com/sweetedge/mantracounter/group/FallAnimation.java, line(s) 20
io/grpc/internal/DnsNameResolver.java, line(s) 32
io/grpc/internal/ExponentialBackoffPolicy.java, line(s) 5
io/grpc/internal/PickFirstLoadBalancer.java, line(s) 13
io/grpc/internal/RetriableStream.java, line(s) 23
io/grpc/okhttp/OkHttpClientTransport.java, line(s) 70
io/grpc/util/OutlierDetectionLoadBalancer.java, line(s) 27
io/grpc/util/RoundRobinLoadBalancer.java, line(s) 20
org/jacoco/core/runtime/AbstractRuntime.java, line(s) 3
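
java.util.Random is a 48-bit linear congruential generator whose whole state is visible in two consecutive outputs. The added example below (not code from the app, gRPC or JaCoCo) reimplements the generator in Python from the constants in its Javadoc, recovers the state from two observed nextInt() values by brute-forcing the 16 bits that nextInt() discards, and predicts the next value; any token, OTP or filename derived from this generator can be predicted the same way. The seeds are constructed values; the reference output for seed 42 is the value Java itself produces.

```python
MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1

def to_signed32(x):
    """Reinterpret the low 32 bits of x as a Java int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x

class JavaRandom:
    """java.util.Random exactly as its Javadoc specifies: a 48-bit LCG,
    with nextInt() returning the top 32 bits of the new state.
    Check: JavaRandom(42).next_int() == -1170105035, as new Random(42).nextInt() does."""
    def __init__(self, seed):
        self.state = (seed ^ MULT) & MASK

    def next_bits(self, bits):
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self):
        return to_signed32(self.next_bits(32))

def recover_states(out1, out2):
    """Return every 48-bit state consistent with two consecutive nextInt()
    outputs. nextInt() discards the low 16 bits of the state, so the state
    that produced out1 has only 2**16 candidates; each is stepped once and
    kept if it reproduces out2. Almost always exactly one survives."""
    hi = out1 & 0xFFFFFFFF
    want = out2 & 0xFFFFFFFF
    states = []
    for low in range(1 << 16):
        candidate = (hi << 16) | low
        stepped = (candidate * MULT + ADD) & MASK
        if stepped >> 16 == want:
            states.append(stepped)
    return states

def predict_next_ints(out1, out2):
    """Predict the third nextInt() from the previous two (a list, in case of
    the rare ambiguity; one more observed output would resolve it)."""
    return [to_signed32(((s * MULT + ADD) & MASK) >> 16) for s in recover_states(out1, out2)]

if __name__ == "__main__":
    rng = JavaRandom(20250101)            # constructed seed; in practice it is usually the clock
    observed = [rng.next_int() for _ in range(2)]
    actual_next = rng.next_int()
    print("observed:", observed, "predicted:", predict_next_ints(*observed), "actual:", actual_next)
```

The search is 65,536 multiplications, i.e. instant. SecureRandom has no such shortcut because its output is not a function of a 48-bit state an observer can reconstruct; that is the whole difference the finding is about.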

Medium-severity vulnerability: Files may contain hard-coded sensitive information such as usernames, passwords or keys

All three hits are in gRPC library internals (name resolution, load balancing and frame encoding), so confirm which string constants triggered the rule before treating this as a finding; none of the app's own packages is listed.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10

Files:
io/grpc/internal/DnsNameResolver.java, line(s) 73,71,72,74
io/grpc/internal/PickFirstLoadBalancerProvider.java, line(s) 13
io/grpc/internal/TransportFrameUtil.java, line(s) 33

Medium-severity vulnerability: App creates temporary files; sensitive information must never be written to temporary files

Both hits are in bundled libraries (the ZXing barcode scanner and the SoundCloud crop library). Check what they write to the temporary file and that it is created under the app's private cache directory rather than on shared storage.

Files:
com/journeyapps/barcodescanner/CaptureManager.java, line(s) 262
com/soundcloud/android/crop/CropUtil.java, line(s) 77

Medium-severity vulnerability: IP address disclosure

The flagged lines in the gRPC OkHttp transport code matched an IPv4 address pattern. Confirm whether they are loopback or test addresses (in which case this is noise) or point at real infrastructure.

Files:
io/grpc/okhttp/OkHttpClientTransport.java, line(s) 220
io/grpc/okhttp/OkHttpServerTransport.java, line(s) 602,617,623,708

Medium-severity vulnerability: Insecure WebView implementation; may allow arbitrary code execution through the WebView

The hit is in the Cashfree payment SDK's BaseCFWebView. This rule usually fires when JavaScript is enabled together with a JavaScript-to-Java bridge (addJavascriptInterface); review which methods the bridge exposes and which origins the WebView is allowed to load, since the payment page runs inside it.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5

Files:
com/cashfree/pg/core/api/ui/BaseCFWebView.java, line(s) 62,57

Medium-severity vulnerability: App contains privacy trackers

This app contains 4 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.

Medium-severity vulnerability: App may contain hard-coded secrets

The following candidate secrets were identified in the app; confirm that none of them is private. Most entries in this list are localized UI labels (the TYPE_PASSWORD_CREDENTIAL and TYPE_PUBLIC_KEY_CREDENTIAL strings are the words "Password" and "Passkey" in each supported language) and library author URLs. The google_api_key value is a Firebase API key, which identifies the project rather than authenticating a caller and is expected to ship in the APK, though it should be restricted in the Google Cloud console. The base64Key value begins with the DER SubjectPublicKeyInfo header of a 2048-bit RSA key (MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...), so it is a public key, not a secret. The final bare base64 string decodes to the regular expression is\s(\d{6,8})|(\d{6,8})\sis|is\s(\d{4}), an OTP-matching pattern, not a credential.
AdMob app ID => "com.google.android.gms.ads.APPLICATION_ID" : "@7F120030"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"base64Key" : "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAo4ecYPqNMqJAoVnJ/wyyFhCr+PCrkc1/sSNw0wxgwK/oAEG7jla1byRpwq6hOV8xi4qn6j3l3YjmkgIDpdUMXaYP/Ca/jNO0sJaOzQYWsQ3OMK2svjlXLFThlYtKyGWwcpqkfnmtY7XpZ7VX83oEwHY7wISJpuPmJ56kauKRnKCvxKlp1dqQSBYHEBjtjkW+uwOEbVacNquc6XX0aOwTKGXdxnateFuzQ8n6wsZ8ChkNEJGCHfBSR0LXzCKxZZIffkxFJBSJhqUgHU4W3SBUTrIildBjURyB6aFhaJWvpLYQ7aOIy3iMdnWGPnl3ys+FuSrCXhVSIWOOd+3/Te7vDQIDAQAB"
"firebase_database_url" : "https://mantra-counter-2b210.firebaseio.com"
"google_api_key" : "AIzaSyABFv6KqWJIAwvUkJRX7UvuGlBSk4PxM6Y"
"google_app_id" : "1:485600442373:android:50f8c17703d9a8279c046c"
"google_crash_reporting_api_key" : "AIzaSyABFv6KqWJIAwvUkJRX7UvuGlBSk4PxM6Y"
"library_roundedimageview_authorWebsite" : "https://github.com/vinc3m1"
"library_zxingandroidembedded_author" : "JourneyApps"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Contrasenya"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Adgangskode"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Passord"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Passwort"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Wagwoord"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Wagwoordsleutel"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Salasana"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Avainkoodi"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Heslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Contrasinal"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Wachtwoord"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Toegangssleutel"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Klucz"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Geslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Sandi"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Zaporka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Lozinka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Lozinka"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Heslo"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parool"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Pasahitza"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Sarbide-gakoa"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Iphasiwedi"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parole"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Nyckel"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Nenosiri"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parol"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Parol"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Kod"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Senha"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Palavra-passe"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Senha"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
"android.credentials.TYPE_PASSWORD_CREDENTIAL" : "Password"
"androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL" : "Passkey"
aXNccyhcZHs2LDh9KXwoXGR7Niw4fSlcc2lzfGlzXHMoXGR7NH0p
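
Most of this list can be triaged mechanically before anyone reads it by hand. The added example below (not the scanner's code) labels candidate values: localized label keys, resource references and URLs are dismissed by shape; AIza... strings are recognised as Google API keys; base64 values are decoded, and DER blobs carrying the rsaEncryption OID are split into public keys (SubjectPublicKeyInfo, not a secret) and PKCS#8 private keys (a real secret). The RSA header and the regex string are the standard 2048-bit SPKI prefix and the last entry in the list above; the API key and the PKCS#8 header are constructed for the example.

```python
import base64
import binascii
import re
import string

GOOGLE_API_KEY = re.compile(r"^AIza[0-9A-Za-z_-]{35}$")
RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # rsaEncryption
PLAIN_LABEL_KEYS = {
    "android.credentials.TYPE_PASSWORD_CREDENTIAL",
    "androidx.credentials.TYPE_PUBLIC_KEY_CREDENTIAL",
}

def try_base64(value):
    """Decoded bytes if value is well-formed standard base64 of useful length, else None."""
    if len(value) < 16 or len(value) % 4 != 0 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_der(blob):
    """Tell an RSA SubjectPublicKeyInfo from a PKCS#8 RSA private key. Both
    carry the rsaEncryption OID near the start; PKCS#8 opens with a version
    INTEGER (02 01 00) where SPKI opens with the AlgorithmIdentifier SEQUENCE."""
    if RSA_OID not in blob[:32]:
        return "der-blob"
    body = blob[4:]                 # skip SEQUENCE tag + two-byte length (30 82 xx xx)
    if body.startswith(b"\x02\x01\x00\x30"):
        return "rsa-private-key"    # a real secret: rotate it
    if body.startswith(b"\x30"):
        return "rsa-public-key"     # public material, not a secret
    return "der-blob"

def classify(key, value):
    """Label one (resource name, value) pair from a hard-coded-secrets list."""
    if key in PLAIN_LABEL_KEYS:
        return "ui-label"           # localized "Password"/"Passkey" strings
    if value.startswith("@"):
        return "resource-ref"       # @7F120030-style reference into resources.arsc
    if value.startswith(("http://", "https://")):
        return "url"
    if GOOGLE_API_KEY.match(value):
        return "google-api-key"     # identifies a project; restrict it, it is not a credential
    decoded = try_base64(value)
    if decoded is None:
        return "review"             # nothing mechanical applies; a human looks at it
    if decoded.startswith(b"\x30\x82"):
        return classify_der(decoded)
    if all(chr(b) in string.printable for b in decoded):
        return "base64-text:" + decoded.decode("ascii")
    return "base64-binary"

# Sample values: the SPKI header and the regex string are reproduced from the
# list above; the PKCS#8 header and the API key are constructed.
SPKI_HEADER = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
PKCS8_HEADER = base64.b64encode(
    b"\x30\x82\x04\xbe\x02\x01\x00\x30\x0d" + RSA_OID + b"\x05\x00\x04\x82\x04\xa8").decode()
OTP_REGEX_B64 = "aXNccyhcZHs2LDh9KXwoXGR7Niw4fSlcc2lzfGlzXHMoXGR7NH0p"
FAKE_API_KEY = "AIzaSyD" + "0" * 32

SAMPLE_ENTRIES = [
    ("com.google.android.gms.ads.APPLICATION_ID", "@7F120030"),
    ("android.credentials.TYPE_PASSWORD_CREDENTIAL", "Passwort"),
    ("base64Key", SPKI_HEADER),
    ("leaked_key", PKCS8_HEADER),
    ("firebase_database_url", "https://example.invalid/"),
    ("google_api_key", FAKE_API_KEY),
    ("", OTP_REGEX_B64),
]

def triage(entries):
    """(key, value prefix, label) for every entry, for a quick summary table."""
    return [(key, value[:24], classify(key, value)) for key, value in entries]

if __name__ == "__main__":
    for key, head, label in triage(SAMPLE_ENTRIES):
        print("%-48s %-26s %s" % (key or "(bare value)", head, label))
```

Only "review" and "rsa-private-key" results need a person: the first because the heuristics said nothing, the second because a private key in an APK is compromised the moment the APK is published.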

Informational notice: App writes log messages; sensitive information must not be logged

Most of the files below are bundled libraries (Cashfree, ZXing, uCrop, PhotoView, ShowcaseView). The app's own logging calls to review are the ones under com/sweetedge/mantracounter, push_notif, save_data and sweetedge; in particular, confirm that Authentication/UserWebService.java, cashfree/MakePurchase.java and push_notif/TokenClass.java do not log credentials, payment details or push tokens.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs

Files:
com/cashfree/pg/base/logger/CFLoggerService.java, line(s) 56,35,49,63,42
com/cashfree/pg/core/hidden/nfc/NfcCardReader.java, line(s) 25,67
com/cashfree/pg/core/hidden/nfc/parser/EmvParser.java, line(s) 296
com/cashfree/pg/core/hidden/nfc/utils/EnumUtils.java, line(s) 15
com/cashfree/pg/image_caching/cache/DiskLruCache.java, line(s) 108
com/cashfree/pg/ui/hidden/nfc/NfcCardReader.java, line(s) 25,67
com/cashfree/pg/ui/hidden/nfc/parser/EmvParser.java, line(s) 296
com/cashfree/pg/ui/hidden/nfc/utils/EnumUtils.java, line(s) 15
com/github/amlcurran/showcaseview/ShowcaseAreaCalculator.java, line(s) 22
com/github/amlcurran/showcaseview/targets/ActionBarViewWrapper.java, line(s) 34,37,48,51,83
com/journeyapps/barcodescanner/CameraPreview.java, line(s) 654,681,149,250,351,774,512,754
com/journeyapps/barcodescanner/CaptureManager.java, line(s) 95,116,268
com/journeyapps/barcodescanner/DecoderThread.java, line(s) 119
com/journeyapps/barcodescanner/camera/AutoFocusManager.java, line(s) 69,93,110
com/journeyapps/barcodescanner/camera/CameraConfigurationUtils.java, line(s) 45,62,64,80,83,88,98,116,122,124,131,133,137,142,144,148,159,162,167,172,188,191,196,201,217,223,233,234,238,243,204
com/journeyapps/barcodescanner/camera/CameraInstance.java, line(s) 26,38,53,66,213,30,45,58,70
com/journeyapps/barcodescanner/camera/CameraManager.java, line(s) 54,71,345,356,179,209,248,175,181,262,270
com/journeyapps/barcodescanner/camera/CenterCropStrategy.java, line(s) 27
com/journeyapps/barcodescanner/camera/FitCenterStrategy.java, line(s) 27
com/journeyapps/barcodescanner/camera/LegacyPreviewScalingStrategy.java, line(s) 42,43,73
com/journeyapps/barcodescanner/camera/PreviewScalingStrategy.java, line(s) 22,23
com/makeramen/roundedimageview/RoundedDrawable.java, line(s) 117
com/makeramen/roundedimageview/RoundedImageView.java, line(s) 268,308
com/pairip/licensecheck/LicenseActivity.java, line(s) 93,71
com/pairip/licensecheck/LicenseClient.java, line(s) 78,91,122,139,169,197,188,113
com/soundcloud/android/crop/CropImageActivity.java, line(s) 136,142,359,368,391,400,441
com/soundcloud/android/crop/CropUtil.java, line(s) 52,66
com/soundcloud/android/crop/Log.java, line(s) 10,14
com/sweetedge/mantracounter/Authentication/UserWebService.java, line(s) 72
com/sweetedge/mantracounter/Database.java, line(s) 39,94
com/sweetedge/mantracounter/GetMusic.java, line(s) 93,105
com/sweetedge/mantracounter/IndianNumberFormatter.java, line(s) 25
com/sweetedge/mantracounter/MainActivity.java, line(s) 1419
com/sweetedge/mantracounter/MusicDatabase.java, line(s) 35
com/sweetedge/mantracounter/PAds.java, line(s) 67,72
com/sweetedge/mantracounter/cashfree/MakePurchase.java, line(s) 44,80
com/sweetedge/mantracounter/group/GroupWebService.java, line(s) 89,122
com/sweetedge/mantracounter/group/MyGroup.java, line(s) 502
com/sweetedge/mantracounter/multimedia/GodImage.java, line(s) 162,178,242
com/sweetedge/mantracounter/multimedia/GodVideoDB.java, line(s) 36
com/yalantis/ucrop/UCropActivity.java, line(s) 152
com/yalantis/ucrop/task/BitmapCropTask.java, line(s) 150,117
com/yalantis/ucrop/task/BitmapLoadTask.java, line(s) 122,151,196,83,86,128,137,144
com/yalantis/ucrop/util/BitmapLoadUtils.java, line(s) 105,53,84
com/yalantis/ucrop/util/EglUtils.java, line(s) 23
com/yalantis/ucrop/util/FileUtils.java, line(s) 58
com/yalantis/ucrop/util/ImageHeaderParser.java, line(s) 54,61,72,80,112,122,134,148,162,168,172,177,183,187,290,53,60,71,79,111,121,133,147,161,167,171,176,182,186
com/yalantis/ucrop/view/TransformImageView.java, line(s) 214,231,123,78
io/grpc/okhttp/internal/Platform.java, line(s) 69
lecho/lib/hellocharts/formatter/ValueFormatterHelper.java, line(s) 69
push_notif/TokenClass.java, line(s) 48
save_data/iUtils.java, line(s) 32
sweetedge/default_package/PRateShareETC.java, line(s) 31
sweetedge/extra/PLog.java, line(s) 9
uk/co/senab/photoview/PhotoViewAttacher.java, line(s) 56
uk/co/senab/photoview/log/LoggerDefault.java, line(s) 18,23,48,53,28,33,8,13,38,43

Informational notice: App communicates with a Firebase database

The app communicates with the Firebase database at https://mantra-counter-2b210.firebaseio.com. The URL itself is not a vulnerability; verify that the database's security rules deny unauthenticated reads and writes.

Passed security check: App may have root detection

Root detection was found, but only in the bundled Cashfree payment SDK (com.cashfree.pg), so it is the SDK's check and not one the app's own code performs.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1

Files:
com/cashfree/pg/base/util/RootUtil.java, line(s) 31,15,19,19,19,19,19,19,9
com/cashfree/pg/cf_analytics/context/CFOSContext.java, line(s) 17

Passed security check: App uses SSL pinning to detect or prevent MITM attacks on its secure channels

Pinning was found in the Cashfree payment SDK's network layer and in gRPC's OkHttp transport and TLS trust manager, not in the app's own code; any other HTTP client the app's own code uses is not covered by this result.
https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4

Files:
com/cashfree/pg/network/POSTApiWithSSLPin.java, line(s) 37,36,34,34,59,59,60,60,63,78
io/grpc/okhttp/OkHttpChannelBuilder.java, line(s) 418,419,506,432,479,505,502,504,504
io/grpc/okhttp/OkHttpServerBuilder.java, line(s) 263,264,277
io/grpc/util/AdvancedTlsX509TrustManager.java, line(s) 110,109,100,108,108,126

Passed security check: Firebase Remote Config is disabled

The Firebase Remote Config endpoint ( https://firebaseremoteconfig.googleapis.com/v1/projects/485600442373/namespaces/firebase:fetch?key=AIzaSyABFv6KqWJIAwvUkJRX7UvuGlBSk4PxM6Y ) returned no template, so no configuration can be fetched from it with the embedded key. The response was:

{
    "state": "NO_TEMPLATE"
}

Overall security baseline summary

Mantra Counter v25.01

Android APK

Overall security score: 58

Medium risk