Application Security Scan Report
Mobile Application Security Scan Report

bbinstant v6.24.0
Security score (security baseline score): 45/100
Overall risk level: Medium risk (rating scale: A, B, C, F)
The application has some security risks; remediation is recommended.
Vulnerability and security item distribution: 6 high-risk, 26 medium-risk, 5 informational, 2 secure
Privacy risk assessment: 4 third-party trackers, medium privacy risk (a small number of third-party trackers detected)
Result distribution: high-risk vulnerabilities 6; medium-risk vulnerabilities 26; security notes 5; passed security items 2; key security concerns 0
High-risk vulnerability: Insecure WebView implementation. The WebView ignores SSL certificate errors and accepts any SSL certificate. This application is vulnerable to MITM attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#webview-server-certificate-verification
Files: com/bigbasket/bbinstant/ui/help/DeleteAccountActivity.java, line(s) 40,71; com/bigbasket/bbinstant/ui/invoice/BannerClickWebView.java, line(s) 25,41
High-risk vulnerability: Debug configuration is enabled. Production builds must not be debuggable.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files: com/adjetter/kapchatsdk/BuildConfig.java, line(s) 3,8
High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: in/juspay/hypersdk/core/DynamicUI.java, line(s) 175,376,10; in/juspay/hypersdk/safe/JuspayWebView.java, line(s) 60,9,10
High-risk vulnerability: The application uses the CBC encryption mode with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: f/b.java, line(s) 60,92
High-risk vulnerability: The file is world writable. Any application can write to the file.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#testing-local-storage-for-sensitive-data-mstg-storage-1-and-mstg-storage-2
Files: com/adjetter/kapchatsdk/KapchatOfflineMessage.java, line(s) 73,85,86,88,96; in/juspay/hypersdk/core/AndroidInterface.java, line(s) 676; in/juspay/hypersdk/data/KeyValueStore.java, line(s) 13
High-risk vulnerability: The application uses ECB mode in its encryption algorithm. ECB is a known weak mode because it produces the same ciphertext for identical plaintext blocks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-block-cipher-mode
Files: com/adjetter/kapchatsdk/KapchatHelper.java, line(s) 101,113; com/bigbasket/bbinstant/core/utils/f.java, line(s) 176,206
Medium-risk vulnerability: Activity (com.bigbasket.bbinstant.ui.login.LoginActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Activity (com.bigbasket.bbinstant.ui.BBInstantActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Activity (in.juspay.hypersdk.core.CustomtabResult) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Service (com.moengage.firebase.MoEFireBaseMessagingService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Activity (com.amazon.identity.auth.device.workflow.WorkflowActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Activity (com.amazon.android.apay.commonlibrary.browsinglib.activity.RedirectUriReceiverActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Service (androidx.work.impl.background.systemjob.SystemJobService) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$BootstrapActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Activity (androidx.test.core.app.InstrumentationActivityInvoker$EmptyFloatingActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission; any application can access it.
Medium-risk vulnerability: Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.DUMP [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request it and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/adjetter/kapchatsdk/database/KapchatDatabaseHelper.java, line(s) 7,8,9,198; com/adjetter/kapchatsdk/helper/KapchatReadOfflineMessage.java, line(s) 5,44; com/amazonaws/mobileconnectors/remoteconfiguration/internal/ConfigurationDb.java, line(s) 6,7,59,92,101,102,103,104,105,106; com/amazonaws/mobileconnectors/s3/transferutility/TransferTable.java, line(s) 3,52,53,54,55,56,60,64,68,72; com/moengage/core/internal/storage/database/a.java, line(s) 5,6,116; com/moengage/core/internal/storage/database/b.java, line(s) 6,114; com/moengage/core/internal/storage/database/w.java, line(s) 6,7,184,185,226,227,141,203; com/snowplowanalytics/snowplow/tracker/storage/b.java, line(s) 4,5,36,42; f/h.java, line(s) 4,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,38,39,40,41,42,43,46,49; f/i.java, line(s) 5,15,16,17
Medium-risk vulnerability: The application can read/write external storage. Any application can read data written to external storage.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/adjetter/kapchatsdk/KapchatListAdapter.java, line(s) 277,278,280,292,293,295,330,333,334,336,338; com/adjetter/kapchatsdk/KapchatReadMessages.java, line(s) 58,59; com/adjetter/kapchatsdk/activity/KapChatWebView.java, line(s) 91,183,298; com/adjetter/kapchatsdk/activity/KapchatAttachmentActivity.java, line(s) 218; com/adjetter/kapchatsdk/activity/KapchatScreenActivity.java, line(s) 460,896,905,952,1035,1750; com/adjetter/kapchatsdk/customattachments/KapchatAttachmentFolderViewActivity.java, line(s) 69; com/adjetter/kapchatsdk/helper/KapchatReadOfflineMessage.java, line(s) 70,71; com/adjetter/kapchatsdk/service/Kapchatdownloadservice.java, line(s) 113,172,180
Medium-risk vulnerability: The application uses an insecure random number generator.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/adjetter/kapchatsdk/KapchatHelper.java, line(s) 44; com/adjetter/kapchatsdk/KapchatService.java, line(s) 26; com/adjetter/kapchatsdk/KapchatUploadService.java, line(s) 31; com/adjetter/kapchatsdk/activity/KapchatScreenActivity.java, line(s) 92; com/amazonaws/retry/PredefinedRetryPolicies.java, line(s) 9; com/simpl/android/fingerprint/a/a.java, line(s) 3; com/simpl/android/fingerprint/commons/exception/SimplAirbrakeNotifier.java, line(s) 20; de/measite/minidns/a.java, line(s) 16; de/measite/minidns/iterative/IterativeDNSClient.java, line(s) 24; de/measite/minidns/util/CollectionsUtil.java, line(s) 4; org/jivesoftware/smack/ReconnectionManager.java, line(s) 5; org/jivesoftware/smack/util/StringUtils.java, line(s) 7; org/jivesoftware/smackx/bytestreams/ibb/InBandBytestreamManager.java, line(s) 8; org/jivesoftware/smackx/bytestreams/socks5/Socks5BytestreamManager.java, line(s) 12; org/jivesoftware/smackx/filetransfer/FileTransferNegotiator.java, line(s) 10; org/junit/runner/manipulation/Ordering.java, line(s) 7
Medium-risk vulnerability: SHA-1 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/adjetter/kapchatsdk/KapchatHelper.java, line(s) 209; com/amazon/android/apay/commonlibrary/instrumentationlib/encryptor/a.java, line(s) 74; com/moengage/core/internal/utils/MoEUtils.java, line(s) 150; de/measite/minidns/a.java, line(s) 59; org/jivesoftware/smack/util/MAC.java, line(s) 14; org/jivesoftware/smack/util/SHA1.java, line(s) 11; org/jivesoftware/smackx/caps/EntityCapsManager.java, line(s) 120; org/jivesoftware/smackx/vcardtemp/packet/VCard.java, line(s) 206
Medium-risk vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: com/bigbasket/bbinstant/core/payments/activity/SimplWebViewActivity.java, line(s) 141,123; com/bigbasket/bbinstant/ui/offers/FragmentOffers.java, line(s) 66,63; com/paytm/pgsdk/PaytmWebView.java, line(s) 196,194; com/simpl/android/zeroClickSdk/internal/SimplZeroClickWebViewFragment.java, line(s) 609,606; in/juspay/hypersdk/core/DynamicUI.java, line(s) 106,129,205,104; in/juspay/hypersdk/safe/Godel.java, line(s) 332,582,576
Medium-risk vulnerability: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView may leak sensitive information from the file system.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files: com/adjetter/kapchatsdk/activity/KapChatWebView.java, line(s) 231,228; in/juspay/hypersdk/safe/Godel.java, line(s) 589,576
Medium-risk vulnerability: The file may contain hard-coded sensitive information such as usernames, passwords, or keys.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: ch/qos/logback/classic/ClassicConstants.java, line(s) 17,20,22; ch/qos/logback/classic/gaffer/c.java, line(s) 38; ch/qos/logback/classic/joran/action/ConfigurationAction.java, line(s) 21; ch/qos/logback/classic/sift/ContextBasedDiscriminator.java, line(s) 7; ch/qos/logback/classic/sift/JNDIBasedContextDiscriminator.java, line(s) 9; ch/qos/logback/core/CoreConstants.java, line(s) 12,31,65,21; ch/qos/logback/core/rolling/helper/DateTokenConverter.java, line(s) 10; ch/qos/logback/core/rolling/helper/IntegerTokenConverter.java, line(s) 7; com/adjetter/kapchatsdk/KapchatHelper.java, line(s) 72,313; com/amazonaws/auth/CognitoCachingCredentialsProvider.java, line(s) 17,18,19,20,21; com/amazonaws/auth/policy/conditions/ConditionFactory.java, line(s) 8,9,10,11,12,13,14; com/amazonaws/auth/policy/conditions/S3ConditionFactory.java, line(s) 10,11,12,14,15,8,9,13; com/amazonaws/mobileconnectors/remoteconfiguration/internal/AttributesImpl.java, line(s) 94; com/amazonaws/mobileconnectors/s3/transferutility/TransferTable.java, line(s) 30,36; com/amazonaws/services/s3/Headers.java, line(s) 23,28,65; com/amazonaws/services/s3/model/S3ObjectSummary.java, line(s) 72; com/bigbasket/bbinstant/AppMigrator.java, line(s) 23; com/bigbasket/bbinstant/BuildConfig.java, line(s) 9; com/bigbasket/bbinstant/core/Constants.java, line(s) 10; com/bigbasket/bbinstant/core/io/wifi/n.java, line(s) 146,155; com/bigbasket/bbinstant/core/persistance/a.java, line(s) 4; com/bigbasket/bbinstant/ui/login/v.java, line(s) 291; com/moengage/core/config/h.java, line(s) 49; com/moengage/core/config/k.java, line(s) 49; com/moengage/core/internal/rest/d.java, line(s) 145; com/moengage/core/internal/storage/database/contract/h.java, line(s) 11; org/jivesoftware/smackx/muc/MucConfigFormManager.java, line(s) 19
Medium-risk vulnerability: MD5 is a weak hash known to have hash collisions.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/amazonaws/services/s3/AmazonS3Client.java, line(s) 2170; com/amazonaws/services/s3/internal/MD5DigestCalculatingInputStream.java, line(s) 28; com/amazonaws/util/Md5Utils.java, line(s) 20,63; com/moengage/core/internal/utils/d.java, line(s) 475; f/b.java, line(s) 107,115; in/juspay/hypersdk/security/EncryptionHelper.java, line(s) 123,201; org/jivesoftware/smack/util/MD5.java, line(s) 11
Medium-risk vulnerability: IP address disclosure.
Files: com/bigbasket/bbinstant/core/machine/impl/transactor/h.java, line(s) 12,38; com/bigbasket/bbinstant/core/utils/NetworkUtils.java, line(s) 18,51; de/measite/minidns/DNSClient.java, line(s) 73; org/jivesoftware/smackx/bytestreams/socks5/Socks5BytestreamManager.java, line(s) 162
Medium-risk vulnerability: The application creates temporary files. Sensitive information should never be written to temporary files.
Files: com/journeyapps/barcodescanner/j.java, line(s) 120; org/junit/rules/TemporaryFolder.java, line(s) 70,196
Medium-risk vulnerability: Firebase Remote Config is enabled.
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/107639205075/namespaces/firebase:fetch?key=AIzaSyB37oVE4etgDV38pu_GU2DIqzXDUy_rJzg ) is enabled. Ensure these configurations do not contain sensitive information. The response content is shown below; the PEM-encoded certificate and private key values returned in it are omitted here:
{ "entries": { "bbinstant_cer": "[PEM certificate omitted]", "bbinstant_private_key": "[PEM private key omitted]", "root_detetction_key": "22097eed8863e4cdaaa881263ce048a4" }, "state": "UPDATE", "templateVersion": "7" }
Medium-risk vulnerability: The application contains privacy trackers.
This application has 4 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
Medium-risk vulnerability: This application may contain hard-coded secrets.
The following secrets were identified in the application; make sure these are not secrets or private information:
"com.google.firebase.crashlytics.mapping_file_id" : "f797b19961954cef8c3316b7e8d9b8dc"
"firebase_database_url" : "https://bbinstant-3d40b.firebaseio.com"
"google_api_key" : "AIzaSyB37oVE4etgDV38pu_GU2DIqzXDUy_rJzg"
"google_app_id" : "1:107639205075:android:03390ffdb271f25ff6f826"
"google_crash_reporting_api_key" : "AIzaSyB37oVE4etgDV38pu_GU2DIqzXDUy_rJzg"
"kapchat_encription_key" : "Dlj16uso0U9OfX5S"
"kapchat_support_key" : "95bbfa381c541117d41252aad76b9b8f799b94025197660011"
"library_zxingandroidembedded_author" : "JourneyApps"
"library_zxingandroidembedded_authorWebsite" : "https://journeyapps.com/"
"long_live_token" : "YXU2ZjBmMGhtb2czbWJnMWlxdHVlemxrOGxtMnc2OHA6TkE6MTUyMjY2NTAyNzc5MjozNjcwMTQ4Njc0NzkyOmRlZmF1bHQ6QkI6OlF2REg1QS8xVm5UUjRveEcwWEZhN2JveWpTeXdmR1FUUUIxODNuVkp6eFBjYjlzQVdRTDNreDlCdDVPd2VOeDc5YWRacG5hL1UyWXhlZjh2TG1Cc3VtQUE0dm1yR2NsOFFJS1FDa1hPMzVQUlp3cDJCNXcxSCs1UE5zL29DczBZelpxZzBSd3FDNFVDOHJyellUK0g3ZHh1TzkwV2czVXljbkJlSytGaFZpQT0="
Security note: The application logs information. Sensitive information must not be logged.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files: ch/qos/logback/classic/pattern/b.java, line(s) 26,29,31,34; ch/qos/logback/classic/spi/PackagingDataCalculator.java, line(s) 20; ch/qos/logback/classic/spi/j.java, line(s) 79; ch/qos/logback/core/joran/util/a.java, line(s) 29; ch/qos/logback/core/net/d.java, line(s) 23; ch/qos/logback/core/recovery/ResilientOutputStreamBase.java, line(s) 43; ch/qos/logback/core/spi/ContextAwareBase.java, line(s) 37; ch/qos/logback/core/spi/d.java, line(s) 37; com/adjetter/kapchatsdk/KapchatListAdapter.java, line(s) 279,282,286,289,294,297,303; com/adjetter/kapchatsdk/KapchatOfflineMessage.java, line(s) 78; com/adjetter/kapchatsdk/KapchatService.java, line(s) 104; com/adjetter/kapchatsdk/KapchatUpdateMessageStatus.java, line(s) 41; com/adjetter/kapchatsdk/KapchatUploadService.java, line(s) 131; com/adjetter/kapchatsdk/NetworkconnectionChecker.java, line(s) 44; com/adjetter/kapchatsdk/activity/KapchatRegistrationActivity.java, line(s) 95; com/adjetter/kapchatsdk/activity/KapchatScreenActivity.java, line(s) 624,1081; com/amazon/android/apay/commonlibrary/commonlib/arcus/AppConfigWorker.java, line(s) 33; com/amazonaws/logging/AndroidLog.java, line(s) 27,32,37,42,47; com/amazonaws/mobileconnectors/remoteconfiguration/internal/AttributesImpl.java, line(s) 220; com/bigbasket/bbinstant/core/io/socket/command/parsers/Test.java, line(s) 10,12; com/bigbasket/bbinstant/ui/discoverability/i0.java, line(s) 109,151; com/paytm/pgsdk/PaytmPGService.java, line(s) 82,87; com/paytm/pgsdk/PaytmUtility.java, line(s) 18; junit/runner/BaseTestRunner.java, line(s) 221; junit/runner/a.java, line(s) 12; junit/textui/TestRunner.java, line(s) 27,60,91; org/jivesoftware/smack/debugger/ConsoleDebugger.java, line(s) 25
Security note: The application can write to the application directory. Sensitive information should be encrypted.
Files: com/amazon/android/apay/commonlibrary/commonlib/utils/c.java, line(s) 34,81,34,81; com/moengage/core/internal/storage/e.java, line(s) 257,280,257,280
Security note: This application listens for clipboard changes. Some malware also listens for clipboard changes.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: in/juspay/hypersdk/core/ClipboardListener.java, line(s) 14,5
Security note: This application copies data to the clipboard. Sensitive data should not be copied to the clipboard, since other applications can access it.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04b-Mobile-App-Security-Testing.md#clipboard
Files: com/moengage/core/internal/utils/d.java, line(s) 7,397,399
Security note: The application communicates with a Firebase database.
The application communicates with the Firebase database located at https://bbinstant-3d40b.firebaseio.com
Passed security item: This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: ch/qos/logback/core/net/ssl/SSLContextFactoryBean.java, line(s) 36,54,81,53,53,54,55; com/adjetter/kapchatsdk/helper/ApiClient.java, line(s) 26,26; com/bigbasket/bbinstant/core/cloud/Cloud.java, line(s) 131,134,128,77,156,162,166,170; com/snowplowanalytics/snowplow/tracker/emitter/h.java, line(s) 28,27,26,26; de/measite/minidns/dane/b.java, line(s) 24,23,22,22; in/juspay/hypersdk/security/HyperSSLSocketFactory.java, line(s) 66,65,67,64,64; org/jivesoftware/smack/util/TLSUtils.java, line(s) 54,60
Passed security item: This application may have root detection.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: in/juspay/hypersdk/data/SessionInfo.java, line(s) 108,112
Overall security baseline score summary

bbinstant v6.24.0
Android APK
Overall security score: 45
Medium risk