应用安全检测报告
应用安全检测报告,支持文件搜索、内容检索和AI代码分析
移动应用安全检测报告
Litron vpn v3.2.3
51
安全评分
安全基线评分
51/100
低风险
综合风险等级
风险等级评定
- A
- B
- C
- F
应用存在一定安全风险,建议优化
漏洞与安全项分布
2
高危
24
中危
1
信息
2
安全
隐私风险评估
3
第三方跟踪器
中等隐私风险
检测到少量第三方跟踪器
检测结果分布
高危安全漏洞
2
中危安全漏洞
24
安全提示信息
1
已通过安全项
2
重点安全关注
0
高危安全漏洞 SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击
SSL的不安全实现。信任所有证书或接受自签名证书是一个关键的安全漏洞。此应用程序易受MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#android-network-apis Files: com/slipkprojects/ultrasshservice/tunnel/SSLProxy.java, line(s) 21,22,23,24,25,53,54,4 com/slipkprojects/ultrasshservice/tunnel/SSLTunnelProxy.java, line(s) 14,15,16,17,18,39,40,3
高危安全漏洞 已启用远程WebView调试
已启用远程WebView调试 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing Files: com/onesignal/inAppMessages/internal/display/impl/WebViewManager.java, line(s) 494,5
中危安全漏洞 应用已启用明文网络流量
[android:usesCleartextTraffic=true] 应用允许明文网络流量(如 HTTP、FTP 协议、DownloadManager、MediaPlayer 等)。API 级别 27 及以下默认启用,28 及以上默认禁用。明文流量缺乏机密性、完整性和真实性保护,攻击者可窃听或篡改传输数据。建议关闭明文流量,仅使用加密协议。
中危安全漏洞 应用数据允许备份
[android:allowBackup=true] 该标志允许通过 adb 工具备份应用数据。启用 USB 调试的用户可直接复制应用数据,存在数据泄露风险。
中危安全漏洞 Broadcast Receiver (com.slipkprojects.ultrasshservice.MainReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (com.slipkprojects.ultrasshservice.tunnel.vpn.TunnelVpnService) 受权限保护,但应检查权限保护级别。
Permission: android.permission.BIND_VPN_SERVICE [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.onesignal.notifications.receivers.FCMBroadcastReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Activity (com.onesignal.NotificationOpenedActivityHMS) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.onesignal.notifications.receivers.NotificationDismissReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.onesignal.notifications.receivers.BootUpReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Broadcast Receiver (com.onesignal.notifications.receivers.UpgradeReceiver) 未受保护。
[android:exported=true] 检测到 Broadcast Receiver 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Activity (com.onesignal.notifications.activities.NotificationOpenedActivity) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Activity (com.onesignal.notifications.activities.NotificationOpenedActivityAndroid22AndOlder) 未受保护。
[android:exported=true] 检测到 Activity 已导出,未受任何权限保护,任意应用均可访问。
中危安全漏洞 Service (androidx.work.impl.background.systemjob.SystemJobService) 受权限保护,但应检查权限保护级别。
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] 检测到 Service 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.work.impl.diagnostics.DiagnosticsReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) 受权限保护,但应检查权限保护级别。
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 Broadcast Receiver (androidx.profileinstaller.ProfileInstallReceiver) 受权限保护,但应检查权限保护级别。
Permission: android.permission.DUMP [android:exported=true] 检测到 Broadcast Receiver 已导出并受未在本应用定义的权限保护。请在权限定义处核查其保护级别。若为 normal 或 dangerous,恶意应用可申请并与组件交互;若为 signature,仅同证书签名应用可访问。
中危安全漏洞 高优先级 Intent(999) - {1} 个命中
[android:priority] 通过设置较高的 Intent 优先级,应用可覆盖其他请求,可能导致安全风险。
中危安全漏洞 应用程序使用不安全的随机数生成器
应用程序使用不安全的随机数生成器 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators Files: com/onesignal/common/AndroidUtils.java, line(s) 29 com/slipkprojects/ultrasshservice/tunnel/TunnelUtils.java, line(s) 19 com/slipkprojects/ultrasshservice/tunnel/vpn/Pinger.java, line(s) 10
中危安全漏洞 文件可能包含硬编码的敏感信息,如用户名、密码、密钥等
文件可能包含硬编码的敏感信息,如用户名、密码、密钥等 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10 Files: com/onesignal/core/internal/http/impl/OptionalHeaders.java, line(s) 122 com/onesignal/inAppMessages/internal/display/impl/WebViewManager.java, line(s) 69,72,75,54 com/onesignal/inAppMessages/internal/prompt/InAppMessagePromptTypes.java, line(s) 11,14 com/onesignal/inAppMessages/internal/prompt/impl/InAppMessagePrompt.java, line(s) 37 com/onesignal/notifications/bridges/OneSignalHmsEventBridge.java, line(s) 32,35 com/onesignal/notifications/internal/Notification.java, line(s) 610 com/onesignal/notifications/internal/bundle/impl/NotificationBundleProcessor.java, line(s) 32 com/onesignal/notifications/internal/common/NotificationConstants.java, line(s) 39,21,24,27,30,33 com/onesignal/notifications/internal/common/NotificationHelper.java, line(s) 35 com/onesignal/notifications/receivers/FCMBroadcastReceiver.java, line(s) 26 com/slipkprojects/ultrasshservice/tunnel/TunnelManagerThread.java, line(s) 46,45 com/slipkprojects/ultrasshservice/tunnel/vpn/TunnelConstants.java, line(s) 6
中危安全漏洞 应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据
应用程序可以读取/写入外部存储器,任何应用程序都可以读取写入外部存储器的数据 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage Files: bin/mt/signature/KillerApplication.java, line(s) 59
中危安全漏洞 IP地址泄露
IP地址泄露 Files: com/slipkprojects/ultrasshservice/tunnel/TunnelManagerThread.java, line(s) 650,305,650,650,650 com/slipkprojects/ultrasshservice/tunnel/vpn/Pinger.java, line(s) 42 com/slipkprojects/ultrasshservice/tunnel/vpn/Tunnel.java, line(s) 23,176,178,177,183,184,185,263,25,125 com/slipkprojects/ultrasshservice/tunnel/vpn/TunnelConstants.java, line(s) 15,7,7 com/slipkprojects/ultrasshservice/tunnel/vpn/VpnUtils.java, line(s) 218,218,218,145,221,221,221,219,219,219,220,220,220,27,28 com/slipkprojects/ultrasshservice/v2/V2Service.java, line(s) 114,115,79,113,79,116 com/trilead/ssh2/LocalStreamForwarder.java, line(s) 20 com/trilead/ssh2/channel/DynamicAcceptThread.java, line(s) 62 com/trilead/ssh2/signature/ECDSAKeyAlgorithm.java, line(s) 53,74,95 net/i2p/crypto/eddsa/EdDSASecurityProvider.java, line(s) 26,27,28,29,30,31 net/sourceforge/jsocks/Socks5Message.java, line(s) 46 net/sourceforge/jsocks/server/ServerAuthenticatorNone.java, line(s) 13
中危安全漏洞 应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库
应用程序使用SQLite数据库并执行原始SQL查询。原始SQL查询中不受信任的用户输入可能会导致SQL注入。敏感信息也应加密并写入数据库 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2 Files: com/onesignal/core/internal/database/impl/OSDatabase.java, line(s) 7,8,9,10,11,339 com/onesignal/session/internal/outcomes/impl/OutcomeTableProvider.java, line(s) 4,5,16,17,18,23,24,28,35,36,37,38,39,40,41,45,54,55,56,57,62,66,73,74,78
中危安全漏洞 SHA-1是已知存在哈希冲突的弱哈希
SHA-1是已知存在哈希冲突的弱哈希 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4 Files: com/trilead/ssh2/RandomFactory.java, line(s) 12
中危安全漏洞 应用程序包含隐私跟踪程序
此应用程序有多个3隐私跟踪程序。跟踪器可以跟踪设备或用户,是终端用户的隐私问题。
中危安全漏洞 此应用可能包含硬编码机密信息
从应用程序中识别出以下机密确保这些不是机密或私人信息 AdMob广告平台的=> "com.google.android.gms.ads.APPLICATION_ID" : "ca-app-pub-3908873668748271~9107735887" "com.google.firebase.crashlytics.mapping_file_id" : "f3fd36a44f0a4ac2914883c01225dc32" "proxy_user" : "Username" "state_auth" : "Authenticating" "proxy_pass" : "Password" "google_api_key" : "AIzaSyAA93i18dYFLjtiyepO0XnLGvoUO-PPmsg" "password" : "Password" "state_auth_success" : "Authenticated" "google_app_id" : "1:720872435256:android:d7cffc8645c79449fd80cd" "google_crash_reporting_api_key" : "AIzaSyAA93i18dYFLjtiyepO0XnLGvoUO-PPmsg" "auth_username" : "Username" njzIdVb8jCdBg5tgIoRprz57tavuxydFko8Aagep+zjaWq5+asrhszVIOvewjBRIOYXdBUShNYpEj nMyFjVhMcSx0PqfPgMn2vVLuJE1774432RQaV+HcleVY5BT6fkPqo3NNsXJqMoh7C9+Y4FuY= nd6PvtUuSXW+tQLeACkfdZkUgYfVeEEYIxRKS6MzXFXfIXTHAVEgkCx3wpk87j+IOJ6pcwu+Vf6eQ AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7 a3785913ca4deb75abd841414d0a700098e879777940c78c73fe6f2bee6c0352 nKz6rjcL89GCvBECJ1dj37XqNklIpJTbVbUOKEa2YIB2vsMbHlYQhp+nosY0lKWwKaX2ZYTP5X9ZD 00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66 c682b8144a8dd52bc1ad63 nCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2dsZSBJbmMu nR19KpU5u9RIj7To+nAikf57oQrctXjtypH3mTtV5I4s5N0rzKfQbNAeknohLtHyfEzB7nrD8dumD nEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDAg B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF nMRAwDgYDVQQLEwdBbmRyb2lkMRAwDgYDVQQDEwdBbmRyb2lkMIICIjANBgkqhkiG9w0BAQEFAAOC 011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650 ntW0KhIbTjpSNV2/8c83Km+Zbsing8oIYB8xD9fU7G7zuM0+jeEO2rYrSoYF6C6EKcGmtDnYxyYP3 nLRdf6INv0P0lus6RVrhuDLi/6VBQX472S73GszPUsa5r6lKQJZamaUlvrG3kILh194jgx+902AAS 3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F nBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw 6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296 b0a00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b nza9Uk2QFK0yPtolj1YEQt+JPlhKvbkkShpwa+AJOv/aRBdrDt+i23qH9s9u+X+OIsNarqbU6r9ss nR+emJRpA2LBFbl0CAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEALHWA 4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5 FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551 179769313486231590770839156793787453197860296048756011706444423684197180216158519368947833795864925541502180565485980503646440548199239100050792877003355816639229553136239076508735759914822574862575007425302077447712589550957937778424442426617334727629299387668709205606050270810842907692932019128194467627007 nDWPfmRZswjaI4g8uD9lcfKUvZ/hLjjvSsyXINXI3cmdCHfG35pOycsgpJKgNd0s3e9BlTwAyhLGK nFw0yNDAzMjkwMDQxMDdaGA8yMDU0MDMyOTAwNDEwN1owdDELMAkGA1UEBhMCVVMxEzARBgNVBAgT n3XlyemQP7qBJA57tAlplmQl+4YEy8H2MvzfmZ8+M0m4FT4SWxgsml6tEpBL+/PEeUvFz1T6c+Oj2 nNqvrLbzus70jqsdf08EzJ7uPRqH/+f3TBy5W+6Bv9HpqpcGX9ACsmQpAsd+QUf1NHDN+UiSnXvCn MIIFiTCCA3GgAwIBAgIVAJjeSkUPkt8vhMVGVq+ORRqAscA+MA0GCSqGSIb3DQEBCwUAMHQxCzAJ 5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b 0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00
安全提示信息 应用程序记录日志信息,不得记录敏感信息
应用程序记录日志信息,不得记录敏感信息 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs Files: bin/mt/signature/KillerApplication.java, line(s) 98,108,143 com/onesignal/debug/internal/logging/Logging.java, line(s) 216,226,255,219,213,222 com/onesignal/notifications/internal/badges/impl/shortcutbadger/ShortcutBadger.java, line(s) 65,88,98,62,87,156,160,166 com/slipkprojects/sockshttp/MyApplication.java, line(s) 115 com/slipkprojects/ultrasshservice/SocksHttpService.java, line(s) 384,402,362,374,389 com/slipkprojects/ultrasshservice/raphaeludp/UDPTunnel.java, line(s) 55 com/slipkprojects/ultrasshservice/tunnel/TLSSocketFactory.java, line(s) 68 com/slipkprojects/ultrasshservice/tunnel/TunnelManagerThread.java, line(s) 349,619,652,749,331,333 com/slipkprojects/ultrasshservice/tunnel/vpn/Pdnsd.java, line(s) 49 com/slipkprojects/ultrasshservice/tunnel/vpn/TunnelVpnManager.java, line(s) 41,142,149,154,159,167,171,49,58,61,69,72,140,188 com/slipkprojects/ultrasshservice/tunnel/vpn/TunnelVpnService.java, line(s) 56,62,76 com/trilead/ssh2/Connection.java, line(s) 592 org/lsposed/hiddenapibypass/HiddenApiBypass.java, line(s) 74,313
已通过安全项 此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击
此应用程序使用SSL Pinning 来检测或防止安全通信通道中的MITM攻击 https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4 Files: com/slipkprojects/ultrasshservice/tunnel/TLSSocketFactory.java, line(s) 75,59,73,75,71,72,72
已通过安全项 Firebase远程配置已禁用
Firebase远程配置URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/720872435256/namespaces/firebase:fetch?key=AIzaSyAA93i18dYFLjtiyepO0XnLGvoUO-PPmsg ) 已禁用。响应内容如下所示:
{
"state": "NO_TEMPLATE"
}
综合安全基线评分总结
Litron vpn v3.2.3
Android APK
51
综合安全评分
中风险