Mobile Application Security Scan Report

Hell Idlers 2 v1.323.
Security baseline score: 49/100
Overall risk level: Medium risk
Risk grade scale: A, B, C, F
The application has some security risks; optimization is recommended.
Distribution of vulnerabilities and security items
High risk: 3
Medium risk: 13
Info: 1
Secure: 2
Privacy risk assessment
Third-party trackers: 7
High privacy risk: a large number of third-party trackers were detected
Key security concerns: 0
High-risk vulnerability: If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be exposed to cross-site scripting attacks
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files:
- bolts/WebViewAppLinkResolver.java, line(s) 123,6,7
- com/unity3d/services/core/webview/WebViewApp.java, line(s) 303,305,10,377,406,412,418
High-risk vulnerability: Debug configuration is enabled. Production builds must not be debuggable
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04c-Tampering-and-Reverse-Engineering.md#debugging-and-tracing
Files:
- com/unity/purchasing/BuildConfig.java, line(s) 3,5
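High-risk vulnerability: The application contains privacy trackers
This application contains 7 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.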
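Medium-risk vulnerability: Content Provider (com.facebook.FacebookContentProvider) is not protected.
[android:exported=true] The Content Provider is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Activity (com.facebook.unity.FBUnityAppLinkActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Activity (com.facebook.unity.FBUnityDeepLinkingActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.
Medium-risk vulnerability: Activity (com.facebook.CustomTabActivity) is not protected.
[android:exported=true] The Activity is exported and not protected by any permission, so any application can access it.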
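Medium-risk vulnerability: Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.
Medium-risk vulnerability: Service (com.google.firebase.messaging.MessageForwardingService) is protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.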
Medium-risk vulnerability: The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files:
- com/unity/androidnotifications/UnityNotificationManager.java, line(s) 34
- com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 9
- com/yahoo/sketches/quantiles/ItemsSketch.java, line(s) 11
Medium-risk vulnerability: Insecure WebView implementation. A WebView arbitrary code execution vulnerability may exist
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files:
- bolts/WebViewAppLinkResolver.java, line(s) 113,88
- com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 90,74
- com/unity3d/services/core/webview/WebView.java, line(s) 74,47
Medium-risk vulnerability: A cross-origin vulnerability may exist. Enabling file access from URLs in a WebView may leak sensitive information from the file system
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-6
Files:
- com/unity3d/services/core/webview/WebView.java, line(s) 21,47
Medium-risk vulnerability: Files may contain hardcoded sensitive information such as usernames, passwords and keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files:
- bolts/MeasurementEvent.java, line(s) 19,20
- com/gameanalytics/sdk/Consts.java, line(s) 4,5,6,7,8
- com/gameanalytics/sdk/state/GAState.java, line(s) 238,248
- com/unity/androidnotifications/UnityNotificationManager.java, line(s) 58,60
- com/unity/androidnotifications/UnityNotificationUtilities.java, line(s) 29,28
- com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 13
- com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 7,8
- com/unity3d/services/core/device/reader/DeviceInfoReaderFilterProvider.java, line(s) 11,12
- com/unity3d/services/core/device/reader/JsonStorageKeyNames.java, line(s) 4,6,7,9,10,11,8,12,5,13,14,15
- com/unity3d/services/core/properties/SdkProperties.java, line(s) 25
Medium-risk vulnerability: The application can read/write external storage; any application can read data written to external storage
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files:
- com/gameanalytics/sdk/device/GADevice.java, line(s) 457
- com/unity3d/services/core/cache/CacheDirectory.java, line(s) 32
Medium-risk vulnerability: SHA-1 is a weak hash known to have hash collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files:
- com/unity3d/services/core/device/Device.java, line(s) 466
Medium-risk vulnerability: This application may contain hardcoded secrets
The following secrets were identified in the application. Make sure these are not secrets or private information.
Google_Drive_API_Key: AIzaSyBqd27uE3ygQxuZ2LIHhlXBWAtCX9qWJ4I
"google_api_key" : "AIzaSyBqd27uE3ygQxuZ2LIHhlXBWAtCX9qWJ4I"
"google_app_id" : "1:663753043623:android:f115c09b7fd637c1b9b582"
"google_crash_reporting_api_key" : "AIzaSyBqd27uE3ygQxuZ2LIHhlXBWAtCX9qWJ4I"
Informational: The application logs information; sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
Files:
- bitter/jnibridge/JNIBridge.java, line(s) 38
- bolts/MeasurementEvent.java, line(s) 61,73
- com/gameanalytics/sdk/errorreporter/GameAnalyticsExceptionReportService.java, line(s) 27
- com/gameanalytics/sdk/logging/GALogger.java, line(s) 95,89,100,93
- com/gameanalytics/sdk/validators/GAValidator.java, line(s) 333,341,349,357
- com/unity/androidnotifications/UnityNotificationBackgroundThread.java, line(s) 174
- com/unity/androidnotifications/UnityNotificationManager.java, line(s) 397,642,651,754,680
- com/unity/androidnotifications/UnityNotificationRestartReceiver.java, line(s) 20,53,59
- com/unity/androidnotifications/UnityNotificationUtilities.java, line(s) 77,93,96,144,169,172,225,228,334,340,376,378,392,399,431,435,444,461,463,395
- com/unity3d/ads/UnityAdsBaseOptions.java, line(s) 18
- com/unity3d/ads/metadata/InAppPurchaseMetaData.java, line(s) 62,77,81
- com/unity3d/ads/metadata/MetaData.java, line(s) 73,82
- com/unity3d/services/UnityServices.java, line(s) 27,64,71,76,87,92,105,114,97,99,109,40
- com/unity3d/services/ads/UnityAdsImplementation.java, line(s) 40,115
- com/unity3d/services/ads/adunit/AdUnitActivity.java, line(s) 412,414,52,115,137,159,182,220,333,378,438,187
- com/unity3d/services/ads/adunit/VideoPlayerHandler.java, line(s) 33,51
- com/unity3d/services/ads/api/AdUnit.java, line(s) 76,79,82,85,108,422,428,480,484,489,493,99,112,117,122,154,244,336,352,381,388
- com/unity3d/services/ads/api/VideoPlayer.java, line(s) 57,75,93,111,129,165
- com/unity3d/services/ads/api/WebPlayer.java, line(s) 133
- com/unity3d/services/ads/configuration/AdsModuleConfiguration.java, line(s) 48,59,67
- com/unity3d/services/ads/gmascar/adapters/ScarAdapterFactory.java, line(s) 27
- com/unity3d/services/ads/gmascar/bridges/AdapterStatusBridge.java, line(s) 26,35
- com/unity3d/services/ads/gmascar/bridges/InitializeListenerBridge.java, line(s) 26,49
- com/unity3d/services/ads/gmascar/bridges/MobileAdsBridge.java, line(s) 24
- com/unity3d/services/ads/gmascar/finder/GMAInitializer.java, line(s) 53
- com/unity3d/services/ads/gmascar/finder/ScarVersionFinder.java, line(s) 33
- com/unity3d/services/ads/token/AsyncTokenStorage.java, line(s) 161,191
- com/unity3d/services/ads/token/NativeTokenGenerator.java, line(s) 41
- com/unity3d/services/ads/video/VideoPlayerView.java, line(s) 46,78,93,136,142,196,207,234
- com/unity3d/services/ads/webplayer/WebPlayerView.java, line(s) 66,166,203,207,301,314,326,339,358,420
- com/unity3d/services/banners/BannerView.java, line(s) 110
- com/unity3d/services/banners/UnityBanners.java, line(s) 134
- com/unity3d/services/core/api/Cache.java, line(s) 104,118,44,123,133
- com/unity3d/services/core/api/DeviceInfo.java, line(s) 205,226,242,295,303,333,505
- com/unity3d/services/core/api/Intent.java, line(s) 90,108,132,168,182
- com/unity3d/services/core/api/Request.java, line(s) 33,45,63,75,92,104
- com/unity3d/services/core/api/Sdk.java, line(s) 16,42,87,99,69,81,75
- com/unity3d/services/core/broadcast/BroadcastEventReceiver.java, line(s) 37
- com/unity3d/services/core/cache/CacheDirectory.java, line(s) 43,47,54,92,96,102,105,114,116,36,57,119
- com/unity3d/services/core/cache/CacheThread.java, line(s) 30
- com/unity3d/services/core/cache/CacheThreadHandler.java, line(s) 44,86,89,92
- com/unity3d/services/core/configuration/ConfigurationReader.java, line(s) 40
- com/unity3d/services/core/configuration/ConfigurationRequestFactory.java, line(s) 47
- com/unity3d/services/core/configuration/EnvironmentCheck.java, line(s) 21,40,24,27,30,33,43
- com/unity3d/services/core/configuration/ExperimentObject.java, line(s) 28
- com/unity3d/services/core/configuration/ExperimentsReader.java, line(s) 33
- com/unity3d/services/core/configuration/InitializationNotificationCenter.java, line(s) 66
- com/unity3d/services/core/configuration/InitializeEventsMetricSender.java, line(s) 60,77,100,115,123
- com/unity3d/services/core/configuration/InitializeThread.java, line(s) 186,196,222,417,432,508,540,638,650,670,62,71,482,517,520,547,550,590,624,674,737,829,334,424,460,811
- com/unity3d/services/core/configuration/PrivacyConfigurationLoader.java, line(s) 29
- com/unity3d/services/core/connectivity/ConnectivityMonitor.java, line(s) 113,130,157,102,149
- com/unity3d/services/core/device/AdvertisingId.java, line(s) 177,49,59
- com/unity3d/services/core/device/Device.java, line(s) 313,318,328,337,366,382,391,468,575,585,598,121
- com/unity3d/services/core/device/OpenAdvertisingId.java, line(s) 168,57,64
- com/unity3d/services/core/device/Storage.java, line(s) 36,40,70
- com/unity3d/services/core/device/reader/DeviceInfoReaderCompressor.java, line(s) 40,44
- com/unity3d/services/core/device/reader/DeviceInfoReaderExtended.java, line(s) 45,61
- com/unity3d/services/core/log/DeviceLog.java, line(s) 187,227,234
- com/unity3d/services/core/misc/JsonFlattener.java, line(s) 39
- com/unity3d/services/core/misc/JsonStorage.java, line(s) 62,56,65,74,86,117,137,155,161
- com/unity3d/services/core/misc/JsonStorageAggregator.java, line(s) 24
- com/unity3d/services/core/misc/Utilities.java, line(s) 50,71
- com/unity3d/services/core/misc/ViewUtilities.java, line(s) 18,27
- com/unity3d/services/core/preferences/AndroidPreferences.java, line(s) 20,32,44,56,68
- com/unity3d/services/core/properties/ClientProperties.java, line(s) 68,87,99,101
- com/unity3d/services/core/properties/SdkProperties.java, line(s) 214,216,143
- com/unity3d/services/core/reflection/GenericBridge.java, line(s) 32,39,58,73,82,88,95,101
- com/unity3d/services/core/request/WebRequest.java, line(s) 263,153,162,169
- com/unity3d/services/core/request/WebRequestRunnable.java, line(s) 35,39,82
- com/unity3d/services/core/request/WebRequestThread.java, line(s) 46,157,171
- com/unity3d/services/core/request/metrics/MetricCommonTags.java, line(s) 126
- com/unity3d/services/core/request/metrics/MetricSender.java, line(s) 50,69,73,75,86,88,91
- com/unity3d/services/core/request/metrics/MetricSenderWithBatch.java, line(s) 40
- com/unity3d/services/core/request/metrics/SDKMetrics.java, line(s) 20,31,76,91,96
- com/unity3d/services/core/sensorinfo/SensorInfoListener.java, line(s) 53
- com/unity3d/services/core/timer/BaseTimer.java, line(s) 131
- com/unity3d/services/core/webview/WebView.java, line(s) 83,29,109,113
- com/unity3d/services/core/webview/WebViewApp.java, line(s) 123,142,163,192,408,413,449,155,185,228,273,294,301,309,340,390,421,424,427,442
- com/unity3d/services/core/webview/WebViewUrlBuilder.java, line(s) 34
- com/unity3d/services/core/webview/bridge/Invocation.java, line(s) 49
- com/unity3d/services/core/webview/bridge/NativeCallback.java, line(s) 40
- com/unity3d/services/core/webview/bridge/WebViewBridge.java, line(s) 99
- com/unity3d/services/core/webview/bridge/WebViewBridgeInterface.java, line(s) 11,27
- com/unity3d/services/core/webview/bridge/WebViewCallback.java, line(s) 56
- com/unity3d/services/store/core/StoreLifecycleListener.java, line(s) 55
- com/unity3d/services/store/gpbl/bridges/CommonJsonResponseBridge.java, line(s) 38
- com/unity3d/services/store/gpbl/bridges/PurchaseBridge.java, line(s) 37
- org/fmod/FMODAudioDevice.java, line(s) 68
- org/fmod/a.java, line(s) 76
Passed check: This application may have root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files:
- com/gameanalytics/sdk/GAPlatform.java, line(s) 354,334,342,338,342,342,342,342,71,328
Passed check: Firebase Remote Config is disabled
The Firebase Remote Config URL ( https://firebaseremoteconfig.googleapis.com/v1/projects/663753043623/namespaces/firebase:fetch?key=AIzaSyBqd27uE3ygQxuZ2LIHhlXBWAtCX9qWJ4I ) is disabled. The response content is shown below: { "state": "NO_TEMPLATE" }
Overall security baseline score summary

Hell Idlers 2 v1.323.
Android APK
Overall security score: 49
Medium risk