Mobile Application Security Scan Report

Loja LPF v1.0.4
Security score (security baseline): 46/100
Overall risk level: Medium risk
Risk grade scale: A / B / C / F
The application carries some security risk; remediation is recommended.
Distribution of findings
High-severity vulnerabilities: 5
Medium-severity vulnerabilities: 22
Security notices (informational): 1
Passed security checks: 2
Key security concerns: 0

Privacy risk assessment
Third-party trackers: 7
Privacy risk: High (a large number of third-party trackers detected)
[High] Janus vulnerability risk
Only the v1 signature scheme is used; devices running Android 5.0-8.0 are vulnerable to the Janus vulnerability. If v1 and v2/v3 signatures are both present, Android 5.0-7.0 devices are also at risk.

[High] Activity (com.mercadopago.InstructionsActivity) launch mode is not "standard"
When an Activity's launch mode is set to "singleTask" or "singleInstance", it can become the root Activity of a task, which allows other applications to read the contents of the calling Intent. Activities that handle sensitive information should use the "standard" launch mode.

[High] Activity (com.mercadopago.InstructionsActivity) is vulnerable to Android Task Hijacking / StrandHogg
When the launch mode is "singleTask", a malicious application can place itself on top of the task stack, hijacking the task (StrandHogg 1.0) and enabling phishing attacks. It is recommended to set the launch mode to "singleInstance" or set taskAffinity to empty (taskAffinity=""), or to raise the target SDK version (currently 27) to 28 or higher to obtain platform-level protection.

[High] Loading a web page into a WebView with WebView.loadDataWithBaseURL may expose the application to cross-site scripting
If an application uses the WebView.loadDataWithBaseURL method to load a web page into a WebView, the application may be vulnerable to cross-site scripting attacks.
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#static-analysis-7
Files: bolts/WebViewAppLinkResolver.java, line(s) 126,6,7; com/pushwoosh/inapp/WebActivity.java, line(s) 218,19,20

[High] The application contains privacy trackers
This application contains 7 privacy trackers. Trackers can track the device or the user and are a privacy concern for end users.
[Medium] Activity (br.com.mobfiq.base.SplashScreen) is not protected.
An intent-filter is present. The Activity is shared with other applications on the device and can therefore be accessed by any application. The presence of an intent-filter indicates that the Activity is explicitly exported, which poses a security risk.

[Medium] Broadcast Receiver (com.onesignal.GcmBroadcastReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Broadcast Receiver (com.google.android.gms.gcm.GcmReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Service (br.com.mobfiq.base.GeofenceService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission; any application can access it.

[Medium] Broadcast Receiver (com.onesignal.BootUpReceiver) is not protected.
An intent-filter is present. The Broadcast Receiver is shared with other applications on the device and can therefore be accessed by any application. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported, which poses a security risk.

[Medium] Broadcast Receiver (com.onesignal.UpgradeReceiver) is not protected.
An intent-filter is present. The Broadcast Receiver is shared with other applications on the device and can therefore be accessed by any application. The presence of an intent-filter indicates that the Broadcast Receiver is explicitly exported, which poses a security risk.

[Medium] Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true] The Service is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Broadcast Receiver (com.google.android.gms.measurement.AppMeasurementInstallReferrerReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.INSTALL_PACKAGES [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Service (com.google.firebase.messaging.FirebaseMessagingService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission; any application can access it.

[Medium] Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Service (com.google.firebase.iid.FirebaseInstanceIdService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission; any application can access it.

[Medium] Broadcast Receiver (com.pushwoosh.MessageAlertReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: com.amazon.device.messaging.permission.SEND [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Broadcast Receiver (com.pushwoosh.local.BootReceiver) is protected by a permission, but the permission's protection level should be checked.
Permission: android.permission.RECEIVE_BOOT_COMPLETED [android:exported=true] The Broadcast Receiver is exported and protected by a permission that is not defined in this application. Check the protection level where the permission is defined. If it is normal or dangerous, a malicious application can request the permission and interact with the component; if it is signature, only applications signed with the same certificate can access it.

[Medium] Service (com.pushwoosh.thirdparty.radiusnetworks.ibeacon.service.IBeaconService) is not protected.
[android:exported=true] The Service is exported and not protected by any permission; any application can access it.

[Medium] High-priority Intent (999) - {1} hit(s)
[android:priority] By setting a high Intent priority, an application can override other requests, which may pose a security risk.
[Medium] Insecure WebView implementation; possible WebView arbitrary code execution vulnerability
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05h-Testing-Platform-Interaction.md#testing-javascript-execution-in-webviews-mstg-platform-5
Files: bolts/WebViewAppLinkResolver.java, line(s) 116,91; com/pushwoosh/inapp/WebActivity.java, line(s) 134,137,123

[Medium] The application uses an insecure random number generator
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#weak-random-number-generators
Files: com/onesignal/GcmBroadcastReceiver.java, line(s) 15; com/onesignal/GenerateNotification.java, line(s) 33; com/onesignal/NotificationGenerationJob.java, line(s) 6; com/onesignal/OneSignalChromeTab.java, line(s) 12; io/sentry/connection/RandomEventSampler.java, line(s) 4

[Medium] The application can read/write external storage; data written to external storage can be read by any application
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#external-storage
Files: com/mercadopago/model/Fingerprint.java, line(s) 105; com/pushwoosh/internal/utils/b.java, line(s) 183,214; io/sentry/android/event/helper/AndroidEventBuilderHelper.java, line(s) 310,338,351

[Medium] Files may contain hard-coded sensitive information such as usernames, passwords or keys
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#checking-memory-for-sensitive-data-mstg-storage-10
Files: bolts/MeasurementEvent.java, line(s) 18,19; com/mercadopago/util/ErrorUtil.java, line(s) 9; com/onesignal/GcmBroadcastReceiver.java, line(s) 20; com/pushwoosh/BasePushMessageReceiver.java, line(s) 15; io/sentry/connection/AbstractConnection.java, line(s) 20; io/sentry/event/interfaces/UserInterface.java, line(s) 67; io/sentry/marshaller/json/UserInterfaceBinding.java, line(s) 13

[Medium] The application uses an SQLite database and executes raw SQL queries. Untrusted user input in raw SQL queries can lead to SQL injection. Sensitive information should also be encrypted before being written to the database
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04h-Testing-Code-Quality.md#injection-flaws-mstg-arch-2-and-mstg-platform-2
Files: com/onesignal/OneSignalDbHelper.java, line(s) 5,6,7,90; com/pushwoosh/inapp/c.java, line(s) 6,7,24

[Medium] MD5 is a weak hash with known collisions
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4
Files: com/anupcowkur/reservoir/SimpleDiskCache.java, line(s) 139; com/pushwoosh/internal/utils/GeneralUtils.java, line(s) 97

[Medium] This application may contain hard-coded secrets
The following possible secrets were identified in the application; confirm that they are not secret or private information:
Credential => "io.fabric.ApiKey" : "52179f99ae88e69d21f6f66c9c1f43332a63a8f3"
Credential => "com.google.android.geo.API_KEY" : "AIzaSyABM4c4l-l5vQwQMjl6oxWr-i8EQRR2udM"
Credential => "onesignal_app_id" : "@string/MOBFIQ_ONESIGNAL_KEY"
Bugsnag SDK => "com.bugsnag.android.API_KEY" : "b9879189024b973f505025ab1a7c26e8"
"MOBFIQ_ONESIGNAL_KEY" : "0"
"google_app_id" : "0"
"MOBFIQ_API_DEPRECATED" : "google.com"
"MOBFIQ_SENTRY_KEY" : "https://ecddb69bf585420da41d15ef79517216:[email protected]/142490"
"MOBFIQ_FACEBOOK_KEY" : "0"
"MOBFIQ_PUSHWOOSH_KEY" : "0"
"MOBFIQ_API" : "https://api.moblite.com.br"
"mpsdk_mp_app_id" : "account_money"
Unlabelled values: 5e8f16062ea3cd2c4a0d547876baa6f38cabf625 a4b7452e2ed8f5f191058ca7bbfd26b0d3214bfc 3i2ndDfv2rTHiSisAbouNdArYfORhtTPEefj3q2f 5eb5a37e-b458-11e3-ac11-000c2940e62c AIzaSyANzIbVdGCMLxS3gVH4Dv0X5kG4qWXs0B8 8a3c4b262d721acd49a4bf97d5213199c86fa2b9 b2f7f966-d8cc-11e4-bed1-df8f05be55ba
[Info] The application writes log messages; sensitive information must not be logged
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05d-Testing-Data-Storage.md#logs
[Passed] This application may implement root detection
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05j-Testing-Resiliency-Against-Reverse-Engineering.md#testing-root-detection-mstg-resilience-1
Files: io/sentry/android/event/helper/AndroidEventBuilderHelper.java, line(s) 293,296,296,296,296,296,296

[Passed] This application uses SSL pinning to detect or prevent MITM attacks on secure communication channels
Reference: https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4
Files: com/mercadopago/core/CustomServer.java, line(s) 65,65; com/mercadopago/core/MercadoPago.java, line(s) 267,117,130; com/mercadopago/core/MercadoPagoServices.java, line(s) 161,192; com/mercadopago/core/MerchantServer.java, line(s) 46,46
Overall security baseline score summary

Loja LPF v1.0.4
Platform: Android APK
Overall security score: 46
Risk level: Medium risk