0

高危漏洞

5

中危漏洞

5

低危漏洞

7

警告

文件名 xinghuowx-release.apk
上传者 liulangmaO
文件大小 50.410551071167MB
MD5 0360da3ecc0d620da285f540415aa4e6
包名 com.xinghuowx.wx
Main Activity com.xinghuolive.live.SplashActivity
Min SDK 21
Target SDK 28

权限列表

# 名称 说明 提示
0 android.permission.ACCESS_COARSE_LOCATION 访问大概的位置源(例如蜂窝网络数据库)以确定手机的大概位置(如果可以)。恶意应用程序可借此确定您所处的大概位置。 注意
1 android.permission.ACCESS_FINE_LOCATION 访问精准的位置源,例如手机上的全球定位系统(如果有)。恶意应用程序可能会借此确定您所处的位置,并可能消耗额外的电池电量。 注意
2 android.permission.BLUETOOTH 允许应用程序查看本地蓝牙手机的配置,以及建立或接受与配对设备的连接。 注意
3 android.permission.GET_TASKS 允许应用程序检索有关当前和最近运行的任务的信息。恶意应用程序可借此发现有关其他应用程序的保密信息。 注意
4 android.permission.READ_PHONE_STATE 允许应用程序访问设备的手机功能。有此权限的应用程序可确定此手机的号码和序列号,是否正在通话,以及对方的号码等。 注意
5 android.permission.RECEIVE_BOOT_COMPLETED 允许应用程序在系统完成启动后即自行启动。这样会延长手机的启动时间,而且如果应用程序一直运行,会降低手机的整体速度。 注意
6 android.permission.RECORD_AUDIO 允许应用程序访问录音路径。 注意
7 android.permission.REORDER_TASKS 允许应用程序将任务移至前端和后台。恶意应用程序可借此强行进入前端,而不受您的控制。 注意
8 android.permission.SYSTEM_ALERT_WINDOW 允许应用程序显示系统警报窗口。恶意应用程序可借此掌控整个手机屏幕。 注意
9 android.permission.WRITE_SETTINGS 允许应用程序修改系统设置方面的数据。恶意应用程序可借此破坏您的系统配置。 注意
10 android.permission.ACCESS_NETWORK_STATE 允许应用程序查看所有网络的状态。 提示
11 android.permission.ACCESS_WIFI_STATE 允许应用程序查看有关WLAN状态的信息。 提示
12 android.permission.CAMERA 允许应用程序使用相机拍照,这样应用程序可随时收集进入相机镜头的图像。 提示
13 android.permission.CHANGE_CONFIGURATION 允许应用程序更改当前配置,例如语言设置或整体的字体大小。 提示
14 android.permission.CHANGE_WIFI_STATE 允许应用程序连接到WLAN接入点以及与WLAN接入点断开连接,并对配置的WLAN网络进行更改。 提示
15 android.permission.FLASHLIGHT 允许应用程序控制闪光灯。 提示
16 android.permission.GET_ACCOUNTS 允许应用程序获取手机已知的帐户列表。 提示
17 android.permission.INTERNET 允许程序访问网络. 提示
18 android.permission.MODIFY_AUDIO_SETTINGS 允许应用程序修改整个系统的音频设置,如音量和路由。 提示
19 android.permission.MOUNT_UNMOUNT_FILESYSTEMS 允许应用程序装载和卸载可移动存储器的文件系统。 提示
20 android.permission.READ_LOGS 允许应用程序从系统的各日志文件中读取信息。这样应用程序可以发现您的手机使用情况,但这些信息不应包含任何个人信息或保密信息。 提示
21 android.permission.RESTART_PACKAGES 允许程序自己重启或重启其他程序 提示
22 android.permission.VIBRATE 允许应用程序控制振动器。 提示
23 android.permission.WAKE_LOCK 允许应用程序防止手机进入休眠状态。 提示
24 android.permission.WRITE_EXTERNAL_STORAGE 允许应用程序写入SD卡。 提示

四大组件

组件名称

com.xinghuolive.live.SplashActivity
com.xinghuolive.live.SplashWelcomeAty
com.alibaba.verificationsdk.ui.VerifyActivity
com.xinghuolive.live.control.user.NewLoginActivity
com.xinghuolive.live.control.user.InputPhoneActivity
com.xinghuolive.live.control.user.LoginMainRegisterActivity
com.xinghuolive.live.control.user.RegisterActivity
com.xinghuolive.live.control.user.ForgetPwdPhoneActivity
com.xinghuolive.live.control.user.ForgetPasswordActivity
com.xinghuolive.live.control.user.CaptchaLoginActivity
com.xinghuolive.live.control.user.NewPasswordLoginActivity
com.xinghuolive.live.control.user.SetPasswordLoginActivity
com.xinghuolive.live.control.user.UserAgreementActivity
com.xinghuolive.live.control.user.LoginStudentListActivity
com.xinghuolive.live.control.curriculum.mine.CalendarActivity
com.xinghuolive.live.control.dynamic.main.SpecifiedCalendarActivity
com.xinghuolive.live.common.activity.WebActivity
com.xinghuolive.live.common.activity.TitleWebActivity
com.xinghuolive.live.control.webreport.XhooKtfkWebActivity
com.xinghuolive.live.common.activity.XPetWebActivity
com.xinghuolive.live.control.webreport.TTReportWebActivity
com.xinghuolive.live.control.webreport.ZBReportWebActivity
com.xinghuolive.live.control.webreport.stage.ZBBKStageReportWebActivity
com.xinghuolive.live.control.webreport.stage.TenStageReportWebActivity
com.xinghuolive.live.control.webreport.TrajectoryWebActivity
com.xinghuolive.live.control.webreport.ZBJdcsReportWebActivity
com.xinghuolive.live.control.webreport.ZBOOReportWebActivity
com.xinghuolive.live.control.webreport.PYReportWebActivity
com.xinghuolive.live.control.webreport.TenReportWebActivity
com.xinghuolive.live.control.webreport.ParentsServiceWebActivity
com.xinghuolive.live.common.activity.GetCodeWebActivity
com.xinghuolive.live.control.web.ZbClassKtpjWebActivity
com.xinghuolive.live.MainActivity
com.xinghuolive.live.control.studentnotice.NoticeMainActivity
com.xinghuolive.live.control.imageselector.AlbumActivity
com.xinghuolive.live.control.dynamic.camera.CameraActivity
com.xinghuolive.live.control.wrongtitle.upload.WrongTitleCameraActivity
com.xinghuolive.live.control.wrongtitle.upload.CourseListChoiceChapterActivity
com.xinghuolive.live.control.wrongtitle.upload.ChoiceVersionActivity
com.xinghuolive.live.control.wrongtitle.upload.AddedResultActivity
com.xinghuolive.live.control.wrongtitle.upload.ChoiceChapterActivity
com.xinghuolive.live.control.wrongtitle.upload.ChoiceVersionChapterActivity
com.xinghuolive.live.control.wrongtitle.home.EditWrongtitleSubjectActivity
com.xinghuolive.live.control.wrongtitle.revisal.TimeOrChapterListActivity
com.xinghuolive.live.control.dynamic.camera.sample.CameraSamplePortraitActivity
com.xinghuolive.live.control.dynamic.camera.sample.CameraSampleLandscapeActivity
com.xinghuolive.live.control.imageselector.AlbumFolderActivity
com.xinghuolive.live.control.download.downloading.DownloadingActivity
com.xinghuolive.live.control.download.manager.DownloadManageAvtiviity
com.xinghuolive.live.control.me.activity.SetActivity
com.xinghuolive.live.control.me.activity.BalanceCouponsActivity
com.xinghuolive.live.control.me.activity.StudentManageActivity
com.xinghuolive.live.control.download.downloaded.DownloadedActivity
com.xinghuolive.live.control.curriculum.download.zbclass.CurriculumDownloadActivity
com.xinghuolive.live.control.curriculum.download.zboo.ZbooCurriculumDownloadActivity
com.xinghuolive.live.control.userinfo.MyInfoActivity
com.xinghuolive.live.control.user.CreatInfoActivity
com.xinghuolive.live.control.user.PerfectInfoActivity
com.xinghuolive.live.control.imageselector.preview.PreviewActivity
com.xinghuolive.live.control.dynamic.upload.UploadPreviewActivity
com.xinghuolive.live.control.others.ImagesPreviewActivity
com.xinghuolive.live.control.others.TimuImagesPreviewActivity
com.xinghuolive.live.control.userinfo.CropActivity
com.xinghuolive.live.control.userinfo.modify.ModifyNameActivity
com.xinghuolive.live.control.userinfo.modify.ModifyGenderActivity
com.xinghuolive.live.control.userinfo.modify.ModifyGradeActivity
com.xinghuolive.live.control.userinfo.modify.ModifyMaterailActivity
com.xinghuolive.live.control.userinfo.location.ModifyProvinceActivity
com.xinghuolive.live.control.userinfo.location.ModifyCityActivity
com.xinghuolive.live.control.userinfo.location.ModifyDistrictActivity
com.xinghuolive.live.control.others.TextBrowseActivity
com.xinghuolive.live.control.others.BigPictureWithRemakActivity
com.xinghuolive.live.control.live.LiveActivity
com.xinghuolive.live.control.demand.DemandActivity
com.xinghuolive.live.control.demand.zboo.ZbooDemandActivity
com.xinghuolive.live.control.demand.NormalVideoActivity
com.xinghuolive.live.control.curriculum.detail.kczl.DocumentViewActivity
com.xinghuolive.live.control.curriculum.detail.oo.OOPdfWaitingActivity
com.xinghuolive.live.control.curriculum.detail.kczl.KczlListActivity
com.xinghuolive.live.control.curriculum.detail.zbclass.ZbStageTestActivity
com.xinghuolive.live.control.curriculum.detail.kczl.KczlSoundViewActivity
com.xinghuolive.live.control.curriculum.detail.kczl.KczlZipViewActivity
com.xinghuolive.live.control.curriculum.detail.zbclass.LessonDetailActivity
com.xinghuolive.live.control.curriculum.detail.ten.TwoTeacherLessonDetailActivity
com.xinghuolive.live.wxapi.WXEntryActivity
com.tencent.tauth.AuthActivity
com.tencent.connect.common.AssistActivity
com.xinghuolive.live.control.curriculum.detail.oo.OOImageListActivity
com.xinghuolive.live.control.curriculum.detail.oo.OODataListActivity
com.xinghuolive.live.control.curriculum.detail.oo.OOCurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.zbclass.CurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.ten.detail.TTCurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.ten.detail.PYCurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.ten.detail.TenCurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.ten.TenJKZYActivity
com.xinghuolive.live.control.curriculum.detail.ten.TenJKZYResultOptionActivity
com.xinghuolive.live.control.curriculum.detail.ten.TenKHZYCourseListActivity
com.xinghuolive.live.control.curriculum.detail.ten.part.PyPartActivity
com.xinghuolive.live.control.curriculum.detail.ten.part.TwoTeacherPartActivity
com.xinghuolive.live.control.curriculum.detail.ten.part.TenPartActivity
com.xinghuolive.live.control.timu.tiku.result.TimuTikuAnswerResultActivity
com.xinghuolive.live.control.timu.image.result.TimuImageAnswerResultActivity
com.xinghuolive.live.control.curriculum.detail.ten.ktt.TenKttCommitActivity
com.xinghuolive.live.control.curriculum.detail.zbclass.CurriculumShortcutActivity
com.xinghuolive.live.control.curriculum.detail.zbclass.LessonReportActivity
com.xinghuolive.live.control.userinfo.DeliveryActivity
com.xinghuolive.live.control.curriculum.detail.zboo.ZbooCurriculumDetailActivity
com.xinghuolive.live.control.curriculum.detail.zboo.ZbooCurriculumShortcutActivity
com.xinghuolive.live.control.curriculum.detail.zboo.ZbooHasOverCurriculumActivity
com.xinghuolive.live.control.wrongtitle.timu.WtTimuReviewActivity
com.xinghuolive.live.control.timu.tiku.pager.TimuTikuPagerActivity
com.xinghuolive.live.control.timu.tiku.sub.TimuTikuSubPagerActivity
com.xinghuolive.live.control.timu.jkzy.TimuTenJkzyPagerActivity
com.xinghuolive.live.control.timu.image.pager.TimuImagePagerActivity
com.xinghuolive.live.control.dynamic.list.SubjectMsgActivity
com.xinghuolive.live.control.me.activity.OrderOrCouponActivity
com.xinghuolive.live.control.me.activity.FeedbackActivity
com.xinghuolive.live.control.me.activity.ManageDeliveryAddressActivity
com.xinghuolive.live.control.learningtask.activity.LearningPreviewActvitiy
com.xinghuolive.live.control.learningtask.activity.LearningConsolidateActvitiy
com.xinghuolive.live.control.learningtask.activity.LearningReportActvitiy
com.xinghuolive.live.control.learningtask.activity.LearningExamineActvitiy
com.xinghuolive.live.control.mycurriculum.MyCurriculumListCommAty
com.xinghuolive.live.control.mycurriculum.MyCurriculumMaterialAty
com.xinghuolive.live.control.mycurriculum.MycurriculumReportAty
com.xinghuolive.live.control.bo2o.BO2OActivity
com.xinghuolive.live.control.bo2o.BO2OSettingActivity
com.tencent.bugly.beta.ui.BetaActivity
com.xinghuolive.live.UpgradeActivity
com.xinghuolive.live.domain.push.PopupPushActivity
com.qiyukf.unicorn.ui.activity.ServiceMessageActivity
com.qiyukf.nim.uikit.session.activity.WatchMessagePictureActivity
com.qiyukf.nim.uikit.session.activity.PickImageActivity
com.qiyukf.nim.uikit.common.media.picker.activity.PickerAlbumActivity
com.qiyukf.nim.uikit.common.media.picker.activity.PickerAlbumPreviewActivity
com.qiyukf.nim.uikit.common.media.picker.activity.PreviewImageFromCameraActivity
com.qiyukf.unicorn.ui.activity.FileDownloadActivity
com.qiyukf.unicorn.ui.activity.UrlImagePreviewActivity
com.qiyukf.unicorn.ui.activity.CardPopupActivity
com.qiyukf.unicorn.ui.activity.LeaveMessageDetailActivity

com.netease.nimlib.service.NimService
com.netease.nimlib.service.NimService$Aux
com.netease.nimlib.job.NIMJobService
com.netease.nimlib.service.ResponseService
com.xinghuolive.live.control.msg.push.MessageIntentService
com.liulishuo.filedownloader.services.FileDownloadService$SharedMainProcessService
com.liulishuo.filedownloader.services.FileDownloadService$SeparateProcessService
com.qiyukf.nimlib.service.NimService
com.qiyukf.nimlib.service.NimService$Aux
com.qiyukf.unicorn.analytics.AnalyticsService
com.qiyukf.nimlib.service.WakeupService
com.tencent.bugly.beta.tinker.TinkerResultService
com.alibaba.sdk.android.push.MsgService
com.alibaba.sdk.android.push.channel.CheckService
com.taobao.accs.ChannelService
com.taobao.accs.ChannelService$KernelService
com.taobao.accs.data.MsgDistributeService
org.android.agoo.accs.AgooService
com.alibaba.sdk.android.push.AliyunPushIntentService
com.alibaba.sdk.android.push.channel.TaobaoRecvService
com.taobao.accs.internal.AccsJobService
com.alibaba.sdk.android.push.channel.KeepChannelService
com.xiaomi.mipush.sdk.PushMessageHandler
com.xiaomi.mipush.sdk.MessageHandleService
com.coloros.mcssdk.PushService

com.netease.nimlib.service.NimReceiver
com.netease.nimlib.service.ResponseReceiver
com.xinghuolive.live.domain.push.MyMessageReceiver
com.qiyukf.nimlib.service.NimReceiver
com.taobao.accs.EventReceiver
com.taobao.accs.ServiceReceiver
com.taobao.agoo.AgooCommondReceiver
com.alibaba.sdk.android.push.SystemEventReceiver
com.alibaba.sdk.android.push.MiPushBroadcastReceiver
com.xiaomi.push.service.receivers.NetworkStatusReceiver
com.alibaba.sdk.android.push.HuaWeiReceiver

com.netease.nimlib.ipc.NIMContentProvider
android.support.v4.content.FileProvider
com.qiyukf.nim.uikit.provider.UnicornProvider
com.tencent.bugly.beta.utils.BuglyFileProvider
com.growingio.android.sdk.collection.GrowingIOSettingsProvider

第三方库

# 库名 介绍
0 com.alibaba.fastjson Fast JSON Processor https://github.com/alibaba/fastjson/wiki
1 android.support.transition A backport of the new Transitions API for Android.
2 com.google.protobuf Protocol Buffers - Google's data interchange format https://developers.google.com/protocol-buffers/
3 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
4 com.huawei.android.pushagent 华为推送
5 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
6 android.support.multidex DEPRECATED
7 com.tencent.bugly 腾讯Bugly,面向移动开发者提供最专业的Crash监控、崩溃分析等质量跟踪服务,为您修复用户的每一次Crash!
8 io.realm Realm is a mobile database=> a replacement for SQLite & ORMs.
9 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
10 com.tencent.tauth 腾讯QQ互联平台为广大开发者整理了SDK列表,辅助开发者快速接入QQ登录、分享等功能。QQ互联是腾讯旗下的开放平台,通过QQ互联,网站主和开发者可以申请接入QQ登录、用户可以使用QQ账号登录接入的站点,通过添加分享和赞组件,将站点内容分享到QQ空间和朋友网,通过获取API授权,网站主还可以将用户操作同步到QQ空间和朋友网。
11 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
12 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
13 okhttp3 An HTTP+SPDY client for Android and Java applications.
14 jp.co.cyberagent.android.gpuimage Android filters based on OpenGL (idea from GPUImage for iOS)
15 com.squareup.okhttp An HTTP+HTTP/2 client for Android and Java applications. http://square.github.io/okhttp/.
16 net.sourceforge.pinyin4j Pinyin4j is a popular Java library supporting convertion between Chinese characters and most popular Pinyin systems. The output format of pinyin could be customized.
17 com.tencent.connect 腾讯开放平台
18 com.tencent.smtt 腾讯X5浏览服务由QQ浏览器团队出品,致力于优化移动端webview体验的整套解决方案,使用QQ浏览器X5内核SDK和X5云端服务,解决移动端webview使用过程中出现的一切问题,优化用户的浏览体验,同时腾讯还将持续提供后续的更新和优化,为开发者提供最新最优秀的功能和服务。
19 com.xiaomi.mipush.sdk 小米推送(MiPush)是小米公司为开发者提供的消息推送服务,通过在云端和客户端之间建立一条稳定、可靠的长连接,为开发者提供向客户端应用推送实时消息的服务,帮助开发者有效地拉动用户活跃。

静态扫描发现风险点

风险等级 风险名称

中危

检测到1处证书弱校验漏洞。

位置: classes.dex
anet.channel.util.i$b$a;

当移动App客户端使用https或ssl/tls进行通信时,如果不校验证书的可信性,将存在中间人攻击漏洞,可导致信息泄露,传输数据被篡改,甚至通过中间人劫持将原有信息替换成恶意链接或恶意代码程序,以达到远程控制等攻击意图。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考案例:
www.wooyun.org/bugs/wooyun-2014-079358

参考资料:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

中危

检测到1个未移除的敏感Test或Debug组件

com.xinghuolive.live.control.curriculum.detail.zbclass.ZbStageTestActivity

建议:
在正式发布app前移除敏感的Test或Debug组件

中危

检测到15个WebView远程执行漏洞。

位置: classes.dex
com.growingio.android.sdk.autoburry.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.growingio.android.sdk.autoburry.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.growingio.android.sdk.circle.HybridEventEditDialog;->prepareWebView(Landroid.content.Context;)V
com.huawei.android.pushselfshow.richpush.html.HtmlViewer;->enableJavaJS(Ljava.lang.String;)V
com.huawei.android.pushselfshow.richpush.html.HtmlViewer;->enableJavaJS(Ljava.lang.String;)V

位置: classes2.dex
com.xinghuolive.live.common.widget.timu.BaseWebView;->i()V
com.tencent.smtt.sdk.JsContext;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.X5JsCore;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.xinghuolive.live.common.widget.ProgressWebView;->a(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.JsVirtualMachine$a;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.xinghuolive.live.common.activity.XPetWebActivity;->j()V
com.xinghuolive.live.common.activity.BaseWebViewFragment;->b()V
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.bugly.crashreport.CrashReport$1;->addJavascriptInterface(Lcom.tencent.bugly.crashreport.crash.h5.H5JavaScriptInterface; Ljava.lang.String;)V

Android API < 17之前版本存在远程代码执行安全漏洞,该漏洞源于程序没有正确限制使用addJavaScriptInterface方法,攻击者可以通过Java反射利用该漏洞执行任意Java对象的方法,导致远程代码执行安全漏洞。
(1)API等于高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

中危

检测到162条敏感明文信息,建议移除。

位置: classes.dex
'10.101.108.10' used in: Lcom/alibaba/sdk/android/ams/common/global/AmsGlobalHolder;->()V
'data:image' used in: Lcom/bumptech/glide/load/model/DataUrlLoader;->handles(Ljava/lang/String;)Z
'data:image' used in: Lcom/bumptech/glide/load/model/DataUrlLoader$StreamFactory$1;->decode(Ljava/lang/String;)Ljava/io/InputStream;
'data:image/jpeg;base64,' used in: Lcom/growingio/android/sdk/debugger/proxy/GioProtocolProxy;->sendScreenUpdate()Ljava/lang/String;
'data:image/jpeg;base64,' used in: Lcom/growingio/android/sdk/circle/HybridEventEditDialog$HybridCircleContent;->(Ljava/util/List; Landroid/app/Activity; Ljava/lang/String; Ljava/lang/String;)V
'data:image/jpeg;base64,' used in: Lcom/growingio/android/sdk/circle/ScreenshotInfo;->getScreenShotInfo()Lorg/json/JSONObject;
'http://127.0.0.1' used in: Lcom/alibaba/sdk/android/oss/internal/InternalRequestOperation;->(Landroid/content/Context; Lcom/alibaba/sdk/android/oss/common/auth/OSSCredentialProvider; Lcom/alibaba/sdk/android/oss/ClientConfiguration;)V
'http://demo-vod.cn-shanghai.aliyuncs.com/voddemo/CreateSecurityToken?BusinessType=vodai&TerminalType=pc&DeviceModel=iPhone9,2&UUID=59ECA-4193-4695-94DD-7E1247288&AppVersion=1.0.0&UploadType=oss' used in: Lcom/alivc/player/LogOssUploader;->getCredential()Lorg/json/JSONObject;
'http://open.hicloud.com/android/push1.0.js' used in: Lcom/huawei/android/pushselfshow/richpush/html/HtmlViewer;->prepareJS(Ljava/lang/String;)Ljava/lang/String;
'http://oss.aliyuncs.com' used in: Lcom/alibaba/sdk/android/oss/internal/InternalRequestOperation;->(Landroid/content/Context; Lcom/alibaba/sdk/android/oss/common/auth/OSSCredentialProvider; Lcom/alibaba/sdk/android/oss/ClientConfiguration;)V
'http://schemas.android.com/apk/res-auto' used in: Landroid/support/design/chip/ChipDrawable;->loadFromAttributes(Landroid/util/AttributeSet; I I)V
'http://schemas.android.com/apk/res/android' used in: Landroid/support/v4/content/res/TypedArrayUtils;->hasAttribute(Lorg/xmlpull/v1/XmlPullParser; Ljava/lang/String;)Z
'http://schemas.android.com/apk/res/android' used in: Landroid/support/design/chip/Chip;->validateAttributes(Landroid/util/AttributeSet;)V
'https://203.107.1.1/144428/d?host=' used in: Lcom/growingio/android/sdk/data/net/DNSService$HttpDNSTask;->query()Lcom/growingio/android/sdk/data/net/DNSService$HostInformation;
'https://adash.man.aliyuncs.com/man/api?ak=23356390&s=' used in: Lcom/alibaba/sdk/android/utils/AMSDevReporter;->a(Lcom/alibaba/sdk/android/utils/AMSDevReporter$AMSSdkTypeEnum; Ljava/util/Map;)Z
'https://api%s.growingio.com/v3' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://assets.giocdn.com' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://assets.giocdn.com/sdk/hybrid' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://crashapi%s.growingio.com/v2' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://gio.ren/app/at5/android/%s' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://gio.ren/app/at5/android/%s' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->getAppLinkParamsUrl(Ljava/lang/String;)Ljava/lang/String;
'https://t%s.growingio.com/app' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://t.growingio.com/app/%s/%s/devices' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://t.growingio.com/app/%s/%s/devices' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->getDeeplinkHost()Ljava/lang/String;
'https://tags%s.growingio.com' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
'https://www.growingio.com' used in: Lcom/growingio/android/sdk/collection/NetworkConfig;->()V
"javascript:(function() {var parent = document.getElementsByTagName('head').item(0);var script = document.createElement('script');script.type = 'text/javascript';script.charset= 'utf-8';script.innerHTML = window.atob('" used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->injectScriptFile(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;
'javascript:(function(){try{%s}catch(e){}})()' used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->getInitPatternServer()Ljava/lang/String;
'javascript:(function(){try{%s}catch(e){}})()' used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->getVdsHybridConfig()Ljava/lang/String;
"javascript:(function(){try{var p=document.createElement('script');p.src='%s';document.head.appendChild(p);}catch(e){}})()" used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->getVdsHybridSrc(Landroid/content/Context;)Ljava/lang/String;
"javascript:(function(){try{var p=document.createElement('script');p.src='%s';document.head.appendChild(p);}catch(e){}})()" used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->getCirclePluginSrc(Landroid/content/Context;)Ljava/lang/String;
"javascript:(function(){try{var p=document.createElement('script');p.src='%s';document.head.appendChild(p);}catch(e){}})()" used in: Lcom/growingio/android/sdk/autoburry/VdsJsHelper;->getWebCirclePluginSrc()Ljava/lang/String;
'javascript:hideBody();' used in: Lcom/growingio/android/sdk/circle/HybridEventEditDialog;->detachWebView()V
'xxxx@xxxx.com' used in: Lcom/huawei/android/pushselfshow/utils/a;->d(Landroid/content/Context;)Z

位置: classes2.dex
'file:///assets/' used in: Lcom/opensource/svgaplayer/g;->a(Ljava/lang/String; Lcom/opensource/svgaplayer/g$b;)V
'http://100.69.165.28/agoo/report' used in: Lcom/taobao/accs/b/a;->(Landroid/content/Context;)V
'http://100.69.168.33/agoo/report' used in: Lcom/taobao/accs/b/a;->(Landroid/content/Context;)V
'http://223.252.220.223/lbs/conf' used in: Lcom/qiyukf/nimlib/b/d$a;->()V
'http://223.252.220.223/lbsrc/conf.jsp' used in: Lcom/qiyukf/nimlib/b/d$a;->()V
'http://agoodm.m.taobao.com/agoo/report' used in: Lcom/taobao/accs/b/a;->(Landroid/content/Context;)V
'http://agoodm.wapa.taobao.com/agoo/report' used in: Lcom/taobao/accs/b/a;->(Landroid/content/Context;)V
'http://android.bugly.qq.com/rqd/async' used in: Lcom/tencent/bugly/beta/upgrade/BetaUploadStrategy;->()V
'http://cfg.imtt.qq.com/tbs?v=2&mk=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://cgi.connect.qq.com/qqconnectopen/openapi/policy_conf' used in: Lcom/tencent/open/d/e$1;->run()V
'http://debugtbs.qq.com' used in: Lcom/tencent/smtt/sdk/WebView;->showDebugView(Ljava/lang/String;)Z
'http://debugx5.qq.com' used in: Lcom/tencent/smtt/sdk/WebView;->showDebugView(Ljava/lang/String;)Z
'http://fusion.qq.com/cgi-bin/qzapps/unified_jump?appid=%1$s&from=%2$s&isOpenAppID=1' used in: Lcom/tencent/connect/b/a;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/b;)V
'http://io-event.cn-shenzhen.log.aliyuncs.com/logstores/xiao-service/' used in: Lcom/xinghuolive/live/common/d/b;->()V
'http://localhost/' used in: Lretrofit2/Response;->error(I Lokhttp3/ResponseBody;)Lretrofit2/Response;
'http://localhost/' used in: Lretrofit2/Response;->success(Ljava/lang/Object; Lokhttp3/Headers;)Lretrofit2/Response;
'http://localhost/' used in: Lretrofit2/Response;->success(Ljava/lang/Object;)Lretrofit2/Response;
'http://log.tbs.qq.com/ajax?c=dl&k=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://log.tbs.qq.com/ajax?c=pu&tk=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://log.tbs.qq.com/ajax?c=pu&v=2&k=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://log.tbs.qq.com/ajax?c=ucfu&k=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://log.tbs.qq.com/ajax?c=ul&v=2&k=' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://mdc.html5.qq.com/d/directdown.jsp?channel_id=11041' used in: Lcom/tencent/smtt/sdk/b/a/d;->onClick(Landroid/view/View;)V
'http://mdc.html5.qq.com/d/directdown.jsp?channel_id=11047' used in: Lcom/tencent/smtt/sdk/b/a/d;->onClick(Landroid/view/View;)V
'http://mdc.html5.qq.com/mh?channel_id=50079&u=' used in: Lcom/tencent/smtt/sdk/a/d;->a(Landroid/content/Context;)Lcom/tencent/smtt/sdk/a/d$a;
'http://mqqad.html5.qq.com/adjs' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://openmobile.qq.com/oauth2.0/m_jump_by_version?' used in: Lcom/tencent/connect/common/a;->a(Ljava/lang/String;)Ljava/lang/String;
'http://pms.mb.qq.com/rsp204' used in: Lcom/tencent/smtt/sdk/ak;->m()Z
'http://qiyukf.netease.com' used in: Lcom/qiyukf/unicorn/e/b/a;->a()Ljava/lang/String;
'http://qiyukf.netease.com' used in: Lcom/qiyukf/unicorn/e/b/a;->b()Ljava/lang/String;
'http://qzs.qq.com/open/mobile/login/qzsjump.html?' used in: Lcom/tencent/connect/auth/a$a;->onReceivedError(Landroid/webkit/WebView; I Ljava/lang/String; Ljava/lang/String;)V
'http://qzs.qq.com/open/mobile/login/qzsjump.html?' used in: Lcom/tencent/connect/auth/a;->a()Ljava/lang/String;
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/GifTextureView;->a(Landroid/util/AttributeSet; I I)V
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/GifTextView;->a(Landroid/util/AttributeSet; I I)V
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/f$a;->a(Landroid/widget/ImageView; Landroid/util/AttributeSet; Z)I
'http://soft.tbs.imtt.qq.com/17421/tbs_res_imtt_tbs_DebugPlugin_DebugPlugin.tbs' used in: Lcom/tencent/smtt/utils/i;->run()V
'http://wup.imtt.qq.com:8080' used in: Lcom/tencent/smtt/utils/v;->(Landroid/content/Context;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/ta/utdid2/b/a/e;->a(Ljava/util/Map; Ljava/io/OutputStream;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/ta/utdid2/b/a/a;->setFeature(Ljava/lang/String; Z)V
'http://ysf.online' used in: Lcom/qiyukf/unicorn/e/b/a;->b()Ljava/lang/String;
'http://ysf.space' used in: Lcom/qiyukf/unicorn/e/b/a;->a()Ljava/lang/String;
'http://ysf.space' used in: Lcom/qiyukf/unicorn/e/b/a;->b()Ljava/lang/String;
'https://api.xhwx100.com/goat/' used in: Lcom/xinghuolive/live/common/d/b;->a(Ljava/lang/String; Ljava/util/Map;)V
'https://api.xhwx100.com/goat/' used in: Lcom/xinghuolive/live/control/a/b;->a(Landroid/content/Context;)V
'https://api.xhwx100.com/goat/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://api.xiao100.com/xpet/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://api.xiao100.com/xpet/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://appsupport.qq.com/cgi-bin/appstage/mstats_batch_report' used in: Lcom/tencent/open/b/g$5;->run()V
'https://dev-api.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://dev-api.xiao100.com/xpet/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://dev-la.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://dev-login.xiao100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://dev.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://devm.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://dr.netease.im/1.gif' used in: Lcom/netease/nimlib/d/d$a;->()V
'https://huatuocode.huatuo.qq.com' used in: Lcom/tencent/open/b/d;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/Long; I I Ljava/lang/String;)V
'https://image-cdn.xiaozhibo.com' used in: Lcom/xinghuolive/live/common/a/i;->a(Ljava/lang/String; I I)Ljava/lang/String;
'https://la.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://la.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://la.xiaojiaoyu100.com/app/patriarch-service-h5' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://la.xiaojiaoyu100.com/app/patriarch-service-h5' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://lbs.netease.im/lbs/conf.jsp' used in: Lcom/netease/nimlib/d/d$a;->()V
'https://lbs.netease.im/lbs/conf.jsp' used in: Lcom/qiyukf/nimlib/b/d$a;->()V
'https://login.xiao100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://login.xiao100.com/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://long.open.weixin.qq.com/connect/l/qrconnect?f=json&uuid=%s' used in: Lcom/tencent/mm/opensdk/diffdev/a/f;->(Ljava/lang/String; Lcom/tencent/mm/opensdk/diffdev/OAuthListener;)V
'https://m.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://m.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://mobile-teaching-dev.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://mobile-teaching-pre.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://mobile-teaching-test.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://mobile-teaching.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://mobile-teaching.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://nim.qiyukf.com' used in: Lcom/qiyukf/unicorn/e/b/a;->b()Ljava/lang/String;
'https://nosup-hz1.127.net' used in: Lcom/netease/nimlib/j/a/b/a/c;->a(Z)V
'https://open.weixin.qq.com/connect/sdk/qrconnect?appid=%s&noncestr=%s×tamp=%s&scope=%s&signature=%s' used in: Lcom/tencent/mm/opensdk/diffdev/a/d;->()V
'https://openmobile.qq.com/' used in: Lcom/tencent/open/d/a;->a(Lcom/tencent/connect/auth/c; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://pre-api.xhwx100.com/goat/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://pre-api.xiao100.com/xpet/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://pre-la.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://pre-la.xiaojiaoyu100.com/app/patriarch-service-h5' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://pre-login.xiao100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://pre.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://prem.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://qy-swallow.qiyukf.com' used in: Lcom/qiyukf/unicorn/e/b/a;->a()Ljava/lang/String;
'https://resource-teaching.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/b;->c()Ljava/lang/String;
'https://spark-upload.oss-cn-shenzhen.aliyuncs.com/' used in: Lcom/xinghuolive/live/MainActivity;->q()V
'https://spark-upload.oss-cn-shenzhen.aliyuncs.com/' used in: Lcom/xinghuolive/live/MainActivity;->p()V
'https://support.qq.com/product/59384' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://support.qq.com/product/59384' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://support.qq.com/product/59801' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://test-api.xhwx100.com/goat/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://test-api.xiao100.com/xpet/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://test-la.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://test-la.xiaojiaoyu100.com/app/patriarch-service-h5' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://test-login.xiao100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://test.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'https://testm.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://tutor-dev.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://tutor-pre.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://tutor-test.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://tutor.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->()V
'https://tutor.xiaojiaoyu100.com/' used in: Lcom/xinghuolive/live/control/a/c;->a(Landroid/content/Context;)V
'https://waitress-oss.xiaozhibo.com' used in: Lcom/xinghuolive/live/common/a/i;->a(Ljava/lang/String; I I)Ljava/lang/String;
'https://wannos.127.net/lbs' used in: Lcom/netease/nimlib/j/a/b/a/c;->e()Z
'https://wanproxy.127.net/lbs' used in: Lcom/qiyukf/nimlib/b$1;->d()Ljava/lang/String;
'https://webtest.netease.im/1.gif' used in: Lcom/netease/nimlib/d/d$a;->()V
'https://webtest.netease.im/lbs/conf.jsp' used in: Lcom/netease/nimlib/d/d$a;->()V
'https://webtest.netease.im/lbsrc/conf.jsp' used in: Lcom/netease/nimlib/d/d$a;->()V
'https://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/b/g$4;->run()V
'https://www.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->a(Landroid/content/Context;)V
'https://www.xhwx100.com/' used in: Lcom/xinghuolive/live/control/a/b;->()V
'javascript:(%s)()' used in: Lcom/xinghuolive/live/common/activity/XPetWebActivity$a;->onPageFinished(Lcom/tencent/smtt/sdk/WebView; Ljava/lang/String;)V
'javascript:NotifyH5("%s")' used in: Lcom/xinghuolive/live/control/live/game/GameInClassFragment;->c(Ljava/lang/String;)V
'javascript:Utils.NativeHelper.appSharePet(%d,%d)' used in: Lcom/xinghuolive/live/common/activity/XPetWebActivity$5;->a(Lcom/xinghuolive/live/control/b/a$al;)V
'javascript:Utils.NativeHelper.onAppResume()' used in: Lcom/xinghuolive/live/common/activity/XPetWebActivity;->onResume()V
'javascript:document.body.style.paddingTop="30px"; void 0' used in: Lcom/xinghuolive/live/control/curriculum/select/SelectCurriculumItemFragment;->g()V
'javascript:document.body.style.paddingTop="30px"; void 0' used in: Lcom/xinghuolive/live/control/curriculum/select/SelectCurriculumItemFragment;->h()V
"javascript:document.getElementsByTagName('HEAD').item(0).removeChild(document.getElementById('QQBrowserSDKNightMode'));" used in: Lcom/tencent/smtt/sdk/WebView;->switchNightMode(Z)V
"javascript:document.getElementsByTagName('HEAD').item(0).removeChild(document.getElementById('QQBrowserSDKNightMode'));" used in: Lcom/tencent/smtt/sdk/WebView;->(Landroid/content/Context; Landroid/util/AttributeSet; I Ljava/util/Map; Z)V
"javascript:onMessageFromXhwxApp('choose', '" used in: Lcom/xinghuolive/live/control/curriculum/select/NewSelectCurriculumFragment;->g()V
"javascript:var style = document.createElement('style');style.type='text/css';style.id='QQBrowserSDKNightMode';style.innerHTML='html,body{background:none !important;background-color: #1d1e2a !important;}html *{background-color: #1d1e2a !important; color:#888888 !important;border-color:#3e4f61 !important;text-shadow:none !important;box-shadow:none !important;}a,a *{border-color:#4c5b99 !important; color:#2d69b3 !important;text-decoration:none !important;}a:visited,a:visited *{color:#a600a6 !important;}a:active,a:active *{color:#5588AA !important;}input,select,textarea,option,button{background-image:none !important;color:#AAAAAA !important;border-color:#4c5b99 !important;}form,div,button,span{background-color:#1d1e2a !important; border-color:#4c5b99 !important;}img{opacity:0.5}';document.getElementsByTagName('HEAD').item(0).appendChild(style);" used in: Lcom/tencent/smtt/sdk/WebView;->switchToNightMode()V
"javascript:var style = document.createElement('style');style.type='text/css';style.id='QQBrowserSDKNightMode';style.innerHTML='html,body{background:none !important;background-color: #1d1e2a !important;}html *{background-color: #1d1e2a !important; color:#888888 !important;border-color:#3e4f61 !important;text-shadow:none !important;box-shadow:none !important;}a,a *{border-color:#4c5b99 !important; color:#2d69b3 !important;text-decoration:none !important;}a:visited,a:visited *{color:#a600a6 !important;}a:active,a:active *{color:#5588AA !important;}input,select,textarea,option,button{background-image:none !important;color:#AAAAAA !important;border-color:#4c5b99 !important;}form,div,button,span{background-color:#1d1e2a !important; border-color:#4c5b99 !important;}img{opacity:0.5}';document.getElementsByTagName('HEAD').item(0).appendChild(style);" used in: Lcom/tencent/smtt/sdk/WebView;->switchNightMode(Z)V
"javascript:var style = document.createElement('style');style.type='text/css';style.id='QQBrowserSDKNightMode';style.innerHTML='html,body{background:none !important;background-color: #1d1e2a !important;}html *{background-color: #1d1e2a !important; color:#888888 !important;border-color:#3e4f61 !important;text-shadow:none !important;box-shadow:none !important;}a,a *{border-color:#4c5b99 !important; color:#2d69b3 !important;text-decoration:none !important;}a:visited,a:visited *{color:#a600a6 !important;}a:active,a:active *{color:#5588AA !important;}input,select,textarea,option,button{background-image:none !important;color:#AAAAAA !important;border-color:#4c5b99 !important;}form,div,button,span{background-color:#1d1e2a !important; border-color:#4c5b99 !important;}img{opacity:0.5}';document.getElementsByTagName('HEAD').item(0).appendChild(style);" used in: Lcom/tencent/smtt/sdk/WebView;->(Landroid/content/Context; Landroid/util/AttributeSet; I Ljava/util/Map; Z)V
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a(Ljava/lang/Object;)V
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a()V
'www.163.com' used in: Lcom/netease/nimlib/r/h;->d()Ljava/util/List;
'www.qq.com' used in: Lcom/tencent/smtt/sdk/ak;->k()Z

中危

检测到5处setSavePassword密码明文存储漏洞。

位置: classes.dex
com.growingio.android.sdk.collection.DeviceUUIDFactory;
com.growingio.android.sdk.autoburry.VdsJsHelper;
com.growingio.android.sdk.circle.HybridEventEditDialog;

位置: classes2.dex
com.tencent.smtt.sdk.WebSettings;
com.tencent.bugly.crashreport.CrashReport$1;

webview的保存密码功能默认设置为true。Webview会明文保存网站上的密码到本地私有文件”databases/webview.db”中。对于可以被root的系统环境或者配合其他漏洞(如webview的同源绕过漏洞),攻击者可以获取到用户密码。
建议:显示设置webView.getSetting().setSavePassword(false)。

参考案例:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

参考资料:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

低危

检测到2处使用了DES弱加密算法。

位置: classes2.dex
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/proguard/az;->b([B)[B
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/proguard/az;->a([B)[B

使用弱加密算法会大大增加黑客攻击的概率,黑客可能会破解隐私数据、猜解密钥、中间人攻击等,造成隐私信息的泄漏,甚至造成财产损失。建议使用AES加密算法。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

低危

检测4处Intent Scheme URI漏洞。

位置: classes.dex
Lcom/huawei/android/pushselfshow/a/a;->f()V
Lcom/huawei/android/pushselfshow/c/d;->b(Landroid/content/Context; Lcom/huawei/android/pushselfshow/b/a;)Landroid/content/Intent;
Lcom/huawei/android/pushselfshow/richpush/html/a/d;->a(Ljava/lang/String; Ljava/lang/String; Z)V

位置: classes2.dex
Lcom/xiaomi/mipush/sdk/f;->a(Landroid/content/Context; Ljava/lang/String; Ljava/util/Map;)Landroid/content/Intent;


Intent Scheme URI是一种特殊的URL格式,用来通过Web页面启动已安装应用的Activity组件,大多数主流浏览器都支持此功能。如果在app中,没有检查获取到的load_url的值,攻击者可以构造钓鱼网站,诱导用户点击加载,就可以盗取用户信息。所以,对Intent URI的处理不当时,就会导致基于Intent的攻击。建议:
如果使用了Intent.parseUri函数,获取的intent必须严格过滤,intent至少包含addCategory(“android.intent.category.BROWSABLE”),setComponent(null),setSelector(null)3个策略。

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

低危

检测到8处AES/DES弱加密风险。

位置: classes.dex
com.coloros.mcssdk.c.b;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
Lcom/growingio/android/sdk/utils/EncryptionUtil;->ecbDecrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;

位置: classes2.dex
Lcom/tencent/smtt/utils/o;->c([B)[B
Lcom/qiyukf/unicorn/h/b;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)[B
Lcom/tencent/smtt/utils/o;->b([B Ljava/lang/String;)[B
Lcom/tencent/smtt/utils/o;->()V
Lcom/qiyukf/unicorn/h/b;->b(Landroid/content/Context; [B Ljava/lang/String;)[B
Lcom/tencent/smtt/utils/o;->a([B Ljava/lang/String;)[B

使用AES/DES/DESede加密算法时,如果使用ECB模式,容易受到攻击风险,造成信息泄露。建议在使用AES/DES/DESede加密算法时,应显示指定使用CBC或CFB加密模式

参考资料:
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

低危

检测到2处主机名弱校验检测漏洞。

位置: classes.dex
anet.channel.util.i$a;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

位置: classes2.dex
com.qiyukf.basesdk.b.a.c.b$2;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

自定义HostnameVerifier类,却不实现其verify方法验证域名直接返回true,直接接受任意域名。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考资料:
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

低危

检测到3处RSA算法不使用padding。

位置: classes2.dex
'RSA/ECB/NoPadding' used in: Lcom/tencent/smtt/utils/o;->()V
'RSA/ECB/NoPadding' used in: Lcom/tencent/smtt/utils/p;->a(Ljava/lang/String;)Ljava/lang/String;
'RSA/ECB/NoPadding' used in: Lcom/tencent/smtt/utils/p;->c()Ljava/lang/String;

使用RSA公钥时通常会绑定一个padding,原因是为了防止一些依赖于no padding时对RSA算法的攻击。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到19个导出的组件接收其他app的消息,这些组件会被其他app引用并导致dos攻击。

activity com.xinghuolive.live.wxapi.WXEntryActivity
activity com.tencent.tauth.AuthActivity
activity com.xinghuolive.live.domain.push.PopupPushActivity
service com.xinghuolive.live.control.msg.push.MessageIntentService
service com.alibaba.sdk.android.push.channel.CheckService
service com.taobao.accs.ChannelService
service com.taobao.accs.data.MsgDistributeService
service org.android.agoo.accs.AgooService
service com.alibaba.sdk.android.push.AliyunPushIntentService
service com.alibaba.sdk.android.push.channel.TaobaoRecvService
service com.xiaomi.mipush.sdk.PushMessageHandler
service com.coloros.mcssdk.PushService
receiver com.taobao.accs.EventReceiver
receiver com.taobao.accs.ServiceReceiver
receiver com.taobao.agoo.AgooCommondReceiver
receiver com.alibaba.sdk.android.push.SystemEventReceiver
receiver com.alibaba.sdk.android.push.MiPushBroadcastReceiver
receiver com.xiaomi.push.service.receivers.NetworkStatusReceiver
receiver com.alibaba.sdk.android.push.HuaWeiReceiver

建议:
(1)最小化组件暴露。对不会参与跨应用调用的组件建议显示添加android:exported="false"属性。
(2)设置组件访问权限。对provider设置权限,同时将权限的protectionLevel设置为"signature"或"signatureOrSystem"。
(3)组件传输数据验证。对组件之间,特别是跨应用的组件之间的数据传入与返回做验证和增加异常处理,防止恶意调试数据传入,更要防止敏感数据返回。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

参考资料:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

警告

检测到8个导出的隐式Service组件。
service com.xinghuolive.live.control.msg.push.MessageIntentService
service com.alibaba.sdk.android.push.channel.CheckService
service com.taobao.accs.ChannelService
service com.taobao.accs.data.MsgDistributeService
service org.android.agoo.accs.AgooService
service com.alibaba.sdk.android.push.AliyunPushIntentService
service com.alibaba.sdk.android.push.channel.TaobaoRecvService
service com.coloros.mcssdk.PushService

建议:为了确保应用的安全性,启动Service时,请始终使用显式Intent,且不要为服务声明Intent过滤器。使用隐式Intent启动服务存在安全隐患,因为您无法确定哪些服务将响应Intent,且用户无法看到哪些服务已启动。从Android 5.0(API 级别 21)开始,如果使用隐式 Intent 调用 bindService(),系统会抛出异常。

参考资料:
https://developer.android.com/guide/components/intents-filters.html#Types

警告

检测2处組件設置了android.intent.category.BROWSABLE属性。
com.xinghuolive.live.SplashActivity
com.tencent.tauth.AuthActivity


在AndroidManifest文件中定义了android.intent.category.BROWSABLE属性的组件,可以通过浏览器唤起,这会导致远程命令执行漏洞攻击。建议:
(1)APP中任何接收外部输入数据的地方都是潜在的攻击点,过滤检查来自网页的参数。
(2)不要通过网页传输敏感信息,有的网站为了引导已经登录的用户到APP上使用,会使用脚本动态的生成URL Scheme的参数,其中包括了用户名、密码或者登录态token等敏感信息,让用户打开APP直接就登录了。恶意应用也可以注册相同的URL Sechme来截取这些敏感信息。Android系统会让用户选择使用哪个应用打开链接,但是如果用户不注意,就会使用恶意应用打开,导致敏感信息泄露或者其他风险。

參考案例:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

警告

检测到7潜在的XSS漏洞。

位置: classes.dex
com.growingio.android.sdk.autoburry.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.growingio.android.sdk.circle.HybridEventEditDialog;->prepareWebView(Landroid.content.Context;)V
com.huawei.android.pushselfshow.richpush.html.HtmlViewer;->a()V

位置: classes2.dex
com.tencent.connect.auth.a;->d()V
com.tencent.bugly.crashreport.CrashReport$1;->setJavaScriptEnabled(Z)V
com.tencent.open.TDialog;->b()V
com.tencent.open.c;->c()V

允许WebView执行JavaScript(setJavaScriptEnabled),有可能导致XSS攻击。建议尽量避免使用。
(1)API等于高高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
u(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

警告

检测到12处IvParameterSpec的使用。

位置: classes.dex
com.huawei.android.pushagent.a.a.a.a;->a(Ljava.lang.String;)Ljava.lang.String;
com.huawei.android.pushagent.a.a.a.a;->b(Ljava.lang.String;)Ljava.lang.String;

位置: classes2.dex
com.ta.utdid2.a.a.a;->a([B [B)[B
com.ta.utdid2.a.a.a;->b([B [B)[B
com.tencent.bugly.proguard.aq;->a(I [B [B)[B
com.xiaomi.mipush.sdk.e;->a([B I)Ljavax.crypto.Cipher;
org.android.agoo.common.d;->()V
org.android.agoo.common.d;->a(Ljavax.crypto.spec.SecretKeySpec; [B)Ljavax.crypto.Cipher;
com.tencent.bugly.proguard.ay;->a([B)[B
com.tencent.bugly.proguard.ay;->b([B)[B
com.tencent.bugly.proguard.az;->a([B)[B
com.tencent.bugly.proguard.az;->b([B)[B

使用IVParameterSpec函数,如果使用了固定的初始化向量,那么密码文本可预测性高得多,容易受到字典攻击等。建议禁止使用常量初始化矢量构造IVParameterSpec,使用聚安全提供的安全组件。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到1处调用不安全的方法:SSLCertificateSocketFactory#getInsecure。

位置: classes2.dex
Lcom.tencent.open.d.i;->


SSLCertificateSocketFactory#getInsecure方法无法执行SSL验证检查,使得网络通信遭受中间人攻击。建议:
移除SSLCertificateSocketFactory#getInsecure方法。

参考资料:
https://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html
http://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html#getInsecure(int, android.net.SSLSessionCache)

警告

检测到3处provider的grantUriPermissions设置为true。
android.support.v4.content.FileProvider
com.qiyukf.nim.uikit.provider.UnicornProvider
com.tencent.bugly.beta.utils.BuglyFileProvider


grant-uri-permission若设置为true,可被其它程序员通过uri访问到content provider的内容,容易造成信息泄露。

参考资料:
https://security.tencent.com/index.php/blog/msg/6


动态扫描发现风险点

风险等级 风险名称

服务端分析

风险等级 风险名称

警告

检测到?处XSS漏洞。
开发中...

警告

检测到?处XSS跨站漏洞。
开发中...

应用证书