0

高危漏洞

5

中危漏洞

2

低危漏洞

4

警告

文件名 mtools.apk
上传者 Wilson
文件大小 3.0720224380493MB
MD5 098e81843339db9703378c590c47430b
包名 tk.toolkeys.mtools
Main Activity tk.toolkeys.mtools.MainActivity
Min SDK 19
Target SDK 28

权限列表

# 名称 说明 提示
0 android.permission.BLUETOOTH 允许应用程序查看本地蓝牙手机的配置,以及建立或接受与配对设备的连接。 注意
1 android.permission.ACCESS_NETWORK_STATE 允许应用程序查看所有网络的状态。 提示
2 android.permission.BLUETOOTH_ADMIN 允许应用程序配置本地蓝牙手机,以及发现远程设备并与其配对。 提示
3 android.permission.INTERNET 允许程序访问网络. 提示
4 android.permission.VIBRATE 允许应用程序控制振动器。 提示
5 android.permission.WRITE_EXTERNAL_STORAGE 允许应用程序写入SD卡。 提示

四大组件

组件名称

tk.toolkeys.mtools.MainActivity
tk.toolkeys.mtools.activity.SnifferActivity
tk.toolkeys.mtools.activity.UnlockActivity
tk.toolkeys.mtools.activity.SettingsActivity
tk.toolkeys.mtools.activity.OrderActivity
tk.toolkeys.mtools.activity.WebViewActivity
tk.toolkeys.mtools.activity.GuideActivity

android.support.v4.content.FileProvider
com.squareup.picasso.PicassoProvider

第三方库

# 库名 介绍
0 com.tencent.bugly 腾讯Bugly,面向移动开发者提供最专业的Crash监控、崩溃分析等质量跟踪服务,为您修复用户的每一次Crash!

静态扫描发现风险点

风险等级 风险名称

中危

检测到当前标志被设置成true或没设置,这会导致adb调试备份允许恶意攻击者复制应用程序数据,造成数据泄露。

中危

该app需要移除大部分日志打印代码。
经扫描该包仍存在大量打日志代码,共发现92处打日志代码.(此处扫描的日志打印代码,是指调用android.util.Log.* 打印的.)
详情如下:

位置: classes.dex
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserData(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setSdkExtraData(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setAuditEnable(Landroid/content/Context; Z)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->postCatchedException(Ljava/lang/Throwable; Ljava/lang/Thread; Z)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserId(Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppVer()Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.BuglyLog;->i(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserId(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppChannel()Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDexForTinker;->getprefixname(Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->removeUserData(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserId()Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.b;->a(Landroid/content/Context; Lcom/tencent/bugly/yaq/BuglyStrategy;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->enableObtainId(Landroid/content/Context; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testNativeCrash(Z Z Z)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setIsAppForeground(Landroid/content/Context; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserDatasSize(Landroid/content/Context;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setHandleNativeCrashInJava(Z)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.proguard.x;->a(I Ljava/lang/String; [Ljava/lang/Object;)Z==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->closeNativeReport()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->closeBugly()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setCrashRegularFilter(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.BuglyLog;->w(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserId(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->startCrashReport()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAllUserDataKeys(Landroid/content/Context;)Ljava/util/Set;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->enableObtainId(Landroid/content/Context; Z)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserId(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.BuglyLog;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.proguard.x;->a(I Ljava/lang/String; [Ljava/lang/Object;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setHandleNativeCrashInJava(Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setSessionIntervalMills(J)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testANRCrash()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppChannel()Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDex$V19;->makeDexElements(Ljava/lang/Object; Ljava/util/ArrayList; Ljava/io/File; Ljava/util/ArrayList;)[Ljava/lang/Object;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.b;->a(Landroid/content/Context; Lcom/tencent/bugly/yaq/BuglyStrategy;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserSceneTagId(Landroid/content/Context;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppVer()Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDex$V4;->install(Ljava/lang/ClassLoader; Ljava/lang/reflect/Field; Ljava/util/List; Ljava/io/File;)Ljava/util/ArrayList;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDex$V19;->install(Ljava/lang/ClassLoader; Ljava/lang/reflect/Field; Ljava/util/List; Ljava/io/File; Z Z)Ljava/util/ArrayList;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getSdkExtraData(Landroid/content/Context;)Ljava/util/Map;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppID()Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDex;->getprefixname(Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testANRCrash()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setJavascriptMonitor(Lcom/tencent/bugly/yaq/crashreport/CrashReport$WebViewInterface; Z Z)Z==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setBuglyDbName(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDex;->installDexes(Ljava/lang/ClassLoader; Ljava/lang/String; Ljava/lang/String; Z Z)Ljava/util/ArrayList;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->putUserData(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserId()Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.BuglyLog;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getSdkExtraData()Ljava/util/Map;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setIsDevelopmentDevice(Landroid/content/Context; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setAuditEnable(Landroid/content/Context; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserSceneTag(Landroid/content/Context; I)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getSdkExtraData()Ljava/util/Map;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->closeCrashReport()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->isLastSessionCrash()Z==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserData(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserSceneTagId(Landroid/content/Context;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setBuglyDbName(Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setAppChannel(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDexForTinker$V19;->makeDexElements(Ljava/lang/Object; Ljava/util/ArrayList; Ljava/io/File; Ljava/util/ArrayList;)[Ljava/lang/Object;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->putSdkData(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->isLastSessionCrash()Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->postException(Ljava/lang/Thread; I Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/util/Map;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAppID()Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.b;->a(Landroid/content/Context; Ljava/lang/String; Z Lcom/tencent/bugly/yaq/BuglyStrategy;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testJavaCrash()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setServerUrl(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testNativeCrash(Z Z Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setCrashRegularFilter(Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.Util;->Comparetxtinzip(Ljava/util/zip/ZipFile; Ljava/lang/String; Ljava/io/File;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->postCatchedException(Ljava/lang/Throwable; Ljava/lang/Thread; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.MultiDexForTinker;->installDexes(Ljava/lang/ClassLoader; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.BuglyLog;->v(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setAppPackage(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.wrapper.proxyapplication.Util;->deleteDir(Ljava/io/File;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.proguard.x;->a(I Ljava/lang/String; [Ljava/lang/Object;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.Bugly;->init(Landroid/content/Context; Ljava/lang/String; Z Lcom/tencent/bugly/yaq/BuglyStrategy;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->closeNativeReport()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setCrashFilter(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setCrashFilter(Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->removeUserData(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->testJavaCrash()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setAppVersion(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getAllUserDataKeys(Landroid/content/Context;)Ljava/util/Set;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setUserSceneTag(Landroid/content/Context; I)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->postException(Ljava/lang/Thread; I Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/util/Map;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.proguard.x;->a(I Ljava/lang/String; [Ljava/lang/Object;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->getUserDatasSize(Landroid/content/Context;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.b;->a(Landroid/content/Context; Ljava/lang/String; Z Lcom/tencent/bugly/yaq/BuglyStrategy;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.bugly.yaq.crashreport.CrashReport;->setJavascriptMonitor(Landroid/webkit/WebView; Z Z)Z==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I

中危

检测到1个WebView远程执行漏洞。

位置: classes.dex
com.tencent.bugly.yaq.crashreport.CrashReport$1;->addJavascriptInterface(Lcom.tencent.bugly.yaq.crashreport.crash.h5.H5JavaScriptInterface; Ljava.lang.String;)V

Android API < 17之前版本存在远程代码执行安全漏洞,该漏洞源于程序没有正确限制使用addJavaScriptInterface方法,攻击者可以通过Java反射利用该漏洞执行任意Java对象的方法,导致远程代码执行安全漏洞。
(1)API等于高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

中危

检测到2条敏感明文信息,建议移除。

位置: classes.dex
'http://android.bugly.qq.com/rqd/async' used in: Lcom/tencent/bugly/yaq/crashreport/common/strategy/StrategyBean;->()V
'http://rqd.uu.qq.com/rqd/sync' used in: Lcom/tencent/bugly/yaq/crashreport/common/strategy/StrategyBean;->()V

中危

检测到1处setSavePassword密码明文存储漏洞。

位置: classes.dex
com.tencent.bugly.yaq.crashreport.CrashReport$1;

webview的保存密码功能默认设置为true。Webview会明文保存网站上的密码到本地私有文件”databases/webview.db”中。对于可以被root的系统环境或者配合其他漏洞(如webview的同源绕过漏洞),攻击者可以获取到用户密码。
建议:显示设置webView.getSetting().setSavePassword(false)。

参考案例:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

参考资料:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

低危

检测到2处使用了DES弱加密算法。

位置: classes.dex
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/yaq/proguard/af;->a([B)[B
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/yaq/proguard/af;->b([B)[B

使用弱加密算法会大大增加黑客攻击的概率,黑客可能会破解隐私数据、猜解密钥、中间人攻击等,造成隐私信息的泄漏,甚至造成财产损失。建议使用AES加密算法。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

低危

非debug包,需要通过打包平台proguard脚本,移除大部分系统输出代码。
经扫描该包仍存在大量系统输出代码,共发现2处系统输出代码.(此处扫描的系统输出代码,是指调用System.out.print*输出的,本应在打包平台移除的系统输出代码.)
各个bundle系统输出代码详情如下:

位置: classes.dex
com.tencent.bugly.yaq.proguard.f;
com.wrapper.proxyapplication.CustomerClassLoader;

警告

检测到1潜在的XSS漏洞。

位置: classes.dex
com.tencent.bugly.yaq.crashreport.CrashReport$1;->setJavaScriptEnabled(Z)V

允许WebView执行JavaScript(setJavaScriptEnabled),有可能导致XSS攻击。建议尽量避免使用。
(1)API等于高高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
u(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

警告

检测到5处IvParameterSpec的使用。

位置: classes.dex
com.tencent.bugly.yaq.proguard.ae;->a([B)[B
com.tencent.bugly.yaq.proguard.ae;->b([B)[B
com.tencent.bugly.yaq.proguard.af;->a([B)[B
com.tencent.bugly.yaq.proguard.af;->b([B)[B
com.tencent.bugly.yaq.proguard.z;->a(I [B [B)[B

使用IVParameterSpec函数,如果使用了固定的初始化向量,那么密码文本可预测性高得多,容易受到字典攻击等。建议禁止使用常量初始化矢量构造IVParameterSpec,使用聚安全提供的安全组件。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到1处provider的grantUriPermissions设置为true。
android.support.v4.content.FileProvider


grant-uri-permission若设置为true,可被其它程序员通过uri访问到content provider的内容,容易造成信息泄露。

参考资料:
https://security.tencent.com/index.php/blog/msg/6

警告

检测到3处使用了加解密算法。密钥处理不当可能会导致信息泄露。

位置: classes.dex
com.tencent.bugly.yaq.proguard.z;->a(I [B [B)[B
com.tencent.bugly.yaq.proguard.ae;->b([B)[B
com.tencent.bugly.yaq.proguard.ae;->a([B)[B

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


动态扫描发现风险点

风险等级 风险名称

服务端分析

风险等级 风险名称

警告

检测到?处XSS漏洞。
开发中...

警告

检测到?处XSS跨站漏洞。
开发中...

应用证书