漏洞分析

0

高危漏洞

5

中危漏洞

7

低危漏洞

9

警告

文件名 koubei_pc.apk
上传者 MAX丶
文件大小 47.063993453979MB
MD5 3dfc89ac0eef1961631d7883eb7090cf
包名 com.taobao.mobile.dipei
Main Activity com.eg.android.AlipayGphone.AlipayLogin
Min SDK 18
Target SDK 23

权限列表

# 名称 说明 提示
0 android.permission.CALL_PHONE 允许应用程序在您不介入的情况下拨打电话。恶意应用程序可借此在您的话费单上产生意外通话费。请注意,此权限不允许应用程序拨打紧急呼救电话。 警告
1 android.permission.READ_SMS 允许应用程序读取您的手机或SIM卡中存储的短信。恶意应用程序可借此读取您的机密信息。 警告
2 android.permission.ACCESS_COARSE_LOCATION 访问大概的位置源(例如蜂窝网络数据库)以确定手机的大概位置(如果可以)。恶意应用程序可借此确定您所处的大概位置。 注意
3 android.permission.ACCESS_FINE_LOCATION 访问精准的位置源,例如手机上的全球定位系统(如果有)。恶意应用程序可能会借此确定您所处的位置,并可能消耗额外的电池电量。 注意
4 android.permission.BLUETOOTH 允许应用程序查看本地蓝牙手机的配置,以及建立或接受与配对设备的连接。 注意
5 android.permission.BROADCAST_STICKY 允许应用程序发送顽固广播,这些广播在结束后仍会保留。恶意应用程序可能会借此使手机耗用太多内存,从而降低其速度或稳定性。 注意
6 android.permission.GET_TASKS 允许应用程序检索有关当前和最近运行的任务的信息。恶意应用程序可借此发现有关其他应用程序的保密信息。 注意
7 android.permission.READ_CONTACTS 允许应用程序读取您手机上存储的所有联系人(地址)数据。恶意应用程序可借此将您的数据发送给其他人。 注意
8 android.permission.READ_PHONE_STATE 允许应用程序访问设备的手机功能。有此权限的应用程序可确定此手机的号码和序列号,是否正在通话,以及对方的号码等。 注意
9 android.permission.RECEIVE_BOOT_COMPLETED 允许应用程序在系统完成启动后即自行启动。这样会延长手机的启动时间,而且如果应用程序一直运行,会降低手机的整体速度。 注意
10 android.permission.RECEIVE_SMS 允许应用程序接收和处理短信。恶意应用程序可借此监视您的信息,或者将信息删除而不向您显示。 注意
11 android.permission.RECORD_AUDIO 允许应用程序访问录音路径。 注意
12 android.permission.REORDER_TASKS 允许应用程序将任务移至前端和后台。恶意应用程序可借此强行进入前端,而不受您的控制。 注意
13 android.permission.SYSTEM_ALERT_WINDOW 允许应用程序显示系统警报窗口。恶意应用程序可借此掌控整个手机屏幕。 注意
14 android.permission.WRITE_SETTINGS 允许应用程序修改系统设置方面的数据。恶意应用程序可借此破坏您的系统配置。 注意
15 android.permission.ACCESS_NETWORK_STATE 允许应用程序查看所有网络的状态。 提示
16 android.permission.ACCESS_WIFI_STATE 允许应用程序查看有关WLAN状态的信息。 提示
17 android.permission.AUTHENTICATE_ACCOUNTS 允许应用程序使用AccountManager的帐户身份验证程序功能,包括创建帐户以及获取和设置其密码。 提示
18 android.permission.BATTERY_STATS 允许修改收集的电池使用情况统计信息。普通应用程序不能使用此权限。 提示
19 android.permission.BLUETOOTH_ADMIN 允许应用程序配置本地蓝牙手机,以及发现远程设备并与其配对。 提示
20 android.permission.CAMERA 允许应用程序使用相机拍照,这样应用程序可随时收集进入相机镜头的图像。 提示
21 android.permission.CHANGE_CONFIGURATION 允许应用程序更改当前配置,例如语言设置或整体的字体大小。 提示
22 android.permission.CHANGE_WIFI_STATE 允许应用程序连接到WLAN接入点以及与WLAN接入点断开连接,并对配置的WLAN网络进行更改。 提示
23 android.permission.EXPAND_STATUS_BAR 允许应用程序展开或收拢状态栏。 提示
24 android.permission.FLASHLIGHT 允许应用程序控制闪光灯。 提示
25 android.permission.GET_ACCOUNTS 允许应用程序获取手机已知的帐户列表。 提示
26 android.permission.INTERNET 允许程序访问网络. 提示
27 android.permission.MANAGE_ACCOUNTS 允许应用程序执行添加、删除帐户及删除其密码之类的操作。 提示
28 android.permission.MODIFY_AUDIO_SETTINGS 允许应用程序修改整个系统的音频设置,如音量和路由。 提示
29 android.permission.READ_LOGS 允许应用程序从系统的各日志文件中读取信息。这样应用程序可以发现您的手机使用情况,但这些信息不应包含任何个人信息或保密信息。 提示
30 android.permission.USE_CREDENTIALS 允许应用程序请求身份验证标记。 提示
31 android.permission.VIBRATE 允许应用程序控制振动器。 提示
32 android.permission.WAKE_LOCK 允许应用程序防止手机进入休眠状态。 提示
33 android.permission.WRITE_EXTERNAL_STORAGE 允许应用程序写入SD卡。 提示

四大组件

组件名称

com.eg.android.AlipayGphone.AlipayLogin
com.alipay.mobile.quinox.LauncherActivity
com.koubei.android.mist.page.MistPageActivity
com.alipay.mobile.nebulacore.ui.H5Activity
com.alipay.mobile.nebulacore.ui.H5TransActivity
com.alipay.mobile.nebulacore.ui.H5FileChooserActivity
com.alipay.mobile.nebulacore.ui.H5NetworkCheckActivity
com.alipay.mobile.nebulacore.dev.ui.H5DevSettingsActivity
com.alipay.mobile.nebulacore.dev.ui.H5DevConfigEditActivity
com.alipay.mobile.nebulacore.wallet.H5DevAppActivity
com.alipay.mobile.nebulacore.ui.H5Activity$H5Activity1
com.alipay.mobile.nebulacore.ui.H5Activity$H5Activity2
com.alipay.mobile.nebulacore.ui.H5Activity$H5Activity3
com.alipay.mobile.nebulacore.ui.H5Activity$H5Activity4
com.alipay.mobile.nebulacore.ui.H5Activity$H5Activity5
com.alipay.mobile.nebulacore.ui.H5TransActivity$H5TransActivity1
com.alipay.mobile.nebulacore.ui.H5TransActivity$H5TransActivity2
com.alipay.mobile.nebulacore.ui.H5TransActivity$H5TransActivity3
com.alipay.mobile.nebulacore.ui.H5TransActivity$H5TransActivity4
com.alipay.mobile.nebulacore.ui.H5TransActivity$H5TransActivity5
com.alipay.mobile.nebulacore.ui.H5NebulaAppActivity
com.alipay.android.phone.o2o.lifecircle.search.LifeCircleSearchActivity
com.alipay.android.phone.o2o.lifecircle.askquestion.AskQuestionActivity
com.alipay.android.phone.o2o.lifecircle.themedetail.ThemeDetailActivity
com.alipay.android.phone.o2o.lifecircle.questiondetail.QuestionDetailActivity
com.alipay.android.phone.o2o.lifecircle.addanswer.AddAnswerActivity
com.alipay.android.phone.o2o.lifecircle.askquestion.AddTopicActivity
com.alipay.android.phone.o2o.lifecircle.myquestion.LifeCircleMyQuestionActivity
com.alipay.android.phone.o2o.lifecircle.myquestion.LcMyQuestionSettingActivity
com.alipay.android.phone.o2o.lifecircle.askquestion.anim.AskAnimActivity
com.alipay.android.phone.discovery.o2ohome.Marketing.O2oMaskActivity
com.alipay.android.phone.discovery.o2ohome.dynamic.guess.GuessULikeActivity
com.alipay.android.phone.discovery.o2ohome.dynamic.headline.HeadlineActivity
com.koubei.android.o2ohome.floor.FloorActivity
com.alipay.mobile.security.faceauth.ui.uniform.FaceSampleActivity
com.alipay.mobile.security.faceauth.ui.bank.NavigationActivity
com.alipay.mobile.security.faceauth.ui.bank.LoginWebNavigationActivity
com.alipay.mobile.security.faceauth.ui.bank.WebNavigationActivity
com.alipay.mobile.security.faceauth.ui.uniform.FaceLoginActivity
com.alipay.mobile.security.faceauth.circle.ui.FaceCircleActivity
com.alipay.mobile.security.faceauth.circle.ui.SampleCircleActivity
com.alipay.mobile.security.faceauth.circle.ui.LoginCircleActivity
com.alipay.mobile.security.bio.handwriting.ui.MainActivity
com.alipay.android.phone.falcon.manager.CommonCardActivity
com.alipay.android.phone.falcon.manager.FalconAlbumImageActivity
com.alipay.android.phone.falcon.cardmanager.FalconCardNativeActivity
com.alipay.android.phone.falcon.IDFace.WebViewActivity
com.alipay.android.phone.falcon.activities.CardScanActivity
com.alipay.android.phone.falcon.activities.LandAutoScanActivity
com.alipay.android.phone.falcon.activities.PortraitAutoScanActivity
com.alipay.mobile.scan.as.main.MainCaptureActivity
com.alipay.mobile.scan.as.router.CodeRouteActivity
com.alipay.mobile.scan.as.router.ARCodeRouteActivity
com.alipay.mobile.scan.as.router.SdkCodeRouteActivity
com.alipay.mobile.scan.as.tool.ToolsCaptureActivity
com.alipay.mobile.scan.as.shortcut.ShortCutActivity
com.alipay.mobile.authlogin.ui.AliAuthLoginActivity_
com.alipay.mobile.security.login.ui.AlipayUserLoginActivity
com.eg.android.AlipayGphone.ResultActivity
com.alipay.mobile.android.security.avatar.ui.EditAvatarActivity
com.alipay.mobile.securitycommon.taobaobind.AliuserBindActivity
com.alipay.mobile.securitycommon.taobaobind.AliuserWaitingActivity
com.alipay.mobile.verifyidentity.ui.helper.DialogActivity
com.alipay.mobile.verifyidentity.ui.helper.NoticeActivity
com.alipay.mobile.verifyidentity.module.cert.ui.TransparentActivity
com.alipay.mobile.verifyidentity.module.menu.ui.MenuActivity
com.alipay.mobile.verifyidentity.module.dynamic.ui.DynamicActivity
com.alipay.module.face.ui.FaceInputUserInfo
com.alipay.mobile.verifyidentity.module.fingerprint.FingerprintCheckActivity
com.alipay.mobile.verifyidentity.module.nocaptcha.ui.VerifyActivity
com.alipay.mobile.verifyidentity.module.password.pay.ui.PayPwdHalfActivity
com.alipay.mobile.verifyidentity.module.password.pay.ui.PayPwdFullActivity
com.alipay.mobile.verifyidentity.module.qrcode.ui.VIQrCodeActivity
com.alipay.mobile.verifyidentity.module.safezone.ui.SafeZoneActivity
com.alipay.mobile.verifyidentity.module.shield.ui.ShieldActivity
com.alipay.mobile.verifyidentity.module.sms.ui.SmsActivity
com.alipay.mobile.accountfd.devicelock.ui.DeviceLockActivity
com.alipay.android.phone.o2o.purchase.goodsdetail.GoodsDetailActivity
com.alipay.android.phone.o2o.purchase.goodsdetail.windows.WindowPhotoActivity
com.alipay.android.phone.o2o.purchase.goodslist.GoodsListActivity
com.alipay.android.phone.o2o.purchase.orderdetail.OrderDetailActivity
com.alipay.android.phone.o2o.purchase.selectshop.SelectShopActivity
com.alipay.android.phone.o2o.purchase.resultPage.O2oRefundResultPageActivity
com.alipay.android.phone.o2o.purchase.resultPage.O2oUsedResultPageActivity
com.alipay.android.phone.o2o.purchase.orderlist.ProductOrderListActivity
com.alipay.android.phone.o2o.common.activity.PhotoPreviewActivity
com.alipay.android.phone.o2o.common.page.O2oMistPageActivity
com.alipay.android.phone.wallet.sharetoken.ui.SendShareTokenActivity
com.alipay.android.phone.wallet.sharetoken.ui.TokenDecodeActivity
com.alipay.mobile.liteprocess.LiteProcessActivity$LiteProcessActivity1
com.alipay.mobile.liteprocess.LiteProcessActivity$LiteProcessActivity2
com.alipay.mobile.liteprocess.LiteProcessActivity$LiteProcessActivity3
com.alipay.mobile.liteprocess.LiteProcessActivity$LiteProcessActivity4
com.alipay.mobile.liteprocess.LiteProcessActivity$LiteProcessActivity5
com.alipay.mobile.onsitepay9.payer.OspTabHostActivity
com.alipay.mobile.onsitepay9.payer.PaySuccessActivity
com.alipay.mobile.onsitepay9.payer.KoubeiPaySuccessActivity
com.alipay.mobile.onsitepay9.payer.InputPasswordActivity
com.alipay.mobile.onsitepay.payer.barcode.ChannelSelectorActivity_
com.alipay.mobile.browser.HtmlActivity
com.alipay.mobile.browser.HtmlActivityV2_
com.alipay.mobile.framework.service.common.SchemeStartActivity
com.alipay.mobile.permission.PermissionGateActivity
com.alipay.mobile.h5plugin.H5MapActivity
com.alipay.mobile.commonbiz.ui.network.diagnose.NetworkDiagnoseActivity
com.koubei.mobile.o2o.personal.activity.AboutActivity
com.koubei.mobile.o2o.personal.activity.MyAskActivity
com.koubei.mobile.o2o.personal.activity.SettingActivity
com.alipay.mobile.about.ui.FeedbackInfoActivity
com.alipay.mobile.about.ui.FeedbackGuideActivity
com.alipay.android.phone.namecertify.ui.ImageSupporterActivity
com.alipay.mobile.nebula.appcenter.apphandler.loadingview.H5LoadingActivity
com.alipay.android.phone.discovery.o2o.detail.activity.MerchantDetailsActivity
com.alipay.android.phone.discovery.o2o.dish.ShopDishesAlbumActivity
com.alipay.android.phone.discovery.o2o.album.activity.ShopAlbumActivity
com.alipay.android.phone.discovery.o2o.detail.activity.AvailableShops
com.alipay.android.phone.discovery.o2o.detail.activity.MerchantMapActivity
com.alipay.android.phone.discovery.o2o.search.activity.SearchResultActivity
com.alipay.android.phone.discovery.o2o.search.activity.CategoryHomeActivity
com.alipay.android.phone.discovery.o2o.search.activity.SearchActivity
com.alipay.android.phone.discovery.o2o.detail.activity.MerchantMarketingsActivity
com.alipay.android.phone.discovery.o2o.collectlist.activity.CollectListActivity
com.alipay.android.phone.discovery.o2o.choosepay.ChoosePaymentActivity
com.alipay.android.phone.discovery.o2o.search.activity.SearchMaskActivity
com.alipay.mobile.alipassapp.ui.list.activity.KbPresentableListActivity
com.alipay.mobile.alipassapp.ui.carddetail.activity.KbCardDetailActivity
com.alipay.mobile.alipassapp.ui.carddetail.activity.KbCardPreviewDetailActivity
com.alipay.mobile.alipassapp.ui.carddetail.activity.KbHyqyActivity
com.alipay.mobile.alipassapp.ui.BusinessAlipassList_
com.alipay.mobile.alipassapp.ui.passdetail.activity.AlipassDetailActivity_
com.alipay.mobile.alipassapp.ui.AlipassSMPreviewActivity_
com.alipay.mobile.alipassapp.ui.GetPresentActivityF
com.alipay.mobile.alipassapp.ui.MemberFirstDetailActivity
com.alipay.mobile.alipassapp.ui.passdetail.activity.AlipassMoreInfoActivity_
com.alipay.mobile.alipassapp.ui.SuitableStoresActivity_
com.alipay.mobile.alipassapp.ui.list.activity.v2.OffersEntryActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.CurrentCardListActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.CurrentPassListActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.CurrentTicketActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.ExpiredCardListActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.ExpiredPassActivity
com.alipay.mobile.alipassapp.ui.list.activity.v2.list.ExpiredTicketActivity
com.alipay.mobile.alipassapp.ui.carddetail.v2.CardDetailActivity
com.alipay.mobile.alipassapp.ui.passdetail.activity.v2.PassDetailActivity
alipassdetail.activity.O2OPassDetailActivity
com.alipay.mobile.rome.pushservice.integration.PushDialogActivity
com.alipay.android.phone.mobilecommon.multimediabiz.biz.live.LiveDownloadActivity
com.alipay.android.shareassist.ui.ShareSelectActivity
com.alipay.android.shareassist.ui.WeiboEditActivity
com.alipay.android.shareassist.ui.WeiboAuthActivity
com.alipay.auth.AuthWeiboActivity
com.alipay.android.shareassist.ui.WeiboFrindListActivity
com.tencent.connect.common.AssistActivity
com.tencent.tauth.AuthActivity
com.alipay.mobile.beehive.audio.activity.GeneralAudioPlayActivity
com.alipay.mobile.beehive.capture.activity.CaptureActivity
com.alipay.mobile.beehive.capture.activity.RecordPreviewActivity
com.alipay.mobile.beehive.capture.activity.LandscapeCaptureActivity
com.alipay.mobile.beehive.capture.activity.PortraitCaptureActivity
com.alipay.mobile.beehive.capture.activity.LandscapeRecordPreview
com.alipay.mobile.beehive.capture.activity.PortraitRecordPreview
com.alipay.mobile.beehive.capture.activity.LandscapeCaptureForCarInsuranceActivity
com.alipay.mobile.beehive.capture.activity.PortraitCaptureExtendActivity
com.alipay.mobile.beehive.imageedit.activity.DoodleActivity
com.alipay.mobile.beehive.cityselect.ui.SelectCityActivity_
com.alipay.mobile.beehive.cityselect.ui.SelectCityTinyActivity_
com.alipay.mobile.beehive.cityselect.ui.ProvinceCityListActivity_
com.alipay.mobile.beehive.compositeui.multilevel.MultilevelSelectActivity_
com.alipay.mobile.beehive.photo.ui.PhotoSelectActivity
com.alipay.mobile.beehive.photo.ui.PhotoPreviewActivity
com.alipay.mobile.beehive.photo.ui.PhotoEditActivity
com.alipay.mobile.beehive.photo.ui.RemotePhotoGridActivity
com.alipay.mobile.beehive.photo.ui.BrowsePhotoAsListActivity
com.alipay.mobile.beehive.photo.ui.VideoPreviewEditActivity
com.alipay.mobile.beehive.photo.ui.VideoPreviewActivity
com.alipay.mobile.beehive.poiselect.ui.PoiSelectActivity_
com.alipay.mobile.beehive.poiselect.ui.LocationDetailActivity
com.alipay.mobile.beehive.template.ui.DemoActivity
com.alipay.android.phone.voiceassistant.ui.VoiceAssistantActivity
com.alipay.android.phone.voiceassistant.ui.VoiceHelpActivity
com.alipay.android.app.TransProcessPayActivity
com.alipay.android.substitute.channels.SocialChannelActivity
com.alipay.mobile.phonecashier.activity.MspDispatchActivity
com.alipay.android.app.flybird.ui.scheme.FlybirdSchemeActivity
com.alipay.android.app.flybird.ui.window.FlyBirdWindowActivity
com.alipay.android.app.settings.FlybirdLocalViewActivity
com.alipay.android.app.ui.quickpay.window.MiniWebActivity
com.alipay.android.app.local.LocalViewActivity
com.alipay.android.app.vr.VrPayActivity
com.alipay.android.app.flybird.ui.window.specific.samsungpay.SamsungPaySpecificActivity
com.alipay.android.app.substitute.channels.PaycodeChannelActivity
com.alipay.android.app.settings.view.MspSettingsActivity
com.alipay.mobile.deviceAuthorization.ui.PermAuthActivity_
com.alipay.mobile.deviceAuthorization.ui.AuthAdminActivity_
com.alipay.mobile.deviceAuthorization.ui.ScanErrorActivity
com.alipay.mobile.deviceAuthorization.ui.AuthDetailsInfoActivity_
com.alipay.mobile.deviceAuthorization.ui.OtpInsideManageActivity
com.alipay.mobile.deviceAuthorization.ui.InsideDetailActivity
com.alipay.android.mapassist.ui.MapMainActivity
com.alipay.android.mapassist.ui.MapAssistActivity
com.alipay.android.mapassist.ui.RouteDetailActivity
com.koubei.mobile.authlogin.activity.AlipayAuthLoginActivity
com.koubei.mobile.launcher.guide.StartGuideActivity
com.taobao.mobile.dipei.ResultActivity
com.alipay.mobile.core.loading.impl.LoadingPage
com.alipay.android.phone.seauthenticator.iotauth.recommend.FingerAuthRecommendActivity
com.alipay.mobile.quinox.activity.StubActivity
com.koubei.mobile.o2o.commonbiz.payer.PaySuccessActivity
com.koubei.mobile.o2o.commonbiz.payer.InputPasswordActivity
com.koubei.mobile.o2o.commonbiz.paysuccess.activity.OnlinepaySuccessActivity
com.koubei.mobile.o2o.commonbiz.kbpayer.KbBarcodePayActivity
com.koubei.mobile.o2o.commonbiz.update.UpdateDialogActivity
com.ali.user.mobile.region.ui.ChoiceRegionActivity
com.ali.authlogin.mobile.login.AlipayAuthResultActivity
com.ali.user.mobile.register.ui.RegSixPasswordActivity
com.ali.user.mobile.register.ui.RegSuccessActivity
com.ali.user.mobile.register.ui.RegPurePhoneActivity
com.ali.user.mobile.register.ui.RegReadSmsActivity
com.ali.user.mobile.register.ui.RegManualSmsActivity
com.ali.user.mobile.register.ui.RegLoginPwdActivity
com.ali.user.mobile.register.ui.RegExistUserActivity
com.ali.user.mobile.login.ui.AliUserLoginActivity
com.ali.user.mobile.login.ui.LoginSixPasswordActivity
com.ali.user.mobile.login.ui.LoginManualSmsActivity
com.ali.user.mobile.login.ui.LoginQuerypwdActivity
com.ali.user.mobile.login.ui.AliuserGuideActivity
com.alipay.android.phone.discovery.o2o.comment.activity.SubmitCommentActivity
com.alipay.android.phone.discovery.o2o.comment.activity.CommentResultActivity
com.alipay.android.phone.discovery.o2o.personal.activity.DynamicMyOrderActivity
com.alipay.android.phone.discovery.o2o.personal.activity.DynamicMyCommentActivity
com.alipay.android.phone.discovery.o2o.personal.activity.DynamicMyCommentDetailsActivity
com.alipay.android.phone.discovery.o2o.comment.activity.CraftsmanRecommendActivity
com.alipay.android.phone.discovery.o2o.personal.activity.MyMessageActivity
com.alipay.android.phone.discovery.o2o.dynamic.activity.DynamicCommentListActivity
com.alipay.android.phone.discovery.o2o.comment.activity.DishesAlbumActivity

com.amap.api.location.APSService
com.alipay.mobile.logmonitor.ClientMonitorService
com.alipay.mobile.common.logging.process.LogServiceInToolsProcess
com.alipay.pushsdk.push.AppInfoRecvIntentService
com.alipay.pushsdk.deliver.PushReportIntentService
com.alipay.pushsdk.push.NotificationService
com.alipay.mobile.rome.pushservice.integration.RecvMsgIntentService
com.alipay.android.phone.mobilecommon.update.download.ExternalDownloadIntentService
com.taobao.android.sso.internal.PidGetterService
com.taobao.android.sso.internal.AuthenticationService
com.taobao.android.sso.internal.AlipayAuthenticationService
com.alipay.mobile.common.logging.process.LogServiceInlite1
com.alipay.mobile.common.logging.process.LogServiceInlite2
com.alipay.mobile.common.logging.process.LogServiceInlite3
com.alipay.mobile.common.logging.process.LogServiceInlite4
com.alipay.mobile.common.logging.process.LogServiceInlite5
com.alipay.mobile.common.logging.process.LogServiceInMainProcess
com.alibaba.analytics.AnalyticsService
com.alipay.android.phone.mobilecommon.dynamicrelease.DynamicReleaseRequestService
com.alipay.android.phone.mobilecommon.dynamicrelease.DynamicReleaseProcessService
com.alipay.android.phone.mobilesdk.apm.service.APMInnerService
com.alipay.mobile.liteprocess.LiteProcessService$LiteProcessService1
com.alipay.mobile.liteprocess.LiteProcessService$LiteProcessService2
com.alipay.mobile.liteprocess.LiteProcessService$LiteProcessService3
com.alipay.mobile.liteprocess.LiteProcessService$LiteProcessService4
com.alipay.mobile.liteprocess.LiteProcessService$LiteProcessService5
com.alipay.mobile.liteprocess.ipc.IpcMsgServer
com.alipay.mobile.liteprocess.ipc.IpcCallServer
com.alipay.mobile.common.fgbg.FgBgMonitorService
com.alipay.mobile.chatsdk.broadcastrecv.MsgIntentService
com.alipay.mobile.publicplatform.common.receiver.BroadcastHandlerService
com.alipay.mobile.base.datatransfer.DataExportService
com.ali.money.shield.mssdk.service.SmsIntentService
com.alipay.mobile.rome.pushservice.integration.PushDistributerService
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService$H5ExternalDownloadIntentService1
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService$H5ExternalDownloadIntentService2
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService$H5ExternalDownloadIntentService3
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService$H5ExternalDownloadIntentService4
com.alipay.mobile.nebulaappproxy.api.download.H5ExternalDownloadIntentService$H5ExternalDownloadIntentService5
com.alipay.android.app.vr.VrPayService
com.alipay.android.app.MspService
com.alipay.pushsdk.deliver.PushDelayMsgIntentService
com.alipay.pushsdk.push.NotificationService$InnerService
com.alipay.pushsdk.push.alive.PushJobService
org.rome.android.ipp.binder.IppService
com.alipay.android.phone.inside.InteractionService
com.alipay.android.launcher.service.LauncherService
com.alipay.android.launcher.service.LauncherService$InnerService
com.alipay.mobile.quinox.classloader.DexOptServiceInToolsProcess
com.koubei.mobile.o2o.commonbiz.appcenter.download.ExternalDownloadIntentService
com.koubei.mobile.o2o.pushservice.display.PushClickRouterService

com.alipay.mobile.logmonitor.ClientMonitorWakeupReceiver
com.alipay.mobile.common.logging.process.LogReceiverInToolsProcess
com.alipay.pushsdk.BroadcastActionReceiver
com.alipay.android.phone.mobilecommon.dynamicrelease.SyncConfigReceiver
com.alipay.mobile.logmonitor.TraceStubReceiver
com.alipay.mobile.logmonitor.ClientMonitorExtReceiver
com.alipay.mobile.notification.NotificationAlarmReceiver
com.alipay.mobile.notification.ClickPushReceiver
com.alipay.android.launcher.notify.StartupSlowClickReceiver
com.ali.money.shield.mssdk.antifraud.sms.receiver.SmsIntercept
com.alipay.mobile.security.thirdparty.AppSafetyChecker
com.alipay.mobile.security.thirdparty.SmsSafetyChecker
com.alipay.mobile.rome.pushservice.merchant.MerchantBroadcastReceiver
com.alipay.mobile.mpass.badge.shortcut.broadcast.AddBadgeBroadcastReceiver
com.alipay.android.app.AlarmReciver
com.alipay.android.app.CertPayReceiver
com.alipay.android.app.sdk.CashierOperationReceiver
com.alipay.mobile.quinox.splash.ProcessUtil$WorkerReceiver
com.koubei.mobile.commonbiz.LaunchReceiver
android.support.multidex.MultiDexPreloadReceiver

com.alipay.android.phone.mobilesdk.permission.guide.provider.DataProvider

第三方库

# 库名 介绍
0 com.dodola.patcher 纳尼?慢着!你说Android可以补丁更新,我读书不多,不要骗我。给我说道说道,保证打不死你。命令和测试apk在bsdiff_bspatch文件夹
1 com.amap.api 高德LBS开放平台将高德最专业的定位、地图、搜索、导航等能力,以API、SDK等形式向广大开发者免费开放
2 org.aspectj AspectJ Tools
3 net.lingala.zip4j zip4j -- Java处理zip压缩文件
4 android.support.multidex DEPRECATED
5 org.json 根据Gson库使用的要求,将JSONObject格式的String 解析成实体
6 com.j256.ormlite ORMLite Android functionality used in conjunction with ormlite-core.
7 com.alibaba.fastjson Fast JSON Processor https://github.com/alibaba/fastjson/wiki
8 com.androidquery AndroidQuery
9 com.amap.api 高德LBS开放平台将高德最专业的定位、地图、搜索、导航等能力,以API、SDK等形式向广大开发者免费开放
10 org.androidannotations.annotations Fast Android Development. Easy maintainance.
11 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
12 com.alipay.share.sdk 分享给支付宝好友功能
13 com.tencent.connect 腾讯开放平台
14 com.tencent.mm.sdk 微信支付
15 com.tencent.tauth 腾讯QQ互联平台为广大开发者整理了SDK列表,辅助开发者快速接入QQ登录、分享等功能。QQ互联是腾讯旗下的开放平台,通过QQ互联,网站主和开发者可以申请接入QQ登录、用户可以使用QQ账号登录接入的站点,通过添加分享和赞组件,将站点内容分享到QQ空间和朋友网,通过获取API授权,网站主还可以将用户操作同步到QQ空间和朋友网。
16 com.amap.api 高德LBS开放平台将高德最专业的定位、地图、搜索、导航等能力,以API、SDK等形式向广大开发者免费开放
17 com.nineoldandroids Android library for using the Honeycomb animation API on all versions of the platform back to 1.0!
18 com.google.protobuf Protocol Buffers - Google's data interchange format https://developers.google.com/protocol-buffers/
19 com.xiaomi.mipush.sdk 小米推送(MiPush)是小米公司为开发者提供的消息推送服务,通过在云端和客户端之间建立一条稳定、可靠的长连接,为开发者提供向客户端应用推送实时消息的服务,帮助开发者有效地拉动用户活跃。
20 org.apache.thrift Apache Thrift 是 Facebook 实现的一种高效的、支持多种编程语言的远程服务调用的框架。

静态扫描发现风险点

风险等级 风险名称

中危

检测到2处证书弱校验漏洞。

位置: classes.dex
com.taobao.android.ssologinwrapper.remote.SsoRemoteRequest$1;

位置: classes2.dex
com.alipay.mobile.common.transportext.biz.diagnose.network.Link$MyX509TrustManager;

当移动App客户端使用https或ssl/tls进行通信时,如果不校验证书的可信性,将存在中间人攻击漏洞,可导致信息泄露,传输数据被篡改,甚至通过中间人劫持将原有信息替换成恶意链接或恶意代码程序,以达到远程控制等攻击意图。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考案例:
www.wooyun.org/bugs/wooyun-2014-079358

参考资料:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

中危

该app需要移除大部分日志打印代码。
经扫描该包仍存在大量打日志代码,共发现103处打日志代码.(此处扫描的日志打印代码,是指调用android.util.Log.* 打印的.)
详情如下:

位置: classes.dex
com.alipay.mobile.monitor.track.spm.SpmMonitor;->(Landroid/content/Context;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeUtil;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitor;->a()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->b(Landroid/view/View;)Landroid/view/View$OnClickListener;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->c(Landroid/view/View;)Landroid/view/View$OnClickListener;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.BaseTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitor$2;->(Lcom/alipay/mobile/monitor/track/spm/SpmMonitor;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeCenter$MergeDispatcher$1;->(Lcom/alipay/mobile/monitor/track/spm/merge/MergeCenter$MergeDispatcher;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$5;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator; Landroid/view/View; Ljava/lang/String; Ljava/lang/String; Z)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.interceptor.WindowManagerHook;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.c;->(Lcom/alipay/mobile/monitor/track/TrackAutoHelper; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$2;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->b(Landroid/view/View; Landroid/view/View$OnClickListener;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$ActionInfo;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmLogCator;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.SlideTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.AutoTracker;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.ExposeTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$4;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator; Landroid/view/View; Landroid/view/ViewTreeObserver$OnGlobalLayoutListener;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitor$2;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeTask;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.interceptor.AutoClickInterceptor;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeCenter;->(Lcom/alipay/mobile/monitor/track/spm/monitor/TrackerExecutor;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.interceptor.WindowManagerHook$WindowComparator;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeCenter$MergeDispatcher;->(Lcom/alipay/mobile/monitor/track/spm/merge/MergeCenter;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.interceptor.ClickInterceptorManager;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.TrackerQueue;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.TrackerExecutor;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.TrackerDispatcher;->(Ljava/util/concurrent/BlockingQueue;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.d;->(Lcom/alipay/mobile/monitor/track/TrackAutoHelper; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.agent.DefaultTrackAgent;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$1;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.MergeTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitor$LeaveHintReceiver;->(Lcom/alipay/mobile/monitor/track/spm/SpmMonitor;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.interceptor.WindowManagerHook$WindowType;->(Ljava/lang/String; I)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.merge.MergeCenter$1;->(Lcom/alipay/mobile/monitor/track/spm/merge/MergeCenter; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$PageInfo;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->c(Landroid/view/View; Landroid/view/View$OnClickListener;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmUtils;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackTouchDelegate$TrackClickListener;->(Lcom/alipay/mobile/monitor/track/TrackTouchDelegate;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackReflector;->()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.TrackerFactory;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackTouchDelegate;->(Landroid/widget/AdapterView; Landroid/view/View; Landroid/view/View; Lcom/alipay/mobile/monitor/track/interceptor/ClickInterceptorManager; Landroid/view/TouchDelegate; Ljava/lang/String; Ljava/lang/String; Z)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitor$1;->(Lcom/alipay/mobile/monitor/track/spm/SpmMonitor;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackIntegrator$3;->(Lcom/alipay/mobile/monitor/track/TrackIntegrator; Landroid/view/View; Ljava/lang/String; Ljava/lang/String; Z)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.SpmMonitorBinder;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.MergeExposeTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.TrackAutoHelper;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.monitor.track.spm.monitor.tracker.ClickTracker;->(Lcom/alipay/mobile/common/logging/api/behavor/Behavor$Builder;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

位置: classes2.dex
com.alipay.mobile.securitycommon.aliauth.AuthFactory;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.ResourceAdapterImpl;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthResult;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.GeneralAuthWorker$1;->(Lcom/alipay/mobile/securitycommon/aliauth/GeneralAuthWorker; Lcom/alipay/mobile/common/rpc/RpcException;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobileapp.biz.rpc.taobao.login.vo.AutoLoginPbRes;->(Lcom/alipay/mobileapp/biz/rpc/taobao/login/vo/AutoLoginPbRes;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.base.BaseActivity$1;->(Lcom/ali/user/mobile/base/BaseActivity; Landroid/widget/Button; Z)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.LbsAdapterImpl;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.security.bio.utils.BioLog$a;->verbose(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthCache$CacheWrap;->(Lcom/alipay/mobile/securitycommon/aliauth/AliAuthCache;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.taobao.BindTaobaoManager;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.GeneralAuthWorker;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.util.AliAuthUtil;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.security.bio.utils.BioLog$a;->debug(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants$Config;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.security.bio.utils.BioLog$a;->warn(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.util.EdgeUtils;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.security.bio.utils.BioLog$a;->error(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobileapp.biz.rpc.taobao.login.vo.BindTaobaoRes;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.UrlParser;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.LbsAdapterImpl$1;->(Lcom/ali/user/mobile/adapter/mpaas/LbsAdapterImpl; Lcom/ali/user/mobile/lbs/LbsListener;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.base.BaseActivity$2;->(Lcom/ali/user/mobile/base/BaseActivity; Lcom/alipay/mobile/antui/dialog/AUListDialog; Ljava/util/ArrayList;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.base.BaseActivity;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthService;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants$Key;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.ImageAdapterImpl;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants$Result;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants$Value;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.BaseLoginAdapter;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.FrameworkAdapterImpl;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobileapp.biz.rpc.taobao.login.vo.AutoLoginPbReq;->(Lcom/alipay/mobileapp/biz/rpc/taobao/login/vo/AutoLoginPbReq;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.util.LogUtil;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.SsoAuthWorker;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthConstants$SourceType;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.base.AdaptorActivity;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.security.bio.utils.BioLog$a;->info(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobileapp.biz.rpc.taobao.login.vo.BindTaobaoPbRes;->(Lcom/alipay/mobileapp/biz/rpc/taobao/login/vo/BindTaobaoPbRes;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.base.BaseActivity$3;->(Lcom/ali/user/mobile/base/BaseActivity; Landroid/view/View;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.util.TimeConsumingLogAgent;->(Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobile.securitycommon.aliauth.AliAuthCache;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ali.user.mobile.adapter.mpaas.ConfigAdapterImpl;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

位置: classes4.dex
com.alipay.mobileapi.pushcore.build.BuildConfig;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alipay.mobileapi.pushcore.api.BuildConfig;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

位置: assets/template_check
kb.com.alipay.android.phone.discovery.o2o.search.resolver.TestResolver;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

位置: assets/template_check.template_check
kb.com.alipay.android.phone.discovery.o2o.search.resolver.TestResolver;->()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

位置: lib/armeabi/libsgnocaptcha.so
com.taobao.wireless.security.sdk.ui.VerifyActivity;->onResume()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.taobao.wireless.security.sdk.ui.VerifyActivity;->onCreate(Landroid/os/Bundle;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.alibaba.wireless.security.a.a;->startVerifyUI(Landroid/content/Context; Ljava/lang/String; Lcom/alibaba/wireless/security/open/nocaptcha/INocaptchaVerifyComponent$IActivityCallback; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.taobao.wireless.security.sdk.ui.VerifyActivity;->b()I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.taobao.wireless.security.sdk.ui.VerifyActivity;->onStart()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.taobao.wireless.security.sdk.ui.b;->onTouch(Landroid/view/View; Landroid/view/MotionEvent;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.taobao.wireless.security.sdk.ui.e;->handleMessage(Landroid/os/Message;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I

中危

检测到3个WebView远程执行漏洞。

位置: classes3.dex
com.alipay.mobile.nebulacore.web.H5WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V

位置: lib/armeabi/libandroid-phone-wallet-nebulauc.so
com.uc.webview.export.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.alipay.mobile.nebulauc.impl.UCWebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V

Android API < 17之前版本存在远程代码执行安全漏洞,该漏洞源于程序没有正确限制使用addJavaScriptInterface方法,攻击者可以通过Java反射利用该漏洞执行任意Java对象的方法,导致远程代码执行安全漏洞。
(1)API等于高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

中危

检测到426条敏感明文信息,建议移除。

位置: classes.dex
'10.0.0.172' used in: Lcom/alipay/mobile/common/utils/ConnectionUtil;->getWapIP()Ljava/lang/String;
'http://%s.tinyapp.alipay.com' used in: Lcom/alipay/mobile/liteprocess/perf/PerformanceLogger;->test(Ljava/lang/String;)V
'http://%s/rest/api3.do?' used in: Lcom/taobao/android/ssologinwrapper/utils/Utils;->a(Ljava/lang/String;)V
'http://(\\d{1,3}\\.){3}\\d{1,3}/generate_204' used in: Lcom/ali/money/shield/mssdk/antivirus/util/a;->b(Ljava/util/List;)Ljava/util/List;
'http://@' used in: Lcom/alibaba/wlc/sms/a/d;->a(Ljava/lang/String;)Ljava/util/List;
'http://abroad.apilocate.amap.com/mobile/binary' used in: Lcom/loc/cs;->a(Landroid/content/Context;)V
'http://abroad.apilocate.amap.com/mobile/binary' used in: Lcom/loc/cs;->d(Landroid/content/Context;)V
'http://abroad.apilocate.amap.com/mobile/binary' used in: Lcom/loc/cl;->a(Lcom/loc/co;)V
'http://abroad.apilocate.amap.com/mobile/binary' used in: Lcom/loc/cx;->a(Lcom/amap/api/location/AMapLocation;)Z
'http://adash.m.taobao.com/rest/sur' used in: Lcom/alibaba/analytics/core/Constants;->()V
'http://amdc.alipay.com/query' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->()V
'http://api.m.taobao.com/rest/api3.do?' used in: Lcom/taobao/android/ssologinwrapper/utils/Utils;->()V
'http://api.m.taobao.com/rest/api3.do?api=mtop.common.getTimestamp' used in: Lcom/alibaba/analytics/core/logbuilder/TimeStampAdjustMgr;->()V
'http://apilocate.amap.com/mobile/binary' used in: Lcom/loc/cs;->()V
'http://apilocate.amap.com/mobile/binary' used in: Lcom/loc/cs;->d(Landroid/content/Context;)V
'http://apilocatesrc.amap.com/mobile/binary' used in: Lcom/loc/cl;->b(Lcom/loc/co;)V
'http://apilocatesrc.amap.com/mobile/binary' used in: Lcom/loc/cl;->a(Lcom/loc/co;)V
'http://cgicol.amap.com/collection/writedata?ver=v1.0_ali&' used in: Lcom/loc/ce;->a(Lcom/loc/ce; I)V
'http://d.alipay.net/cpbSign/add.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCpbSignAddCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'http://d.alipay.net/cpbSign/add.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCpbSignAddCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'http://d.alipay.net/cpbSign/nonsupport.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getNonsupportCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'http://d.alipay.net/cpbSign/nonsupport.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getNonsupportCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'http://mali.alipay.com/batch_payment.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getInnerBatchPayPrefix2(Landroid/content/Context;)Ljava/lang/String;
'http://mali.alipay.com/w/trade_pay.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getInnerSinglePayPrefix2(Landroid/content/Context;)Ljava/lang/String;
'http://maliprod.alipay.com/batch_payment.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getInnerBatchPayPrefix1(Landroid/content/Context;)Ljava/lang/String;
'http://maliprod.alipay.com/w/trade_pay.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getInnerSinglePayPrefix1(Landroid/content/Context;)Ljava/lang/String;
'http://mdap-1-64.test.alipay.net' used in: Lcom/alipay/mobile/common/logging/LogContextImpl;->getLogHost()Ljava/lang/String;
'http://mdap-1-64.test.alipay.net' used in: Lcom/alipay/mobile/common/logging/LogContextImpl;->getLogHost()Ljava/lang/String;
'http://mdap.alipay.com/loggw/log.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getStatisticsUrl(Landroid/content/Context;)Ljava/lang/String;
'http://mdap.alipaylog.com' used in: Lcom/alipay/mobile/common/logging/LogContextImpl;->getLogHost()Ljava/lang/String;
'http://mdap.alipaylog.com/loggw/extLog.do' used in: Lcom/alipay/mobile/logmonitor/util/upload/UploadConstants;->a(Z)Ljava/lang/String;
'http://mdap.alipaylog.com/loggw/report_diangosis_upload_status.htm' used in: Lcom/alipay/mobile/logmonitor/util/upload/UploadConstants;->b(Z)Ljava/lang/String;
'http://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/android/app/trans/config/RequestConfig;->A()V
'http://muvp.alibaba-inc.com/online/UploadRecords.do' used in: Lcom/ut/mini/internal/RealtimeDebugSwitch;->onActivityCreated(Landroid/app/Activity; Landroid/os/Bundle;)V
'http://restapi.amap.com' used in: Lcom/loc/q;->a(Landroid/content/Context;)Ljava/net/Proxy;
'http://restapi.amap.com/v3/config/district?' used in: Lcom/loc/a;->f(Landroid/os/Bundle;)V
'http://restapi.amap.com/v3/geocode/regeo' used in: Lcom/loc/bu;->a(D D)Lcom/autonavi/aps/amapapi/model/AMapLocationServer;
'http://restapi.amap.com/v3/iasdkauth' used in: Lcom/loc/l$b;->c()Ljava/lang/String;
'http://restapi.amap.com/v3/place/around?' used in: Lcom/loc/a;->d(Landroid/os/Bundle;)V
'http://restapi.amap.com/v3/place/text?' used in: Lcom/loc/a;->e(Landroid/os/Bundle;)V
'http://schemas.android.com/apk/res/android' used in: Landroid/support/graphics/drawable/TypedArrayUtils;->hasAttribute(Lorg/xmlpull/v1/XmlPullParser; Ljava/lang/String;)Z
'http://schemas.android.com/apk/res/android' used in: Lcom/taobao/android/sso/internal/Authenticator;->a(Lorg/xmlpull/v1/XmlPullParser;)Ljava/lang/String;
'http://www.donotshow.me/instead' used in: Lcom/alipay/mobile/logmonitor/analysis/TrafficPowerHandler;->a(Lcom/alipay/mobile/common/logging/api/monitor/DataflowModel;)Lcom/alipay/mobile/logmonitor/analysis/traffic/TrafficRecord;
'https://%s/rest/api3.do?' used in: Lcom/taobao/android/ssologinwrapper/utils/Utils;->a(Ljava/lang/String;)V
'https://api.foursquare.com/v2/venues/search?client_id=' used in: Lcom/alipay/mobilelbs/biz/impl/GeocodeServiceImpl;->doSearchPoiByFoursquare(Landroid/content/Context; Lcom/alipay/mobile/framework/service/OnPoiSearchListener; Lcom/alipay/mobile/map/model/SearchPoiRequest;)V
'https://api.m.taobao.com/rest/api3.do?' used in: Lcom/taobao/android/ssologinwrapper/utils/Utils;->()V
'https://applog.uc.cn/collect?chk=' used in: Lcom/uc/crashsdk/a/k;->b(Ljava/lang/String; Ljava/lang/String;)Z
'https://ccdcapi.alipay.com/cacheWapCardInfo.json' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCcdcURL(Landroid/content/Context;)Ljava/lang/String;
'https://clientsc.alipay.com/account/gateway.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getPoliceCenterUrl(Landroid/content/Context;)Ljava/lang/String;
'https://cschannel.alipay.com/mobile/csrouter.htm?platform=android' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getRobotUrl(Landroid/content/Context;)Ljava/lang/String;
'https://d.alipay.com' used in: Lcom/alipay/mobile/phonecashier/service/util/PhoneCashierUtil;->a(Ljava/lang/String; Landroid/app/Activity;)V
'https://d.alipay.com' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCmsHost(Landroid/content/Context;)Ljava/lang/String;
'https://d.alipay.com/agreement/zw.htm' used in: Lcom/alipay/android/app/assist/MspUtilInterfaceImpl;->startFingerprintProtocol()V
'https://d.alipay.com/cpbSign/add.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCpbSignAddCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'https://d.alipay.com/cpbSign/nonsupport.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getNonsupportCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'https://d.alipay.com/i/update.htm' used in: Lcom/alipay/mobile/framework/service/common/SchemeService;->()V
'https://d.alipay.com/mbresultyy/prc.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getCmsUrl(Landroid/content/Context;)Ljava/lang/String;
'https://d.alipay.com/mbresultyy/public.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getPublicUrl(Landroid/content/Context;)Ljava/lang/String;
'https://ds.alipay.com/help/qqshare.htm' used in: Lcom/alipay/mobile/common/share/ShareInitVavle$3;->isFilter(I Lcom/alipay/mobile/common/share/ShareContent;)Z
'https://ds.alipay.com/help/qqshare.htm' used in: Lcom/alipay/mobile/common/share/ShareInitVavle$4$1;->onFailed(I Ljava/lang/String;)V
'https://ds.alipay.com/help/wxshare.htm' used in: Lcom/alipay/mobile/common/share/ShareInitVavle$3;->isFilter(I Lcom/alipay/mobile/common/share/ShareContent;)Z
'https://ds.alipay.com/help/wxshare.htm' used in: Lcom/alipay/mobile/common/share/ShareInitVavle$4$1;->onFailed(I Ljava/lang/String;)V
'https://gjapplog.uc.cn/collect?chk=' used in: Lcom/uc/crashsdk/a/k;->b(Ljava/lang/String; Ljava/lang/String;)Z
'https://mcgw.alipay.com/sdklog.do' used in: Lcom/alipay/android/app/statistic/SDKConfig;->()V
'https://mclient.alipay.com/gateway.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getSafePayServerUrl(Landroid/content/Context;)Ljava/lang/String;
'https://mclient.alipay.com/gateway.do' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->()V
'https://mdap.alipay.com' used in: Lcom/alipay/mobile/common/logging/LogContextImpl;->getLogHost()Ljava/lang/String;
'https://mdap.alipay.com/loggw/eggExtLog.do' used in: Lcom/alipay/mobile/logmonitor/util/upload/UploadConstants;->a(Z)Ljava/lang/String;
'https://mdap.alipay.com/loggw/report_egg_diangosis_upload_status.htm' used in: Lcom/alipay/mobile/logmonitor/util/upload/UploadConstants;->b(Z)Ljava/lang/String;
'https://mdap.alipay.com/loggw/sdkLogUpload.do' used in: Lcom/alipay/android/phone/inside/log/LogUploader;->getLogUrl()Ljava/lang/String;
'https://mdap.alipay.com/loggw/tinyapp/queryConfig.do' used in: Lcom/alipay/mobile/logging/TinyLoggingConfigManager;->syncRequestLogConfig(Ljava/lang/String; Ljava/lang/String;)V
'https://mdap.alipay.com/loggw/tinyapp/testLogUpload.do' used in: Lcom/alipay/mobile/logging/TinyLoggingConfigManager;->uploadByAppId(Ljava/lang/String; Ljava/lang/String;)V
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/android/phone/inside/common/setting/InsideSetting;->getMobilegwUrl()Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/android/app/trans/config/RequestConfig;->A()V
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->()V
'https://mobiletestabc.alipaydev.com/mobilegw/net/mgw.htm' used in: Lcom/alipay/mobile/base/config/impl/ChannelConfigImpl;->attachContext(Lcom/alipay/mobile/framework/MicroApplicationContext;)V
'https://o.alipay.com/o2o/agreement.htm' used in: Lcom/koubei/mobile/launcher/TabLauncherFragment$13;->doReadAgreement()V
'https://o.alipay.com/o2o/agreement.htm' used in: Lcom/koubei/mobile/authlogin/activity/f;->onClick(Landroid/view/View;)V
'https://o.alipay.com/o2o/agreement.htm' used in: Lcom/koubei/mobile/authlogin/activity/m;->onClick(Landroid/view/View;)V
'https://o.alipay.com/o2o/agreement.htm' used in: Lcom/koubei/mobile/launcher/KbTabLauncherFragment$7;->doReadAgreement()V
'https://qd.alibaba.com/zt/alipayxposed/' used in: Lcom/alipay/mobile/base/security/e;->onClick(Landroid/content/DialogInterface; I)V
'https://render.alipay.com/p/s/i/' used in: Lcom/koubei/mobile/authlogin/activity/n;->onClick(Landroid/content/DialogInterface; I)V
'https://render.alipay.com/p/s/upload-applog/index' used in: Lcom/alipay/mobile/commonbiz/eggs/EggAppLogUploadUtils;->getUploadApplogEggPageUrl()Ljava/lang/String;
'https://render.alipay.com/p/s/voice-push/index?issue=process&source=local_push' used in: Lcom/alipay/android/launcher/notify/StartupSlowClickReceiver;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V
'https://restapi.amap.com/v3/iasdkauth' used in: Lcom/loc/l$b;->c()Ljava/lang/String;
'https://wapcashier.alipay.com/home/resetPayPwd.htm?src=alipayclient&awid=' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getForgetPayPWD(Landroid/content/Context;)Ljava/lang/String;
'https://wappaygw.alipay.com/service/rest.htm' used in: Lcom/alipay/mobile/common/helper/ReadSettingServerUrl;->getOuterPayPrefix(Landroid/content/Context;)Ljava/lang/String;
'https://woodpecker.uc.cn/api/crashsdk/validate' used in: Lcom/uc/crashsdk/a/f;->h()Ljava/lang/String;
'javascript:alipayjsbridgeH5BackAction()' used in: Lcom/alipay/android/app/flybird/ui/window/MiniWebActivityAdapter;->a(Lcom/alipay/android/app/flybird/ui/window/MiniWebActivityAdapter; Ljava/lang/String;)V
"javascript:window.AlipayJSBridge.callListener('%s','%s', '%s');" used in: Lcom/alipay/android/app/flybird/ui/window/ab;->onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V
"javascript:window.AlipayJSBridge.callListener('%s','%s', '%s');" used in: Lcom/alipay/android/app/flybird/ui/window/MiniWebActivityAdapter;->()V
"javascript:window.prompt(''+document.getElementsByTagName('html')[0].innerHTML+'');" used in: Lcom/alipay/android/app/flybird/ui/window/ab;->onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V

位置: classes2.dex
'10.0.0.172' used in: Lcom/alipay/mobile/common/transport/utils/ConnectionUtil;->getWapIP()Ljava/lang/String;
'10.0.0.172' used in: Lcom/alipay/mobile/common/transport/TransportStrategy;->()V
'10.0.0.200' used in: Lcom/alipay/mobile/common/transport/TransportStrategy;->()V
'file:///[asset]/' used in: Lcom/alipay/android/phone/mobilecommon/multimediabiz/biz/utils/PathUtils;->isAlipayAssetsFile(Ljava/lang/String;)Z
'file:///[asset]/material/icons/' used in: Lcom/alipay/android/phone/mobilecommon/multimediabiz/biz/material/MaterialManager;->fillAssetsPresetResources(Lcom/alipay/android/phone/mobilecommon/multimedia/material/APBizMaterialPackage;)V
'file:///android_asset/html/nav/facewelcome.html' used in: Lcom/alipay/mobile/security/faceauth/circle/fragment/c;->handleMessage(Landroid/os/Message;)V
'file:///android_asset/html/nav/facewelcome.html' used in: Lcom/alipay/mobile/security/faceauth/circle/fragment/NavigationFragment;->onResume()V
'file:///android_asset/html/nav/facewelcome.html' used in: Lcom/alipay/mobile/security/faceauth/ui/bank/WebNavigationActivity;->onCreate(Landroid/os/Bundle;)V
'file:///android_asset/html/nav/facewelcome.html' used in: Lcom/alipay/mobile/security/faceauth/ui/bank/l;->handleMessage(Landroid/os/Message;)V
'http://%1$s/%2$s' used in: Lcom/alipay/android/phone/mobilecommon/multimediabiz/biz/client/api/infos/BaseApiInfo;->getApi()Ljava/lang/String;
'http://%1$s/%2$s' used in: Lcom/alipay/android/phone/mobilecommon/multimediabiz/biz/client/api/infos/BaseApiInfo;->getUrlApi()Ljava/lang/String;
'http://101.37.227.74:8440/Tsm/Handset/XRohPullServlet?Action=delete&serviceid=41&sep=41&sei=2B0601040181F861' used in: Lcom/alipay/android/phone/seauthenticator/iotauth/tsm/TSMAdapter$2;->run()V
'http://101.37.227.74:8440/Tsm/Handset/XRohPullServlet?Action=install&serviceid=41&sep=41&sei=2B0601040181F861' used in: Lcom/alipay/android/phone/seauthenticator/iotauth/tsm/TSMAdapter$3;->run()V
'http://amdc.alipay.com/query' used in: Lcom/alipay/mobile/common/transport/utils/ReadSettingServerUrl;->()V
'http://d.m.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'http://d.wapa.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'http://d.waptest.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'http://mdap.alipaylog.com/loggw/report_diangosis_upload_status.htm' used in: Lcom/alipay/pushsdk/net/http/biz/MonitorState;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
'http://mobilecns.alipay.com' used in: Lcom/alipay/pushsdk/util/Constants;->d()Ljava/lang/String;
'http://mobilegw.dev03.alipay.net/mgw.htm' used in: Lcom/alipay/mobile/security/faceauth/service/impl/FaceRpcServiceImpl;->init()V
'http://mobilegw.dev03.alipay.net/mgw.htm' used in: Lcom/alipay/mobile/security/faceauth/service/impl/FaceRpcServiceImpl;->init()V
'http://mugw.alipay.com:443' used in: Lcom/alipay/mobile/common/nbnet/biz/util/URLConfigUtil;->()V
'http://s.tb.cn' used in: Lcom/alipay/ma/analyze/a/a;->()V
'http://schemas.android.com/apk/res-auto' used in: Lcom/alipay/mobile/commonui/widget/FontSizeSlider;->setAttributes(Landroid/util/AttributeSet;)V
'http://schemas.android.com/apk/res/android' used in: Lcom/alipay/mobile/commonui/widget/APTextView;->a(Landroid/content/Context; Landroid/util/AttributeSet;)V
'http://schemas.android.com/apk/res/android' used in: Lcom/alipay/mobile/commonui/widget/FontSizeSlider;->setAttributes(Landroid/util/AttributeSet;)V
'http://www.taobao.com' used in: Lcom/alipay/mobile/securitycommon/aliauth/GeneralAuthWorker;->b(Landroid/os/Bundle;)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_saoyisao_yichang&questionId=201602124461' used in: Lcom/koubei/mobile/o2o/scan/config/KoubeiScanConfigs;->getExtentionConfigs()Ljava/util/Map;
'https://csmobile.alipay.com/hall/tips.htm?scene=mbill_tips&errorCode=MBILL_TIPS&bizNo=' used in: Lcom/koubei/mobile/o2o/commonbiz/payer/PaySuccessActivity;->onCreate(Landroid/os/Bundle;)V
'https://csmobile.alipay.com/hall/tips.htm?scene=mbill_tips&errorCode=MBILL_TIPS&bizNo=' used in: Lcom/koubei/mobile/o2o/commonbiz/paysuccess/activity/OnlinepaySuccessActivity;->onCreate(Landroid/os/Bundle;)V
'https://d.alipay.com/agreement/zw.html' used in: Lcom/alipay/android/phone/seauthenticator/iotauth/recommend/h;->onClick(Landroid/view/View;)V
'https://d.alipay.com/i/update.htm' used in: Lcom/koubei/mobile/o2o/commonbiz/service/impl/NewSchemeServiceImpl;->process(Landroid/net/Uri; Z)I
'https://d.m.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'https://d.wapa.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'https://d.waptest.taobao.com/goAlipay.htm?' used in: Lcom/koubei/mobile/o2o/nebulabiz/KouBeiPayPlugin;->initPayUrls()V
'https://gw.alipayobjects.com/os/nebulamng/AP_20000196-sign/3870x0jsih.amr' used in: Lcom/koubei/mobile/o2o/nebulabiz/appcenter/H5AppCenterPresetProviderImpl;->()V
'https://i.alipayobjects.com/' used in: Lcom/alipay/security/mobile/fingerprint/samsung/SamsungFingerPrintsOperation;->()V
'https://mali.alipay.com/batch_payment.do' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://mali.alipay.com/w/trade_pay.do' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://maliprod.alipay.com/batch_payment.do' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://maliprod.alipay.com/w/trade_pay.do' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://manifest.long.alipay.net:8443/' used in: Lcom/alipay/fido/message/Setting;->()V
'https://manifest.long.alipay.net:8443/' used in: Lcom/alipay/fido/message/Setting;->()V
'https://mclient.alipay.com/home/exterfaceAssign.htm' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://mobilecns.alipay.com' used in: Lcom/alipay/pushsdk/util/Constants;->e(Landroid/content/Context;)Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/ali/user/mobile/adapter/impl/AdapterHelper;->getMobilegw()Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/ali/user/mobile/adapter/impl/DefaultMobilegwAdapterImpl;->getMobilegw()Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/mobile/common/transport/utils/ReadSettingServerUrl;->()V
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/mobile/common/transportext/biz/shared/ExtTransportStrategy;->getSpdyUrl(Landroid/content/Context;)Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/security/mobile/util/AlipayWalletUtil;->isOnline()Z
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/ali/user/mobile/rpc/AlipayRpcConfig;->getUrl()Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/android/phone/falcon/upload/NetworkUtil;->isOnline(Landroid/content/Context;)Z
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/ali/user/mobile/rpc/AlipayRpcFactory;->(Landroid/content/Context; Ljava/lang/String;)V
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/pushsdk/util/PushRpcConfig;->a(Landroid/content/Context;)Ljava/lang/String;
'https://mobilegw.alipay.com/mgw.htm' used in: Lcom/alipay/mobile/common/transport/config/TransportConfigureItem;->()V
'https://mobileic.alipay.com/mic/common/fingerprintRegister.json' used in: Lcom/alipay/android/phone/seauthenticator/iotauth/recommend/b;->callback(Lcom/alipay/security/mobile/auth/message/AuthenticatorResponse;)V
'https://promotion.alipay.com/mgw.htm' used in: Lcom/alipay/mobile/common/transport/config/TransportConfigureItem;->()V
'https://render.alipay.com/p/f/fd-iztow1fi/index.html' used in: Lcom/ali/user/mobile/register/ui/RegPurePhoneActivity;->onCreate(Landroid/os/Bundle;)V
'https://render.alipay.com/p/f/fd-jc8nl2ej/index.html' used in: Lcom/koubei/mobile/o2o/commonbiz/kbpayer/g;->onClick(Landroid/view/View;)V
'https://s.tb.cn' used in: Lcom/alipay/ma/analyze/a/a;->()V
'https://t.alipayobjects.com/L1/71/900/androidSec/Alipaysec_common.apk' used in: Lcom/alipay/security/mobile/bracelet/xiaomi/XiaomiAuthenticator;->()V
'https://t.alipayobjects.com/L1/71/900/androidSec/Alipaysec_common.apk' used in: Lcom/alipay/security/mobile/auth/AuthenticatorFactory;->alipayFingerprintSolution(Landroid/content/Context;)Lcom/alipay/security/mobile/auth/IAuthenticator;
'https://tms.alicdn.com/go/chn/member/agreement.php' used in: Lcom/ali/user/mobile/register/ui/RegPurePhoneActivity;->onCreate(Landroid/os/Bundle;)V
'https://wappaygw.alipay.com/home/exterfaceAssign.htm' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://wappaygw.alipay.com/service/rest.htm' used in: Lcom/koubei/mobile/o2o/nebulabiz/util/H5PayUtil;->initDefaultConfig()V
'https://www.alipay.com/' used in: Lcom/koubei/mobile/o2o/nebulabiz/process/H5EventHandlerServiceImpl;->initCookie()V
'https://www.alipay.com/webviewbridge' used in: Lcom/ali/user/mobile/util/StringUtil;->addSecurityCallbackToUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://www.alipay.com/webviewbridge' used in: Lcom/ali/user/mobile/util/StringUtil;->addCallbackToUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://www.alipay.com/webviewbridge' used in: Lcom/ali/user/mobile/h5/AUH5Plugin;->checkWebviewBridge(Ljava/lang/String;)Z
'https://www.alipay.com/webviewbridge' used in: Lcom/ali/user/mobile/h5/H5Wrapper;->startPage(Ljava/lang/String; Lcom/ali/user/mobile/h5/AUH5Plugin;)V
'https://www.alipay.com/webviewbridge' used in: Lcom/ali/user/mobile/util/StringUtil;->addCallbackToUrl(Ljava/lang/String;)Ljava/lang/String;
"javascript:location.replace('" used in: Lcom/koubei/mobile/o2o/nebulabiz/H5AuthPlugin$2$1;->run()V
"javascript:setUserName('" used in: Lcom/alipay/mobile/security/faceauth/ui/bank/WebNavigationActivity$NavWebViewClient;->onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V
"javascript:setUserName('" used in: Lcom/alipay/android/phone/falcon/IDFace/IDFaceWebViewClient;->onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V
"javascript:setUserName('" used in: Lcom/alipay/mobile/security/faceauth/circle/fragment/NavWebViewClient;->onPageFinished(Landroid/webkit/WebView; Ljava/lang/String;)V
'www.baidu.com' used in: Lcom/alipay/mobile/common/transportext/amnet/AmnetDetect;->execute(Lcom/alipay/mobile/common/transportext/amnet/Configuration$Address; Lcom/alipay/mobile/common/transportext/amnet/NetTest;)V
'www.taobao.com' used in: Lcom/alipay/mobile/common/transportext/biz/diagnose/network/NetworkDiagnoseUtil;->sysProxy(Lcom/alipay/mobile/common/transportext/biz/diagnose/network/Configuration$Address; Z)Lcom/alipay/mobile/common/transportext/biz/diagnose/network/Configuration$Address;
'www.taobao.com' used in: Lcom/alipay/mobile/common/transportext/biz/diagnose/network/NetworkDiagnose;->launch()V
'www.taobao.com' used in: Lcom/alipay/mobile/common/transportext/biz/diagnose/network/NetworkCheck;->checkNetwork()V
'www.taobao.com' used in: Lcom/alipay/mobile/common/transportext/biz/diagnose/network/Traceroute$PingInf;->()V
'www.taobao.com' used in: Lcom/alipay/mobile/common/transportext/biz/diagnose/network/PingRoute$PingInf;->()V

位置: classes3.dex
'KOUBEI@GuessListResolver.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/MayLikeFoldedResolver;->resolve(Lcom/koubei/android/mist/api/TemplateContext; Lcom/koubei/android/mist/api/IResolver$ResolverHolder;)Z
'KOUBEI@GuessListResolver.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/MayLikeActiveResolver;->resolve(Lcom/koubei/android/mist/api/TemplateContext; Lcom/koubei/android/mist/api/IResolver$ResolverHolder;)Z
'KOUBEI@GuessListResolver.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/MayLikeKbResolver;->a(Landroid/view/View; Lcom/alibaba/fastjson/JSONObject;)V
'KOUBEI@GuessListResolver.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/MayLikeResolver;->resolve(Lcom/koubei/android/mist/api/TemplateContext; Lcom/koubei/android/mist/api/IResolver$ResolverHolder;)Z
'KOUBEI@MayLikeDetailResolver.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/MayLikeDetailResolver;->getItemView(Landroid/view/ViewGroup; Lcom/alipay/android/phone/discovery/o2ohome/koubei/node/LabelTitleBar$LabelItem; Z)Landroid/view/View;
'KOUBEI@PageWithTabsBlock.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/OneColResolver;->getItemView(Landroid/view/ViewGroup; Lcom/alipay/android/phone/discovery/o2ohome/koubei/node/LabelTitleBar$LabelItem; Z)Landroid/view/View;
'KOUBEI@PageWithTabsBlock.item' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/HeadLineResolver;->getItemView(Landroid/view/ViewGroup; Lcom/alipay/android/phone/discovery/o2ohome/koubei/node/LabelTitleBar$LabelItem; Z)Landroid/view/View;
'KOUBEI@TabBlock.item' used in: Lcom/alipay/android/phone/discovery/o2o/detail/resolver/DynamicTabResolver;->buildTabItem(Landroid/view/ViewGroup; Landroid/view/View; Ljava/lang/Object;)Landroid/view/View;
'KOUBEI@detail_fast_group_voucher_tab.item' used in: Lcom/alipay/android/phone/discovery/o2o/detail/resolver/DynamicFastGroupVoucherResolver;->buildTabItem(Landroid/view/ViewGroup; Landroid/view/View; Ljava/lang/Object;)Landroid/view/View;
'KOUBEI@detail_fast_recommend_voucher_tab.item' used in: Lcom/alipay/android/phone/discovery/o2o/detail/resolver/DynamicFastRecommendVoucherResolver;->buildTabItem(Landroid/view/ViewGroup; Landroid/view/View; Ljava/lang/Object;)Landroid/view/View;
'data:image' used in: Lcom/alipay/android/phone/o2o/o2ocommon/h5bridge/StandalonePlugin;->handleEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'data:image/gif;base64,' used in: Lcom/alipay/mobile/nebula/util/H5ImageUtil;->()V
'data:image/jpeg;base64,' used in: Lcom/alipay/mobile/nebula/util/H5ImageUtil;->()V
'data:image/png;base64,' used in: Lcom/alipay/mobile/nebula/util/H5ImageUtil;->()V
'data:image/x-icon;base64,' used in: Lcom/alipay/mobile/nebula/util/H5ImageUtil;->()V
'file:///' used in: Lcom/alipay/mobile/nebula/util/H5UrlHelper;->getOnlineHost(Ljava/lang/String;)Ljava/lang/String;
'file:///[asset]/' used in: Lcom/alipay/mobile/beehive/service/impl/FinChannelIconServiceImpl;->getFileUri(Ljava/lang/String;)Ljava/lang/String;
'file:///[asset]/' used in: Lcom/alipay/android/phone/o2o/common/view/O2OCommentSmileGradePlusView;->smilingShow(I)V
'http://api.m.taobao.com/rest/api3.do' used in: Landroid/taobao/service/appdevice/util/MTopUtils;->getMTopUrl(Landroid/content/Context;)Ljava/lang/String;
'http://api.wapa.taobao.com/rest/api3.do' used in: Landroid/taobao/service/appdevice/util/MTopUtils;->getMTopUrl(Landroid/content/Context;)Ljava/lang/String;
'http://api.waptest.taobao.com/rest/api3.do' used in: Landroid/taobao/service/appdevice/util/MTopUtils;->getMTopUrl(Landroid/content/Context;)Ljava/lang/String;
'http://apiinit.amap.com/v3/log/init' used in: Lcom/amap/api/mapcore/util/ff;->()V
'http://grid.amap.com/grid/%d/%d/%d?dpiType=webrd&lang=zh_cn&pack=%s&ds=0' used in: Lcom/amap/api/mapcore/util/v$1;->a(I I I)Ljava/lang/String;
'http://h5test.inc.alipay.net/case/index.html?__webview_options__=so%3DNO%26pd%3DNO' used in: Lcom/alipay/mobile/nebulacore/dev/ui/H5DevSettingFragment$11;->onClick(Landroid/view/View;)V
'http://h5test.inc.alipay.net/case/index.html?__webview_options__=so%3DNO%26pd%3DNO' used in: Lcom/alipay/mobile/nebulacore/dev/ui/H5DevSettingFragment$11;->onClick(Landroid/view/View;)V
'http://h5test.inc.alipay.net/perf/h5performance.html' used in: Lcom/alipay/mobile/nebulacore/dev/ui/H5DevSettingFragment$7;->onClick(Landroid/view/View;)V
'http://h5test.inc.alipay.net/perf/h5performance.html' used in: Lcom/alipay/mobile/nebulacore/dev/ui/H5DevSettingFragment$7;->onClick(Landroid/view/View;)V
'http://logs.amap.com/ws/log/upload?product=%s&type=%s&platform=%s&channel=%s&sign=%s' used in: Lcom/amap/api/mapcore/util/fp;->()V
'http://m.amap.com/detail/index/poiid=%s&src=alipay' used in: Lcom/alipay/mobile/beehive/poiselect/api/PoiItemExt;->buildUrl(Z)Ljava/lang/String;
'http://m.koubei.com/app' used in: Lcom/alipay/android/phone/discovery/o2o/detail/helper/O2OShareService;->()V
'http://mps.amap.com' used in: Lcom/amap/api/mapcore/util/a;->getMapSvrAddress()Ljava/lang/String;
'http://patriot.cs.pp.cn/api/resource.app.detect' used in: Lcom/alipay/mobile/nebulacore/util/H5PPQueryThread;->()V
'http://restapi.amap.com' used in: Lcom/amap/api/mapcore/util/fk;->a(Landroid/content/Context;)Ljava/net/Proxy;
'http://restapi.amap.com/v3/grasproad?' used in: Lcom/amap/api/mapcore/util/ey;->c()Ljava/lang/String;
'http://restapi.amap.com/v3/indoor/indoormaps' used in: Lcom/autonavi/amap/mapcore/IndoorMapLoader;->getMapAddress()Ljava/lang/String;
'http://schemas.android.com/apk/res/android' used in: Lcom/alipay/mobile/antui/basic/AUTextView;->initSelfDefAttrs(Landroid/content/Context; Landroid/util/AttributeSet;)V
'http://schemas.android.com/apk/res/android' used in: Lcom/alipay/android/phone/o2o/lifecircle/widget/SlidingTabLayout;->(Landroid/content/Context; Landroid/util/AttributeSet; I)V
'http://wap.amap.com/' used in: Lcom/alipay/mobile/beehive/util/MapUtil;->startNaviApp(Landroid/content/Context; Ljava/lang/String; D D Ljava/lang/String;)V
'http://wap.amap.com/' used in: Lcom/amap/api/maps/AMapUtils;->getLatestAMapApp(Landroid/content/Context;)V
'http://www.sj88.com/attachments/201412/26/13/1s7vdu1do.jpg' used in: Lcom/alipay/mobile/beehive/photo/ui/ax;->execute([Ljava/lang/Object;)Lcom/alipay/mobile/beehive/photo/data/PhotoResult;
'http://www.sj88.com/attachments/201412/26/13/1s7vdu1do.jpg' used in: Lcom/alipay/mobile/beehive/photo/ui/aw;->execute([Ljava/lang/Object;)Lcom/alipay/mobile/beehive/photo/data/PhotoResult;
'http://www.sj88.com/attachments/201412/26/13/1s7vdu1do.jpg' used in: Lcom/alipay/mobile/beehive/photo/ui/RemotePhotoGridActivity;->onCreate(Landroid/os/Bundle;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/ta/utdid2/b/a/e;->a(Ljava/util/Map; Ljava/io/OutputStream;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/ta/utdid2/b/a/a;->setFeature(Ljava/lang/String; Z)V
'https://a.alipayobjects.com/bridgeapi/1.0/jsready.js' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://alipay.com/h5container/redirect_link.html' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://alipay.com/h5container/security_link.html' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://alipay.com/h5container/un_safe.html' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://alipay.com/h5container/un_safe.html' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Lcom/alipay/mobile/h5container/api/H5Event;)Z
'https://alipay.com/h5container/white_link.html' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://androidquery.appspot.com' used in: Lcom/androidquery/service/MarketService;->c()Ljava/lang/String;
'https://appx' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->getContent(Landroid/net/Uri; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page; Z Z)Landroid/webkit/WebResourceResponse;
'https://appx/af-appx.min.js' used in: Lcom/alipay/mobile/nebulacore/web/H5WebViewClient;->(Lcom/alipay/mobile/nebulacore/core/H5PageImpl;)V
'https://audid-api.taobao.com/v2.0/a/audid/req/' used in: Lcom/ta/audid/f/g;->a(Ljava/lang/String;)Z
'https://bugme.anyproxy.io:5680' used in: Lcom/alipay/mobile/nebulacore/dev/provider/H5DevPlugin;->interceptEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://d.alipay.com' used in: Lcom/alipay/mobile/nebula/util/H5Utils$1;->()V
'https://d.alipay.com/360down/download.htm' used in: Lcom/alipay/mobile/framework/service/ext/security/QihooGuardService;->openQihooDownload()V
'https://d.alipay.com/i/index.htm?iframeSrc=' used in: Lcom/alipay/android/phone/discovery/o2o/comment/helper/ShareHelper;->a(I)Lcom/koubei/android/o2oadapter/api/share/IShare$ShareConfig;
'https://d.alipay.com/i/index.htm?iframeSrc=' used in: Lcom/alipay/android/phone/o2o/lifecircle/util/QuestionDetailShareUtil;->a(I)Lcom/koubei/android/o2oadapter/api/share/IShare$ShareConfig;
'https://ds.alipay.com' used in: Lcom/alipay/mobile/nebula/util/H5Utils$1;->()V
'https://ds.alipay.com/?nojump=true&from=alipass' used in: Lcom/alipay/mobile/alipassapp/ui/common/r;->onClick()V
'https://ds.alipay.com/?nojump=true&from=o2o' used in: Lcom/alipay/android/phone/discovery/o2o/detail/helper/DetailUtils$1$1;->onClick()V
'https://ds.alipay.com/?nojump=true&from=o2o' used in: Lalipassdetail/d/c;->onClick()V
'https://ds.alipay.com/?scheme=' used in: Lcom/alipay/mobile/nebulacore/plugin/H5PagePlugin;->handleEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://ds.alipay.com/error/redirectLink.htm' used in: Lcom/alipay/mobile/nebulacore/plugin/H5ClipboardPlugin;->setClipboard(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)V
'https://ds.alipay.com/error/redirectLink.htm' used in: Lcom/alipay/mobile/nebulacore/plugin/H5PagePlugin;->handleEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://ds.alipay.com/error/redirectLink.htm?url=' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Lcom/alipay/mobile/h5container/api/H5Event;)Z
'https://ds.alipay.com/error/securityLink.htm' used in: Lcom/alipay/mobile/nebulacore/plugin/H5ClipboardPlugin;->setClipboard(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)V
'https://ds.alipay.com/error/securityLink.htm' used in: Lcom/alipay/mobile/nebulacore/plugin/H5PagePlugin;->handleEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://ds.alipay.com/error/securityLink.htm?url=' used in: Lcom/alipay/mobile/nebulacore/plugin/H5ApkLoadPlugin;->interceptEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://ds.alipay.com/error/securityLink.htm?url=' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Lcom/alipay/mobile/h5container/api/H5Event;)Z
'https://ds.alipay.com/error/securityLink.htm?url=' used in: Lcom/alipay/mobile/nebulacore/core/H5PageImpl;->a(Lcom/alipay/mobile/nebulacore/core/H5PageImpl; Ljava/lang/String;)V
'https://ds.alipay.com/fd-in15xm06/index.html' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Ljava/lang/String; Ljava/lang/String;)Z
'https://entphz.alipay.com/postToken.json' used in: Lcom/alipay/apmobilesecuritysdk/proxydetect/EntpClient;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V
'https://entpsz.alipay.com/postToken.json' used in: Lcom/alipay/apmobilesecuritysdk/proxydetect/EntpClient;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)V
'https://feedback.taobao.com/h5/m/feedbacks?productId=1060&source=kbsearch' used in: Lcom/alipay/android/phone/discovery/o2o/search/resolver/RecommendTipResolver$TipHolder$2;->onClick(Landroid/view/View;)V
'https://gw.alipayobjects.com/zos/rmsportal/jopPjSaSusQAdzyNHMVQ.png' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/HeadlinePortalExtResolver;->a(Landroid/view/View; Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/HeadlinePortalExtResolver$Content; I)V
'https://hpmweb.alipay.com/bugme/domScript' used in: Lcom/alipay/mobile/nebulacore/dev/provider/H5DevPlugin;->interceptEvent(Lcom/alipay/mobile/h5container/api/H5Event; Lcom/alipay/mobile/h5container/api/H5BridgeContext;)Z
'https://hpmweb.alipay.com/report/android/batch' used in: Lcom/alipay/mobile/nebulacore/dev/bugme/H5BugmeBatchedScheduler;->onSchedule(Ljava/util/List;)V
'https://hpmweb.alipay.com/report/upload/android' used in: Lcom/alipay/mobile/nebulacore/dev/bugme/H5BugmeApplogUploader;->uploadFile(Ljava/util/Map; Ljava/io/File;)V
'https://nebula.alipay.com/api/app' used in: Lcom/alipay/mobile/nebula/appcenter/openapi/H5AppBizHttpProviderImpl;->rpcCall(Lcom/alipay/mobile/nebula/appcenter/model/AppReq;)Ljava/lang/String;
'https://render.alipay.com/p/f/best-koubei/index.html' used in: Lcom/alipay/android/phone/discovery/o2ohome/dynamic/blocksystem/resolver/HotCommentResolver$1;->onClick(Landroid/view/View;)V
'https://render.alipay.com/p/h5/voucherDetail/offline/www/index.html?' used in: Lcom/alipay/android/phone/discovery/o2o/O2oApp;->a()V
'https://render.alipay.com/p/s/h5container/index' used in: Lcom/alipay/mobile/nebulacore/core/H5ContentProviderImpl;->(Lcom/alipay/mobile/h5container/api/H5Page;)V
'https://render.alipay.com/p/s/h5misc/resource_error?url=' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->interceptXiaoChengXu(Ljava/lang/String; Ljava/lang/String; Lcom/alipay/mobile/h5container/api/H5Page;)Z
'https://render.alipay.com/p/s/i' used in: Lcom/alipay/mobile/nebula/util/H5Utils$1;->()V
'https://render.alipay.com/p/s/tinyapperror/?appId=%s&errorCode=1001' used in: Lcom/alipay/mobile/nebula/appcenter/apphandler/H5AppHandler;->updateFail(Ljava/lang/String; Ljava/lang/String; Lcom/alipay/mobile/nebula/appcenter/apphandler/H5StartAppInfo; Lcom/alipay/mobile/nebula/appcenter/apphandler/loadingview/H5LoadingManager; Ljava/lang/String; Lcom/alipay/mobile/nebula/appcenter/model/AppInfo; Ljava/lang/String; Ljava/lang/String; Landroid/os/Bundle; Z)V
'https://render.alipay.com/p/z/fd-lifecircle/location.html?' used in: Lcom/alipay/mobile/beehive/poiselect/api/PoiItemExt;->buildUrl(Z)Ljava/lang/String;
'https://resource/' used in: Lcom/alipay/mobile/nebula/resourcehandler/H5ResourceHandlerUtil;->localIdToUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://restapi.amap.com/v3/iasdkauth' used in: Lcom/amap/api/mapcore/util/fe$b;->c()Ljava/lang/String;
"javascript:(function(){if(typeof AlipayJSBridge === 'object'){" used in: Lcom/alipay/mobile/nebulacore/bridge/H5BridgeImpl$5;->run()V
"javascript:(function(){if(typeof AlipayJSBridge === 'object'){" used in: Lcom/alipay/mobile/nebulacore/bridge/H5BridgeImpl;->a(Lcom/alipay/mobile/nebulacore/bridge/H5BridgeImpl; Lcom/alipay/mobile/h5container/api/H5Event;)V
"javascript:(function(){if(typeof AlipayJSBridge === 'object'){AlipayJSBridge.devPerformance4Test='" used in: Lcom/alipay/mobile/nebula/util/TestDataUtils;->injectJSParams(Lcom/alipay/mobile/nebula/webview/APWebView;)V
'javascript:(function(){window.ALIPAYVIEWAPPEARED=1})();' used in: Lcom/alipay/mobile/nebulacore/core/H5PageImpl;->injectPageReady()V
"javascript:if(typeof AlipayJSBridge === 'object'){AlipayJSBridge." used in: Lcom/alipay/mobile/nebulacore/web/H5ScriptLoader;->setParamsToWebPage(Ljava/lang/String; Ljava/lang/String;)V
"javascript:location.replace('" used in: Lcom/alipay/mobile/nebulacore/ui/H5FragmentManager;->addFragment(Landroid/os/Bundle; Z Z)V
"javascript:location.replace('" used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Ljava/lang/String; Ljava/lang/String;)Z
"javascript:location.replace('" used in: Lcom/alipay/mobile/nebulacore/core/H5PageImpl;->replace(Ljava/lang/String;)V
'javascript:{window.__alipayConsole__ = window.console}' used in: Lcom/alipay/mobile/nebulacore/web/H5WebChromeClient;->onReceivedTitle(Lcom/alipay/mobile/nebula/webview/APWebView; Ljava/lang/String;)V
'www.25pp.com/down' used in: Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Lcom/alipay/mobile/h5container/api/H5Event;)Z

位置: classes4.dex
'10.0.0.172' used in: Lcom/tencent/stat/common/k;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.200' used in: Lcom/tencent/stat/common/k;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'701339@zhifubao_android_7.1.2' used in: Lcom/alipay/mobilesecurity/taobao/sso/util/TaobaoSsoLoginUtils;->obtainTaobaoDeviceId(Ljava/lang/String; Landroid/content/Context;)Ljava/lang/String;
'701339@zhifubao_android_7.1.2' used in: Lcom/alipay/mobilesecurity/taobao/sso/SsoRemoteRequestParam;->getTtid()Ljava/lang/String;
'701339@zhifubao_android_7.1.2' used in: Lcom/alipay/mobile/security/authcenter/login/biz/AlipayDataProvider;->getTaobaoSsoTtid()Ljava/lang/String;
'KOUBEI@PageWithTabsBlock.item' used in: Lcom/koubei/mobile/o2o/personal/blocksystem/resolver/HeadMyTabResolver;->getItemView(Landroid/view/ViewGroup; Lcom/koubei/mobile/o2o/personal/node/LabelTitleBar$LabelItem; Z)Landroid/view/View;
'file:///[asset]/' used in: Lcom/alipay/multimedia/widget/APMGifView;->a(Ljava/lang/String;)Ljava/lang/String;
'file:///[asset]/nearbytab.gif' used in: Lcom/koubei/phone/android/kbnearby/NearbyWidgetGroup;->startTabAnim(Ljava/lang/String;)V
'http://127.0.0.1:' used in: Lcom/alipay/multimedia/network/LocalNetworkProxy;->getRequestUrl()Ljava/lang/String;
'http://appsupport.qq.com/cgi-bin/appstage/mstats_report' used in: Lcom/tencent/open/c/c;->a(Ljava/lang/String; Landroid/os/Bundle; Z)V
'http://appsupport.qq.com/cgi-bin/qzapps/mapp_addapp.cgi' used in: Lcom/tencent/connect/auth/d;->onClick(Landroid/view/View;)V
'http://appsupport.qq.com/cgi-bin/qzapps/mapp_addapp.cgi' used in: Lcom/tencent/connect/auth/c;->(Lcom/tencent/connect/auth/AuthAgent; Lcom/tencent/tauth/IUiListener;)V
'http://cgi.connect.qq.com/qqconnectopen/openapi/policy_conf' used in: Lcom/tencent/open/utils/d;->run()V
'http://cgi.connect.qq.com/qqconnectutil/sdk' used in: Lcom/tencent/connect/a/a;->a(Landroid/content/Context; Lcom/tencent/connect/auth/QQToken;)V
'http://cgi.qplus.com/report/report' used in: Lcom/tencent/open/utils/e;->run()V
'http://fusion.qq.com/cgi-bin/qzapps/unified_jump?appid=%1$s&from=%2$s&isOpenAppID=1' used in: Lcom/alipay/android/shareassist/api/QZoneShare$1;->run()V
'http://fusion.qq.com/cgi-bin/qzapps/unified_jump?appid=%1$s&from=%2$s&isOpenAppID=1' used in: Lcom/tencent/connect/share/QQShare;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://m.laiwang.com' used in: Lcom/laiwang/sdk/openapi/f;->onClick(Landroid/content/DialogInterface; I)V
'http://m.laiwang.com' used in: Lcom/laiwang/sdk/openapi/LWAPI;->a(Landroid/content/Context; I)V
'http://openmobile.qq.com/api/check2?page=qzshare.html&loginpage=loginindex.html&logintype=qzone' used in: Lcom/alipay/android/shareassist/api/QZoneShare$1;->run()V
'http://openmobile.qq.com/api/check?page=shareindex.html&style=9' used in: Lcom/tencent/connect/share/QQShare;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://openmobile.qq.com/oauth2.0/m_authorize?' used in: Lcom/tencent/connect/auth/AuthAgent;->e(Lcom/tencent/connect/auth/AuthAgent;)V
'http://pingma.qq.com:80/mstat/report' used in: Lcom/tencent/stat/StatConfig;->()V
'http://qzs.qq.com' used in: Lcom/tencent/connect/auth/a;->a(Ljava/lang/Object;)V
'http://qzs.qq.com/open/mobile/login/qzsjump.html?' used in: Lcom/tencent/connect/auth/AuthDialog;->n(Lcom/tencent/connect/auth/AuthDialog;)Ljava/lang/String;
'http://qzs.qq.com/open/mobile/login/qzsjump.html?' used in: Lcom/tencent/connect/auth/k;->onReceivedError(Landroid/webkit/WebView; I Ljava/lang/String; Ljava/lang/String;)V
'http://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/a/b;->a(Landroid/content/Context; Ljava/lang/String;)V
'https://api.weibo.com/2/friendships/friends.json' used in: Lcom/alipay/android/shareassist/ui/WeiboFrindListActivity;->a()V
'https://api.weibo.com/2/search/suggestions/at_users.json' used in: Lcom/alipay/android/shareassist/ui/WeiboFrindListActivity;->e(Lcom/alipay/android/shareassist/ui/WeiboFrindListActivity;)V
'https://api.weibo.com/2/statuses/update.json' used in: Lcom/alipay/android/shareassist/ui/WeiboEditActivity;->a(Ljava/lang/String;)V
'https://api.weibo.com/2/statuses/upload.json' used in: Lcom/alipay/android/shareassist/ui/WeiboEditActivity;->a(Ljava/lang/String;)V
'https://api.weibo.com/2/users/show.json' used in: Lcom/alipay/mobile/framework/service/impl/ShareServiceImpl;->getWeiboUserPic(Ljava/lang/String; Ljava/lang/String; I Lcom/alipay/mobile/common/share/GetWeiboUserPicListener;)V
'https://api.weixin.qq.com/sns/oauth2/access_token' used in: Lcom/alipay/android/shareassist/misc/WeixinApiRequest;->(Ljava/lang/String; Lcom/alipay/mobile/common/share/GetWeixinUserPicListener;)V
'https://api.weixin.qq.com/sns/userinfo' used in: Lcom/alipay/android/shareassist/misc/WeixinApiRequest;->(Ljava/lang/String; Lcom/alipay/mobile/common/share/GetWeixinUserPicListener;)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_fukuanma_yw&questionId=201602125145' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/bv;->onItemClick(I)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_fukuanma_yw&questionId=201602125145' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/k;->onItemClick(I)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_questionId_stats&questionId=565809' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/ae;->onClick(Landroid/view/View;)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_questionId_stats&questionId=565809' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/cm;->onClick(Landroid/view/View;)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_questionId_stats&questionId=565809' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/k;->onItemClick(I)V
'https://csmobile.alipay.com/detailSolution.htm?knowledgeType=1&scene=app_questionId_stats&questionId=565809' used in: Lcom/alipay/mobile/onsitepay9/payer/fragments/bv;->onItemClick(I)V
'https://csmobile.alipay.com/detailSolution.htm?questionId=201602034299&token=csm927cf0e915214340a783de82388eba4b&knowledgeType=1' used in: Lcom/alipay/mobile/scan/ui/l;->onClick()V
'https://csmobile.alipay.com/detailSolution.htm?questionId=201602034299&token=csm927cf0e915214340a783de82388eba4b&knowledgeType=1' used in: Lcom/alipay/phone/scancode/a/k;->getExtentionConfigs()Ljava/util/Map;
'https://csmobile.alipay.com/hall/tips.htm?scene=mbill_tips&errorCode=MBILL_TIPS&bizNo=' used in: Lcom/alipay/mobile/onsitepay9/payer/PaySuccessActivity;->onCreate(Landroid/os/Bundle;)V
'https://csmobile.alipay.com/hall/tips.htm?scene=mbill_tips&errorCode=MBILL_TIPS&bizNo=' used in: Lcom/alipay/mobile/onsitepay9/payer/KoubeiPaySuccessActivity;->onCreate(Landroid/os/Bundle;)V
'https://csmobile.alipay.com/mypa/generalRobot.htm?scene=kb-jiepingfankui' used in: Lcom/alipay/mobile/about/ui/FeedbackGuideActivity;->goHelpMain()V
'https://ds.alipay.com/fd-o2o/help.html' used in: Lcom/koubei/mobile/o2o/personal/fragment/PersonalMainFragment$6;->onItemClick(I)V
'https://feedback.taobao.com/h5/m/feedbacks?productId=1060&source=koubei_tab' used in: Lcom/koubei/mobile/o2o/personal/activity/AboutActivity;->goToFeedback()V
'https://o.alipay.com/o2o/agreement.htm' used in: Lcom/koubei/mobile/o2o/personal/activity/AboutActivity;->goToAgreement()V
'https://open.weibo.cn/oauth2/access_token' used in: Lcom/alipay/android/shareassist/ui/WeiboAuthActivity;->a(Landroid/os/Bundle;)V
'https://open.weibo.cn/oauth2/access_token' used in: Lcom/alipay/auth/AuthWeiboActivity;->a(Landroid/os/Bundle;)V
'https://open.weibo.cn/oauth2/authorize?response_type=code&display=mobile&redirect_uri=' used in: Lcom/alipay/android/shareassist/ui/WeiboAuthActivity;->d()V
'https://open.weibo.cn/oauth2/authorize?response_type=token&display=mobile&redirect_uri=' used in: Lcom/alipay/auth/AuthWeiboActivity;->d()V
'https://openmobile.qq.com/' used in: Lcom/tencent/open/utils/HttpUtils;->a(Lcom/tencent/connect/auth/QQToken; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://openmobile.qq.com/user/user_login_statis' used in: Lcom/tencent/connect/auth/AuthAgent;->a(Lcom/tencent/connect/auth/AuthAgent; Ljava/lang/String;)V
'https://pic.alipayobjects.com/i/mobileapp/png/201410/3dIQjERc5F.png' used in: Lcom/alipay/android/shareassist/ShareAssistApp;->share(Landroid/content/Context; I Lcom/alipay/mobile/common/share/ShareContent; Ljava/lang/String;)V
'https://render.alipay.com/p/f/fd-j31d2kdt/index.html' used in: Lcom/koubei/mobile/o2o/personal/activity/AboutActivity;->goToIntellectualPropertyAnnouncement()V
'https://resource/' used in: Lcom/alipay/multimedia/js/base/MMH5SimplePlugin;->decodeToPath(Ljava/lang/String;)Ljava/lang/String;
'https://www.koubei.com/' used in: Lcom/alipay/auth/AuthWeiboActivity;->d()V
'https://www.koubei.com/' used in: Lcom/alipay/auth/AuthWeiboActivity;->onCreate(Landroid/os/Bundle;)V
'https://www.koubei.com/' used in: Lcom/alipay/auth/c;->onPageStarted(Landroid/webkit/WebView; Ljava/lang/String; Landroid/graphics/Bitmap;)V
'https://www.koubei.com/' used in: Lcom/alipay/android/shareassist/ui/WeiboAuthActivity;->()V
'https://www.koubei.com/' used in: Lcom/alipay/auth/AuthWeiboActivity;->a(Landroid/os/Bundle;)V

位置: lib/armeabi/libandroid-phone-mobilecommon-mapbiz.so
'http://wap.amap.com/' used in: Lcom/alipay/android/mapassist/ui/MapMainActivity;->a(Lcom/alipay/android/mapassist/ui/MapMainActivity; Ljava/lang/String; Ljava/lang/Double; Ljava/lang/Double; Lcom/amap/api/maps/model/Marker;)V
'http://wap.amap.com/' used in: Lcom/alipay/mobile/map/widget/impl/APMapViewImpl;->startNaviApp(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Double; Ljava/lang/Double; Lcom/amap/api/maps/model/Marker;)V
'https://maps.google.com/maps?q=' used in: Lcom/alipay/android/mapassist/ui/MapMainActivity;->a(Lcom/alipay/android/mapassist/ui/MapMainActivity; Ljava/lang/String; Ljava/lang/Double; Ljava/lang/Double; Lcom/amap/api/maps/model/Marker;)V

位置: lib/armeabi/libandroid-phone-mobilecommon-tag.so
'http://www.ccil.org/~cowan/tagsoup/features/bogons-empty' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/bogons-empty' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/cdata-elements' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/cdata-elements' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/default-attributes' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/default-attributes' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/ignorable-whitespace' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/ignorable-whitespace' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/ignore-bogons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/ignore-bogons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/restart-elements' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/restart-elements' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/root-bogons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/root-bogons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/features/translate-colons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://www.ccil.org/~cowan/tagsoup/features/translate-colons' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://www.ccil.org/~cowan/tagsoup/properties/auto-detector' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setProperty(Ljava/lang/String; Ljava/lang/Object;)V
'http://www.ccil.org/~cowan/tagsoup/properties/auto-detector' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->getProperty(Ljava/lang/String;)Ljava/lang/Object;
'http://www.ccil.org/~cowan/tagsoup/properties/scanner' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setProperty(Ljava/lang/String; Ljava/lang/Object;)V
'http://www.ccil.org/~cowan/tagsoup/properties/scanner' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->getProperty(Ljava/lang/String;)Ljava/lang/Object;
'http://www.ccil.org/~cowan/tagsoup/properties/schema' used in: Lcom/alipay/tag/html/Html;->fromHtml(F Ljava/lang/String; Lcom/alipay/tag/html/Html$ImageGetter; Lcom/alipay/tag/html/Html$TagHandler;)Landroid/text/Spanned;
'http://www.ccil.org/~cowan/tagsoup/properties/schema' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setProperty(Ljava/lang/String; Ljava/lang/Object;)V
'http://www.ccil.org/~cowan/tagsoup/properties/schema' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->getProperty(Ljava/lang/String;)Ljava/lang/Object;
'http://www.w3.org/1999/xhtml' used in: Lcom/alipay/ccil/cowan/tagsoup/HTMLSchema;->()V
'http://www.w3.org/1999/xhtml' used in: Lcom/alipay/ccil/cowan/tagsoup/XMLWriter;->endElement(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
'http://www.w3.org/XML/1998/namespace' used in: Lcom/alipay/ccil/cowan/tagsoup/ElementType;->namespace(Ljava/lang/String; Z)Ljava/lang/String;
'http://xml.org/sax/features/external-general-entities' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/external-parameter-entities' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/is-standalone' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/lexical-handler/parameter-entities' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/namespace-prefixes' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/namespaces' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/namespaces' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setFeature(Ljava/lang/String; Z)V
'http://xml.org/sax/features/resolve-dtd-uris' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/string-interning' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/use-attributes2' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/use-entity-resolver2' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/use-locator2' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/validation' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/xml-1.1' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/features/xmlns-uris' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->()V
'http://xml.org/sax/properties/lexical-handler' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->setProperty(Ljava/lang/String; Ljava/lang/Object;)V
'http://xml.org/sax/properties/lexical-handler' used in: Lcom/alipay/ccil/cowan/tagsoup/Parser;->getProperty(Ljava/lang/String;)Ljava/lang/Object;
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/alipay/tag/html/XmlUtils;->writeListXml(Ljava/util/List; Ljava/io/OutputStream;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/alipay/tag/html/FastXmlSerializer;->setFeature(Ljava/lang/String; Z)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lcom/alipay/tag/html/XmlUtils;->writeMapXml(Ljava/util/Map; Ljava/io/OutputStream;)V

位置: lib/armeabi/libandroid-phone-securitycommon-namecertifybiz.so
'https://custweb.alipay.com/certify/personal/mobile/' used in: Lcom/alipay/android/phone/namecertify/service/impl/NameCertifyServiceImpl;->a()Ljava/lang/String;

位置: lib/armeabi/libandroid-phone-securitycommon-taobaobind.so
'https://www.alipay.com/webviewbridge' used in: Lcom/alipay/mobile/securitycommon/taobaobind/util/TaobaoBindUtil;->addSecurityCallbackToUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://www.alipay.com/webviewbridge' used in: Lcom/alipay/mobile/securitycommon/taobaobind/util/TaobaoBindUtil;->addCallbackToUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://www.alipay.com/webviewbridge' used in: Lcom/alipay/mobile/securitycommon/taobaobind/util/AUH5Plugin;->checkWebviewBridge(Ljava/lang/String;)Z
'https://www.alipay.com/webviewbridge' used in: Lcom/alipay/mobile/securitycommon/taobaobind/util/H5Wrapper;->startPage(Ljava/lang/String; Lcom/alipay/mobile/securitycommon/taobaobind/util/AUH5Plugin;)V
'https://www.alipay.com/webviewbridge' used in: Lcom/alipay/mobile/securitycommon/taobaobind/util/TaobaoBindUtil;->addCallbackToUrl(Ljava/lang/String;)Ljava/lang/String;

位置: lib/armeabi/libandroid-phone-thirdparty-amapsearch.so
'10.0.0.172' used in: Lcom/amap/api/services/core/ar;->b(Landroid/content/Context;)Ljava/net/Proxy;
'10.0.0.200' used in: Lcom/amap/api/services/core/ar;->b(Landroid/content/Context;)Ljava/net/Proxy;
'http://apiinit.amap.com/v3/log/init' used in: Lcom/amap/api/services/core/ak;->()V
'http://logs.amap.com/ws/log/upload?product=%s&type=%s&platform=%s&channel=%s&sign=%s' used in: Lcom/amap/api/services/core/aw;->()V
'http://m5.amap.com/ws/mapapi/shortaddress/transform' used in: Lcom/amap/api/services/core/ac;->g()Ljava/lang/String;
'http://restapi.amap.com' used in: Lcom/amap/api/services/core/ar;->a(Landroid/content/Context;)Ljava/net/Proxy;
'http://restapi.amap.com/v3' used in: Lcom/amap/api/services/core/h;->a()Ljava/lang/String;
'http://wb.amap.com/?n=%f,%f,%f,%f,%d&sourceapplication=openapi/0' used in: Lcom/amap/api/services/share/ShareSearch;->()V
'http://wb.amap.com/?p=%s,%f,%f,%s,%s&sourceapplication=openapi/0' used in: Lcom/amap/api/services/share/ShareSearch;->()V
'http://wb.amap.com/?q=%f,%f,%s&sourceapplication=openapi/0' used in: Lcom/amap/api/services/share/ShareSearch;->()V
'http://wb.amap.com/?r=%f,%f,%s,%f,%f,%s,%d,%d,%d,%s,%s,%s&sourceapplication=openapi/0' used in: Lcom/amap/api/services/share/ShareSearch;->()V
'http://yuntuapi.amap.com' used in: Lcom/amap/api/services/core/h;->b()Ljava/lang/String;
'https://restapi.amap.com/v3' used in: Lcom/amap/api/services/core/h;->a()Ljava/lang/String;
'https://restapi.amap.com/v3/fastconnect' used in: Lcom/amap/api/services/core/an$b;->g()Ljava/lang/String;
'https://yuntuapi.amap.com' used in: Lcom/amap/api/services/core/h;->b()Ljava/lang/String;

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
'10.0.0.200' used in: Lcom/xiaomi/channel/commonutils/network/d;->b(Landroid/content/Context; Ljava/net/URL;)Ljava/net/HttpURLConnection;
'http://%1$s/diagnoses/v1/report' used in: Lcom/xiaomi/network/UploadHostStatHelper;->a(Ljava/lang/String; Ljava/lang/String;)V
'http://%1$s/gslb/?ver=3.0' used in: Lcom/xiaomi/network/HostManagerV2;->getRemoteFallbackJSON(Ljava/util/ArrayList; Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'http://%1$s/gslb/gslb/getbucket.asp?ver=3.0' used in: Lcom/xiaomi/network/HostManager;->getRemoteFallbackJSON(Ljava/util/ArrayList; Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'http://10.237.12.17:9085/pass/register' used in: Lcom/xiaomi/push/service/h;->a()Ljava/lang/String;
'http://10.237.12.17:9085/pass/register' used in: Lcom/xiaomi/push/service/h;->a()Ljava/lang/String;
'http://resolver.msg.xiaomi.net/psc/?t=a' used in: Lcom/xiaomi/push/service/ad;->b()V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/smack/util/c;->a([B)V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/smack/g;->a(Lcom/xiaomi/smack/g;)V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/smack/j;->()V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/smack/provider/c;->b()V
'www.baidu.com:80' used in: Lcom/xiaomi/push/service/ax;->run()V

位置: lib/armeabi/libandroid-phone-wallet-nebulauc.so
'http://119.147.224.154:8012/upload' used in: Lcom/uc/webview/export/extension/BreakpadConfig;->(Ljava/lang/String;)V
'https://alipay.kylinBridge' used in: Lcom/alipay/mobile/nebulauc/impl/serviceworker/H5ServiceWorkerControllerProviderImpl;->shouldInterceptRequest4ServiceWorker(Lcom/alipay/mobile/nebula/webview/APWebResourceRequest;)Landroid/webkit/WebResourceResponse;
'https://alipay.kylinBridge' used in: Lcom/alipay/mobile/nebulauc/impl/UcServiceSetup$9;->shouldInterceptRequest(Lcom/uc/webview/export/WebResourceRequest;)Lcom/uc/webview/export/WebResourceResponse;
'https://applog.uc.cn/collect?uc_param_str=&chk=' used in: Lcom/uc/webview/export/internal/uc/wa/a;->a(Ljava/lang/String; Z)Ljava/lang/String;
'https://appx/af-appx.min.js' used in: Lcom/alipay/mobile/nebulauc/impl/UCWebView;->preloadAppxJs()V
'https://gw.alicdn.com/bao/uploaded/LB1KgvQQpXXXXauXVXXXXXXXXXX.zip' used in: Lcom/alipay/mobile/nebulauc/impl/UcServiceSetup;->initCore(Z)V
'https://www.alipay.com' used in: Lcom/alipay/mobile/nebulauc/impl/serviceworker/H5ServiceWorkerPageManager;->getInstance(Landroid/content/Context;)Lcom/alipay/mobile/h5container/api/H5Page;
'javascript:document.activeElement && document.activeElement.blur()' used in: Lcom/alipay/mobile/nebulauc/impl/view/H5NumInputKeyboard;->sendBlurToFocusElement()V

位置: lib/armeabi/libandroid-phone-wallet-o2opurchase.so
'https://d.alipay.com/i/index.htm?iframeSrc=' used in: Lcom/alipay/android/phone/o2o/purchase/goodsdetail/utils/ShareUtils;->a(I)Lcom/koubei/android/o2oadapter/api/share/IShare$ShareConfig;

中危

检测到6处setSavePassword密码明文存储漏洞。

位置: classes.dex
com.alipay.android.app.vr.base.widget.VRWebView;
com.alipay.android.app.flybird.ui.window.MiniWebActivityAdapter;

位置: classes3.dex
com.androidquery.util.WebImage;
com.alipay.mobile.nebulacore.android.AndroidWebSettings;

位置: classes4.dex
com.tencent.connect.auth.a;

位置: lib/armeabi/libandroid-phone-wallet-nebulauc.so
com.uc.webview.export.WebSettings;

webview的保存密码功能默认设置为true。Webview会明文保存网站上的密码到本地私有文件”databases/webview.db”中。对于可以被root的系统环境或者配合其他漏洞(如webview的同源绕过漏洞),攻击者可以获取到用户密码。
建议:显示设置webView.getSetting().setSavePassword(false)。

参考案例:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

参考资料:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

低危

检测到1处SecureRandom使用不当。

位置: classes.dex
com.alipay.mobile.common.logging.util.AESUtil;->getRawKey

SecureRandom的使用不当会导致生成的随机数可被预测,该漏洞存在于Android系统随机生成数字串安全密钥的环节中。该漏洞的生成原因是对SecureRandom类的不正确使用方式导致生成的随机数不随机。建议:
(1)不要使用自定义随机源代替系统默认随机源(推荐)除非有特殊需求,在使用SecureRandom类时,不要调用以下函数:SecureRandom类下SecureRandom(byte[]seed)、setSeed(long seed)和setSeed(byte[]seed)方法。
(2)在调用setSeed方法前先调用任意nextXXX方法。具体做法是调用setSeed方法前先调用一次SecureRandom#nextBytes(byte[]bytes)方法,可以避免默认随机源被替代,详细见参考资料。

参考资料:
https://developer.android.com/reference/java/security/SecureRandom.html
http://drops.wooyun.org/papers/5164
http://jaq.alibaba.com/blog.htm?id=47

低危

检测到3个WebView系统隐藏接口未移除。

位置: classes.dex
com.alipay.android.app.flybird.ui.window.MiniWebActivityAdapter;->a(Landroid.os.Bundle; Landroid.app.Activity;)V

位置: classes3.dex
com.alipay.mobile.nebulacore.android.AndroidWebView;->(Landroid.content.Context;)V
com.androidquery.util.WebImage;->load()V

android webview组件包含3个隐藏的系统接口:searchBoxJavaBridge_,accessibilityTraversal以及accessibility,恶意程序可以利用它们实现远程代码执行。
如果使用了WebView,那么使用WebView.removeJavascriptInterface(String name) API,显示的移除searchBoxJavaBridge_、accessibility、accessibilityTraversal这三个接口。

参考资料:
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

低危

检测3处Intent Scheme URI漏洞。

位置: classes.dex
Lcom/alipay/android/phone/mobilesdk/permission/guide/t;->a(Landroid/content/Context; Ljava/lang/String;)Landroid/content/Intent;

位置: classes3.dex
Lcom/alipay/mobile/nebulacore/plugin/H5UrlInterceptPlugin;->a(Ljava/lang/String;)Z

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
Lcom/xiaomi/mipush/sdk/f;->a(Landroid/content/Context; Ljava/lang/String; Ljava/util/Map;)Landroid/content/Intent;


Intent Scheme URI是一种特殊的URL格式,用来通过Web页面启动已安装应用的Activity组件,大多数主流浏览器都支持此功能。如果在app中,没有检查获取到的load_url的值,攻击者可以构造钓鱼网站,诱导用户点击加载,就可以盗取用户信息。所以,对Intent URI的处理不当时,就会导致基于Intent的攻击。建议:
如果使用了Intent.parseUri函数,获取的intent必须严格过滤,intent至少包含addCategory(“android.intent.category.BROWSABLE”),setComponent(null),setSelector(null)3个策略。

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

低危

检测到19处AES/DES弱加密风险。

位置: classes.dex
com.alipay.mobile.common.logging.util.AESUtil;->decrypt([B [B I I)[B
com.alipay.mobile.tianyanadapter.logging.utils.ColorUtil;->decrypt([B [B)[B
com.alipay.android.app.framework.encrypt.Des;->a(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.mobile.common.logging.util.AESUtil;->encrypt([B [B I I)[B
Lcom/alipay/android/app/framework/encrypt/TriDes;->()V
com.alipay.mobile.common.security.Des;->doFinal(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.mobile.tianyanadapter.logging.utils.ColorUtil;->encrypt([B [B)[B
com.alipay.mobile.common.security.Des;->doFinal(I [B Ljava.lang.String;)[B
Lcom/loc/ch;->b([B [B)[B

位置: classes2.dex
com.alipay.mobile.common.transport.utils.Des;->doFinal(I [B Ljava.lang.String;)[B
Lcom/alipay/security/mobile/module/bracelet/lib/util/Utils;->AESEncrypt([B [B)[B
com.alipay.mobile.common.transport.utils.Des;->doFinal(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
Lcom/alipay/security/mobile/alipayauthenticatorservice/bracelet/util/AESUtil;->AESEncrypt([B [B)[B

位置: classes4.dex
Lcom/alipay/mobile/security/otp/service/OtpSeedCryptor;->a(Ljava/lang/String;)Ljava/lang/String;
com.tencent.mm.sdk.platformtools.LogHelper;->writeToStream(Ljava.io.PrintStream; [B Ljava.lang.String; Ljava.lang.String;)V
Lcom/alipay/mobile/security/otp/service/AlipayIDCode;->encryptDesEcb([B [B)[B
Lcom/alipay/mobile/security/otp/service/OtpSeedCryptor;->b(Ljava/lang/String;)[B
Lcom/alipay/mobile/security/otp/service/AlipayIDCode;->decryptDesEcb([B [B)[B
Lcom/alipay/multimedia/utils/MusicUtils;->initAESCipher(I Ljava/lang/String; Z)Ljavax/crypto/Cipher;

使用AES/DES/DESede加密算法时,如果使用ECB模式,容易受到攻击风险,造成信息泄露。建议在使用AES/DES/DESede加密算法时,应显示指定使用CBC或CFB加密模式

参考资料:
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

低危

非debug包,需要通过打包平台proguard脚本,移除大部分系统输出代码。
经扫描该包仍存在大量系统输出代码,共发现47处系统输出代码.(此处扫描的系统输出代码,是指调用System.out.print*输出的,本应在打包平台移除的系统输出代码.)
各个bundle系统输出代码详情如下:

位置: classes.dex
com.loc.e;
org.aspectj.lang.SoftException;

位置: classes2.dex
com.alipay.mobile.common.transportext.biz.diagnose.network.Link;
com.alibaba.sqlcrypto.DatabaseUtils;

位置: classes3.dex
com.alibaba.wireless.security.open.SecException;
com.amap.api.mapcore.util.br;
com.amap.api.mapcore.util.bo;

位置: classes4.dex
com.tencent.open.utils.Util;
com.tencent.mm.sdk.platformtools.LogHelper;

位置: classes5.dex
com.alipay.android.hackbyte.ClassVerifier;

位置: lib/armeabi/libandroid-phone-mobilecommon-tag.so
com.alipay.ccil.cowan.tagsoup.Element;
com.alipay.tag.html.HtmlToSpannedConverter$Bold;
com.alipay.tag.html.HtmlToSpannedConverter$Blockquote;
com.alipay.ccil.cowan.tagsoup.XMLWriter$1;
com.alipay.tag.html.HtmlToSpannedConverter$Big;
com.alipay.tag.html.HtmlToSpannedConverter$Strike;
com.alipay.ccil.cowan.tagsoup.PYXScanner;
com.alipay.tag.html.HtmlToSpannedConverter$URLSpanNoUnderline;
com.alipay.tag.html.XmlUtils;
com.alipay.ccil.cowan.tagsoup.Schema;
com.alipay.tag.html.HtmlToSpannedConverter$Monospace;
com.alipay.tag.html.HtmlToSpannedConverter;
com.alipay.tag.html.HtmlToSpannedConverter$Italic;
com.alipay.tag.html.HtmlToSpannedConverter$Super;
com.alipay.tag.html.Html$HtmlParser;
com.alipay.tag.html.FastXmlSerializer;
com.alipay.ccil.cowan.tagsoup.HTMLSchema;
com.alipay.tag.html.HtmlUtils;
com.alipay.tag.html.HtmlToSpannedConverter$Font;
com.alipay.ccil.cowan.tagsoup.Parser;
com.alipay.tag.html.HtmlToSpannedConverter$Header;
com.alipay.tag.html.ArrayUtils;
com.alipay.tag.html.HtmlToSpannedConverter$Small;
com.alipay.ccil.cowan.tagsoup.PYXWriter;
com.alipay.tag.html.Html;
com.alipay.ccil.cowan.tagsoup.XMLWriter;
com.alipay.tag.html.HtmlToSpannedConverter$Underline;
com.alipay.ccil.cowan.tagsoup.ElementType;
com.alipay.tag.html.HtmlToSpannedConverter$Sub;
com.alipay.tag.html.HtmlToSpannedConverter$Href;
com.alipay.ccil.cowan.tagsoup.AttributesImpl;
com.alipay.ccil.cowan.tagsoup.HTMLScanner;
com.alipay.ccil.cowan.tagsoup.Parser$1;

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
com.xiaomi.smack.p;
com.xiaomi.smack.j;
com.xiaomi.smack.util.c;
com.xiaomi.push.service.ac;

低危

检测到1处主机名弱校验检测漏洞。

位置: classes.dex
com.taobao.android.ssologinwrapper.remote.SsoRemoteRequest$2;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

自定义HostnameVerifier类,却不实现其verify方法验证域名直接返回true,直接接受任意域名。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考资料:
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

低危

检测到1处地方在自定义实现的WebViewClient类在onReceivedSslError调用proceed()方法。

位置: classes.dex
com.alipay.android.app.flybird.ui.window.ab;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

Android WebView组件加载网页发生证书认证错误时,会调用WebViewClient类的onReceivedSslError方法,如果该方法实现调用了handler.proceed()来忽略该证书错误,则会受到中间人攻击的威胁,可能导致隐私泄露。建议:
当发生证书认证错误时,采用默认的处理方法handler.cancel(),停止加载问题页面当发生证书认证错误时,采用默认的处理方法handler.cancel(),停止加载问题页面。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0109266

参考资料:
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

警告

检测到68处addFlags使用Intent.FLAG_ACTIVITY_NEW_TASK。

位置: classes.dex
com.koubei.mobile.launcher.quinox.KoubeiLauncherActivityAgent$7;->onClick
com.alipay.mobile.phonecashier.service.util.PhoneCashierUtil;->a
com.alipay.mobile.phonecashier.apps.MspDispatchApp;->onDestroy
com.alipay.android.app.flybird.ui.window.widget.SharePayDialog;->d
com.alipay.android.app.helper.SocialBizHelper;->a
com.alipay.mobile.phonecashier.apps.LocalViewApp;->showLocalView
com.koubei.mobile.launcher.TabLauncherBroadcastReceiver;->onReceive
com.alipay.mobile.commonbiz.locpermissionsetting.LocationPermissionSetting;->jumpPermissionPage
com.alipay.mobile.commonbiz.pushsetting.PushWhitelistSetting$1;->onClick
com.alipay.android.app.assist.MspUtilInterfaceImpl;->processScheme
com.koubei.mobile.launcher.TabLauncherFragment$14;->doGoLogin
com.alipay.android.app.assist.MspUtilInterfaceImpl;->jumpToLauncherActivity
com.alipay.android.substitute.channels.b;->onItemClick
com.alipay.android.launcher.notify.StartupSlowClickReceiver;->a
com.alipay.mobile.rome.pushservice.integration.PushDistributerService;->onHandleIntent
com.alipay.mobile.phonecashier.apps.AccountAuthApp;->startThirdParty
com.alipay.mobile.core.impl.MicroApplicationContextImpl;->startActivity
com.alipay.android.phone.inside.common.info.DeviceInfo;->installApk
com.alipay.mobile.base.security.e;->onClick
com.alipay.mobile.permission.c;->onClick
com.alipay.mobile.commonbiz.pushsetting.PushWhitelistSetting$2;->onClick
com.ali.money.shield.mssdk.api.SecurityManager;->startMoneyshieldAntiVirus
com.alipay.android.launcher.notify.StartupSlowClickReceiver;->onReceive
com.alipay.mobile.rome.pushservice.integration.RecvMsgIntentService;->onHandleIntent
com.alipay.android.phone.inside.cashier.utils.CashierOperation;->sendOperationRequest
com.alipay.mobile.common.info.DeviceInfo;->installApk
com.alipay.android.app.util.BaseHelper;->installApk
com.alipay.mobile.commonbiz.permissions.BaseJumper;->jump2AppInfo
com.alipay.mobile.phonecashier.service.a;->startActivity

位置: classes2.dex
com.alipay.android.phone.falcon.cardmanager.FalconTaskManager;->handleActivity
com.alipay.security.mobile.agent.AlipayAuthenticator;->init
com.ali.user.mobile.login.PasswordLoginServiceImpl;->launchPasswordLogin
com.alipay.mobile.accountfd.devicelock.ui.DeviceLockActivity$3;->run
com.alipay.mobile.accountfd.devicelock.DeviceLockMsgReceiver$1;->run
com.alipay.android.phone.falcon.cardmanager.FalconTaskManager;->startCardScanActivity
com.koubei.mobile.o2o.nebulabiz.H5DownloadPlugin;->processInstallApk
com.alipay.android.phone.falcon.IDFace.IDFaceJumpController;->gotoH5GuidePage
com.ali.user.mobile.register.region.RegionChoice;->a
com.ali.user.mobile.login.SupplyQueryPasswordServiceImpl;->supplyQueryPassword
com.alipay.android.phone.falcon.cardmanager.FalconTaskManager;->startCommonCardActivity
com.alipay.security.mobile.util.CommonUtils;->notifyUpdate
com.koubei.mobile.o2o.commonbiz.update.UpdateUtil;->handleUpdateWithDialog
com.alipay.android.phone.falcon.cardmanager.FalconTaskManager;->startAlbumActivity
com.alipay.security.mobile.agent.AlipayAuthenticator$Connection;->bindService

位置: classes3.dex
com.alipay.mobile.nebulacore.core.NebulaServiceImpl$5;->onReceive
com.alipay.mobile.nebulacore.dev.provider.H5BugMeManagerImpl;->openSettingPanel

位置: classes4.dex
com.alipay.phone.scancode.h.h;->onClick
com.alipay.mobile.personalbase.share.ShareUtils;->callBackCallerApp
com.tencent.mm.sdk.platformtools.Util;->getInstallPackIntent
com.tencent.mm.sdk.channel.MMessageAct;->send
com.tencent.connect.auth.k;->shouldOverrideUrlLoading
com.alipay.mobile.onsitepay.payer.BarcodePayerApp;->a
com.alipay.mobile.onsitepay.payer.h;->a
com.alipay.android.shareassist.ShareAssistApp;->share
com.alipay.mobile.security.securitycommon.clientsecurity.SecurityUtil;->callPhoneDial
com.alipay.phone.scancode.h.b;->e
com.alipay.share.sdk.openapi.channel.APMessageAct;->a
com.tencent.open.utils.Util;->a
com.android.dingtalk.share.ddsharemodule.DDMessageAct;->sendDDFriend
com.alipay.android.shareassist.ShareAssistApp;->onStart

位置: lib/armeabi/libandroid-phone-securitycommon-taobaobind.so
com.alipay.mobile.securitycommon.taobaobind.TaobaoBindService;->a

位置: lib/armeabi/libandroid-phone-securitycommon-verifyidentitybiz.so
com.alipay.mobile.verifyidentity.engine.MicroModuleContext;->startActivityByContext
com.alipay.mobile.verifyidentity.alipay.listener.SchemeVIListener;->schemeCallback

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
com.xiaomi.mipush.sdk.f;->a
com.xiaomi.push.service.s;->a

位置: lib/armeabi/libandroid-phone-wallet-authorizationbiz.so
com.alipay.mobile.deviceAuthorization.ui.b;->onClick
com.alipay.mobile.deviceAuthorization.ui.m;->onClick
com.alipay.mobile.deviceAuthorization.ui.t;->onClick

APP创建Intent传递数据到其他Activity,如果创建的Activity不是在同一个Task中打开,就很可能被其他的Activity劫持读取到Intent内容,跨Task的Activity通过Intent传递敏感信息是不安全的。建议:
尽量避免使用包含FLAG_ACTIVITY_NEW_TASK标志的Intent来传递敏感信息。

参考资料:
http://wolfeye.baidu.com/blog/intent-data-leak

警告

检测到24个导出的组件接收其他app的消息,这些组件会被其他app引用并导致dos攻击。

activity com.alipay.mobile.quinox.LauncherActivity
activity com.eg.android.AlipayGphone.ResultActivity
activity com.alipay.mobile.framework.service.common.SchemeStartActivity
activity com.alipay.mobile.h5plugin.H5MapActivity
activity com.tencent.tauth.AuthActivity
activity com.alipay.android.app.TransProcessPayActivity
activity com.alipay.android.app.flybird.ui.scheme.FlybirdSchemeActivity
activity com.alipay.android.app.flybird.ui.window.FlyBirdWindowActivity
activity com.alipay.android.app.settings.FlybirdLocalViewActivity
activity com.alipay.android.app.local.LocalViewActivity
activity com.alipay.android.app.vr.VrPayActivity
activity com.koubei.mobile.authlogin.activity.AlipayAuthLoginActivity
activity com.taobao.mobile.dipei.ResultActivity
activity com.ali.authlogin.mobile.login.AlipayAuthResultActivity
activity-alias com.alipay.mobile.quinox.LauncherActivity.alias
service com.taobao.android.sso.internal.PidGetterService
service com.alipay.mobile.base.datatransfer.DataExportService
service com.alipay.android.app.vr.VrPayService
service com.alipay.android.app.MspService
service org.rome.android.ipp.binder.IppService
receiver com.alipay.pushsdk.BroadcastActionReceiver
receiver com.alipay.mobile.security.thirdparty.AppSafetyChecker
receiver com.alipay.mobile.security.thirdparty.SmsSafetyChecker
receiver com.alipay.android.app.CertPayReceiver

建议:
(1)最小化组件暴露。对不会参与跨应用调用的组件建议显示添加android:exported="false"属性。
(2)设置组件访问权限。对provider设置权限,同时将权限的protectionLevel设置为"signature"或"signatureOrSystem"。
(3)组件传输数据验证。对组件之间,特别是跨应用的组件之间的数据传入与返回做验证和增加异常处理,防止恶意调试数据传入,更要防止敏感数据返回。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

参考资料:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

警告

检测到3个导出的隐式Service组件。
service com.alipay.android.app.vr.VrPayService
service com.alipay.android.app.MspService
service org.rome.android.ipp.binder.IppService

建议:为了确保应用的安全性,启动Service时,请始终使用显式Intent,且不要为服务声明Intent过滤器。使用隐式Intent启动服务存在安全隐患,因为您无法确定哪些服务将响应Intent,且用户无法看到哪些服务已启动。从Android 5.0(API 级别 21)开始,如果使用隐式 Intent 调用 bindService(),系统会抛出异常。

参考资料:
https://developer.android.com/guide/components/intents-filters.html#Types

警告

检测4处組件設置了android.intent.category.BROWSABLE属性。
com.alipay.mobile.framework.service.common.SchemeStartActivity
com.tencent.tauth.AuthActivity
com.alipay.android.app.flybird.ui.scheme.FlybirdSchemeActivity
com.alipay.mobile.quinox.LauncherActivity.alias


在AndroidManifest文件中定义了android.intent.category.BROWSABLE属性的组件,可以通过浏览器唤起,这会导致远程命令执行漏洞攻击。建议:
(1)APP中任何接收外部输入数据的地方都是潜在的攻击点,过滤检查来自网页的参数。
(2)不要通过网页传输敏感信息,有的网站为了引导已经登录的用户到APP上使用,会使用脚本动态的生成URL Scheme的参数,其中包括了用户名、密码或者登录态token等敏感信息,让用户打开APP直接就登录了。恶意应用也可以注册相同的URL Sechme来截取这些敏感信息。Android系统会让用户选择使用哪个应用打开链接,但是如果用户不注意,就会使用恶意应用打开,导致敏感信息泄露或者其他风险。

參考案例:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

警告

检测到11潜在的XSS漏洞。

位置: classes.dex
com.alipay.android.app.ui.quickpay.window.web.JsWebViewWindow;->init(Z)V
com.alipay.android.app.ui.quickpay.window.web.JsWebViewWindow;->init(Z)V

位置: classes2.dex
com.alipay.android.phone.falcon.IDFace.WebViewActivity;->initWebView(Landroid.webkit.WebView;)V
com.alipay.mobile.security.faceauth.ui.bank.WebNavigationActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.mobile.security.faceauth.circle.fragment.NavigationFragment;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;

位置: classes3.dex
com.androidquery.util.WebImage;->load()V

位置: classes4.dex
com.alipay.birdnest.view.WebViewWrapper;->createView(Landroid.content.Context; Lcom.alipay.birdnest.api.BirdNestEngine$UiWidgetProvider$LoadUrlListener;)Landroid.view.View;
com.tencent.connect.auth.AuthDialog;->onCreate(Landroid.os.Bundle;)V
com.alipay.android.shareassist.ui.WeiboAuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.auth.AuthWeiboActivity;->onCreate(Landroid.os.Bundle;)V
com.tencent.connect.auth.a;->a(Ljava.lang.Object;)V

允许WebView执行JavaScript(setJavaScriptEnabled),有可能导致XSS攻击。建议尽量避免使用。
(1)API等于高高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
u(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

警告

检测到35处IvParameterSpec的使用。

位置: classes.dex
com.alipay.android.app.framework.encrypt.TriDesCBC;->a(Ljava.lang.String; [B)[B
com.alipay.android.app.framework.encrypt.TriDesCBC;->b(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.log.util.sec.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.log.util.sec.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.security.util.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.security.util.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.alipay.inside.security.server.util.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.inside.security.server.util.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.loc.ch;->()V
com.loc.ch;->a([B)[B
com.loc.ch;->c([B Ljava.lang.String;)[B
com.loc.ch;->d([B Ljava.lang.String;)[B
com.loc.l;->a(Landroid.content.Context; Lcom.loc.s; Ljava.lang.String;)Lcom.loc.l$a;
com.loc.o;->a([B [B [B)[B
com.uc.crashsdk.a.e;->a([B [B Z Z)[B

位置: classes2.dex
com.alipay.android.phone.mobilecommon.multimediabiz.biz.file.FileSecurityTool;->initAESCipher(Landroid.content.Context; I Ljava.lang.String; Lcom.alipay.android.phone.mobilecommon.multimediabiz.biz.file.FileSecurityTool$FileSecurityReport;)Ljavax.crypto.Cipher;
com.alipay.android.phone.mobilecommon.multimediabiz.biz.utils.AESUtils;->initAESCipher(Ljava.lang.String; I)Ljavax.crypto.Cipher;
com.alipay.mobile.security.bio.security.AESEncrypt;->decrypt([B Ljava.lang.String;)[B
com.alipay.mobile.security.bio.security.AESEncrypt;->decrypt([B [B)[B
com.alipay.mobile.security.bio.security.AESEncrypt;->encrypt(Ljava.lang.String; Ljava.lang.String;)[B
com.alipay.mobile.security.bio.security.AESEncrypt;->encrypt([B [B)[B

位置: classes3.dex
com.alipay.security.mobile.module.crypto.SecurityUtils;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.security.mobile.module.crypto.SecurityUtils;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.security.mobile.module.crypto.SecurityUtils;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.security.mobile.module.crypto.SecurityUtils;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.amap.api.mapcore.util.fe;->a(Landroid.content.Context; Lcom.amap.api.mapcore.util.fm; Ljava.lang.String; Ljava.util.Map;)Lcom.amap.api.mapcore.util.fe$a;
com.amap.api.mapcore.util.fi;->b([B [B)[B
com.ta.utdid2.a.a.a;->j(Ljava.lang.String;)Ljava.lang.String;
com.ta.utdid2.a.a.a;->k(Ljava.lang.String;)Ljava.lang.String;

位置: classes4.dex
com.alipay.multimedia.utils.MusicUtils;->initAESCipher(I Ljava.lang.String; Z)Ljavax.crypto.Cipher;

位置: lib/armeabi/libandroid-phone-securitycommon-verifyidentitybiz.so
com.alipay.mobile.verifyidentity.log.utils.TriDesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.mobile.verifyidentity.log.utils.TriDesCBC;->encrypt(Ljava.lang.String; [B)[B

位置: lib/armeabi/libandroid-phone-thirdparty-amapsearch.so
com.amap.api.services.core.ap;->b([B [B)[B

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
com.xiaomi.mipush.sdk.e;->a([B I)Ljavax.crypto.Cipher;

位置: lib/armeabi/libandroid-phone-wallet-nebulauc.so
com.uc.webview.export.internal.uc.wa.f;->a([B)[B

使用IVParameterSpec函数,如果使用了固定的初始化向量,那么密码文本可预测性高得多,容易受到字典攻击等。建议禁止使用常量初始化矢量构造IVParameterSpec,使用聚安全提供的安全组件。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到1处socket通信。

位置: classes.dex
Lcom.loc.e$c;->run

Android应用通常使用PF_UNIX、PF_INET、PF_NETLINK等不同domain的socket来进行本地IPC或者远程网络通信,这些暴露的socket代表了潜在的本地或远程攻击面,历史上也出现过不少利用socket进行拒绝服务、root提权或者远程命令执行的案例特别是PF_INET类型的网络socket,可以通过网络与Android应用通信,其原本用于linux环境下开放网络服务,由于缺乏对网络调用者身份或者本地调用者id、permission等细粒度的安全检查机制,在实现不当的情况下,可以突破Android的沙箱限制,以被攻击应用的权限执行命令,通常出现比较严重的漏洞

参考案例:
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

参考资料:
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

警告

检测到 21处url没有使用安全的https链接。

位置: classes.dex
http://amdc.alipay.com/
http://d.alipay.net/
http://mali.alipay.com/
http://maliprod.alipay.com/
http://mdap-1-64.test.alipay.net
http://mdap.alipay.com/
http://mdap.alipaylog.com
http://mdap.alipaylog.com/
http://mobilegw.alipay.com/

位置: classes2.dex
http://amdc.alipay.com/
http://d.m.taobao.com/
http://d.wapa.taobao.com/
http://d.waptest.taobao.com/
http://mdap.alipaylog.com/
http://mobilecns.alipay.com
http://mobilegw.aaa.alipay.net/
http://mobilegw.dev03.alipay.net/
http://mugw.alipay.com:443

位置: classes3.dex
http://h5test.inc.alipay.net/
http://wapcenter.stable.alipay.net/
http://wapcenter.test.alipay.net/

参考资料:
https://jaq.alibaba.com/blog.htm?id=60
https://developer.android.com/training/articles/security-ssl.html

警告

检测到56处使用了加解密算法。密钥处理不当可能会导致信息泄露。

位置: classes.dex
com.loc.o;->a([B [B [B)[B
com.alipay.android.phone.inside.security.util.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.log.util.sec.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.mobile.common.security.Des;->doFinal(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
net.lingala.zip4j.crypto.PBKDF2.a;->b([B)V
com.ali.money.shield.mssdk.antifraud.tel.c.a;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.android.phone.inside.log.util.sec.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.loc.ch;->a([B [B)[B
com.alipay.inside.security.server.util.DesCBC;->encrypt(Ljava.lang.String; [B)[B
com.alipay.android.phone.inside.security.util.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.inside.security.server.util.DesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.mobile.common.security.Des;->doFinal(I [B Ljava.lang.String;)[B
com.loc.ch;->b(Ljava.lang.String;)Ljavax.crypto.spec.SecretKeySpec;
com.alipay.mobile.common.logging.util.AESUtil;->decrypt([B [B I I)[B
com.loc.ch;->b([B [B)[B
com.uc.crashsdk.a.e;->a([B [B Z Z)[B
com.alipay.android.app.framework.encrypt.TriDesCBC;->a(Ljava.lang.String; [B)[B
com.alipay.mobile.tianyanadapter.logging.utils.ColorUtil;->encrypt([B [B)[B
com.alipay.android.app.framework.encrypt.TriDesCBC;->b(Ljava.lang.String; [B)[B
com.alipay.mobile.tianyanadapter.logging.utils.ColorUtil;->decrypt([B [B)[B
com.alipay.android.app.framework.encrypt.Des;->a(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.mobile.common.logging.util.AESUtil;->encrypt([B [B I I)[B
com.alipay.android.app.framework.encrypt.TriDes;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.loc.l;->a(Landroid.content.Context; Lcom.loc.s; Ljava.lang.String;)Lcom.loc.l$a;
com.loc.ch;->a([B)[B

位置: classes2.dex
com.alipay.android.phone.mobilecommon.multimediabiz.biz.utils.AESUtils;->initAESCipher(Ljava.lang.String; I)Ljavax.crypto.Cipher;
com.alipay.mobile.common.transport.utils.Des;->doFinal(I [B Ljava.lang.String;)[B
com.alipay.security.mobile.util.Utils;->getHmacSignature([B)Ljava.lang.String;
com.alipay.mobile.security.bio.utils.DESCoder;->decryptMode([B Ljava.lang.String;)[B
com.alipay.mobile.security.bio.security.AESEncrypt;->encrypt(Ljava.lang.String; Ljava.lang.String;)[B
com.alipay.mobile.security.bio.security.AESEncrypt;->decrypt([B Ljava.lang.String;)[B
com.alipay.mobile.common.transport.utils.Des;->doFinal(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.mobile.security.bio.security.AESEncrypt;->decrypt([B [B)[B
com.alipay.mobile.security.bio.utils.DESCoder;->encryptMode([B Ljava.lang.String;)[B
com.alipay.security.mobile.alipayauthenticatorservice.bracelet.util.AESUtil;->AESEncrypt([B [B)[B
com.alipay.security.mobile.module.bracelet.lib.util.Utils;->AESEncrypt([B [B)[B
com.alipay.android.phone.mobilecommon.multimediabiz.biz.file.FileSecurityTool;->initAESCipher(Landroid.content.Context; I Ljava.lang.String; Lcom.alipay.android.phone.mobilecommon.multimediabiz.biz.file.FileSecurityTool$FileSecurityReport;)Ljavax.crypto.Cipher;
com.alipay.mobile.security.bio.security.AESEncrypt;->encrypt([B [B)[B

位置: classes3.dex
com.alipay.security.mobile.module.crypto.SecurityUtils;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.ta.utdid2.a.a.a;->k(Ljava.lang.String;)Ljava.lang.String;
com.amap.api.mapcore.util.fe;->a(Landroid.content.Context; Lcom.amap.api.mapcore.util.fm; Ljava.lang.String; Ljava.util.Map;)Lcom.amap.api.mapcore.util.fe$a;
com.ta.utdid2.a.a.a;->j(Ljava.lang.String;)Ljava.lang.String;
com.alipay.security.mobile.module.crypto.SecurityUtils;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.amap.api.mapcore.util.fi;->b([B [B)[B
com.ta.utdid2.device.c;->b([B)Ljava.lang.String;

位置: classes4.dex
com.alipay.mobile.security.otp.service.AlipayIDCode;->decryptDesEcb([B [B)[B
com.alipay.multimedia.utils.MusicUtils;->initAESCipher(I Ljava.lang.String; Z)Ljavax.crypto.Cipher;
com.alipay.mobile.security.otp.service.OtpSeedCryptor;->a(Ljava.lang.String;)Ljava.lang.String;
com.alipay.mobile.security.otp.service.AlipayIDCode;->encryptDesEcb([B [B)[B
com.alipay.mobile.security.otp.service.OtpSeedCryptor;->b(Ljava.lang.String;)[B

位置: lib/armeabi/libandroid-phone-securitycommon-verifyidentitybiz.so
com.alipay.mobile.verifyidentity.log.utils.TriDesCBC;->decrypt(Ljava.lang.String; [B)[B
com.alipay.mobile.verifyidentity.log.utils.TriDesCBC;->encrypt(Ljava.lang.String; [B)[B

位置: lib/armeabi/libandroid-phone-thirdparty-amapsearch.so
com.amap.api.services.core.ap;->b([B [B)[B

位置: lib/armeabi/libandroid-phone-thirdparty-voicesdk.so
com.alibaba.idst.nls.internal.protocol.NlsRequestAuth;->digestMsg()Ljava.lang.String;

位置: lib/armeabi/libandroid-phone-thirdparty-xiaomipush.so
com.xiaomi.mipush.sdk.e;->a([B I)Ljavax.crypto.Cipher;

位置: lib/armeabi/libandroid-phone-wallet-nebulauc.so
com.uc.webview.export.internal.uc.wa.f;->a([B)[B

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


动态扫描发现风险点

风险等级 风险名称

服务端分析

风险等级 风险名称

警告

检测到?处XSS漏洞。
开发中...

警告

检测到?处XSS跨站漏洞。
开发中...

应用证书