Vulnerability Analysis

High-risk vulnerabilities: 0
Medium-risk vulnerabilities: 6
Low-risk vulnerabilities: 3
Warnings: 9

File name SmartSchool_android.apk
Uploader Nepire
File size 3.3908615112305MB
MD5 7be78775fbc79b912d1f5b66325fa81a
Package name org.hemeiyun.school
Main Activity com.sxy.activity.MainActivity
Min SDK 10
Target SDK 19

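Permission List

# Name Description Flag
0 android.permission.ACCESS_COARSE_LOCATION Access coarse location sources (such as the cellular network database) to determine the phone's approximate location, where available. A malicious app can use this to determine your approximate location. Caution
1 android.permission.ACCESS_FINE_LOCATION Access fine location sources, such as the phone's GPS, where available. A malicious app may use this to determine your location, and it may consume additional battery power. Caution
2 android.permission.BLUETOOTH Allows the app to view the configuration of the local Bluetooth phone and to make or accept connections with paired devices. Caution
3 android.permission.BROADCAST_STICKY Allows the app to send sticky broadcasts, which remain after the broadcast ends. A malicious app may use this to make the phone use too much memory, reducing its speed or stability. Caution
4 android.permission.GET_TASKS Allows the app to retrieve information about currently and recently running tasks. A malicious app can use this to discover private information about other apps. Caution
5 android.permission.READ_PHONE_STATE Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
6 android.permission.RECEIVE_BOOT_COMPLETED Allows the app to start itself as soon as the system has finished booting. This lengthens the phone's startup time, and if the app keeps running it slows the phone down overall. Caution
7 android.permission.WRITE_SETTINGS Allows the app to modify system settings data. A malicious app can use this to corrupt your system configuration. Caution
8 android.permission.ACCESS_NETWORK_STATE Allows the app to view the state of all networks. Info
9 android.permission.ACCESS_WIFI_STATE Allows the app to view information about the WLAN state. Info
10 android.permission.BATTERY_STATS Allows modification of collected battery usage statistics. Not for use by normal apps. Info
11 android.permission.INTERNET Allows the app to access the network. Info
12 android.permission.KILL_BACKGROUND_PROCESSES Allows the app to end background processes of other apps, regardless of whether memory is low. Info
13 android.permission.READ_LOGS Allows the app to read from the system's various log files. This lets the app discover how you use the phone, but these logs should not contain any personal or private information. Info
14 android.permission.RESTART_PACKAGES Allows the app to restart itself or other apps. Info
15 android.permission.VIBRATE Allows the app to control the vibrator. Info
16 android.permission.WAKE_LOCK Allows the app to prevent the phone from going to sleep. Info
17 android.permission.WRITE_EXTERNAL_STORAGE Allows the app to write to the SD card. Info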

Four Major Components

Component name

com.sxy.activity.MainActivity
com.sxy.activity.GameDetailActivity
com.sxy.activity.ForumActivity
com.sxy.activity.PersonalCenterActivity
com.sxy.activity.SettingActivity
com.sxy.activity.PostActivity
com.sxy.activity.ModifyPasswordActivity
com.sxy.activity.SendPostActivity
com.sxy.activity.MessageActivity
com.sxy.activity.Login1Activity
com.sxy.activity.RegisterActivity
com.sxy.activity.AboutMe
com.sxy.activity.ShareApp
com.sxy.activity.LoginActivity
com.sxy.activity.CheckInputActivity
com.sxy.activity.WebActivity
com.umeng.update.UpdateDialogActivity
com.umeng.socialize.view.ShareActivity
com.umeng.socialize.view.CommentActivity
com.umeng.socialize.view.CommentDetail
com.sxy.wxapi.WXEntryActivity
com.umeng.fb.ConversationActivity
com.umeng.fb.ContactActivity
com.tencent.android.tpush.XGPushActivity
com.tencent.tauth.AuthActivity
com.tencent.connect.common.AssistActivity

com.dmfive.net.upload.UploadService
com.umeng.update.net.DownloadingService
com.tencent.android.tpush.service.XGPushService
com.tencent.android.tpush.rpc.XGRemoteService

com.sxy.receiver.UploadReceiver
com.tencent.android.tpush.XGPushReceiver
com.sxy.receiver.MessageReceiver

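Third-Party Libraries

# Library Description
0 com.umeng.analytics Umeng Analytics is the largest mobile app statistics and analytics platform in China.
1 com.tencent.mm.sdk WeChat Pay
2 com.tencent.connect Tencent Open Platform
3 com.tencent.tauth The Tencent QQ Connect platform provides developers with a list of SDKs to help them quickly integrate QQ login, sharing and other features. QQ Connect is Tencent's open platform: through it, site owners and developers can apply to integrate QQ login, users can sign in to integrated sites with their QQ accounts, site content can be shared to Qzone and Pengyou by adding share and like components, and, by obtaining API authorization, site owners can also sync user actions to Qzone and Pengyou.
4 me.maxwin Pinterest style ListView for Android
5 com.huewu.pla.lib An Android multi column list view like Pinterest.
6 com.umeng.update Umeng Auto Update (Android) helps developers upgrade apps on mobile devices to the latest version and is an effective way to update the existing user base. Tens of thousands of apps already use the Umeng Auto Update service.
7 com.tencent.android.tpush Multiple push methods, flexible and convenient; push target segmentation for precise marketing; push statistics for tracking results.
8 com.unionpay.uppay UnionPay payment
9 com.alimama.mobile The Tanx mobile SDK supports three promotion formats: banner, interstitial and recommendation wall. While ensuring stable service, its flexible architecture connects promotion resources with multiple landing methods and multiple kinds of promotion content such as apps, e-commerce and brands. It optimizes traffic value overall, balancing media revenue and user experience.
10 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
11 org.apache.http The Apache HttpComponents™ project is responsible for creating and maintaining a toolset of low level Java components focused on HTTP and associated protocols.
12 com.unionpay.mobile UnionPay payment covers many applications, including convenience services, financial services, business travel, leisure and entertainment, and online shopping. It makes it easy to top up a phone, buy insurance, check a bank card balance, book hotels and flights, purchase train tickets and buy seasonal goods. It provides "one-stop" mobile payment services anytime, anywhere.
13 com.umeng.socialize The social component helps you integrate and upgrade various social platforms and quickly equip your app!
14 com.unionpay.uppay UnionPay payment
15 com.unionpay.mobile UnionPay payment covers many applications, including convenience services, financial services, business travel, leisure and entertainment, and online shopping. It makes it easy to top up a phone, buy insurance, check a bank card balance, book hotels and flights, purchase train tickets and buy seasonal goods. It provides "one-stop" mobile payment services anytime, anywhere.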

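Risks Found by Static Scanning

Risk level Risk name

Medium

The current flag was detected as set to true or not set, which allows adb debug backup and lets a malicious attacker copy the application's data, causing data leakage.

Medium

The app needs to remove most of its log-printing code.
The scan found that this package still contains a large amount of logging code: 281 logging call sites in total. (The logging code scanned for here means calls to android.util.Log.*.)
Details are as follows:

Location: classes.dex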
com.umeng.analytics.social.b;->d(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mid.util.Util;->logInfo(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mid.util.Util;->getExternalStorageInfo(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.utils.AsynLoadImg;->save(Ljava/lang/String; Lcom/tencent/utils/AsynLoadImgBack;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.bean.BaseMsg;->(Landroid/os/Parcel;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a()Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.utils.ServerSetting;->getEnvUrl(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.alimama.mobile.csdk.umupdate.a.g;->a(Ljava/lang/String; [Ljava/lang/Object;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.service.l;->a(Landroid/content/Context;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.s;->onSuccess(Ljava/lang/Object; I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.net.z;->parseJsonObject()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.PKDialog;->onKeyboardHidden()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
u.upd.b;->c(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.share.a;->b(Ljava/lang/String; I I)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.dmfive.tools.Log6;->e(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.sxy.receiver.MessageReceiver;->onRegisterResult(Landroid/content/Context; I Lcom/tencent/android/tpush/XGPushRegisterResult;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.TDialog$THandler;->handleMessage(Landroid/os/Message;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->b(Landroid/content/Context;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.PublishActivity;->getarea([I)[I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.analytics.social.b;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.TaskGuide$e;->onTouchEvent(Landroid/view/MotionEvent;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
u.aly.bj;->d(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.utils.OauthHelper;->getAccessTokenForQQ(Landroid/content/Context;)[Ljava/lang/String;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.PKDialog$JsListener;->onComplete(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.share.QQShare;->b(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.FriendActivity$6;->onScroll(Landroid/widget/AbsListView; I I I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.PublishActivity$4;->afterTextChanged(Landroid/text/Editable;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
u.upd.b;->d(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.alimama.mobile.csdk.umupdate.a.g;->c(Ljava/lang/String; [Ljava/lang/Object;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I J J J Ljava/lang/String;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.utils.Log;->e(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.XGPushManager;->a(Landroid/content/Context; Lcom/tencent/android/tpush/XGLocalMessage; J)J==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.sso.UMQQSsoHandler;->shareToQQ()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.TDialog$JsListener;->onAddShare(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.update.UpdateDialogActivity;->onCreate(Landroid/os/Bundle;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.utils.OauthHelper;->saveQQAccessToken(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mm.sdk.b.b;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.s;->onFail(Ljava/lang/Object; I Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.stat.a.k;->b(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.stat.a.i;->g(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.Authorize$3;->onProgressChanged(Landroid/webkit/WebView; I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.widgets.n;->a(Landroid/view/View;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.controller.impl.y;->a()Lcom/umeng/socialize/net/j;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.analytics.social.b;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.service.XGPushService;->onStartCommand(Landroid/content/Intent; I I)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.SocialApiIml$a;->onComplete(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->c()Ljava/util/ArrayList;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.utils.AsynLoadImg$2;->run()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.utils.HttpUtils;->upload(Lcom/tencent/connect/auth/QQToken; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle;)Lorg/json/JSONObject;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.stat.a.k;->f(Landroid/content/Context;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->c(Landroid/content/Context;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.utils.Log;->v(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.common.StatLogger;->warn(Ljava/lang/Object;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.PublishActivity$1;->handleMessage(Landroid/os/Message;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.socialize.controller.impl.n;->e(Landroid/app/Activity;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weiyun.FileManager$DownLoadImp$3;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.PKDialog;->onConsoleMessage(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.stat.a.i;->c(Ljava/lang/Object;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.fb.util.Log;->d(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mid.util.Util;->getLinkedWay(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
u.aly.bj;->c(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->a(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.android.tpush.stat.a.i;->a(Ljava/lang/Object;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.analytics.social.b;->e(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.weibo.sdk.android.component.PublishActivity;->onResult(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
u.upd.b;->e(Ljava/lang/String; Ljava/lang/String; Ljava/lang/Exception;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I

Location: assets/UPPayPluginEx.apk
com.unionpay.mobile.android.utils.h;->a(I Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.utils.h;->a(I Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.upviews.b;->handleMessage(Landroid/os/Message;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.nocard.views.listview.e;->a()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.utils.h;->a(I Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.ui.e;->onDismiss()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.utils.h;->a(I Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.widgets.n;->a(Landroid/view/View;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.unionpay.mobile.android.utils.h;->a(I Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I

Medium risk

1 WebView remote code execution vulnerability detected.

Location: classes.dex
com.sxy.activity.WebActivity;->initView()V

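Android versions before API level 17 contain a remote code execution vulnerability. It arises because the program does not properly restrict use of the addJavascriptInterface method: an attacker can exploit it through Java reflection to invoke methods of arbitrary Java objects, resulting in remote code execution.
(1) Android systems at API level 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that every function allowed to be called be annotated with @JavascriptInterface.
(2) Android systems at API level 17 or higher: avoid using the addJavascriptInterface interface so as not to introduce unnecessary security risk; if the interface must be used, certificate verification is recommended.
(3) Use removeJavascriptInterface to remove the default built-in interfaces of the Android system: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases: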
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium risk

129 sensitive plaintext strings detected; removal is recommended.

Location: classes.dex
'10.0.0.172' used in: Lcom/tencent/stat/common/StatCommonHelper;->getHttpProxy(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.172' used in: Lcom/tencent/mid/util/Util;->getHttpProxy(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.172' used in: Lcom/tencent/android/tpush/service/d/a;->b(Landroid/content/Context;)Ljava/lang/String;
'10.0.0.172' used in: Lcom/tencent/android/tpush/stat/a/g;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.172' used in: Lu/aly/r;->(Landroid/content/Context;)V
'10.0.0.200' used in: Lcom/tencent/stat/common/StatCommonHelper;->getHttpProxy(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.200' used in: Lcom/tencent/mid/util/Util;->getHttpProxy(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.200' used in: Lcom/tencent/android/tpush/service/d/a;->b(Landroid/content/Context;)Ljava/lang/String;
'10.0.0.200' used in: Lcom/tencent/android/tpush/stat/a/g;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'http://alog.umeng.co/app_logs' used in: Lcom/umeng/analytics/a;->()V
'http://alog.umeng.com/app_logs' used in: Lcom/umeng/analytics/a;->()V
'http://app.wit.xmut.edu.cn/' used in: Lcom/sxy/receiver/MessageReceiver;->onNotifactionClickedResult(Landroid/content/Context; Lcom/tencent/android/tpush/XGPushClickedResult;)V
'http://app.wit.xmut.edu.cn/' used in: Lcom/sxy/activity/WebActivity;->getWebUrl(Ljava/lang/String;)Ljava/lang/String;
'http://app.wit.xmut.edu.cn/appUploadFile.php' used in: Lcom/sxy/net/Request;->pickerUpload(Landroid/content/Context; Ljava/util/List;)Ljava/lang/String;
'http://app.wit.xmut.edu.cn/notice/item.html?remote_user_id=app.mobile.ligong&user_id=' used in: Lcom/sxy/fragment/HomePageFragment$2;->onCarouselClick(Lcom/sxy/model/ADInfo;)V
'http://app.wit.xmut.edu.cn:8084/service/utf-8/' used in: Lcom/sxy/net/Request;->doGetApi(Ljava/lang/String; Ljava/util/Map; Lcom/sxy/net/RequestCallback;)J
'http://app.wit.xmut.edu.cn:8084/service/utf-8/' used in: Lcom/sxy/net/Request;->apiUpdateUserInfo(Landroid/content/Context; I Ljava/lang/String;)Ljava/lang/String;
'http://appact.qzone.qq.com/appstore_activity_task_pcpush_sdk' used in: Lcom/tencent/open/TaskGuide;->e(I)V
'http://appact.qzone.qq.com/appstore_activity_task_pcpush_sdk' used in: Lcom/tencent/open/TaskGuide;->showTaskGuideWindow(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://appsupport.qq.com/cgi-bin/qzapps/mapp_addapp.cgi' used in: Lcom/tencent/connect/auth/AuthAgent$FeedConfirmListener;->(Lcom/tencent/connect/auth/AuthAgent; Lcom/tencent/tauth/IUiListener;)V
'http://au.umeng.co/api/check_app_update' used in: Lcom/umeng/update/b;->(Landroid/content/Context;)V
'http://au.umeng.com/api/check_app_update' used in: Lcom/umeng/update/b;->(Landroid/content/Context;)V
'http://bbs.shangxiyou.com/mobapi/' used in: Lcom/sxy/net/Request;->changePortrait(Landroid/content/Context; Lcom/sxy/model/UserModel; Ljava/lang/String;)Ljava/lang/String;
'http://bbs.shangxiyou.com/mobapi/' used in: Lcom/sxy/net/Request;->reply(Landroid/content/Context; Lcom/sxy/model/ForumTopic; I Ljava/lang/String; Lcom/sxy/model/UserModel; Ljava/util/List;)Ljava/lang/String;
'http://bbs.shangxiyou.com/mobapi/' used in: Lcom/sxy/net/Request;->sendPost(Landroid/content/Context; Lcom/sxy/model/ForumTopic; Lcom/sxy/model/UserModel; Ljava/util/List;)Ljava/lang/String;
'http://bbs.shangxiyou.com/mobapi/' used in: Lcom/sxy/net/Request;->doGetBBS(Ljava/lang/String; Ljava/util/Map; Lcom/sxy/net/RequestCallback;)J
'http://cgi.connect.qq.com/qqconnectopen/openapi/policy_conf' used in: Lcom/tencent/utils/OpenConfig$1;->run()V
'http://cgi.connect.qq.com/qqconnectutil/sdk' used in: Lcom/tencent/connect/a/a;->c(Landroid/content/Context; Lcom/tencent/connect/auth/QQToken;)V
'http://cgi.qplus.com/report/report' used in: Lcom/tencent/utils/Util$1;->run()V
'http://feedback.umeng.com/feedback/feedbacks' used in: Lcom/umeng/fb/net/FbClient;->sendUserTitleReply(Lcom/umeng/fb/model/UserTitleReply;)Z
'http://feedback.umeng.com/feedback/reply' used in: Lcom/umeng/fb/net/FbClient;->sendUserReply(Lcom/umeng/fb/model/UserReply;)Z
'http://feedback.umeng.com/feedback/reply' used in: Lcom/umeng/fb/net/FbClient;->getDevReply(Ljava/util/List; Ljava/lang/String; Ljava/lang/String;)Ljava/util/List;
'http://fusion.qq.com/cgi-bin/qzapps/mapp_lbs_delete.cgi' used in: Lcom/tencent/tauth/LocationApi;->deleteLocation(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://fusion.qq.com/cgi-bin/qzapps/mapp_lbs_getnear.cgi' used in: Lcom/tencent/tauth/LocationApi;->doSearchNearby(Landroid/location/Location;)V
'http://lbs.map.qq.com/loc?c=1' used in: Lcom/tencent/a/b/f$b;->(Lcom/tencent/a/b/f; Ljava/lang/String;)V
'http://log.umsns.com/' used in: Lcom/umeng/socialize/net/base/SocializeClient;->execute(Lcom/umeng/socialize/net/base/SocializeRequest;)Lcom/umeng/socialize/net/base/SocializeReseponse;
'http://log.umsns.com/share/api/' used in: Lcom/umeng/analytics/social/f;->a(Landroid/content/Context; Ljava/lang/String; [Lcom/umeng/analytics/social/UMPlatformData;)[Ljava/lang/String;
'http://log.umsns.com/share/auth/' used in: Lcom/umeng/socialize/view/j;->a(Lcom/umeng/socialize/bean/SocializeEntity; Lcom/umeng/socialize/bean/SHARE_MEDIA;)Ljava/lang/String;
'http://ls.map.soso.com/deflect?c=1' used in: Lcom/tencent/a/b/b$b;->run()V
'http://ls.map.soso.com/monitor/monitor.html' used in: Lcom/tencent/a/b/q;->a(Ljava/lang/String; Z)Ljava/net/HttpURLConnection;
'http://lstest.map.soso.com/loc?c=1' used in: Lcom/tencent/a/b/f$b;->(Lcom/tencent/a/b/f; Ljava/lang/String;)V
'http://oc.umeng.co/check_config_update' used in: Lcom/umeng/analytics/a;->()V
'http://oc.umeng.com/check_config_update' used in: Lcom/umeng/analytics/a;->()V
'http://openmobile.qq.com/api/check2?page=qzshare.html&loginpage=loginindex.html&logintype=qzone' used in: Lcom/tencent/connect/share/QzoneShare;->a(Landroid/content/Context; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://openmobile.qq.com/api/check?page=shareindex.html&style=9' used in: Lcom/tencent/connect/share/QQShare;->c(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://pingma.qq.com:80' used in: Lcom/tencent/mid/a/d;->b(Lcom/tencent/mid/a/g; Lcom/tencent/mid/api/MidCallback;)V
'http://pingma.qq.com:80/mstat/report' used in: Lcom/tencent/stat/StatConfig;->()V
'http://pingma.qq.com:80/mstat/report' used in: Lcom/tencent/android/tpush/stat/d;->()V
'http://pingma.qq.com:80/mstat/report/' used in: Lcom/tencent/mid/a/d;->b(Lcom/tencent/mid/a/g; Lcom/tencent/mid/api/MidCallback;)V
'http://pingmid.qq.com:80/' used in: Lcom/tencent/mid/util/Util;->getHttpUrl()Ljava/lang/String;
'http://qzs.qq.com' used in: Lcom/tencent/connect/auth/AuthAgent;->writeEncryToken(Landroid/content/Context;)V
'http://qzs.qq.com' used in: Lcom/tencent/open/SocialApiIml;->writeEncryToken(Landroid/content/Context;)V
'http://qzs.qq.com/open/mobile/brag/sdk_brag.html?' used in: Lcom/tencent/open/SocialApiIml;->brag(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/brag/sdk_brag.html?' used in: Lcom/tencent/open/SocialApiIml;->challenge(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/invite/sdk_invite.html?' used in: Lcom/tencent/open/SocialApiIml;->invite(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/not_support.html?' used in: Lcom/tencent/open/SocialApiIml;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/rate/sdk_rate.html?' used in: Lcom/tencent/open/SocialApiIml;->grade(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/reactive/sdk_reactive.html?' used in: Lcom/tencent/open/SocialApiIml;->reactive(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/request/sdk_request.html?' used in: Lcom/tencent/open/SocialApiIml;->a(Landroid/app/Activity; Ljava/lang/String; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://qzs.qq.com/open/mobile/sendstory/sdk_sendstory_v1.3.html?' used in: Lcom/tencent/open/SocialApiIml;->story(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/IUiListener;)V
'http://sns.whalecloud.com' used in: Lcom/umeng/socialize/sso/SinaSsoHandler;->()V
'http://t2.qpic.cn/mblogpic/9c7e34358608bb61a696/2000' used in: Lcom/tencent/weibo/sdk/android/component/GeneralInterfaceActivity;->onClick(Landroid/view/View;)V
'http://t2.qpic.cn/mblogpic/9c7e34358608bb61a696/2000' used in: Lcom/tencent/weibo/sdk/android/component/MainPage_Activity$3;->onClick(Landroid/view/View;)V
'http://w.m.taobao.com/api/q?' used in: Lcom/alimama/mobile/csdk/umupdate/b/a;->()V
'http://w.m.taobao.com/api/r?' used in: Lcom/alimama/mobile/csdk/umupdate/b/a;->()V
'http://webpresence.qq.com/getonline?Type=1&' used in: Lcom/tencent/wpa/WPA;->getWPAUserOnlineState(Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'http://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/a/c;->a(Landroid/content/Context; Ljava/lang/String;)V
'http://www.myapp.com/forward/a/45592?g_f=990935' used in: Lcom/tencent/wpa/WPA;->startWPAConversation(Ljava/lang/String; Ljava/lang/String;)I
'http://www.shangxiyou.com' used in: Lcom/sxy/model/GameInfo;->getGamePicArray()[Ljava/lang/String;
'http://www.shangxiyou.com/index.php' used in: Lcom/sxy/net/Request;->doGet(Ljava/util/Map; Lcom/sxy/net/RequestCallback;)J
'http://www.tudou.com/programs/view/b-4VQLxwoX4/' used in: Lcom/tencent/weibo/sdk/android/component/MainPage_Activity$3;->onClick(Landroid/view/View;)V
'http://www.umeng.com/social' used in: Lcom/umeng/socialize/sso/UMQQSsoHandler;->buildParams()V
'http://www.umeng.com/social' used in: Lcom/umeng/socialize/weixin/controller/UMWXHandler;->buildTextImageParams()Lcom/tencent/mm/sdk/modelmsg/WXMediaMessage;
'http://www.umeng.com/social' used in: Lcom/umeng/socialize/sso/QZoneSsoHandler;->buildParams(Lcom/umeng/socialize/bean/UMShareMsg;)Landroid/os/Bundle;
'http://www.umeng.com/social' used in: Lcom/umeng/socialize/sso/QZoneSsoHandler;->setShareToImage(Landroid/os/Bundle; Lcom/umeng/socialize/media/UMediaObject;)V
'https://api.weixin.qq.com/sns/oauth2/access_token?appid=' used in: Lcom/umeng/socialize/weixin/controller/UMWXHandler;->dealOAuth(Lcom/tencent/mm/sdk/modelbase/BaseResp;)V
'https://api.weixin.qq.com/sns/oauth2/refresh_token?appid=' used in: Lcom/umeng/socialize/weixin/controller/UMWXHandler;->authorize(Landroid/app/Activity; Lcom/umeng/socialize/controller/listener/SocializeListeners$UMAuthListener;)V
'https://api.weixin.qq.com/sns/userinfo?access_token=' used in: Lcom/umeng/socialize/weixin/controller/UMWXHandler;->getUserInfo(Lcom/umeng/socialize/controller/listener/SocializeListeners$UMDataListener;)V
'https://graph.qq.com/weiyun/check_record' used in: Lcom/tencent/weiyun/RecordManager;->checkRecord(Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/create_record' used in: Lcom/tencent/weiyun/RecordManager;->createRecord(Ljava/lang/String; Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/delete_music' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/delete_photo' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/delete_record' used in: Lcom/tencent/weiyun/RecordManager;->deleteRecord(Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/delete_video' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/download_music' used in: Lcom/tencent/weiyun/FileManager$DownLoadImp;->getDownloadUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/download_photo' used in: Lcom/tencent/weiyun/FileManager$DownLoadImp;->getDownloadUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/download_video' used in: Lcom/tencent/weiyun/FileManager$DownLoadImp;->getDownloadUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/get_music_list' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/get_photo_list' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/get_photo_thumb' used in: Lcom/tencent/weiyun/FileManager$DownLoadImp;->getDownloadUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/get_record' used in: Lcom/tencent/weiyun/RecordManager;->getRecord(Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/get_video_list' used in: Lcom/tencent/weiyun/FileManager;->()V
'https://graph.qq.com/weiyun/modify_record' used in: Lcom/tencent/weiyun/RecordManager;->modifyRecord(Ljava/lang/String; Ljava/lang/String; Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/query_all_record' used in: Lcom/tencent/weiyun/RecordManager;->queryAllRecord(Lcom/tencent/tauth/IUiListener;)V
'https://graph.qq.com/weiyun/upload_music' used in: Lcom/tencent/weiyun/FileManager$UploadFileImp;->getRequestUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/upload_photo' used in: Lcom/tencent/weiyun/FileManager$UploadFileImp;->getRequestUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://graph.qq.com/weiyun/upload_video' used in: Lcom/tencent/weiyun/FileManager$UploadFileImp;->getRequestUrl(Lcom/tencent/weiyun/FileManager$WeiyunFileType;)Ljava/lang/String;
'https://open.t.qq.com/api/friends/add' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->addFriend(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/friends/check' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->friendCheck(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/friends/fanslist' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->friendFansList(Landroid/content/Context; Ljava/lang/String; I I I I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/friends/get_intimate_friends' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->getIntimateFriends(Landroid/content/Context; Ljava/lang/String; I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/friends/idollist' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->friendIDolList(Landroid/content/Context; Ljava/lang/String; I I I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/friends/mutual_list' used in: Lcom/tencent/weibo/sdk/android/api/PublishWeiBoAPI;->mutual_list(Landroid/content/Context; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I I I I)V
'https://open.t.qq.com/api/friends/mutual_list' used in: Lcom/tencent/weibo/sdk/android/api/FriendAPI;->getMutualList(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/ht/recent_used' used in: Lcom/tencent/weibo/sdk/android/api/PublishWeiBoAPI;->recent_used(Landroid/content/Context; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I I I)V
'https://open.t.qq.com/api/lbs/get_around_new' used in: Lcom/tencent/weibo/sdk/android/api/LbsAPI;->getAroundNew(Landroid/content/Context; Ljava/lang/String; D D Ljava/lang/String; I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/lbs/get_around_people' used in: Lcom/tencent/weibo/sdk/android/api/LbsAPI;->getAroundPeople(Landroid/content/Context; Ljava/lang/String; D D Ljava/lang/String; I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/statuses/home_timeline' used in: Lcom/tencent/weibo/sdk/android/api/TimeLineAPI;->getHomeTimeLine(Landroid/content/Context; I I I I I Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/statuses/ht_timeline_ext' used in: Lcom/tencent/weibo/sdk/android/api/TimeLineAPI;->getHTTimeLine(Landroid/content/Context; Ljava/lang/String; I Ljava/lang/String; Ljava/lang/String; I I Ljava/lang/String; Ljava/lang/String; I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/statuses/user_timeline' used in: Lcom/tencent/weibo/sdk/android/api/TimeLineAPI;->getUserTimeLine(Landroid/content/Context; I I I I Ljava/lang/String; Ljava/lang/String; I I Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/add' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->addWeibo(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; D D I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/add_multi' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->reAddWeibo(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/add_pic' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->addPic(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; D D Landroid/graphics/Bitmap; I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/add_pic_url' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->addPicUrl(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; D D Ljava/lang/String; I I Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/getvideoinfo' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->getVideoInfo(Landroid/content/Context; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/t/re_list' used in: Lcom/tencent/weibo/sdk/android/api/WeiboAPI;->reList(Landroid/content/Context; Ljava/lang/String; I Ljava/lang/String; I Ljava/lang/String; I Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/user/info' used in: Lcom/tencent/weibo/sdk/android/api/UserAPI;->getUserInfo(Landroid/content/Context; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/user/infos' used in: Lcom/tencent/weibo/sdk/android/api/UserAPI;->getUserInfos(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/api/user/other_info' used in: Lcom/tencent/weibo/sdk/android/api/UserAPI;->getUserOtherInfo(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; I)V
'https://open.t.qq.com/cgi-bin/oauth2/access_token' used in: Lcom/tencent/weibo/sdk/android/api/BaseAPI;->startRequest(Landroid/content/Context; Ljava/lang/String; Lcom/tencent/weibo/sdk/android/network/ReqParam; Lcom/tencent/weibo/sdk/android/network/HttpCallback; Ljava/lang/Class; Ljava/lang/String; I)V
'https://open.t.qq.com/cgi-bin/oauth2/authorize?client_id=' used in: Lcom/tencent/weibo/sdk/android/component/Authorize;->onCreate(Landroid/os/Bundle;)V
'https://openmobile.qq.com/' used in: Lcom/tencent/utils/HttpUtils;->request(Lcom/tencent/connect/auth/QQToken; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://openmobile.qq.com/' used in: Lcom/tencent/utils/HttpUtils;->upload(Lcom/tencent/connect/auth/QQToken; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle;)Lorg/json/JSONObject;
'https://openmobile.qq.com/oauth2.0/m_authorize?' used in: Lcom/tencent/connect/auth/AuthAgent;->a(Z Lcom/tencent/tauth/IUiListener;)I
'https://openmobile.qq.com/user/user_login_statis' used in: Lcom/tencent/connect/auth/AuthAgent;->a(Ljava/lang/String;)V
"javascript:doAddPhoto2Div('" used in: Lcom/sxy/activity/WebActivity;->addPick2html(Ljava/lang/String;)V
'javascript:hidePop()' used in: Lcom/sxy/activity/WebActivity;->hidePopView()V
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a()V
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a(Ljava/lang/Object;)V

Medium risk

Detected 8 instances of the setSavePassword plaintext password storage vulnerability.

Location: classes.dex
com.tencent.open.SocialApiIml;
com.tencent.connect.auth.AuthAgent;
com.umeng.analytics.MobclickAgentJSInterface;
com.umeng.socialize.view.j;
com.tencent.weibo.sdk.android.component.Authorize;
com.sxy.activity.WebActivity;
com.unionpay.mobile.android.upviews.b;

Location: assets/UPPayPluginEx.apk
com.unionpay.mobile.android.upviews.b;

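WebView's save-password feature is set to true by default. WebView stores website passwords in plaintext in the app-private local file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain the user's passwords.
Recommendation: explicitly call webView.getSettings().setSavePassword(false).

Reference cases: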
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Medium risk

Detected 1 use of world-readable/writable file operations.

Location: classes.dex
com.unionpay.UPPayAssistEx;->installUPPayPlugin(Landroid.content.Context;)Z===>openFileOutput

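When getDir, getSharedPreferences (SharedPreference) or openFileOutput is used with world-readable permissions, an attacker can maliciously read the file contents and obtain sensitive information. If the file is made world-writable, an attacker may tamper with or forge its contents and use this for fraud and similar acts, causing financial loss to users. Recommendations:
(1) Create internal storage files with MODE_PRIVATE.
(2) Encrypt sensitive data before storing it.
(3) Avoid storing plaintext and sensitive information in files.

Reference cases: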
http://wooyun.org/bugs/wooyun-2010-047172
http://wooyun.org/bugs/wooyun-2010-054438
http://wooyun.org/bugs/wooyun-2010-0151270

References:
https://jaq.alibaba.com/blog.htm?id=56
https://jaq.alibaba.com/blog.htm?id=58
http://wolfeye.baidu.com/blog/global-rw-of-file
http://wolfeye.baidu.com/blog/global-rw-of-sharepreference/

Low risk

Detected 10 locations where WebView's hidden system interfaces have not been removed.

Location: classes.dex
com.umeng.socialize.view.j;->c()Z
com.tencent.open.SocialApiIml;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.TDialog;->d()V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebChromeClient;)V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView;)V
com.tencent.connect.auth.AuthDialog;->e()V
com.sxy.activity.WebActivity;->initView()V
com.tencent.weibo.sdk.android.component.Authorize;->initLayout()V
com.tencent.connect.auth.AuthAgent;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.PKDialog;->initViews()V

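The Android WebView component contains 3 hidden system interfaces: searchBoxJavaBridge_, accessibilityTraversal and accessibility. Malicious programs can use them to achieve remote code execution.
If WebView is used, call the WebView.removeJavascriptInterface(String name) API to explicitly remove the three interfaces searchBoxJavaBridge_, accessibility and accessibilityTraversal.

References: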
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

Low risk

Detected 5 instances of the Intent Scheme URI vulnerability.

Location: classes.dex
Lcom/tencent/android/tpush/XGPushActivity;->openIntent(Landroid/content/Intent;)V
Lcom/tencent/android/tpush/service/b/a;->a(Landroid/content/Context; Ljava/lang/String; J)V
Lcom/tencent/android/tpush/service/b/a;->d(Landroid/content/Context;)V
Lcom/tencent/android/tpush/service/channel/b;->b(Z)I
Lcom/tencent/android/tpush/rpc/h;->a(Ljava/lang/String; Lcom/tencent/android/tpush/rpc/d;)V


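Intent Scheme URI is a special URL format used to launch the Activity components of installed apps from a web page; most mainstream browsers support it. If the app does not check the value of the load_url it receives, an attacker can build a phishing site, lure the user into clicking to load it, and steal user information. Improper handling of Intent URIs therefore leads to Intent-based attacks. Recommendation:
If Intent.parseUri is used, the resulting intent must be strictly filtered, applying at least these 3 policies: addCategory("android.intent.category.BROWSABLE"), setComponent(null) and setSelector(null).

References: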
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

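Low risk

For a non-debug package, most system output code should be removed by the packaging platform's ProGuard script.
The scan shows that this package still contains a large amount of system output code: 16 instances were found. (System output code here means output produced by System.out.print* calls, which should have been removed by the packaging platform.)
Details of system output code in each bundle:

Location: classes.dex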
com.tencent.utils.Util;
com.qq.taf.jce.HexUtil;
com.qq.jce.wup.BasicClassTypeUtil;
com.dmfive.server.BackgroundService;
com.dmfive.mould.BaseTalk;
com.tencent.android.tpush.XGPushActivity;
com.dmfive.xmpp.SpeexDecoder;
com.qq.jce.wup.WupHexUtil;
com.qq.jce.wup.WupInfo;
com.tencent.weibo.sdk.android.api.BaseAPI;
com.dmfive.tools.StringUtil;
com.qq.taf.jce.JceDisplayer;
com.dmfive.tools.FunctionTools;
com.dmfive.server.BackgroundService$HttpPostAsyncTask;
com.qq.taf.RequestPacket;
com.qq.taf.jce.JceOutputStream;

Warning

Detected 11 places where addFlags is used with Intent.FLAG_ACTIVITY_NEW_TASK.

Location: classes.dex
com.tencent.utils.Util;->a
com.tencent.mm.sdk.a.a;->a
com.umeng.update.net.DownloadingService$1;->handleMessage
com.umeng.update.UmengUpdateAgent;->startInstall
com.tencent.connect.auth.AuthDialog$LoginWebViewClient;->shouldOverrideUrlLoading
com.umeng.update.c;->b
com.tencent.android.tpush.XGPushActivity;->openIntent
com.umeng.update.net.c$c;->a
com.tencent.open.PKDialog;->loadUrlWithBrowser
com.sxy.receiver.MessageReceiver;->onNotifactionClickedResult
com.tencent.android.tpush.a.b;->a

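When the app creates an Intent to pass data to another Activity and that Activity is not opened in the same Task, the Intent contents may well be hijacked and read by other Activities. Passing sensitive information via Intent between Activities in different Tasks is unsafe. Recommendation:
As far as possible, avoid using Intents that carry the FLAG_ACTIVITY_NEW_TASK flag to pass sensitive information.

References: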
http://wolfeye.baidu.com/blog/intent-data-leak

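Warning

Detected 8 exported components that receive messages from other apps; these components can be invoked by other apps, leading to DoS attacks.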

activity com.sxy.wxapi.WXEntryActivity
activity com.tencent.android.tpush.XGPushActivity
activity com.tencent.tauth.AuthActivity
service com.tencent.android.tpush.service.XGPushService
service com.tencent.android.tpush.rpc.XGRemoteService
receiver com.sxy.receiver.UploadReceiver
receiver com.tencent.android.tpush.XGPushReceiver
receiver com.sxy.receiver.MessageReceiver

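Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set permissions on providers, and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. For components, especially across apps, validate data passed in and returned and add exception handling, to prevent malicious debug data from being passed in and, more importantly, to prevent sensitive data from being returned.

Reference cases: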
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

Detected 1 exported implicit Service component.
service com.tencent.android.tpush.rpc.XGRemoteService

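Recommendation: To keep the app secure, always use an explicit Intent when starting a Service, and do not declare Intent filters for the service. Starting a service with an implicit Intent is a security hazard, because you cannot be sure which service will respond to the Intent, and the user cannot see which service has started. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent.

References: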
https://developer.android.com/guide/components/intents-filters.html#Types

Warning

Detected 1 component with the android.intent.category.BROWSABLE attribute set.
com.tencent.tauth.AuthActivity


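A component declared in the AndroidManifest file with the android.intent.category.BROWSABLE attribute can be launched from a browser, which can lead to remote command execution attacks. Recommendations:
(1) Any place in the app that accepts external input is a potential attack point; filter and check parameters that come from web pages.
(2) Do not pass sensitive information through web pages. To steer already-logged-in users into the app, some websites use scripts to dynamically generate URL Scheme parameters that include sensitive information such as the username, password or login-state token, so that the user is logged in directly on opening the app. A malicious app can register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but an inattentive user may open it with the malicious app, resulting in disclosure of sensitive information or other risks.

Reference cases: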
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 12 potential XSS vulnerabilities.

Location: classes.dex
com.sxy.activity.WebActivity;->initView()V
com.tencent.connect.auth.AuthDialog;->e()V
com.tencent.weibo.sdk.android.component.Authorize;->initLayout()V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView;)V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebChromeClient;)V
com.umeng.socialize.view.j;->c()Z
com.unionpay.mobile.android.upviews.b;->(Landroid.content.Context; Lcom.unionpay.mobile.android.upviews.b$a;)V
com.tencent.connect.auth.AuthAgent;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.PKDialog;->initViews()V
com.tencent.open.SocialApiIml;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.TDialog;->d()V

Location: assets/UPPayPluginEx.apk
com.unionpay.mobile.android.upviews.b;->(Landroid.content.Context; Lcom.unionpay.mobile.android.upviews.b$a;)V

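Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. It is recommended to avoid it as far as possible.
(1) Android systems with API level equal to or higher than 17. For security reasons, to prevent Java-layer functions from being called arbitrarily, since version 4.2 Google requires that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems with API level equal to or higher than 17. It is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risks; if the interface must be used, certificate verification is recommended.
(3) Use removeJavascriptInterface to remove the Android system's default built-in interfaces: searchBoxJavaBridge_, accessibility and accessibilityTraversal.

Reference cases: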
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 2 uses of IvParameterSpec.

Location: classes.dex
com.umeng.socialize.net.utils.AesHelper;->decryptNoPadding(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.umeng.socialize.net.utils.AesHelper;->encryptNoPadding(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;

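When IvParameterSpec is used with a fixed initialization vector, the ciphertext is far more predictable and is vulnerable to dictionary attacks and the like. Recommendation: do not construct IvParameterSpec from a constant initialization vector; use the security components provided by 聚安全.

References: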
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Warning

Detected 2 places where a PendingIntent is constructed from an empty Intent.

Location: classes.dex
com.umeng.update.net.c;->a(Landroid.content.Context; Lcom.umeng.update.net.a$a; I I)Lcom.umeng.update.net.c$a;
com.umeng.update.net.DownloadingService$b;->a(Ljava.io.File; Ljava.lang.String;)V

When a PendingIntent is built from an empty Intent, a malicious user can hijack the contents of the Intent. Recommendation:
Do not construct a PendingIntent from an empty Intent.

References:
http://wolfeye.baidu.com/blog/pendingintent-leak-information
http://bbs.mob.com/thread-5249-1-1.html

Warning

Detected 1 instance of socket communication.

Location: classes.dex
Lcom.tencent.android.tpush.service.XGWatchdog;->getWatchdogPort

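Android apps commonly use sockets in different domains, such as PF_UNIX, PF_INET and PF_NETLINK, for local IPC or remote network communication. These exposed sockets represent potential local or remote attack surface, and there have been many past cases of sockets being used for denial of service, root privilege escalation or remote command execution. PF_INET network sockets in particular can communicate with the Android app over the network. They were originally meant for exposing network services in a Linux environment, and because they lack fine-grained security checks on the identity of network callers or on the id, permissions and so on of local callers, a flawed implementation can break out of the Android sandbox restrictions and execute commands with the privileges of the attacked app, which usually results in fairly serious vulnerabilities.

Reference cases: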
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

References:
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

Warning

Detected 4 uses of encryption/decryption algorithms. Improper key handling may lead to information disclosure.

Location: classes.dex
com.umeng.socialize.net.utils.AesHelper;->decryptNoPadding(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.umeng.socialize.net.utils.AesHelper;->encryptNoPadding(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.tencent.weibo.sdk.android.component.sso.AuthHelper;->generateSignature(J Ljava.lang.String; J J)[B
com.tencent.mid.util.Util;->getHMAC(Ljava.lang.String; Ljava.lang.String;)[B

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

References:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


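Risk points found by dynamic scanning

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? cross-site scripting (XSS) vulnerabilities.
In development...

Application certificate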