漏洞分析

0

高危漏洞

4

中危漏洞

3

低危漏洞

5

警告

文件名 wgt2.apk
上传者 htest
文件大小 11.315594673157MB
MD5 83835eeba793764b7451d2f03b33802a
包名 com.gzgxinfo.gzga.crj
Main Activity com.gzgxinfo.gzga.crj.ac.LoginActivity
Min SDK 19
Target SDK 19

权限列表

# 名称 说明 提示
0 android.permission.ACCESS_COARSE_LOCATION 访问大概的位置源(例如蜂窝网络数据库)以确定手机的大概位置(如果可以)。恶意应用程序可借此确定您所处的大概位置。 注意
1 android.permission.ACCESS_FINE_LOCATION 访问精准的位置源,例如手机上的全球定位系统(如果有)。恶意应用程序可能会借此确定您所处的位置,并可能消耗额外的电池电量。 注意
2 android.permission.BLUETOOTH 允许应用程序查看本地蓝牙手机的配置,以及建立或接受与配对设备的连接。 注意
3 android.permission.READ_PHONE_STATE 允许应用程序访问设备的手机功能。有此权限的应用程序可确定此手机的号码和序列号,是否正在通话,以及对方的号码等。 注意
4 android.permission.RECORD_AUDIO 允许应用程序访问录音路径。 注意
5 android.permission.ACCESS_NETWORK_STATE 允许应用程序查看所有网络的状态。 提示
6 android.permission.BLUETOOTH_ADMIN 允许应用程序配置本地蓝牙手机,以及发现远程设备并与其配对。 提示
7 android.permission.CAMERA 允许应用程序使用相机拍照,这样应用程序可随时收集进入相机镜头的图像。 提示
8 android.permission.CAMERA 允许应用程序使用相机拍照,这样应用程序可随时收集进入相机镜头的图像。 提示
9 android.permission.INTERNET 允许程序访问网络. 提示
10 android.permission.KILL_BACKGROUND_PROCESSES 无论内存资源是否紧张,都允许应用程序结束其他应用程序的后台进程。 提示
11 android.permission.MOUNT_UNMOUNT_FILESYSTEMS 允许应用程序装载和卸载可移动存储器的文件系统。 提示
12 android.permission.VIBRATE 允许应用程序控制振动器。 提示
13 android.permission.WAKE_LOCK 允许应用程序防止手机进入休眠状态。 提示
14 android.permission.WRITE_EXTERNAL_STORAGE 允许应用程序写入SD卡。 提示

四大组件

组件名称

com.gzgxinfo.gzga.crj.HLCRJActivity
com.gzgxinfo.gzga.crj.ac.WFActivity
com.gzgxinfo.gzga.crj.ac.LoginActivity
cn.dabby.sdk.wiiauth.senseid.SilentLivenessActivity
cn.dabby.sdk.wiiauth.activities.EntryActivity
cn.dabby.sdk.wiiauth.activities.Auth22Activity
cn.dabby.sdk.wiiauth.activities.Auth66Activity
cn.dabby.sdk.wiiauth.activities.Auth79BleActivity
cn.dabby.sdk.wiiauth.activities.Auth79NfcActivity

cn.com.fri.BleDeviceService.BleDeviceService
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService

com.gzgxinfo.gzga.crj.receiver.NetBroadcastReceiver

第三方库

# 库名 介绍
0 com.mingle.widget 高仿新版58 加载动画
1 com.umeng.analytics 友盟统计分析平台是国内最大的移动应用统计分析平台。
2 android.support.transition A backport of the new Transitions API for Android.
3 com.umeng.analytics.game 友盟游戏统计分析为移动游戏开发者提供了开箱即用的一站式解决方案。
4 okhttp3 An HTTP+SPDY client for Android and Java applications.
5 com.nineoldandroids Android library for using the Honeycomb animation API on all versions of the platform back to 1.0!
6 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
7 org.apache.http The Apache HttpComponents™ project is responsible for creating and maintaining a toolset of low level Java components focused on HTTP and associated protocols.

静态扫描发现风险点

风险等级 风险名称

中危

检测到当前标志被设置成true或没设置,这会导致adb调试备份允许恶意攻击者复制应用程序数据,造成数据泄露。

中危

检测到1处证书弱校验漏洞。

位置: classes.dex
cn.dabby.http.okhttp.https.HttpsUtils$UnSafeTrustManager;

当移动App客户端使用https或ssl/tls进行通信时,如果不校验证书的可信性,将存在中间人攻击漏洞,可导致信息泄露,传输数据被篡改,甚至通过中间人劫持将原有信息替换成恶意链接或恶意代码程序,以达到远程控制等攻击意图。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考案例:
www.wooyun.org/bugs/wooyun-2014-079358

参考资料:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

中危

该app需要移除大部分日志打印代码。
经扫描该包仍存在大量打日志代码,共发现86处打日志代码.(此处扫描的日志打印代码,是指调用android.util.Log.* 打印的.)
详情如下:

位置: classes.dex
com.umeng.commonsdk.utils.UMUtils;->getAppVersionName(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.util.f;->d(I Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder$IntPropertyValuesHolder;->setAnimatedValue(Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.com.fri.BleDeviceService.BleDeviceService$2;->a(Landroid/bluetooth/BluetoothDevice; I [B)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->sw(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.gzgxinfo.gzga.crj.HLCRJActivity$4$1;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getGPU(Ljavax/microedition/khronos/opengles/GL10;)[Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.MLog;->print(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
cn.com.fri.BleDeviceService.BleDeviceService$1;->a(Z)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.e;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMLog;->jsonArry(Lorg/json/JSONArray;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder;->getPropertyFunction(Ljava/lang/Class; Ljava/lang/String; Ljava/lang/Class;)Ljava/lang/reflect/Method;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->sd(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.gzgxinfo.gzga.crj.ac.LoginActivity$6$1;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getOperator(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.util.e;->a(J J Lcn/dabby/sdk/wiiauth/util/e$b;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder;->setupValue(Ljava/lang/Object; Lcom/nineoldandroids/animation/Keyframe;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.e;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.I;->log(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getLocale(Landroid/content/Context;)Ljava/util/Locale;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getAppkey(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getSubOSVersion(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->v(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getCPU()Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->i(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.UMConfigure;->init(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; I Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getAppVersinoCode(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService$2;->a(Z)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder$FloatPropertyValuesHolder;->setAnimatedValue(Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->w(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService$2;->a(B)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMLog;->jsonObject(Lorg/json/JSONObject;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.http.okhttp.utils.L;->e(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->setAppkey(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.E;->log(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getAppName(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.MLog;->print(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.e;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService$2;->a(Z I [B [B)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getAppVersionCode(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.idtracking.ImprintHandler$a;->b(Lcom/umeng/commonsdk/statistics/proto/d;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getDeviceType(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->se(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->setLastAppkey(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService$1;->a(Landroid/bluetooth/BluetoothDevice; I [B)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getImsi(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getNetworkOperatorName(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.com.fri.BleDeviceService.BleDeviceService$1;->b(Z)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->encryptBySHA1(Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getFileMD5(Ljava/io/File;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.MLog;->print(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getNetworkAccessMode(Landroid/content/Context;)[Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.e;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.MLog;->print(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMLog;->jsonObject(Ljava/lang/String; Lorg/json/JSONObject;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getUTDID(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->sv(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->MD5(Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.W;->log(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.b;->a(Landroid/content/Context; Lorg/json/JSONObject; Lorg/json/JSONObject;)Lorg/json/JSONObject;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getMac(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getDisplayResolution(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.util.f;->d(I Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.util.e$a;->onStatusChanged(Ljava/lang/String; I Landroid/os/Bundle;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.b;->a(Landroid/content/Context;)J==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getRegisteredOperator(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMRTLog;->si(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.D;->log(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getLastAppkey(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getChannel(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.http.okhttp.log.LoggerInterceptor;->logForRequest(Lokhttp3/Request;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->setChannel(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder;->setAnimatedValue(Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.WiiAuth;->initSDK(Landroid/content/Context;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.UMConfigure;->init(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; I Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.UMConfigure;->setLogEnabled(Z)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getSubOSName(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.MLog;->print(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.http.okhttp.log.LoggerInterceptor;->logForResponse(Lokhttp3/Response;)Lokhttp3/Response;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.statistics.common.e;->a(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/Throwable;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.debug.UMLog;->jsonArry(Ljava/lang/String; Lorg/json/JSONArray;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.commonsdk.utils.UMUtils;->getAppVersionName(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.nineoldandroids.animation.PropertyValuesHolder;->setupSetterAndGetter(Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.dabby.sdk.wiiauth.dkble.BleNfcDeviceService$2;->a([B)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I

中危

检测到23条敏感明文信息,建议移除。

位置: classes.dex
'10.0.0.172' used in: Lcom/umeng/commonsdk/statistics/internal/c;->(Landroid/content/Context;)V
'10.0.0.172' used in: Lcom/umeng/commonsdk/stateless/e;->(Landroid/content/Context;)V
'http://192.168.10.236/download/xk.apk' used in: Lcom/gzgxinfo/gzga/crj/ac/LoginActivity$6$1;->run()V
'http://schemas.android.com/apk/res/android' used in: Landroid/support/v4/content/res/TypedArrayUtils;->hasAttribute(Lorg/xmlpull/v1/XmlPullParser; Ljava/lang/String;)Z
'https://alogsus.umeng.com/unify_logs' used in: Lcom/umeng/commonsdk/statistics/UMServerURL;->()V
'https://alogus.umeng.com/unify_logs' used in: Lcom/umeng/commonsdk/statistics/UMServerURL;->()V
'https://cmnsguider.yunos.com:443/genDeviceToken' used in: Lcom/umeng/commonsdk/statistics/idtracking/s;->b(Ljava/lang/String;)Ljava/lang/String;
'https://crj.gzjd.gov.cn/crjydjw/sendRequst?' used in: Lcom/gzgxinfo/gzga/crj/Utils/Constant;->()V
'https://crj.gzjd.gov.cn/crjydjw/sendRequst?' used in: Lcom/gzgxinfo/gzga/crj/ac/LoginActivity;->loginFromData(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
'https://crj.gzjd.gov.cn/wgtfy/download/123' used in: Lcom/gzgxinfo/gzga/crj/HLCRJActivity$1$2$2$1;->run()V
'https://crj.gzjd.gov.cn/wgtfy/download/123' used in: Lcom/gzgxinfo/gzga/crj/HLCRJActivity$4$1$1;->run()V
'https://crj.gzjd.gov.cn/wgtfy/download/123' used in: Lcom/gzgxinfo/gzga/crj/HLCRJActivity$4$1;->run()V
'https://developer.umeng.com/docs/66632/detail/' used in: Lcom/umeng/commonsdk/debug/UMLogUtils;->makeUrl(Ljava/lang/String;)Ljava/lang/String;
'https://ouplog.umeng.com' used in: Lcom/umeng/commonsdk/stateless/a;->()V
'https://plbslog.umeng.com' used in: Lcom/umeng/commonsdk/stateless/a;->()V
'https://rz.weijing.gov.cn/api/' used in: Lcn/dabby/sdk/wiiauth/util/WaUtils;->getWaHOST()Ljava/lang/String;
'https://rz.weijing.gov.cn/api/getaccesstoken?client_id=gz_crj_sdk_prod&client_secret=7e2ad673-720b-4a78-99f3-12f247708313' used in: Lcom/gzgxinfo/gzga/crj/ac/LoginActivity;->loadData()V
'https://rz.weijing.gov.cn/api/getcerttoken?access_token=' used in: Lcom/gzgxinfo/gzga/crj/ac/WFActivity;->setData(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
'https://rz.weijing.gov.cn/api/idauthappl' used in: Lcn/dabby/sdk/wiiauth/net/a;->a(Ljava/lang/Object; Lcn/dabby/sdk/wiiauth/entities/AuthRequestContent; Lcn/dabby/sdk/wiiauth/net/a/a;)V
'https://rz.weijing.gov.cn/api/idauthdata' used in: Lcn/dabby/sdk/wiiauth/net/a;->a(Ljava/lang/Object; Lcn/dabby/sdk/wiiauth/net/bean/resquest/IDAuthDataBean2; Lcn/dabby/sdk/wiiauth/net/a/a;)V
'https://ulogs.umeng.com/unify_logs' used in: Lcom/umeng/commonsdk/statistics/UMServerURL;->()V
'https://ulogs.umengcloud.com/unify_logs' used in: Lcom/umeng/commonsdk/statistics/UMServerURL;->()V
'www.bouncycastle.org' used in: Lorg/bouncycastle/crypto/examples/DESExample;->(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Z)V

低危

检测到6处SecureRandom使用不当。

位置: classes.dex
org.bouncycastle.crypto.prng.SP800SecureRandom;->setSeed
org.bouncycastle.crypto.prng.X931SecureRandom;->setSeed
org.bouncycastle.crypto.examples.DESExample;->
org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV;->engineSetSeed
org.bouncycastle.jcajce.provider.drbg.DRBG$Default;->engineSetSeed
org.bouncycastle.jcajce.provider.keystore.bc.BcKeyStoreSpi$StoreEntry;->

SecureRandom的使用不当会导致生成的随机数可被预测,该漏洞存在于Android系统随机生成数字串安全密钥的环节中。该漏洞的生成原因是对SecureRandom类的不正确使用方式导致生成的随机数不随机。建议:
(1)不要使用自定义随机源代替系统默认随机源(推荐)除非有特殊需求,在使用SecureRandom类时,不要调用以下函数:SecureRandom类下SecureRandom(byte[]seed)、setSeed(long seed)和setSeed(byte[]seed)方法。
(2)在调用setSeed方法前先调用任意nextXXX方法。具体做法是调用setSeed方法前先调用一次SecureRandom#nextBytes(byte[]bytes)方法,可以避免默认随机源被替代,详细见参考资料。

参考资料:
https://developer.android.com/reference/java/security/SecureRandom.html
http://drops.wooyun.org/papers/5164
http://jaq.alibaba.com/blog.htm?id=47

低危

非debug包,需要通过打包平台proguard脚本,移除大部分系统输出代码。
经扫描该包仍存在大量系统输出代码,共发现35处系统输出代码.(此处扫描的系统输出代码,是指调用System.out.print*输出的,本应在打包平台移除的系统输出代码.)
各个bundle系统输出代码详情如下:

位置: classes.dex
org.bouncycastle.pqc.crypto.gmss.GMSSKeyPairGenerator;
com.bluetooth.bluetooth.MainActivity$2;
cn.dabby.sdk.wiiauth.util.f;
org.bouncycastle.pqc.math.linearalgebra.IntegerFunctions;
cn.dabby.sdk.wiiauth.dkble.BleManager.BleManager$1;
org.bouncycastle.pqc.crypto.gmss.GMSSRootCalc;
org.bouncycastle.math.ec.tools.TraceOptimizer;
org.bouncycastle.crypto.examples.DESExample;
org.bouncycastle.asn1.util.Dump;
org.bouncycastle.math.ec.tools.F2mSqrtOptimizer;
com.b.b.a;
com.a.a.a;
org.bouncycastle.pqc.math.linearalgebra.PolynomialRingGF2;
org.bouncycastle.pqc.crypto.gmss.GMSSSigner;
org.bouncycastle.crypto.examples.JPAKEExample;
com.gzgxinfo.gzga.crj.HLCRJActivity$4$1;
org.bouncycastle.pqc.crypto.gmss.util.GMSSUtil;
com.bluetooth.bluetooth.MainActivity$3;
org.bouncycastle.crypto.engines.NaccacheSternEngine;
org.bouncycastle.jcajce.provider.symmetric.util.BaseWrapCipher;
com.bluetooth.bluetooth.MainActivity$5;
com.bluetooth.bluetooth.MainActivity$a$1;
org.bouncycastle.LICENSE;
com.bluetooth.b.a;
org.bouncycastle.util.test.SimpleTest;
cn.com.fri.a.a$2;
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi;
org.bouncycastle.crypto.generators.NaccacheSternKeyPairGenerator;
org.bouncycastle.pqc.crypto.xmss.XMSSUtil;
org.bouncycastle.jce.provider.BrokenJCEBlockCipher;
org.bouncycastle.pqc.crypto.gmss.Treehash;
com.umeng.commonsdk.stateless.f;
org.bouncycastle.pqc.crypto.gmss.GMSSPrivateKeyParameters;
com.umeng.commonsdk.framework.b;
org.bouncycastle.math.ec.tools.DiscoverEndomorphisms;

低危

检测到1处主机名弱校验检测漏洞。

位置: classes.dex
cn.dabby.http.okhttp.https.HttpsUtils$UnSafeHostnameVerifier;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

自定义HostnameVerifier类,却不实现其verify方法验证域名直接返回true,直接接受任意域名。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考资料:
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

警告

检测到1处addFlags使用Intent.FLAG_ACTIVITY_NEW_TASK。

位置: classes.dex
cn.dabby.sdk.wiiauth.base.BaseActivity$1;->onClick

APP创建Intent传递数据到其他Activity,如果创建的Activity不是在同一个Task中打开,就很可能被其他的Activity劫持读取到Intent内容,跨Task的Activity通过Intent传递敏感信息是不安全的。建议:
尽量避免使用包含FLAG_ACTIVITY_NEW_TASK标志的Intent来传递敏感信息。

参考资料:
http://wolfeye.baidu.com/blog/intent-data-leak

警告

检测到1个导出的组件接收其他app的消息,这些组件会被其他app引用并导致dos攻击。

activity cn.dabby.sdk.wiiauth.activities.EntryActivity

建议:
(1)最小化组件暴露。对不会参与跨应用调用的组件建议显示添加android:exported="false"属性。
(2)设置组件访问权限。对provider设置权限,同时将权限的protectionLevel设置为"signature"或"signatureOrSystem"。
(3)组件传输数据验证。对组件之间,特别是跨应用的组件之间的数据传入与返回做验证和增加异常处理,防止恶意调试数据传入,更要防止敏感数据返回。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

参考资料:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

警告

检测到28处IvParameterSpec的使用。

位置: classes.dex
com.umeng.commonsdk.stateless.f;->a([B [B)[B
com.umeng.commonsdk.statistics.common.DataHelper;->decrypt([B [B)[B
com.umeng.commonsdk.statistics.common.DataHelper;->encrypt([B [B)[B
org.bouncycastle.jcajce.spec.AEADParameterSpec;->([B I [B)V
org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi;->createCipher(I [C Lorg.bouncycastle.asn1.x509.AlgorithmIdentifier;)Ljavax.crypto.Cipher;
org.bouncycastle.jcajce.provider.symmetric.AES$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.AES$AlgParamsCCM;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.AES$AlgParamsGCM;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.ARIA$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.ARIA$AlgParamsCCM;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.ARIA$AlgParamsGCM;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.CAST5$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.CAST5$AlgParams;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.Camellia$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.DES$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.DESede$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.GOST28147$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.IDEA$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.IDEA$AlgParams;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.Noekeon$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.RC2$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.RC2$AlgParams;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;
org.bouncycastle.jcajce.provider.symmetric.RC5$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.RC6$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.SEED$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.SM4$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.Shacal2$AlgParamGen;->engineGenerateParameters()Ljava.security.AlgorithmParameters;
org.bouncycastle.jcajce.provider.symmetric.util.IvAlgorithmParameters;->localEngineGetParameterSpec(Ljava.lang.Class;)Ljava.security.spec.AlgorithmParameterSpec;

使用IVParameterSpec函数,如果使用了固定的初始化向量,那么密码文本可预测性高得多,容易受到字典攻击等。建议禁止使用常量初始化矢量构造IVParameterSpec,使用聚安全提供的安全组件。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到1处socket通信。

位置: classes.dex
Lorg.bouncycastle.crypto.tls.UDPTransport;->receive

Android应用通常使用PF_UNIX、PF_INET、PF_NETLINK等不同domain的socket来进行本地IPC或者远程网络通信,这些暴露的socket代表了潜在的本地或远程攻击面,历史上也出现过不少利用socket进行拒绝服务、root提权或者远程命令执行的案例特别是PF_INET类型的网络socket,可以通过网络与Android应用通信,其原本用于linux环境下开放网络服务,由于缺乏对网络调用者身份或者本地调用者id、permission等细粒度的安全检查机制,在实现不当的情况下,可以突破Android的沙箱限制,以被攻击应用的权限执行命令,通常出现比较严重的漏洞

参考案例:
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

参考资料:
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

警告

检测到33处使用了加解密算法。密钥处理不当可能会导致信息泄露。

位置: classes.dex
org.bouncycastle.jcajce.provider.symmetric.DESede$KeyFactory;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.util.BaseSecretKeyFactory;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
okio.ByteString;->hmac(Ljava.lang.String; Lokio.ByteString;)Lokio.ByteString;
org.bouncycastle.jce.provider.BrokenJCEBlockCipher;->engineUnwrap([B Ljava.lang.String; I)Ljava.security.Key;
org.bouncycastle.jcajce.provider.symmetric.DES$KeyFactory;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.DESede$KeyGenerator;->engineGenerateKey()Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.util.BaseSecretKeyFactory;->engineTranslateKey(Ljavax.crypto.SecretKey;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.TLSKDF$TLS11;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.keystore.bc.BcKeyStoreSpi;->decodeKey(Ljava.io.DataInputStream;)Ljava.security.Key;
org.bouncycastle.jcajce.provider.symmetric.TLSKDF$TLS10;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.util.BaseWrapCipher;->engineUnwrap([B Ljava.lang.String; I)Ljava.security.Key;
com.umeng.commonsdk.statistics.common.DataHelper;->encrypt([B [B)[B
org.bouncycastle.jcajce.provider.keystore.bcfks.BcFKSKeyStoreSpi;->decryptData(Ljava.lang.String; Lorg.bouncycastle.asn1.x509.AlgorithmIdentifier; [C [B)[B
org.bouncycastle.jcajce.provider.symmetric.util.BaseSecretKeyFactory;->engineGetKeySpec(Ljavax.crypto.SecretKey; Ljava.lang.Class;)Ljava.security.spec.KeySpec;
org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi;->engineUnwrap([B Ljava.lang.String; I)Ljava.security.Key;
org.bouncycastle.jcajce.provider.symmetric.util.BaseKeyGenerator;->engineGenerateKey()Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.DESede$KeyFactory;->engineGetKeySpec(Ljavax.crypto.SecretKey; Ljava.lang.Class;)Ljava.security.spec.KeySpec;
org.bouncycastle.jcajce.provider.symmetric.DES$KeyFactory;->engineGetKeySpec(Ljavax.crypto.SecretKey; Ljava.lang.Class;)Ljava.security.spec.KeySpec;
okio.HashingSink;->(Lokio.Sink; Lokio.ByteString; Ljava.lang.String;)V
org.bouncycastle.jcajce.provider.asymmetric.util.BaseAgreementSpi;->engineGenerateSecret(Ljava.lang.String;)Ljavax.crypto.SecretKey;
okio.Buffer;->hmac(Ljava.lang.String; Lokio.ByteString;)Lokio.ByteString;
org.bouncycastle.jcajce.provider.keystore.bcfks.BcFKSKeyStoreSpi;->engineStore(Ljava.io.OutputStream; [C)V
org.bouncycastle.jcajce.provider.keystore.bcfks.BcFKSKeyStoreSpi;->engineSetKeyEntry(Ljava.lang.String; Ljava.security.Key; [C [Ljava.security.cert.Certificate;)V
org.bouncycastle.jcajce.provider.keystore.bcfks.BcFKSKeyStoreSpi;->engineGetKey(Ljava.lang.String; [C)Ljava.security.Key;
com.umeng.commonsdk.statistics.common.DataHelper;->decrypt([B [B)[B
okio.HashingSource;->(Lokio.Source; Lokio.ByteString; Ljava.lang.String;)V
org.bouncycastle.jcajce.provider.keystore.bcfks.BcFKSKeyStoreSpi;->calculateMac([B Lorg.bouncycastle.asn1.x509.AlgorithmIdentifier; Lorg.bouncycastle.asn1.pkcs.KeyDerivationFunc; [C)[B
com.umeng.commonsdk.stateless.f;->a([B [B)[B
org.bouncycastle.jcajce.provider.asymmetric.dh.KeyAgreementSpi;->engineGenerateSecret(Ljava.lang.String;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.TLSKDF$TLS12;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
com.sensetime.senseid.sdk.liveness.silent.common.util.StringUtil;->sha256(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF;->engineGenerateSecret(Ljava.security.spec.KeySpec;)Ljavax.crypto.SecretKey;
org.bouncycastle.jcajce.provider.symmetric.DES$KeyGenerator;->engineGenerateKey()Ljavax.crypto.SecretKey;

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


动态扫描发现风险点

风险等级 风险名称

服务端分析

风险等级 风险名称

警告

检测到?处XSS漏洞。
开发中...

警告

检测到?处XSS跨站漏洞。
开发中...

应用证书