High-risk vulnerabilities: 0

Medium-risk vulnerabilities: 6

Low-risk vulnerabilities: 2

Warnings: 6

File name com.sinyee.babybus.jewel_9390000.apk
Uploader test
File size 72.926032066345MB
MD5 8cb09550594c505918aaa998f186b562
Package name com.sinyee.babybus.jewel
Main Activity com.sinyee.babybus.SplashAct
Min SDK 17
Target SDK 26

Permission list

# Name Description Hint
0 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the phone's approximate location where available. Malicious apps can use this to determine your approximate location. Caution
1 android.permission.GET_TASKS Allows the app to retrieve information about currently and recently running tasks. Malicious apps can use this to discover confidential information about other apps. Caution
2 android.permission.READ_PHONE_STATE Allows the app to access the device's telephony features. An app with this permission can determine this phone's number and serial number, whether a call is in progress, the number on the other end of the call, and so on. Caution
3 android.permission.SYSTEM_ALERT_WINDOW Allows the app to display system alert windows. Malicious apps can use this to take over the entire phone screen. Caution
4 android.permission.ACCESS_NETWORK_STATE Allows the app to view the state of all networks. Note
5 android.permission.ACCESS_WIFI_STATE Allows the app to view information about the WLAN state. Note
6 android.permission.INTERNET Allows the app to access the network. Note
7 android.permission.MOUNT_UNMOUNT_FILESYSTEMS Allows the app to mount and unmount file systems on removable storage. Note
8 android.permission.WRITE_EXTERNAL_STORAGE Allows the app to write to the SD card. Note

The four component types

Component name

Activities

com.sinyee.babybus.SplashAct
com.sinyee.babybus.Main
com.tencent.tauth.AuthActivity
com.sinyee.babybus.jewel.wxapi.WXEntryActivity
com.babybus.plugin.uninstallfeedback.activity.UninstallFeedbackActivity
com.babybus.plugin.uninstallfeedback.activity.UninstallFeedbackLandscapeActivity
com.sinyee.babybus.jewel.loader.a.ActivityN1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1SITS0
com.sinyee.babybus.jewel.loader.a.ActivityN1SITS1
com.sinyee.babybus.jewel.loader.a.ActivityN1SITS2
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityN1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityN1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1SINTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1SINTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1SINTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA0STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityN1TA1STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0SITS0
com.sinyee.babybus.jewel.loader.a.ActivityP0SITS1
com.sinyee.babybus.jewel.loader.a.ActivityP0SITS2
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP0NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP0STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0SINTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0SINTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0SINTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA0STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP0TA1STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1SITS0
com.sinyee.babybus.jewel.loader.a.ActivityP1SITS1
com.sinyee.babybus.jewel.loader.a.ActivityP1SITS2
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1SINTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1SINTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1SINTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA0STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP1TA1STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2SITS0
com.sinyee.babybus.jewel.loader.a.ActivityP2SITS1
com.sinyee.babybus.jewel.loader.a.ActivityP2SITS2
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP2NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP2STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2SINTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2SINTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2SINTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA0STNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS3
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS4
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1NRNTS5
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STPNTS2
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STNTS0
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STNTS1
com.sinyee.babybus.jewel.loader.a.ActivityP2TA1STNTS2
com.alipay.sdk.app.H5PayActivity
com.alipay.sdk.app.H5AuthActivity
com.alipay.sdk.app.PayResultActivity
com.alipay.sdk.app.AlipayResultActivity
com.babybus.plugin.payview.activity.ModifyPasswordActivity
com.babybus.plugin.payview.activity.SetPasswordActivity
com.babybus.plugin.payview.activity.ChangePhoneActivity
com.babybus.plugin.payview.activity.LoginOutActivity
com.babybus.plugin.payview.activity.RuleActivity
com.babybus.plugin.payview.activity.QuestionActivity
com.babybus.plugin.payview.activity.CallbackActivity
com.babybus.plugin.payview.activity.RecordActivity
com.babybus.plugin.payview.activity.PayActivity
com.babybus.plugin.payview.activity.PayMethodActivity
com.babybus.plugin.payview.activity.PaySuccessActivity
com.babybus.plugin.payview.activity.SoldOutActivity
com.babybus.plugin.payview.activity.RemoveSuccessActivity
com.babybus.plugin.payview.activity.ProtocolActivity
com.babybus.plugin.payview.activity.MyAccountActivity
com.babybus.plugin.payview.activity.MemberCenterActivity
com.babybus.plugin.payview.activity.RenewalActivity
com.babybus.plugin.permissionsdialog.activity.SDCardDialogActivity
com.babybus.plugin.wemedia.activity.WebAdActivity
com.babybus.plugin.parentcenter.ui.activity.GuideActivity
com.babybus.plugin.parentcenter.ui.activity.ParentCenterActivity
com.babybus.plugin.parentcenter.ui.activity.WebViewActivity
com.babybus.plugin.parentcenter.ui.activity.AdVideoActivity
com.babybus.plugin.parentcenter.dialog.MiniProgramDialog
com.babybus.plugin.account.activity.HtmlActivity
com.babybus.plugin.account.activity.MembersExchangeCodeActivity
com.babybus.plugin.account.activity.WebPrivacyAgreementActivity
com.babybus.plugin.parentcenter.ui.activity.HomeUpdateBabyInfoDialog
com.babybus.plugin.parentcenter.ui.activity.HomeUpdateBabyInfoVerticalDialog
com.babybus.plugin.gdt.activity.GdtComfirmActivity
com.qq.e.ads.ADActivity
com.qq.e.ads.PortraitADActivity
com.qq.e.ads.LandscapeADActivity
com.babybus.plugin.videoview.activity.NormalVideoActivity
com.babybus.plugin.babybusad.activity.WebAdActivity
com.bytedance.sdk.openadsdk.activity.TTLandingPageActivity
com.bytedance.sdk.openadsdk.activity.TTVideoLandingPageActivity
com.bytedance.sdk.openadsdk.activity.TTRewardVideoActivity
com.bytedance.sdk.openadsdk.activity.TTFullScreenVideoActivity
com.bytedance.sdk.openadsdk.activity.TTDelegateActivity
com.ss.android.socialbase.appdownloader.view.DownloadSizeLimitActivity
com.ss.android.socialbase.appdownloader.view.DownloadTaskDeleteActivity
com.ss.android.downloadlib.activity.TTDelegateActivity
com.babybus.plugin.debugsystem.ui.ConsoleActivity
com.babybus.plugin.shutdown.activity.ShutdownActivity
com.babybus.plugin.babybusupdate.activity.UpdateActivity
com.babybus.plugin.alarm.activity.HintActivity
com.babybus.plugin.box.activity.LocalBoxActivity
com.babybus.plugin.markettip.activity.MarketTipActivity
com.tencent.connect.common.AssistActivity
com.umeng.socialize.editorpage.ShareActivity
com.umeng.socialize.media.WBShareCallBackActivity
com.sina.weibo.sdk.share.WbShareTransActivity
com.sina.weibo.sdk.web.WeiboSdkWebActivity
com.babybus.plugin.umengshare.activity.ShareBoardForLandscapeActivity
com.babybus.plugin.umengshare.activity.ShareBoardForPortraitActivity
com.babybus.plugin.magicview.common.CommonUnNetworkActivity
com.babybus.plugin.magicview.campaign.welcomeInterstitial.WelcomeInterstitialActivity
com.babybus.plugin.magicview.startwindowslinks.insufficientspace.InsufficientSpaceActivity
com.baidu.mobads.production.rewardvideo.MobRewardVideoActivity
com.baidu.mobads.AppActivity
com.sinyee.babybus.jewel.loader.a.Activity0_singleTask1
com.sinyee.babybus.jewel.loader.a.Activity0_singleInstance1
com.sinyee.babybus.jewel.loader.a.Activity0_task
com.sinyee.babybus.jewel.loader.a.Activity0_fullscreen
com.sinyee.babybus.jewel.loader.a.Activity0_translucent
com.sinyee.babybus.jewel.loader.a.Activity0_translucent_fullscreen
com.sinyee.babybus.jewel.loader.a.Activity0_dialog
com.sinyee.babybus.jewel.loader.a.Activity0
com.sinyee.babybus.jewel.loader.a.Activity1_singleTask1
com.sinyee.babybus.jewel.loader.a.Activity1_singleInstance1
com.sinyee.babybus.jewel.loader.a.Activity1_task
com.sinyee.babybus.jewel.loader.a.Activity1_fullscreen
com.sinyee.babybus.jewel.loader.a.Activity1_translucent
com.sinyee.babybus.jewel.loader.a.Activity1_translucent_fullscreen
com.sinyee.babybus.jewel.loader.a.Activity1_dialog
com.sinyee.babybus.jewel.loader.a.Activity1

Services

com.edge.pcdn.PcdnVodService
com.babybus.plugin.parentcenter.service.UpdateAbilityService
com.qq.e.comm.DownloadService
com.bytedance.sdk.openadsdk.multipro.aidl.BinderPoolService
com.ss.android.socialbase.downloader.notification.DownloadNotificationService
com.ss.android.socialbase.downloader.downloader.DownloadService
com.ss.android.socialbase.downloader.downloader.IndependentProcessDownloadService
com.ss.android.socialbase.downloader.impls.DownloadHandleService
com.ss.android.socialbase.appdownloader.DownloadHandlerService
com.babybus.plugin.notification.service.ClickService
com.babybus.plugin.notification.service.SelfPushClickService
com.liulishuo.filedownloader.services.FileDownloadService$SharedMainProcessService
com.liulishuo.filedownloader.services.FileDownloadService$SeparateProcessService
com.sinyee.babybus.jewel.loader.s.ServiceN1
com.sinyee.babybus.jewel.loader.s.Service0
com.sinyee.babybus.jewel.loader.s.Service1
com.qihoo360.replugin.component.service.server.PluginPitServiceUI
com.qihoo360.replugin.component.service.server.PluginPitServiceGuard
com.qihoo360.replugin.component.service.server.PluginPitServiceP0
com.qihoo360.replugin.component.service.server.PluginPitServiceP1
com.qihoo360.replugin.component.service.server.PluginPitServiceP2

Broadcast receivers

com.babybus.plugin.uninstallfeedback.AppUninstallReceiver
com.ss.android.downloadlib.core.download.DownloadReceiver

Content providers

com.babybus.utils.downloadutils.FileProvider
android.support.v4.content.FileProvider
com.bytedance.sdk.openadsdk.TTFileProvider
com.bytedance.sdk.openadsdk.multipro.TTMultiProvider
com.baidu.mobads.openad.FileProvider
com.qihoo360.replugin.component.process.ProcessPitProviderUI
com.sinyee.babybus.jewel.loader.p.ProviderN1
com.qihoo360.replugin.component.process.ProcessPitProviderLoader0
com.sinyee.babybus.jewel.loader.p.Provider0
com.qihoo360.replugin.component.process.ProcessPitProviderLoader1
com.sinyee.babybus.jewel.loader.p.Provider1
com.qihoo360.replugin.component.provider.PluginPitProviderUI
com.qihoo360.replugin.packages.PluginFastInstallProvider
com.qihoo360.replugin.component.process.ProcessPitProviderPersist
com.qihoo360.replugin.component.provider.PluginPitProviderPersist
com.qihoo360.mobilesafe.svcmanager.ServiceProvider
com.qihoo360.replugin.component.provider.PluginPitProviderP0
com.qihoo360.replugin.component.process.ProcessPitProviderP0
com.qihoo360.replugin.component.provider.PluginPitProviderP1
com.qihoo360.replugin.component.process.ProcessPitProviderP1
com.qihoo360.replugin.component.provider.PluginPitProviderP2
com.qihoo360.replugin.component.process.ProcessPitProviderP2

Third-party libraries

# Library Description
0 android.support.transition A backport of the new Transitions API for Android.
1 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
2 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
3 com.alipay.sdk Alipay mobile payment
4 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
5 android.support.multidex DEPRECATED
6 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
7 com.nineoldandroids Android library for using the Honeycomb animation API on all versions of the platform back to 1.0!
8 com.baidu.mobads Baidu mobile advertising SDK
9 com.sina.weibo The Sina Weibo Open Platform is an open platform built on Sina Weibo's large user base and strong reach; it lets third-party partners integrate their services and offers users a rich set of applications and services. Integrating your service with the Weibo platform helps promote your product, increase site/app traffic, acquire new users and generate revenue.
10 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
11 com.tencent.bugly Tencent Bugly provides mobile developers with professional crash monitoring, crash analysis and other quality-tracking services, helping you fix every crash your users experience.
12 rx.android RxJava bindings for Android
13 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
14 com.tencent.mm.sdk WeChat Pay
15 com.umeng.analytics.game Umeng Game Analytics provides mobile game developers with an out-of-the-box, one-stop analytics solution.
16 com.tencent.connect Tencent Open Platform
17 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
18 com.umeng.analytics Umeng Analytics is the largest mobile app analytics platform in China.
19 okhttp3 An HTTP+SPDY client for Android and Java applications.
20 com.tencent.smtt The Tencent X5 browsing service, produced by the QQ Browser team, is a complete solution for optimizing the mobile WebView experience. Using the QQ Browser X5 kernel SDK and X5 cloud services, it resolves the problems that arise when using WebView on mobile and improves the user's browsing experience; Tencent continues to provide updates and optimizations so that developers get the latest and best features and services.
21 com.tencent.tauth The Tencent QQ Connect platform provides developers with a set of SDKs for quickly integrating QQ login, sharing and similar features. QQ Connect is Tencent's open platform: site owners and developers can apply to integrate QQ login, users can sign in to integrated sites with their QQ account, share and like components let site content be shared to Qzone and Pengyou, and with API authorization site owners can also sync user actions to Qzone and Pengyou.
22 de.greenrobot.event Android optimized event bus that simplifies communication between Activities, Fragments, Threads, Services, etc. Less code, better quality.
23 org.json Parses a JSONObject-format String into an entity, as required for use with the Gson library.
24 com.umeng.socialize The social component helps you integrate and upgrade all kinds of social platforms and quickly arm your app!
25 com.baidu.mobads Baidu mobile advertising SDK
26 com.tencent.map The Tencent Maps Android SDK is a set of application interfaces for devices running Android 2.3 and above. Through it you can easily access the high-quality place data and services provided by Tencent Maps and build rich, practical map and location-based applications. Beyond basic functions such as creating a base map, zooming and smooth panning, the Tencent Maps Android SDK also offers extended services such as positioning, geocoding, reverse geocoding, nearby search and route planning to speed up your app development. The Tencent Maps Android SDK service requires registration; it is provided to third parties free of charge and any non-profit website may use it.
27 android.support.multidex DEPRECATED
28 android.support.multidex DEPRECATED
29 android.support.multidex DEPRECATED
30 android.support.multidex DEPRECATED

Risks found by static scan

Risk level Risk name

Medium

Detected that this flag is set to true or left unset, which allows application data to be copied through adb backup, letting a malicious attacker obtain it and causing data leakage.

Medium

Detected 8 instances of weak certificate validation.

Location: classes.dex
com.a.a.a.a.e.c$1;
com.babybus.aiolos.f.b$2;

Location: classes2.dex
com.babybus.utils.downloadutils.https.SSLSocketClient$1;
com.bytedance.sdk.adnet.b.a;
com.baidu.mobads.openad.e.c$a;
com.edge.pcdn.HttpsTask$MyTrustManager;
com.bytedance.sdk.openadsdk.downloadnew.a.a.f$a;

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.b.g.c$a;

When a mobile app client communicates over HTTPS or SSL/TLS without verifying that the certificate is trustworthy, it is open to man-in-the-middle attacks, which can lead to information disclosure and tampering with the transmitted data; a man-in-the-middle can even replace the original content with malicious links or malicious code to gain remote control. Recommendation:
Strictly validate SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
www.wooyun.org/bugs/wooyun-2014-079358

References:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium

Detected 1 sensitive Test or Debug component that was not removed

com.babybus.plugin.debugsystem.ui.ConsoleActivity

Recommendation:
Remove sensitive Test or Debug components before publishing the app.

Medium

Detected 1 man-in-the-middle vulnerability.

Location: classes.dex
com.a.a.a.a.e.a;->()V

setHostnameVerifier is called with ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any host name outright and can lead to a man-in-the-middle attack. Recommendation:
Strictly validate SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

References:
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium

Detected 11 WebView remote code execution vulnerabilities.

Location: classes.dex
com.babybus.plugin.babybusad.activity.WebAdActivity;->new()V

Location: classes2.dex
com.babybus.plugin.parentcenter.ui.fragment.PostInfoFragment;->initWebView()V
com.babybus.plugin.parentcenter.ui.fragment.PostInfoFragment;->initWebView()V
com.babybus.plugin.parentcenter.ui.fragment.WebViewFragment;->initWebView()V
com.babybus.plugin.wemedia.activity.WebAdActivity;->new()V
com.bytedance.sdk.openadsdk.b.i;->(Landroid.content.Context; Lcom.bytedance.sdk.openadsdk.core.d.i; Landroid.webkit.WebView;)V

Location: classes3.dex
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.bugly.crashreport.CrashReport$1;->addJavascriptInterface(Lcom.tencent.bugly.crashreport.crash.h5.H5JavaScriptInterface; Ljava.lang.String;)V
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V

Location: assets/plugins/com.babybus.plugin.webview.jar
com.babybus.plugin.webview.activity.WebBoxActivity;->j()V
com.babybus.plugin.webview.activity.WebViewActivity;->l()V

Android versions below API 17 have a remote code execution vulnerability: the program does not properly restrict the use of the addJavascriptInterface method, so an attacker can use Java reflection to invoke methods on arbitrary Java objects, resulting in remote code execution.
(1) On Android systems at API 17 or above: for security, to keep Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that any function allowed to be called be annotated with @JavascriptInterface.
(2) On Android systems at API 17 or above: it is recommended not to use the addJavascriptInterface interface at all, to avoid unnecessary security risks; if it must be used, it is recommended to use certificate validation.
(3) Use removeJavascriptInterface to remove the Android system's built-in default interfaces: searchBoxJavaBridge_, accessibility and accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium

Detected 25 instances of the setSavePassword plaintext password storage vulnerability.

Location: classes.dex
com.a.a.a.a.a.a;
com.babybus.plugin.account.d.h;
com.babybus.plugin.account.activity.WebPrivacyAgreementActivity;
com.babybus.plugin.account.activity.HtmlActivity;

Location: classes2.dex
com.bytedance.sdk.openadsdk.core.widget.webview.a;
com.bytedance.sdk.openadsdk.activity.TTFullScreenVideoActivity;
com.bytedance.sdk.openadsdk.g.m;
com.bytedance.sdk.openadsdk.activity.TTRewardVideoActivity;
com.bytedance.sdk.openadsdk.activity.TTLandingPageActivity;
com.bytedance.sdk.openadsdk.core.nativeexpress.NativeExpressView;
com.bytedance.sdk.openadsdk.activity.TTVideoLandingPageActivity;
com.babybus.plugin.parentcenter.ui.fragment.WeekLearningReportFragment;

Location: classes3.dex
org.cocos2dx.lib.Cocos2dxWebView;
com.umeng.socialize.view.BaseDialog;
com.tencent.smtt.sdk.WebSettings;
com.tencent.bugly.crashreport.CrashReport$1;
com.umeng.socialize.sina.webview.ShareDialog;

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.landingpage.App2Activity;

Location: assets/gdt_plugin/gdtadv2.jar
com.qq.e.comm.plugin.ab.c;
com.qq.e.comm.plugin.util.k;
com.qq.e.comm.plugin.ae.d;
com.qq.e.comm.plugin.ad.e.c;
com.qq.e.comm.plugin.ad.d;

Location: assets/plugins/com.babybus.plugin.webview.jar
com.babybus.plugin.webview.activity.WebViewActivity;
com.babybus.plugin.webview.activity.WebBoxActivity;

WebView's save-password feature is enabled (true) by default. WebView saves website passwords in plaintext to the local private file "databases/webview.db". On a device that can be rooted, or in combination with another vulnerability (such as a WebView same-origin bypass), an attacker can obtain the user's passwords.
Recommendation: explicitly call webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low

Detected 6 instances of weak host name verification.

Location: classes.dex
com.babybus.aiolos.f.b$3;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

Location: classes2.dex
com.babybus.utils.downloadutils.https.SSLSocketClient$2;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.baidu.mobads.openad.e.d;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.bytedance.sdk.adnet.b.a$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.bytedance.sdk.openadsdk.downloadnew.a.a.f$a$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.b.g.d;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

A custom HostnameVerifier class is defined, but its verify method performs no host name validation and simply returns true, accepting any host name. Recommendation:
Strictly validate SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

References:
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

Low

Detected 3 places where a custom WebViewClient implementation calls proceed() in onReceivedSslError.

Location: classes.dex
com.alipay.sdk.app.b;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.auth.AuthActivity$c;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

Location: assets/plugins/com.babybus.plugin.webview.jar
com.babybus.plugin.webview.activity.WebBoxActivity$2;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

When the Android WebView component hits a certificate validation error while loading a page, it calls the WebViewClient's onReceivedSslError method. If that implementation calls handler.proceed() to ignore the certificate error, the app is exposed to man-in-the-middle attacks and possible leakage of private data. Recommendation:
When a certificate validation error occurs, use the default handling, handler.cancel(), and stop loading the problematic page.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0109266

References:
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

警告

检测到9个导出的组件接收其他app的消息,这些组件会被其他app引用并导致dos攻击。

activity com.tencent.tauth.AuthActivity
activity com.sinyee.babybus.jewel.wxapi.WXEntryActivity
activity com.babybus.plugin.uninstallfeedback.activity.UninstallFeedbackActivity
activity com.alipay.sdk.app.PayResultActivity
activity com.alipay.sdk.app.AlipayResultActivity
activity com.sina.weibo.sdk.share.WbShareTransActivity
service com.babybus.plugin.parentcenter.service.UpdateAbilityService
service com.ss.android.socialbase.downloader.downloader.IndependentProcessDownloadService
receiver com.babybus.plugin.uninstallfeedback.AppUninstallReceiver

Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly set android:exported="false" (a component with an intent-filter is exported by default on older target SDK levels).
(2) Set component access permissions. Protect every exported component (not only providers) with android:permission, and declare that permission with protectionLevel "signature" or "signatureOrSystem" (the latter is deprecated in favor of "signature|privileged").
(3) Validate data passed between components. Check the data passed into and returned from components, especially across apps, and add exception handling, so that hostile input cannot crash the component and sensitive data is not returned to the caller.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》 (Android Security: Decryption and Defense)

Warning

1 exported implicit Service component detected.
service com.ss.android.socialbase.downloader.downloader.IndependentProcessDownloadService

Recommendation: to keep the app secure, always start a Service with an explicit Intent and do not declare an intent filter for it. Starting a service with an implicit Intent is risky because you cannot be sure which service will respond, and the user cannot see which service was started. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent, and startService() behaves the same way for apps targeting API 21 or higher.

References:
https://developer.android.com/guide/components/intents-filters.html#Types
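As an added example covering this finding and the exported-component recommendations above (not the scanned app's manifest; package, permission and component names are assumptions), a manifest fragment that keeps internal components private, gates the one service that must be reachable cross-app behind a signature-level permission, and gives it no intent-filter so it can only be started explicitly:

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">

    <!-- Custom permission: only apps signed with the same key can hold it.
         Platform permissions (android.permission.*) cannot be redeclared this way. -->
    <permission
        android:name="com.example.app.permission.CONTROL_DOWNLOADS"
        android:protectionLevel="signature" />

    <application>
        <!-- Internal-only component: unreachable from other apps. -->
        <service
            android:name=".UpdateAbilityService"
            android:exported="false" />

        <!-- Component that a sibling app (same signing key) must be able to use:
             exported, but no intent-filter (explicit Intents only) and gated by
             the signature permission. -->
        <service
            android:name=".DownloadService"
            android:exported="true"
            android:permission="com.example.app.permission.CONTROL_DOWNLOADS" />

        <!-- Receiver for a system broadcast. PACKAGE_REMOVED is a protected
             broadcast that only the system can send, so no caller permission is
             needed here; a receiver for a custom action would get android:permission
             like the service above. -->
        <receiver
            android:name=".AppUninstallReceiver"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_REMOVED" />
                <data android:scheme="package" />
            </intent-filter>
        </receiver>
    </application>
</manifest>
```

The caller then starts the service explicitly, for example with new Intent(context, DownloadService.class) from the same app, or with intent.setClassName("com.example.app", "com.example.app.DownloadService") from the sibling app, which must also list the custom permission in a uses-permission element.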

Warning

2 components detected with the android.intent.category.BROWSABLE category.
com.tencent.tauth.AuthActivity
com.alipay.sdk.app.AlipayResultActivity


A component declared with android.intent.category.BROWSABLE in the AndroidManifest can be launched from a browser through a URL. Everything an attacker-controlled web page can put into that URL (scheme parameters, intent: URLs) is untrusted input; if it reaches sensitive code, such as a WebView that loads an arbitrary URL with JavaScript interfaces attached, the impact can range from data leakage to remote code execution. Recommendations:
(1) Every place in the app that accepts external input is a potential attack point; filter and validate parameters that arrive from web pages.
(2) Do not pass sensitive information through web pages. Some sites, to move already-logged-in users into the app, use script to generate URL Scheme parameters containing usernames, passwords or login tokens so that opening the app logs the user straight in. A malicious app can register the same URL Scheme and capture these values. Android lets the user choose which app opens the link, but an inattentive user may pick the malicious one, leaking the data or worse.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893
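As an added example (not code from the scanned app or the Tencent/Alipay SDKs listed above), a BROWSABLE activity that treats the launching URL as hostile: it accepts only a fixed scheme and host, an allow-listed parameter set, and rebuilds the destination from constants rather than forwarding anything the web page chose. The scheme "example", host "open" and destination www.example.com are assumptions:

```java
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical deep-link activity, declared in the manifest with
// <category android:name="android.intent.category.BROWSABLE"/> and a
// <data android:scheme="example" android:host="open"/> filter.
public class DeepLinkActivity extends Activity {
    private static final String TAG = "DeepLink";
    private static final Set<String> ALLOWED_PARAMS = new HashSet<>(Arrays.asList("page"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri target;
        try {
            target = sanitize(getIntent().getData());
        } catch (RuntimeException e) {
            // Opaque or malformed URIs make Uri accessors throw; a hostile link must
            // not crash the app (the DoS case from the exported-component finding).
            Log.w(TAG, "rejected deep link", e);
            finish();
            return;
        }
        if (target == null) {
            finish();
            return;
        }
        // Only now hand the value to code that acts on it. JavaScript stays disabled
        // (WebView default), so the page cannot reach any bridge object.
        WebView view = new WebView(this);
        setContentView(view);
        view.loadUrl(target.toString());
    }

    /**
     * Returns an https URL the app is willing to open, or null if the link is rejected.
     * Unknown parameters are rejected outright, so tokens or credentials smuggled into
     * the scheme URL are never consumed, and no attacker-chosen URL is passed through.
     */
    static Uri sanitize(Uri data) {
        if (data == null || !"example".equals(data.getScheme()) || !"open".equals(data.getHost())) {
            return null;
        }
        for (String name : data.getQueryParameterNames()) {
            if (!ALLOWED_PARAMS.contains(name)) {
                return null;
            }
        }
        String page = data.getQueryParameter("page");
        if (page == null || !page.matches("[A-Za-z0-9_-]{1,64}")) {
            return null;
        }
        return new Uri.Builder()
                .scheme("https")
                .authority("www.example.com")
                .appendPath("app")
                .appendPath(page)
                .build();
    }
}
```

Inputs such as example://open?page=help are accepted; example://open?page=../admin, example://open?page=help&token=abc, or intent: URLs carrying extra components are rejected before anything acts on them.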

Warning

22 potential XSS issues detected (WebViews with JavaScript enabled).

Location: classes.dex
com.a.a.a.a.a.a;->do()V
com.alipay.sdk.auth.AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.util.n;->a(Landroid.app.Activity; Ljava.lang.String; Ljava.lang.String;)Landroid.webkit.WebView;
com.alipay.sdk.widget.WebViewWindow;->c(Landroid.content.Context;)V
com.alipay.sdk.widget.WebViewWindow;->c(Landroid.content.Context;)V
com.alipay.sdk.widget.h;->a(Landroid.webkit.WebView; Landroid.content.Context;)V
com.babybus.plugin.account.d.h;->if()V
com.babybus.plugin.account.activity.HtmlActivity;->do()V
com.babybus.plugin.account.activity.WebPrivacyAgreementActivity;->initView()V

Location: classes2.dex
com.bytedance.sdk.openadsdk.core.widget.webview.a;->a(Landroid.webkit.WebView;)V
com.bytedance.sdk.openadsdk.core.nativeexpress.NativeExpressView;->a(Lcom.bytedance.sdk.openadsdk.core.widget.webview.SSWebView;)V
com.babybus.plugin.parentcenter.ui.fragment.WeekLearningReportFragment;->initWebView()V

Location: classes3.dex
com.umeng.socialize.view.BaseDialog;->setUpWebView()Z
org.cocos2dx.lib.Cocos2dxWebView;->(Landroid.content.Context; I)V
com.tencent.bugly.crashreport.CrashReport$1;->setJavaScriptEnabled(Z)V

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.ae;->(Landroid.content.Context; Lcom.baidu.mobads.interfaces.utils.IXAdLogger; Z Z Lcom.baidu.mobads.container.ae$c;)V

Location: assets/gdt_plugin/gdtadv2.jar
com.qq.e.comm.plugin.ab.c;->onAfterCreate(Landroid.os.Bundle;)V
com.qq.e.comm.plugin.ad.d;->k()V
com.qq.e.comm.plugin.ad.e.c;->(Landroid.content.Context; Landroid.webkit.WebViewClient; Lcom.qq.e.comm.plugin.ad.e.b;)V
com.qq.e.comm.plugin.ae.d;->h()V

Location: assets/plugins/com.babybus.plugin.webview.jar
com.babybus.plugin.webview.activity.WebBoxActivity;->j()V
com.babybus.plugin.webview.activity.WebViewActivity;->k()V

Allowing a WebView to execute JavaScript (setJavaScriptEnabled) makes XSS possible: any script injected into the loaded page (via an XSS bug in the site, cleartext HTTP, or a bypassed TLS check) runs with access to every Java object exposed to the page. Avoid it where possible. Recommendations:
(1) On Android with API level 17 or higher: for security, to prevent arbitrary Java methods from being called, Google requires since Android 4.2 that methods callable from JavaScript be annotated with @JavascriptInterface.
(2) On devices below API level 17: do not use addJavascriptInterface, since every public method of the exposed object, and reflection through it, is reachable from page script. If it cannot be avoided, only load content over HTTPS with proper certificate validation so that an attacker cannot inject script.
(3) Use removeJavascriptInterface to remove the interfaces the Android system registers by default: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
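As an added example (not code from the scanned app or any of the SDKs listed above), a WebView setup that applies the three recommendations together and also closes the file:// and mixed-content paths that commonly turn an XSS into data theft. The Bridge class, its methods and the object name AppBridge are assumptions:

```java
import android.annotation.SuppressLint;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebSettings;
import android.webkit.WebView;

public final class WebViewHardening {

    // Hypothetical bridge object. On API 17+ only methods carrying
    // @JavascriptInterface are reachable from page script.
    public static class Bridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";
        }

        // No annotation: invisible to JavaScript on API 17+.
        public String internalOnly() {
            return "not exposed";
        }
    }

    @SuppressLint("SetJavaScriptEnabled")
    public static void configure(WebView webView, boolean pageNeedsJavaScript) {
        WebSettings s = webView.getSettings();

        // Enable JavaScript only for pages that genuinely need it. Pages are expected
        // to be loaded over HTTPS with an unmodified WebViewClient (see the
        // onReceivedSslError finding above), otherwise injected script reaches the bridge.
        s.setJavaScriptEnabled(pageNeedsJavaScript);

        // Keep page script away from the app's private files and content providers.
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // Refuse http:// subresources inside an https:// page.
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }

        // (3) Drop the bridges older WebView builds register on their own; on
        // pre-4.2 devices these were reachable via reflection from page script.
        webView.removeJavascriptInterface("searchBoxJavaBridge_");
        webView.removeJavascriptInterface("accessibility");
        webView.removeJavascriptInterface("accessibilityTraversal");

        // (1)/(2) Register a bridge only where the @JavascriptInterface allow-list is
        // enforced (API 17+) and only when script is enabled at all.
        if (pageNeedsJavaScript && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new Bridge(), "AppBridge");
        }
    }
}
```

Third-party ad and social SDKs bundled in the APK configure their own WebViews, so this hardening only covers the app's own code; the SDK hits in the list above can only be addressed by updating or removing those SDKs.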

Warning

4 providers detected with grantUriPermissions set to true.
com.babybus.utils.downloadutils.FileProvider
android.support.v4.content.FileProvider
com.bytedance.sdk.openadsdk.TTFileProvider
com.baidu.mobads.openad.FileProvider


When grantUriPermissions is set to true, the app can grant other apps temporary access to the provider's content through a URI (FLAG_GRANT_READ_URI_PERMISSION / FLAG_GRANT_WRITE_URI_PERMISSION). For a non-exported FileProvider this is the intended way to share a single file, but if the configured paths are over-broad (for example the root of internal storage), or the provider is also exported, other apps may reach private files, leading to information leakage. Check the provider's path configuration and that grants are issued only to the specific app that needs the file.

References:
https://security.tencent.com/index.php/blog/msg/6
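As an added example (not the scanned app's configuration; the authority, resource name and directory are assumptions), a FileProvider declaration with grantUriPermissions="true" that stays safe because it is not exported and its path configuration covers a single directory:

```xml
<!-- AndroidManifest.xml: other apps can reach a file only through a URI this app
     explicitly grants, and only for the lifetime of that grant. -->
<provider
    android:name="androidx.core.content.FileProvider"
    android:authorities="com.example.app.fileprovider"
    android:exported="false"
    android:grantUriPermissions="true">
    <meta-data
        android:name="android.support.FILE_PROVIDER_PATHS"
        android:resource="@xml/file_paths" />
</provider>

<!-- res/xml/file_paths.xml: scope the provider to one cache subdirectory.
     A <files-path path="."/> or <root-path path="/"/> entry here would turn every
     URI grant into a window onto the app's whole private storage. -->
<paths xmlns:android="http://schemas.android.com/apk/res/android">
    <cache-path name="shared_downloads" path="downloads/" />
</paths>
```

On the Java side, obtain the URI with FileProvider.getUriForFile(context, "com.example.app.fileprovider", file), add only FLAG_GRANT_READ_URI_PERMISSION to the sharing Intent, and target it with setPackage() or an explicit component so the grant is not handed to whichever app answers an implicit Intent.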

Warning

The app should declare the "android:protectionLevel" attribute of its permissions as "signature" or "signatureOrSystem", so that other apps cannot register for or receive messages from this app. Note that this recommendation applies only to permissions the app defines itself with a <permission> element; the entries below are platform permissions (android.permission.*) that the app requests, whose protection level is fixed by the system and cannot be changed by the app (the platform in fact declares READ_PHONE_STATE and WRITE_EXTERNAL_STORAGE as dangerous, not normal). Permissions flagged as risky:
android.permission.ACCESS_WIFI_STATE normal
android.permission.WRITE_EXTERNAL_STORAGE normal
android.permission.READ_PHONE_STATE normal
android.permission.ACCESS_NETWORK_STATE normal
android.permission.INTERNET normal

Risk points found by dynamic scan

Risk level  Risk name

Server-side analysis

Risk level  Risk name

Warning

? XSS vulnerabilities detected.
Under development...

Warning

? cross-site scripting (XSS) vulnerabilities detected.
Under development...

Application certificate