Vulnerability analysis

0 high-risk vulnerabilities
3 medium-risk vulnerabilities
1 low-risk vulnerability
5 warnings

File name com.amall360.amallb2b_android.apk
Uploader mrtao
File size 9.2036085128784MB
MD5 8f8170d79314ce4e31a8df383e54a3d3
Package name com.amall360.amallb2b_android
Main Activity com.amall360.amallb2b_android.ui.activity.SplashActivity
Min SDK 16
Target SDK 27

Permission list

# Name Description Level
0 android.permission.CALL_PHONE Allows the application to place phone calls without your intervention. Malicious applications may use this to incur unexpected charges on your phone bill. Note that this permission does not allow the application to call emergency numbers. Warning
1 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the approximate location of the phone where available. Malicious applications may use this to determine your approximate location. Caution
2 android.permission.ACCESS_FINE_LOCATION Accesses precise location sources, such as the Global Positioning System on the phone, where available. Malicious applications may use this to determine your location and may consume additional battery power. Caution
3 android.permission.ACCESS_LOCATION_EXTRA_COMMANDS Accesses extra location provider commands. Malicious applications may use this to interfere with the normal operation of GPS or other location sources. Caution
4 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number the call is connected to, and so on. Caution
5 android.permission.SYSTEM_ALERT_WINDOW Allows the application to show system alert windows. Malicious applications may use this to take over the entire phone screen. Caution
6 android.permission.WRITE_SETTINGS Allows the application to modify system settings data. Malicious applications may use this to corrupt your system configuration. Caution
7 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Info
8 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the WLAN state. Info
9 android.permission.CAMERA Allows the application to take pictures with the camera, so the application can collect images entering the camera lens at any time. Info
10 android.permission.CHANGE_NETWORK_STATE Allows the application to change the state of network connectivity. Info
11 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points and to make changes to configured WLAN networks. Info
12 android.permission.INTERNET Allows the application to access the network. Info
13 android.permission.MOUNT_UNMOUNT_FILESYSTEMS Allows the application to mount and unmount file systems on removable storage. Info
14 android.permission.VIBRATE Allows the application to control the vibrator. Info
15 android.permission.WAKE_LOCK Allows the application to prevent the phone from going to sleep. Info
16 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Info

Application components (the four component types)

Component names

Activities

com.amall360.amallb2b_android.ui.activity.SplashActivity
com.amall360.amallb2b_android.ui.activity.MainActivity
com.amall360.amallb2b_android.ui.activity.LoginActivity
com.amall360.amallb2b_android.ui.activity.forgetpass.ForgetPassOneActivity
com.amall360.amallb2b_android.ui.activity.forgetpass.ForgetPassTwoActivity
com.amall360.amallb2b_android.ui.activity.register.MemberJoinActivity
com.amall360.amallb2b_android.ui.activity.register.SellerJoinActivity
com.amall360.amallb2b_android.ui.activity.register.MemberJoinTwoActivity
com.amall360.amallb2b_android.ui.activity.register.MemberJoinThreeActivity
com.amall360.amallb2b_android.ui.activity.register.SellerJoinTwoActivity
com.amall360.amallb2b_android.ui.activity.register.SellerJoinThreeActivity
com.amall360.amallb2b_android.ui.activity.citymanager.CityManagerActivity
com.amall360.amallb2b_android.ui.activity.setting.SettingActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.AccountSafeActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.loginsafe.LoginSafeActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.loginsafe.UpdateLoginPassActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.loginsafe.UpdateLoginTeleActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.loginsafe.UpdateLoginTeleTwoActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.loginsafe.UpdateLoginTeleThreeActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.bankcard.BankCardActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.PaySafeActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.SetPayTeleActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.UpdatePayPassActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.SetPayPassActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.UpdatePayTeleActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.BBMOrderActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.BBMOrderDetailsActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.BBMOrderSearchActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.LogisticsActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.SendCommitActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.ShLogisticsActivity
com.amall360.amallb2b_android.ui.activity.prodetail.ProDetailActivity
com.amall360.amallb2b_android.ui.activity.InVoiceActivity
com.amall360.amallb2b_android.ui.activity.centremodel.AddAgentActivity
com.amall360.amallb2b_android.ui.activity.centremodel.AgentApplayActivity
com.amall360.amallb2b_android.ui.activity.centremodel.GoodsManagerActivity
com.amall360.amallb2b_android.ui.activity.centremodel.HyAgentActivity
com.amall360.amallb2b_android.ui.activity.centremodel.ShAgentActivity
com.amall360.amallb2b_android.ui.activity.payrelative.AccountBalanceActivity
com.amall360.amallb2b_android.ui.activity.payrelative.ACoinActivity
com.amall360.amallb2b_android.ui.activity.payrelative.ACoinDrawActivity
com.amall360.amallb2b_android.ui.activity.payrelative.BalanceDrawActivity
com.amall360.amallb2b_android.ui.activity.payrelative.BalanceToAcoinActivity
com.amall360.amallb2b_android.ui.activity.payrelative.BalanceWithDrawActivity
com.amall360.amallb2b_android.ui.activity.payrelative.CouponActivity
com.amall360.amallb2b_android.ui.activity.payrelative.CouponInfoActivity
com.amall360.amallb2b_android.ui.activity.payrelative.YjinActivity
com.amall360.amallb2b_android.ui.activity.payrelative.YjRuleActivity
com.amall360.amallb2b_android.ui.activity.payrelative.YjDetailsActivity
com.amall360.amallb2b_android.ui.activity.payrelative.YjInfoActivity
com.amall360.amallb2b_android.ui.activity.payrelative.YjPartnerActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.UpdatePayTeleTwoActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.paysafe.UpdatePayTeleThreeActivity
com.amall360.amallb2b_android.ui.activity.prodetail.ShopTicketsActivity
com.amall360.amallb2b_android.ui.activity.prodetail.ChooseSpecActivity
com.amall360.amallb2b_android.ui.activity.payrelative.PaySuccessActivity
com.amall360.amallb2b_android.ui.activity.payrelative.PropertyActivity
com.amall360.amallb2b_android.ui.activity.address.ShopAdressManagerActivity
com.amall360.amallb2b_android.ui.activity.address.ShopAdressAddActivity
com.amall360.amallb2b_android.ui.activity.address.AddressSelectActivity
com.amall360.amallb2b_android.ui.activity.address.ShopAdressEditActivity
com.alipay.sdk.app.H5PayActivity
com.alipay.sdk.app.H5AuthActivity
com.amall360.amallb2b_android.ui.activity.collect.CollectActivity
com.amall360.amallb2b_android.wxapi.WXPayEntryActivity
com.amall360.amallb2b_android.ui.activity.payrelative.DrawExplainActivity
com.amall360.amallb2b_android.ui.activity.payrelative.DrawVerifyActivity
com.amall360.amallb2b_android.ui.activity.search.SearchActivity
com.amall360.amallb2b_android.ui.activity.search.SearchContentActivity
com.amall360.amallb2b_android.ui.activity.shop.ShopActivity
com.amall360.amallb2b_android.ui.activity.payrelative.ZfbPayActivity
com.amall360.amallb2b_android.ui.activity.material.MaterialActivity
com.amall360.amallb2b_android.ui.activity.material.MaterialSelectActivity
com.amall360.amallb2b_android.ui.activity.centremodel.MessageCentreActivity
com.amall360.amallb2b_android.ui.activity.centremodel.MessageInfoActivity
com.amall360.amallb2b_android.ui.activity.centremodel.BBMPartnerActivity
com.amall360.amallb2b_android.ui.activity.centremodel.InvaiteFriendsActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.BBMShOrderDetailsActivity
com.amall360.amallb2b_android.ui.activity.firmorder.FirmOrderActivity
com.amall360.amallb2b_android.ui.activity.confirmpayment.ConfirmPaymentActivity
com.amall360.amallb2b_android.ui.activity.confirmpayment.ConfirmPaymentABiActivity
com.amall360.amallb2b_android.ui.activity.confirmpayment.PaymentFinishActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.OrderPersonInvoiceActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.OrderComInvoiceActivity
com.amall360.amallb2b_android.ui.activity.orderinfo.OrderZZSInvoiceActivity
com.amall360.amallb2b_android.ui.activity.nq.NewsInfoActivity
com.amall360.amallb2b_android.ui.activity.sellcakes.SellCakesActivity
com.amall360.amallb2b_android.ui.activity.newpro.NewProActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.bankcard.SetBankCardActivity
com.amall360.amallb2b_android.wxapi.WXEntryActivity
com.umeng.socialize.media.WBShareCallBackActivity
com.sina.weibo.sdk.share.WbShareTransActivity
com.umeng.qq.tencent.AuthActivity
com.umeng.qq.tencent.AssistActivity
com.amall360.amallb2b_android.ui.activity.centremodel.ShopServiceActivity
com.amall360.amallb2b_android.ui.activity.centremodel.ModifyShopServiceActivity
com.amall360.amallb2b_android.ui.activity.setting.realname.RealNameActivity
com.amall360.amallb2b_android.ui.activity.setting.realname.RealNameUpdataActivity
com.amall360.amallb2b_android.ui.activity.setting.UpdataShopNameActivity
com.amall360.amallb2b_android.ui.activity.setting.UpdataCompanyAuthActivity
com.amall360.amallb2b_android.ui.activity.WelcomeGuideActivity
com.amall360.amallb2b_android.ui.activity.FootPrintActivity
com.amall360.amallb2b_android.ui.activity.citymanager.ShopCityManagerActivity
com.amall360.amallb2b_android.ui.activity.centremodel.InviatePageActivity
com.amall360.amallb2b_android.ui.activity.shop.AgentShopGoodsActivity
com.amall360.amallb2b_android.ui.activity.setting.accountsafe.bankcard.BankVerifyActivity
com.amall360.amallb2b_android.ui.activity.register.AgreementActivity
com.amall360.amallb2b_android.ui.activity.centremodel.MessageH5Activity
com.amall360.amallb2b_android.ui.activity.centremodel.BBMCouponCentreActivity
com.amall360.amallb2b_android.ui.activity.BBMH5Activity
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineDetailsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineCommentsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.GiveGiftsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.WMTopLineShareActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.lookgg.KnowCargoDetailsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.wm.WmDynamicDetailsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.wm.WmDynamicCommentsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.WmAttentionActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.WmFansActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.WmNotifyActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.WmUserHomeActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.SendDynamicActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.ImagesDetailsActivity
cn.finalteam.rxgalleryfinal.ui.activity.MediaActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.SendTopLineActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.TopLineTypeActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.SendShareGoodsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.SendShareShopGoodsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.lookgg.WmShareGoodsActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.PhotoJSActivity
com.amall360.amallb2b_android.ui.activity.prodetail.FanABInfoActivity
com.amall360.amallb2b_android.ui.activity.prodetail.ServiceInfoActivity
com.amall360.amallb2b_android.warmcircle.ui.activity.home.UserRuleActivity
com.amall360.amallb2b_android.ui.activity.group.GroupProDetailActivity
com.amall360.amallb2b_android.ui.activity.group.GroupListActivity
com.zhihu.matisse.ui.MatisseActivity
com.zhihu.matisse.internal.ui.AlbumPreviewActivity
com.zhihu.matisse.internal.ui.SelectedPreviewActivity
cn.jpush.android.ui.PopWinActivity
cn.jpush.android.ui.PushActivity

Services

com.amall360.amallb2b_android.receiver.UpdateService
cn.jpush.android.service.PushService
cn.jpush.android.service.DaemonService

Broadcast receivers

com.amall360.amallb2b_android.receiver.MyReceiver
com.amall360.amallb2b_android.receiver.MyJPushMessageReceiver
cn.jpush.android.service.PushReceiver
cn.jpush.android.service.AlarmReceiver

Content providers

android.support.v4.content.FileProvider
cn.jpush.android.service.DataProvider
cn.jpush.android.service.DownloadProvider

Third-party libraries

# Library Description
0 com.alibaba.fastjson Fast JSON Processor https://github.com/alibaba/fastjson/wiki
1 cn.jpush.android.api JPush (Aurora Push): lets developers push notifications or messages to their application's users in real time and stay engaged with them, improving retention and user experience. The platform provides a unified push service that integrates Android push and iOS push.
2 com.bigkoo.pickerview An iOS-style PickerView control with time selection and option selection, supporting one-, two- and three-level linked pickers.
3 com.alipay.sdk Alipay mobile payment.
4 com.afollestad.materialdialogs Not even AppCompat uses Material theming for AlertDialogs on pre-Lollipop. This is a beautiful and easy solution.
5 com.zhy.view An Android Library that allows users to pull down a menu and select different actions. It can be implemented inside ScrollView, GridView, ListView.
6 com.nineoldandroids Android library for using the Honeycomb animation API on all versions of the platform back to 1.0!
7 com.sina.weibo Sina Weibo Open Platform: built on Sina Weibo's huge user base and reach, it integrates third-party partner services to provide users with rich applications and complete services. Connecting your service to the Weibo platform helps promote products, increase website/app traffic, acquire new users and generate revenue.
8 com.umeng.socialize The social component helps you integrate and upgrade various social platforms to quickly equip your application.
9 com.umeng.analytics Umeng Analytics is the largest mobile application analytics platform in China.
10 com.umeng.analytics.game Umeng Game Analytics provides mobile game developers with an out-of-the-box, one-stop solution.
11 com.flyco.tablayout An Android TabLayout Lib has two kinds of TabLayout at present.
12 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
13 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
14 org.simple.eventbus A lightweight eventbus library for android, simplifies communication between Activities, Fragments, Threads, Services, etc.
15 android.support.transition A backport of the new Transitions API for Android.
16 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
17 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
18 android.support.multidex DEPRECATED
19 com.ms.square.android.expandabletextview Android's TextView that can expand/collapse like the Google Play's app description
20 de.tavendo.autobahn WebSocket & WAMP in Java for Android
21 butterknife View "injection" library for Android.
22 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
23 me.drakeet.materialdialog An Android library for conveniently building Material Design Dialog in Android version 2.2 ~ L.
24 rx.android RxJava bindings for Android
25 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
26 it.sephiroth.android.library.imagezoom Android ImageView widget with zoom and pan capabilities
27 it.sephiroth.android.library Android library to achieve in an easy way, the behaviour of the home page in the Expedia app, with a pair of auto-scroll circular parallax ListViews.
28 me.zhanghai.android.materialprogressbar Material design ProgressBar with consistent appearance
29 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
30 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
31 okhttp3 An HTTP+SPDY client for Android and Java applications.
32 uk.co.senab.photoview Implementation of ImageView for Android that supports zooming, by various touch gestures.
33 org.json Parses a JSONObject-formatted String into an entity, as required by the Gson library.
34 org.simple.eventbus A lightweight eventbus library for android, simplifies communication between Activities, Fragments, Threads, Services, etc.

Risks found by static scan

Risk level Risk name

Medium

The flag (the android:allowBackup manifest attribute) was detected as set to true or not set at all. This allows adb debug backups, which a malicious attacker can use to copy the application's data, causing data leakage.

Medium

Detected 1 WebView remote code execution vulnerability.

Location: classes.dex
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineDetailsActivity;->initWebView(Ljava.lang.String;)V

Android versions with API level below 17 have a remote code execution vulnerability: the program does not properly restrict the use of the addJavascriptInterface method, so an attacker can use Java reflection to invoke methods of arbitrary Java objects, leading to remote code execution.
(1) Android systems with API level 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires since version 4.2 that any function that may be called must be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher: it is recommended not to use the addJavascriptInterface API at all, to avoid unnecessary security risks; if it must be used, use certificate validation.
(3) Use removeJavascriptInterface to remove the Android system's default built-in interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium

Detected 17 setSavePassword plaintext password storage issues.

Location: classes.dex
com.amall360.amallb2b_android.ui.activity.centremodel.MessageH5Activity;
com.amall360.amallb2b_android.ui.fragment.prodetail.GoodsInfoWebFragment;
com.amall360.amallb2b_android.ui.activity.centremodel.BBMPartnerActivity;
com.umeng.socialize.view.BaseDialog;
com.amall360.amallb2b_android.ui.fragment.prodetail.GoodsInfoWebFragment$GoodsDetailWebViewClient;
com.umeng.socialize.sina.webview.ShareDialog;
com.amall360.amallb2b_android.ui.activity.register.AgreementActivity;
com.amall360.amallb2b_android.ui.activity.centremodel.MessageInfoActivity;
com.amall360.amallb2b_android.ui.activity.centremodel.InviatePageActivity;
com.amall360.amallb2b_android.ui.activity.BBMH5Activity;
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineDetailsActivity;
com.amall360.amallb2b_android.ui.activity.group.GroupInfoWebFragment$GoodsDetailWebViewClient;
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineDetailsActivity$MyWebViewClient;
com.amall360.amallb2b_android.warmcircle.ui.activity.home.UserRuleActivity;
com.amall360.amallb2b_android.ui.activity.group.GroupInfoWebFragment;
com.amall360.amallb2b_android.warmcircle.ui.activity.lookgg.KnowCargoDetailsActivity;
com.amall360.amallb2b_android.ui.activity.centremodel.InvaiteFriendsActivity;

WebView's save-password feature is enabled (true) by default. WebView saves website passwords in plaintext in the local private file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain the user's passwords.
Recommendation: explicitly call webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low

Detected 2 places where a custom WebViewClient implementation calls proceed() in onReceivedSslError.

Location: classes.dex
cn.jpush.android.ui.a;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.auth.AuthActivity$b;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

When the Android WebView component encounters a certificate validation error while loading a page, it calls the WebViewClient's onReceivedSslError method. If that implementation calls handler.proceed() to ignore the certificate error, the app is exposed to man-in-the-middle attacks and may leak private data. Recommendation:
When a certificate validation error occurs, use the default handling handler.cancel() and stop loading the problematic page.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0109266

References:
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

Warning

Detected 7 exported components that receive messages from other apps; these components can be invoked by other apps and lead to DoS attacks.

activity com.amall360.amallb2b_android.ui.activity.MainActivity
activity com.amall360.amallb2b_android.wxapi.WXPayEntryActivity
activity com.sina.weibo.sdk.share.WbShareTransActivity
activity com.umeng.qq.tencent.AuthActivity
activity cn.finalteam.rxgalleryfinal.ui.activity.MediaActivity
service cn.jpush.android.service.DaemonService
receiver com.amall360.amallb2b_android.receiver.MyJPushMessageReceiver

Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on each provider and set that permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed in and returned between components, especially across apps, and add exception handling, to prevent malicious probe data from being passed in and, above all, to prevent sensitive data from being returned.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
Android Security Techniques: Decryption and Prevention (book, 《Android安全技术解密与防范》)

Warning

Detected 1 exported implicit Service component.
service cn.jpush.android.service.DaemonService

Recommendation: to keep the application secure, always use an explicit Intent when starting a Service, and do not declare Intent filters for services. Starting a service with an implicit Intent is a security risk because you cannot be certain which service will respond to the Intent, and the user cannot see which service has been started. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent.

References:
https://developer.android.com/guide/components/intents-filters.html#Types

Warning

Detected 2 components with the android.intent.category.BROWSABLE category set.
com.amall360.amallb2b_android.ui.activity.MainActivity
com.umeng.qq.tencent.AuthActivity

Components that declare the android.intent.category.BROWSABLE category in the AndroidManifest file can be launched from a browser, which can lead to remote command execution attacks. Recommendations:
(1) Any place in the app that accepts external input is a potential attack point; filter and check parameters that come from web pages.
(2) Do not pass sensitive information through web pages. To guide already-logged-in users into the app, some websites use scripts to dynamically generate URL Scheme parameters that include the username, password, login token or other sensitive information, so that the user is logged in as soon as the app opens. A malicious app can register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but an inattentive user may open it with the malicious app, leading to leakage of sensitive information or other risks.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 13 potential XSS vulnerabilities.

Location: classes.dex
cn.jpush.android.d.a;->a(Landroid.webkit.WebSettings;)V
com.alipay.sdk.auth.AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.util.l;->a(Landroid.app.Activity; Ljava.lang.String; Ljava.lang.String;)Landroid.webkit.WebView;
com.umeng.socialize.view.BaseDialog;->setUpWebView()Z
com.amall360.amallb2b_android.ui.activity.BBMH5Activity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.centremodel.BBMPartnerActivity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.centremodel.InvaiteFriendsActivity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.centremodel.InviatePageActivity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.centremodel.MessageH5Activity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.centremodel.MessageInfoActivity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.ui.activity.register.AgreementActivity;->initView(Landroid.os.Bundle; Landroid.view.View;)V
com.amall360.amallb2b_android.warmcircle.ui.activity.lookgg.KnowCargoDetailsActivity;->initWebView(Ljava.lang.String;)V
com.amall360.amallb2b_android.warmcircle.ui.activity.topline.TopLineDetailsActivity;->initWebView(Ljava.lang.String;)V

Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Recommendation: avoid enabling it wherever possible.
(1) Android systems with API level 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires since version 4.2 that any function that may be called must be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher: it is recommended not to use the addJavascriptInterface API at all, to avoid unnecessary security risks; if it must be used, use certificate validation.
(3) Use removeJavascriptInterface to remove the Android system's default built-in interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 1 provider with grantUriPermissions set to true.
android.support.v4.content.FileProvider

If grant-uri-permission is set to true, other programs can access the content provider's content through a URI, which can easily cause information leakage.

References:
https://security.tencent.com/index.php/blog/msg/6

Risks found by dynamic scan

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? cross-site scripting (XSS) vulnerabilities.
In development...

Application certificate