Vulnerability Analysis

High-risk vulnerabilities: 0
Medium-risk vulnerabilities: 8
Low-risk vulnerabilities: 6
Warnings: 10

File name 陇e行乘客端.apk
Uploader thorns
File size 10.914523124695MB
MD5 929195fdd37b49469cac6ac740524889
Package name com.ssyc.WQTaxi
Main Activity com.ssyc.WQTaxi.WelComeActivity
Min SDK 7
Target SDK 24

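Permission list

# Name Description Notice level
0 android.permission.CALL_PHONE Allows the application to place phone calls without your intervention. Malicious applications can use this to cause unexpected charges on your phone bill. Note that this permission does not allow the application to call emergency numbers. Warning
1 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the approximate location of the phone, where available. Malicious applications can use this to determine approximately where you are. Caution
2 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the approximate location of the phone, where available. Malicious applications can use this to determine approximately where you are. Caution
3 android.permission.ACCESS_FINE_LOCATION Accesses fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications may use this to determine where you are, and may consume additional battery power. Caution
4 android.permission.ACCESS_FINE_LOCATION Accesses fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications may use this to determine where you are, and may consume additional battery power. Caution
5 android.permission.ACCESS_LOCATION_EXTRA_COMMANDS Accesses extra location provider commands. Malicious applications can use this to interfere with the operation of GPS or other location sources. Caution
6 android.permission.ACCESS_LOCATION_EXTRA_COMMANDS Accesses extra location provider commands. Malicious applications can use this to interfere with the operation of GPS or other location sources. Caution
7 android.permission.ACCESS_MOCK_LOCATION Creates mock location sources for testing. Malicious applications may use this to override the location and/or status returned by real location sources such as GPS or network providers. Caution
8 android.permission.ACCESS_MOCK_LOCATION Creates mock location sources for testing. Malicious applications may use this to override the location and/or status returned by real location sources such as GPS or network providers. Caution
9 android.permission.GET_TASKS Allows the application to retrieve information about currently and recently running tasks. Malicious applications can use this to discover private information about other applications. Caution
10 android.permission.GET_TASKS Allows the application to retrieve information about currently and recently running tasks. Malicious applications can use this to discover private information about other applications. Caution
11 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
12 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
13 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
14 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
15 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
16 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
17 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
18 android.permission.SYSTEM_ALERT_WINDOW Allows the application to show system alert windows. Malicious applications can use this to take over the entire screen of the phone. Caution
19 android.permission.WRITE_SETTINGS Allows the application to modify system settings data. Malicious applications can use this to corrupt your system configuration. Caution
20 android.permission.WRITE_SETTINGS Allows the application to modify system settings data. Malicious applications can use this to corrupt your system configuration. Caution
21 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
22 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
23 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
24 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
25 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
26 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
27 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Notice
28 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
29 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
30 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
31 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
32 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
33 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
34 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Notice
35 android.permission.CHANGE_NETWORK_STATE Allows the application to change the state of network connectivity. Notice
36 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points, and to make changes to configured WLAN networks. Notice
37 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points, and to make changes to configured WLAN networks. Notice
38 android.permission.INTERNET Allows the program to access the network. Notice
39 android.permission.INTERNET Allows the program to access the network. Notice
40 android.permission.INTERNET Allows the program to access the network. Notice
41 android.permission.INTERNET Allows the program to access the network. Notice
42 android.permission.INTERNET Allows the program to access the network. Notice
43 android.permission.INTERNET Allows the program to access the network. Notice
44 android.permission.INTERNET Allows the program to access the network. Notice
45 android.permission.MOUNT_UNMOUNT_FILESYSTEMS Allows the application to mount and unmount file systems for removable storage. Notice
46 android.permission.READ_LOGS Allows the application to read from the system's various log files. This lets the application discover how you use the phone, but these logs should not contain any personal or private information. Notice
47 android.permission.VIBRATE Allows the application to control the vibrator. Notice
48 android.permission.WAKE_LOCK Allows the application to prevent the phone from going to sleep. Notice
49 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice
50 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice
51 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice
52 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice
53 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice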

Four major components

Component name

com.ssyc.WQTaxi.WelComeActivity
com.ssyc.WQTaxi.GuideActivity
com.ssyc.WQTaxi.HomeActivity
com.ssyc.WQTaxi.OpenScreenAdsActivity
com.ssyc.WQTaxi.SelectAddressActivity
com.ssyc.WQTaxi.BannerDetailsActivity
com.ssyc.WQTaxi.MessageDetailsActivity
com.ssyc.WQTaxi.MyAddressActivity
com.ssyc.WQTaxi.MessageActivity
com.ssyc.WQTaxi.MainActivity
com.ssyc.WQTaxi.PersonInfoActivity
com.ssyc.WQTaxi.AddressActivity
com.ssyc.WQTaxi.CollectActivity
com.ssyc.WQTaxi.MineOrderActivity
com.ssyc.WQTaxi.OrderdetialsActivity
com.ssyc.WQTaxi.CouponActivity
com.ssyc.WQTaxi.ApplyNvoiceActivity
com.ssyc.WQTaxi.SetActivity
com.ssyc.WQTaxi.OrderMapActivity
com.ssyc.WQTaxi.SendActivity
com.ssyc.WQTaxi.TaxiBookingActivity
com.ssyc.WQTaxi.CartTypeActivity
com.ssyc.WQTaxi.LoginActivity
com.ssyc.WQTaxi.RegistActivity
com.ssyc.WQTaxi.AddAddressActivity
com.ssyc.WQTaxi.ForgetPasswordActitivy
com.ssyc.WQTaxi.GoToWhereActivity
com.ssyc.WQTaxi.BookGoToActivity
com.ssyc.WQTaxi.BournActivity
com.ssyc.WQTaxi.OrderActivity
com.ssyc.WQTaxi.MyMsgActivity
com.alipay.sdk.app.H5PayActivity
com.alipay.sdk.auth.AuthActivity
cn.jpush.android.ui.PushActivity
com.ssyc.WQTaxi.PeopleInfoDetaileActivity
com.ssyc.WQTaxi.AuditActivity
com.ssyc.WQTaxi.ToPayActivity
com.ssyc.WQTaxi.FeelBackActivity
com.ssyc.WQTaxi.FeedActivity
com.ssyc.WQTaxi.ChangePswActivity
com.ssyc.WQTaxi.wxapi.WXEntryActivity
com.ssyc.WQTaxi.wxapi.WXPayEntryActivity

com.baidu.location.f
cn.jpush.android.service.DownloadService
cn.jpush.android.service.PushService

cn.jpush.android.service.PushReceiver
cn.jpush.android.service.AlarmReceiver
com.ssyc.WQTaxi.TestReciever

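Third-party libraries

# Library Description
0 com.tencent.connect Tencent Open Platform
1 com.umeng.analytics The Umeng analytics platform is the largest mobile application analytics platform in China.
2 com.tencent.map The Tencent Maps Android SDK is a set of application interfaces for devices running Android 2.3 and later. Through it you can conveniently access the high-quality place data and services that Tencent Maps provides, and build rich, practical map and location-based applications. Besides basic functions such as creating base maps, zooming and smooth panning, the Tencent Maps Android SDK also provides extended services such as positioning, geocoding, reverse geocoding, nearby search and route planning, helping you get more done with less effort in application development. The Tencent Maps Android SDK service requires registration and is offered free of charge to third parties; any non-profit website may use it.
3 com.tencent.mm.sdk WeChat Pay
4 cn.jpush.android.api JPush lets developers push notifications or messages to their application's users in real time and stay engaged with them, effectively improving retention and the user experience. The platform provides a unified push service that integrates Android push and iOS push.
5 net.tsz.afinal Afinal is a SQLite ORM and IoC framework for Android. It also wraps Android's HTTP framework to make it simpler and easier to use.
6 com.alipay.sdk Alipay mobile payment functionality
7 com.tencent.tauth The Tencent QQ Connect platform has compiled a list of SDKs for developers to help them quickly integrate QQ login, sharing and other features. QQ Connect is an open platform run by Tencent; through it, site owners and developers can apply to integrate QQ login, users can sign in to integrated sites with their QQ accounts, site content can be shared to Qzone and Pengyou by adding share and like components, and, by obtaining API authorization, site owners can also sync user actions to Qzone and Pengyou.
8 com.baidu.lbsapi The Baidu Android Panorama SDK is a set of panorama service interfaces for the Android mobile platform. It gives developers panorama retrieval, display and interaction functions so that the surroundings of a target location can be shown more clearly and conveniently.
9 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
10 com.baidu.mapapi The Baidu Maps Android SDK is a set of application programming interfaces for devices running Android 2.1 and later. You can use the SDK to develop map applications for Android mobile devices; by calling the map SDK interfaces you can easily access Baidu Maps services and data and build feature-rich, highly interactive map applications.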
11 com.google.protobuf Protocol Buffers - Google's data interchange format https://developers.google.com/protocol-buffers/

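Risks found by static scanning

Risk level Risk name

Medium risk

The current flag was detected as set to true or not set, which lets adb debug backup allow a malicious attacker to copy the application's data, leading to data leakage.

Medium risk

Detected 5 weak certificate validation vulnerabilities.

Location: classes.dex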
com.baidu.lbsapi.auth.f$b;
com.lidroid.xutils.util.OtherUtils$1;
com.baidu.lbsapi.auth.c$b;
com.lidroid.xutils.http.client.DefaultSSLSocketFactory$1;
com.baidu.location.b.m$a$1;

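When a mobile app client communicates over https or ssl/tls without validating that the certificate is trustworthy, it is exposed to man-in-the-middle attacks. These can lead to information disclosure, tampering with transmitted data, and even replacement of the original content with malicious links or malicious code through man-in-the-middle hijacking, for purposes such as remote control. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
www.wooyun.org/bugs/wooyun-2014-079358

References: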
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

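Medium risk

Detected 1 sensitive Test or Debug component that has not been removed

com.ssyc.WQTaxi.TestReciever

Recommendation:
Remove sensitive Test or Debug components before the official release of the app.

Medium risk

Detected 3 man-in-the-middle vulnerabilities.

Location: classes.dex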
com.lidroid.xutils.util.OtherUtils;->trustAllHttpsURLConnection()V
com.lidroid.xutils.http.client.DefaultSSLSocketFactory;->()V
com.baidu.location.b.m;->if(Lorg.apache.http.params.HttpParams;)Lorg.apache.http.client.HttpClient;

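The setHostnameVerifier method is set to ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any host name outright and may result in a man-in-the-middle vulnerability. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

References: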
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

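Medium risk

This app needs to remove most of its logging code.
The scan found that the package still contains a large amount of logging code: 192 logging call sites in total. (The logging code counted here means calls to android.util.Log.*.)
Details are as follows:

Location: classes.dex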
u.aly.bt;->c(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
cn.jpush.android.util.JLogger;->a(I Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mapapi.utils.poi.BaiduMapPoiSearch;->dispatchPoiToBaiduMap(Ljava/util/List; Landroid/content/Context;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.umeng.analytics.social.b;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
u.aly.bt;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.ta.utdid2.a.b;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Lcom/ut/device/AidCallback;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ssyc.WQTaxi.tools.UploadUtil;->toUploadFile(Ljava/io/File; Ljava/lang/String; Ljava/lang/String; Ljava/util/Map;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I

Medium risk

116 sensitive plaintext strings detected; removing them is recommended.

Location: classes.dex

Medium risk

7 instances of the setSavePassword plaintext password storage vulnerability detected.

Location: classes.dex
com.tencent.open.SocialApiIml;
com.umeng.analytics.MobclickAgentJSInterface;
com.ssyc.WQTaxi.MessageDetailsActivity;
com.ssyc.WQTaxi.BannerDetailsActivity;
cn.jpush.android.ui.FullScreenView;
cn.jpush.android.ui.PopWinActivity;
com.tencent.open.yyb.AppbarActivity;

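WebView's save-password feature is enabled by default (true). WebView stores website passwords in plaintext in the local private file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain user passwords.
Recommendation: explicitly set webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References: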
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low risk

2 instances of improper SecureRandom use detected.

Location: classes.dex
com.ta.utdid2.b.a.a;->a
com.alipay.security.mobile.module.a.b;->a

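Improper use of SecureRandom makes the generated random numbers predictable; this vulnerability lies in the step where the Android system randomly generates the numeric string used as a security key. Its cause is that incorrect use of the SecureRandom class makes the generated random numbers not random. Recommendations:
(1) Do not replace the system default random source with a custom one (recommended). Unless there is a special need, do not call the following when using the SecureRandom class: the SecureRandom(byte[] seed) constructor and the setSeed(long seed) and setSeed(byte[] seed) methods.
(2) Call any nextXXX method before calling setSeed. Specifically, call SecureRandom#nextBytes(byte[] bytes) once before calling setSeed; this prevents the default random source from being replaced. See the references for details.

References: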
https://developer.android.com/reference/java/security/SecureRandom.html
http://drops.wooyun.org/papers/5164
http://jaq.alibaba.com/blog.htm?id=47

Low risk

9 WebView hidden system interfaces detected that have not been removed.

Location: classes.dex
com.ssyc.WQTaxi.MessageDetailsActivity;->setWebViewData(Ljava.lang.String; I)V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebChromeClient;)V
com.alipay.sdk.app.H5PayActivity;->onCreate(Landroid.os.Bundle;)V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView;)V
com.alipay.sdk.auth.AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.app.H5AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.ssyc.WQTaxi.BannerDetailsActivity;->setWebViewData(Ljava.lang.String;)V
cn.jpush.android.ui.PopWinActivity;->onCreate(Landroid.os.Bundle;)V
cn.jpush.android.ui.FullScreenView;->initModule(Landroid.content.Context; Lcn.jpush.android.data.d;)V

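The Android WebView component contains 3 hidden system interfaces: searchBoxJavaBridge_, accessibilityTraversal and accessibility. Malicious programs can use them to achieve remote code execution.
If WebView is used, call the WebView.removeJavascriptInterface(String name) API to explicitly remove the three interfaces searchBoxJavaBridge_, accessibility and accessibilityTraversal.

References: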
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

Low risk

8 instances of AES/DES weak encryption risk detected.

Location: classes.dex
Lcom/ssyc/WQTaxi/OrderActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
com.alipay.sdk.encrypt.b;->a(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
Lcom/ssyc/WQTaxi/MyAddressActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/ssyc/WQTaxi/MineOrderActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/ssyc/WQTaxi/AddressActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/ssyc/WQTaxi/SelectAddressActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/ssyc/WQTaxi/LoginActivity;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/alipay/sdk/encrypt/e;->()V

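When the AES/DES/DESede encryption algorithms are used in ECB mode, they are vulnerable to attack, which can leak information. Recommendation: when using AES/DES/DESede, explicitly specify the CBC or CFB encryption mode.

References: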
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

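Low risk

This is a non-debug package; most system output code should be removed by the packaging platform's ProGuard script.
The scan found that the package still contains a large amount of system output code: 92 occurrences in total. (The system output code scanned for here is output produced by calling System.out.print*, which should have been removed by the packaging platform.)
Details of the system output code for each bundle are as follows:

Location: classes.dex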

Low risk

2 instances of weak hostname verification detected.

Location: classes.dex
com.baidu.lbsapi.auth.e;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.baidu.lbsapi.auth.h;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

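A custom HostnameVerifier class is defined, but its verify method does not verify the host name and simply returns true, accepting any host name. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

References: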
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

Low risk

3 places detected where a custom WebViewClient implementation calls proceed() in onReceivedSslError.

Location: classes.dex
com.alipay.sdk.app.H5AuthActivity$a;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.app.H5PayActivity$a;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.auth.AuthActivity$b;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

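When a certificate validation error occurs while the Android WebView component loads a page, the onReceivedSslError method of the WebViewClient class is called. If the implementation of that method calls handler.proceed() to ignore the certificate error, the app is exposed to man-in-the-middle attacks, which may lead to privacy leakage. Recommendation:
When a certificate validation error occurs, use the default handling, handler.cancel(), to stop loading the problem page.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0109266

References: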
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

Warning

7 places detected where addFlags is used with Intent.FLAG_ACTIVITY_NEW_TASK.

Location: classes.dex
com.tencent.mm.sdk.a.a;->a
cn.jpush.android.util.a;->e
com.tencent.connect.auth.AuthDialog$LoginWebViewClient;->shouldOverrideUrlLoading
com.tencent.open.TDialog$FbWebViewClient;->shouldOverrideUrlLoading
com.tencent.open.utils.Util;->a
cn.jpush.android.service.PushReceiver;->onReceive
com.tencent.open.PKDialog;->loadUrlWithBrowser

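When an app creates an Intent to pass data to another Activity and that Activity is not opened in the same Task, the Intent's content may well be hijacked and read by other Activities; passing sensitive information via Intent between Activities in different Tasks is insecure. Recommendation:
Avoid, as far as possible, using Intents that carry the FLAG_ACTIVITY_NEW_TASK flag to pass sensitive information.

References: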
http://wolfeye.baidu.com/blog/intent-data-leak

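Warning

5 exported components that receive messages from other apps were detected; these components can be referenced by other apps, leading to DoS attacks.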

activity cn.jpush.android.ui.PushActivity
activity com.ssyc.WQTaxi.wxapi.WXEntryActivity
activity com.ssyc.WQTaxi.wxapi.WXPayEntryActivity
receiver cn.jpush.android.service.PushReceiver
receiver com.ssyc.WQTaxi.TestReciever

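Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-application calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on the provider and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed into and returned from components, especially across applications, and add exception handling, to prevent malicious debugging data from being passed in and, above all, to prevent sensitive data from being returned.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References: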
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

14 potential XSS vulnerabilities detected.

Location: classes.dex
cn.jpush.android.ui.PopWinActivity;->onCreate(Landroid.os.Bundle;)V
cn.jpush.android.util.a;->a(Landroid.webkit.WebSettings;)V
com.alipay.sdk.app.H5AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.app.H5PayActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.auth.AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.tencent.connect.auth.AuthDialog;->d()V
com.tencent.open.yyb.AppbarActivity;->initViews()V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView;)V
com.umeng.analytics.MobclickAgentJSInterface;->(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebChromeClient;)V
com.ssyc.WQTaxi.BannerDetailsActivity;->setWebViewData(Ljava.lang.String;)V
com.ssyc.WQTaxi.MessageDetailsActivity;->setWebViewData(Ljava.lang.String; I)V
com.tencent.open.PKDialog;->initViews()V
com.tencent.open.SocialApiIml;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.TDialog;->b()V

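Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Avoid it where possible.
(1) Android systems with API level 17 or higher. For security, to prevent Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher. Avoid using the addJavascriptInterface interface so as not to introduce unnecessary security risk; if it must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the Android system's built-in default interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References: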
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

10 uses of IvParameterSpec detected.

Location: classes.dex
com.alipay.security.mobile.module.a.b;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.security.mobile.module.a.b;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.baidu.android.bbalbs.common.a.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.android.bbalbs.common.a.a;->b(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.location.f.b.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.location.f.b.a;->if(Ljava.lang.String; Ljava.lang.String; [B)[B
com.ta.utdid2.b.a.a;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.ta.utdid2.b.a.a;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.umeng.analytics.b;->a([B [B)[B
com.umeng.analytics.b;->b([B [B)[B

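When IvParameterSpec is used with a fixed initialization vector, the ciphertext becomes far more predictable and is vulnerable to dictionary attacks and the like. Recommendation: do not construct IvParameterSpec from a constant initialization vector; use the security components provided by Jaq (聚安全).

References: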
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

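Warning

Use of the android.permission.ACCESS_MOCK_LOCATION permission detected; this permission is intended for use in the emulator.

Warning

1 place detected where a PendingIntent is constructed with an empty Intent.

Location: classes.dex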
cn.jpush.android.service.DownloadService;->a(Lcn.jpush.android.data.d; I J J)V

When a PendingIntent is used with an empty Intent, a malicious user can hijack the Intent's content. Recommendation:
Do not construct a PendingIntent from an empty Intent.

References:
http://wolfeye.baidu.com/blog/pendingintent-leak-information
http://bbs.mob.com/thread-5249-1-1.html

Warning

1 instance of socket communication detected.

Location: classes.dex
Lcn.jpush.android.helpers.ConnectingHelper;->a

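Android applications commonly use sockets of different domains such as PF_UNIX, PF_INET and PF_NETLINK for local IPC or remote network communication. These exposed sockets represent potential local or remote attack surface, and historically there have been many cases of denial of service, root privilege escalation or remote command execution through sockets. PF_INET network sockets in particular can communicate with the Android application over the network; they were originally meant for exposing network services in a Linux environment. Because they lack fine-grained security checks on the identity of the network caller or on the local caller's id, permission and so on, a poor implementation can break through Android's sandbox restrictions and execute commands with the privileges of the attacked application, which usually results in fairly serious vulnerabilities.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

References: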
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

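Warning

This app should declare the permission's "android:protectionLevel" attribute as "signature" or "signatureOrSystem", to ensure that other apps cannot register for or receive messages from this app. The permissions with security risk are as follows: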
android.permission.BAIDU_LOCATION_SERVICE normal

Warning

3 URLs detected that do not use a secure HTTPS link.

Location: classes.dex
http://aliusergw-1-64.test.alipay.net/
http://m.alipay.com/
http://mcgw.alipay.com/

References:
https://jaq.alibaba.com/blog.htm?id=60
https://developer.android.com/training/articles/security-ssl.html

Warning

20 uses of encryption/decryption algorithms detected. Improper key handling may lead to information disclosure.

Location: classes.dex

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

References:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


Risk points found by dynamic scanning

Risk level Risk name

Medium risk

com.ssyc.WQTaxi.wxapi.WXEntryActivity
com.ssyc.WQTaxi.wxapi.WXPayEntryActivity

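Server-side analysis

Risk level Risk name

Warning

? XSS vulnerabilities detected.
In development...

Warning

? cross-site scripting (XSS) vulnerabilities detected.
In development...

App certificate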