0

High-risk vulnerabilities

10

Medium-risk vulnerabilities

6

Low-risk vulnerabilities

9

Warnings

File name vuldemo.apk
Uploader glider
File size 2.6276159286499MB
MD5 9fa39d2289048c20a73be1c2f0aa4439
Package name com.example.vulndemo
Main Activity com.example.vulndemo.MainActivity
Min SDK 15
Target SDK 29

Permission list

# Name Description Notice
0 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Notice

Four major components

Component name

com.example.vulndemo.vuln.WebViewActivity
com.example.vulndemo.MainActivity
com.example.vulndemo.vuln.FragmentInjectActivity

com.vivo.push.sdk.service.CommandClientService

com.example.vulndemo.vuln.FileProvider

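Third-party libraries

# Library name Description
0 com.xiaomi.mipush.sdk Xiaomi Push (MiPush) is a message push service that Xiaomi provides to developers. By establishing a stable, reliable long-lived connection between the cloud and the client, it lets developers push real-time messages to client applications and helps them effectively drive user engagement.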

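Risks found by static scan

Risk level Risk name

Medium

The current flag was detected as set to true or not set. This allows adb debug backup, which lets a malicious attacker copy the application's data and causes data leakage.

Medium

Detected 1 weak certificate validation vulnerability.

Location: classes.dex
com.example.vulndemo.vuln.SSLTrustAnyoneVulDemo$1;

When a mobile app client communicates over https or ssl/tls without verifying that the certificate is trustworthy, it is exposed to man-in-the-middle attacks. These can lead to information disclosure, tampering with transmitted data, or even replacement of the original content with malicious links or malicious code through man-in-the-middle hijacking, for purposes such as remote control. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
www.wooyun.org/bugs/wooyun-2014-079358

References:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60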

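Medium

Detected 1 exposed provider component that implements the openFile function.

Location: classes.dex
Lcom/example/vulndemo/vuln/FileProvider; openFile


An externally exposed Content Provider that implements the openFile() interface allows any other application holding the permission required to call that Content Provider to invoke its openFile() interface and access file data. If access to the Content Provider is not controlled and the Uri of the requested file is not effectively validated, an attacker can use directory traversal to access any readable file.
(1) Set Content Providers that do not need to be exported to not exported
(2) Remove unnecessary openFile() interfaces
(3) Filter and restrict cross-domain access, and effectively validate the path of the requested file
(4) Use signature verification to control access to the data the Content Provider shares, for example by setting protectionLevel="signature" or "signatureOrSystem"
(5) Make sure public content providers do not store sensitive data
(6) Pay attention to permission protection when serving asset files

Reference cases:
www.wooyun.org/bugs/wooyun-2013-047098
www.wooyun.org/bugs/wooyun-2013-044407
www.wooyun.org/bugs/wooyun-2013-044411

References:
https://jaq.alibaba.com/blog.htm?id=61
http://wolfeye.baidu.com/blog/content-provider-file-traversal
http://drops.wooyun.org/tips/4314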

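Medium

Debug mode was detected as enabled. If this option is enabled, the app is at risk of being debugged by malicious programs, which may lead to problems such as disclosure of sensitive information. Disabling debug mode is recommended.

Medium

Detected 1 man-in-the-middle attack vulnerability.

Location: classes.dex
com.example.vulndemo.vuln.HttpsCloseHostVerifier;->vul()V

The setHostnameVerifier method is set to ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any host name outright and may result in a man-in-the-middle attack vulnerability. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

References:
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60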

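Medium

This app needs to have most of its log-printing code removed.
The scan found that the package still contains a large amount of logging code: 198 logging calls in total. (The logging code scanned for here means calls made through android.util.Log.*.)
Details are as follows:

Location: classes.dex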
androidx.appcompat.widget.DrawableUtils;->getOpticalBounds(Landroid/graphics/drawable/Drawable;)Landroid/graphics/Rect;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
androidx.fragment.app.FragmentState;->instantiate(Landroidx/fragment/app/FragmentHostCallback; Landroidx/fragment/app/FragmentContainer; Landroidx/fragment/app/Fragment; Landroidx/fragment/app/FragmentManagerNonConfig; Landroidx/lifecycle/ViewModelStore;)Landroidx/fragment/app/Fragment;==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
androidx.loader.app.LoaderManagerImpl;->destroyLoader(I)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I

Medium risk

Detected 2 WebView remote code execution vulnerabilities.

Location: classes.dex
com.example.vulndemo.vuln.WebViewSetSavaPwdVulDemo;->level_0_vuln(Landroid.content.Context;)V
com.example.vulndemo.vuln.WebViewActivity;->onCreate(Landroid.os.Bundle;)V

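Android versions below API 17 have a remote code execution vulnerability. It stems from the program not properly restricting use of the addJavascriptInterface method: an attacker can exploit it through Java reflection to invoke methods of arbitrary Java objects, leading to remote code execution.
(1) On Android systems at API 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that any function allowed to be called be annotated with @JavascriptInterface.
(2) On Android systems at API 17 or higher: avoid the addJavascriptInterface interface so as not to introduce unnecessary security risk; if the interface must be used, certificate verification is recommended.
(3) Use removeJavascriptInterface to remove the default built-in interfaces of the Android system: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References: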
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium risk

Detected 25 pieces of sensitive plaintext information; removing them is recommended.

Location: classes.dex
'10.0.0.200' used in: Lcom/xiaomi/push/as;->a(Landroid/content/Context; Ljava/net/URL;)Ljava/net/HttpURLConnection;
'10.237.14.141' used in: Lcom/xiaomi/push/ae;->()V
'http://%1$s/gslb/?ver=4.0' used in: Lcom/xiaomi/push/cu;->a(Ljava/util/ArrayList; Ljava/lang/String; Ljava/lang/String; Z)Ljava/lang/String;
'http://139.196.35.30:8080/OkHttpTest/apppackage/test.html' used in: Lcom/example/vulndemo/vuln/WebViewActivity;->onCreate(Landroid/os/Bundle;)V
'http://139.196.35.30:8080/OkHttpTest/apppackage/test.html' used in: Lcom/example/vulndemo/vuln/WebViewAcitivty;->onCreate(Landroid/os/Bundle;)V
'http://new.api.ad.xiaomi.com/logNotificationAdActions' used in: Lcom/xiaomi/push/cl;->a(Ljava/lang/String; Ljava/lang/String; Lcom/xiaomi/push/ch;)I
'http://resolver.msg.xiaomi.net/psc/?t=a' used in: Lcom/xiaomi/push/service/bb;->b()V
'http://schemas.android.com/apk/res-auto' used in: Lcom/google/android/material/chip/ChipDrawable;->loadFromAttributes(Landroid/util/AttributeSet; I I)V
'http://schemas.android.com/apk/res/android' used in: Lcom/google/android/material/chip/Chip;->validateAttributes(Landroid/util/AttributeSet;)V
'http://schemas.android.com/apk/res/android' used in: Landroidx/core/content/res/TypedArrayUtils;->hasAttribute(Lorg/xmlpull/v1/XmlPullParser; Ljava/lang/String;)Z
'http://www.google.com/' used in: Lcom/example/vulndemo/vuln/WebViewAcitivty$1;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z
'http://www.google.com/' used in: Lcom/example/vulndemo/vuln/WebViewActivity$1;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/push/gl;->a([B)V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/push/fs;->()V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/push/fi;->()V
'http://xmlpull.org/v1/doc/features.html#process-namespaces' used in: Lcom/xiaomi/push/gk;->a()V
'https://api.xmpush.xiaomi.com/upload/app_log?file=' used in: Lcom/xiaomi/mipush/sdk/w;->run()V
'https://api.xmpush.xiaomi.com/upload/crash_log?file=' used in: Lcom/xiaomi/mipush/sdk/y;->run()V
'https://api.xmpush.xiaomi.com/upload/xmsf_log?file=' used in: Lcom/xiaomi/mipush/sdk/w;->run()V
'https://cn.register.xmpush.xiaomi.com' used in: Lcom/xiaomi/push/service/l;->a(Landroid/content/Context;)Ljava/lang/String;
'https://fr.register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/l;->a(Landroid/content/Context;)Ljava/lang/String;
'https://idmb.register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/l;->a(Landroid/content/Context;)Ljava/lang/String;
'https://register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/l;->a(Landroid/content/Context;)Ljava/lang/String;
'https://ru.register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/l;->a(Landroid/content/Context;)Ljava/lang/String;
'www.baidu.com:80' used in: Lcom/xiaomi/push/service/ad;->run()V

Medium risk

Detected 3 instances of the setSavePassword plaintext password storage vulnerability.

Location: classes.dex
com.example.vulndemo.vuln.WebViewSetSavaPwdVulDemo;
com.example.vulndemo.vuln.WebViewActivity;
com.example.vulndemo.vuln.WebViewAcitivty;

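WebView's save-password feature is set to true by default. WebView stores website passwords in plaintext in the local private file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain user passwords.
Recommendation: explicitly set webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References: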
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Medium risk

Detected 3 file operations using world-readable/writable mode.

Location: classes.dex
com.example.vulndemo.vuln.GetDirVulDemo;->vul(Landroid.content.Context;)V===>openFileOutput
com.example.vulndemo.vuln.GetDirVulDemo;->vul(Landroid.content.Context;)V===>getSharedPreferences
com.example.vulndemo.vuln.GetDirVulDemo;->vul(Landroid.content.Context;)V===>getDir

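When getDir, getSharedPreferences (SharedPreference) or openFileOutput is used with world-readable permission set, an attacker can maliciously read the file contents and obtain sensitive information. If the file is set world-writable, an attacker may tamper with or forge its contents and may use this for fraud and similar acts, causing financial loss to the user. Recommendations:
(1) Create internal storage files with MODE_PRIVATE.
(2) Encrypt sensitive data before storing it.
(3) Avoid storing plaintext and sensitive information in files.

Reference cases:
http://wooyun.org/bugs/wooyun-2010-047172
http://wooyun.org/bugs/wooyun-2010-054438
http://wooyun.org/bugs/wooyun-2010-0151270

References: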
https://jaq.alibaba.com/blog.htm?id=56
https://jaq.alibaba.com/blog.htm?id=58
http://wolfeye.baidu.com/blog/global-rw-of-file
http://wolfeye.baidu.com/blog/global-rw-of-sharepreference/

Low risk

Detected 1 improper use of SecureRandom.

Location: classes.dex
com.example.vulndemo.vuln.RandomNumberVulDemo;->vul_demo

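Improper use of SecureRandom makes the generated random numbers predictable. The vulnerability lies in the step where the Android system randomly generates numeric strings for security keys, and it is caused by using the SecureRandom class incorrectly so that the generated numbers are not random. Recommendations:
(1) Do not replace the system default random source with a custom one (recommended). Unless there is a special need, do not call the following when using the SecureRandom class: the SecureRandom(byte[] seed) constructor, and the setSeed(long seed) and setSeed(byte[] seed) methods.
(2) Call any nextXXX method before calling setSeed. Specifically, call SecureRandom#nextBytes(byte[] bytes) once before calling setSeed; this prevents the default random source from being replaced. See the references for details.

References: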
https://developer.android.com/reference/java/security/SecureRandom.html
http://drops.wooyun.org/papers/5164
http://jaq.alibaba.com/blog.htm?id=47

Low risk

Detected 3 places where WebView hidden system interfaces are not removed.

Location: classes.dex
com.example.vulndemo.vuln.WebViewAcitivty;->onCreate(Landroid.os.Bundle;)V
com.example.vulndemo.vuln.WebViewActivity;->onCreate(Landroid.os.Bundle;)V
com.example.vulndemo.vuln.WebViewSetSavaPwdVulDemo;->level_0_vuln(Landroid.content.Context;)V

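The Android WebView component contains 3 hidden system interfaces: searchBoxJavaBridge_, accessibilityTraversal and accessibility. Malicious programs can use them to achieve remote code execution.
If WebView is used, call the WebView.removeJavascriptInterface(String name) API to explicitly remove the three interfaces searchBoxJavaBridge_, accessibility and accessibilityTraversal.

References: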
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

Low risk

Detected 4 Intent Scheme URI vulnerabilities.

Location: classes.dex
Lcom/xiaomi/mipush/sdk/av;->a(Landroid/content/Context; Ljava/lang/String; Ljava/util/Map;)Landroid/content/Intent;
Lcom/xiaomi/push/service/z;->a(Landroid/content/Context; Ljava/lang/String; I Ljava/util/Map;)Landroid/content/Intent;
Lcom/vivo/push/c/s;->a(Lcom/vivo/push/y;)V
Lcom/example/vulndemo/MainActivity;->onCreate(Landroid/os/Bundle;)V


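An Intent Scheme URI is a special URL format used to launch the Activity components of installed apps from a web page; most mainstream browsers support it. If the app does not check the load_url value it obtains, an attacker can build a phishing site, lure the user into clicking and loading it, and steal user information. Improper handling of Intent URIs therefore leads to Intent-based attacks. Recommendation:
If Intent.parseUri is used, the resulting intent must be strictly filtered; at a minimum apply the three policies addCategory("android.intent.category.BROWSABLE"), setComponent(null) and setSelector(null).

References: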
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

Low risk

Detected 1 AES/DES weak encryption risk.

Location: classes.dex
Lcom/example/vulndemo/vuln/CipherVulDemo;->aes_des_vuln()V

When the AES/DES/DESede encryption algorithms are used in ECB mode, they are open to attack and can leak information. When using AES/DES/DESede, explicitly specify the CBC or CFB mode.

References:
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

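Low risk

For a non-debug package, most system output code should be removed by the packaging platform's proguard script.
The scan found that this package still contains a large amount of system output code: 7 instances in total. (System output code here means output through System.out.print* calls, which should have been removed on the packaging platform.)
Details of the system output code in each bundle:

Location: classes.dex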
androidx.constraintlayout.solver.widgets.ConstraintWidgetContainer;
com.xiaomi.push.gl;
androidx.constraintlayout.solver.ArrayLinkedVariables;
com.example.vulndemo.vuln.DangerousApiVulDemo;
com.xiaomi.push.fx;
com.xiaomi.push.fs;
androidx.constraintlayout.solver.LinearSystem;

Low risk

Detected 1 use of the RSA algorithm without padding.

Location: classes.dex
'RSA/ECB/NoPadding' used in: Lcom/example/vulndemo/vuln/CipherVulDemo;->aes_des_vuln()V

An RSA public key is normally used together with a padding scheme, to prevent attacks on RSA that depend on the absence of padding.

References:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Warning

Detected 6 addFlags calls that use Intent.FLAG_ACTIVITY_NEW_TASK.

Location: classes.dex
androidx.appcompat.widget.SearchView;->createIntent
com.vivo.push.c.s;->a
com.xiaomi.push.service.z;->a
androidx.appcompat.widget.SearchView;->
androidx.core.app.TaskStackBuilder;->startActivities
com.xiaomi.mipush.sdk.av;->a

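When the app creates an Intent to pass data to another Activity and the created Activity is not opened in the same Task, the Intent content may well be hijacked and read by another Activity; passing sensitive information through an Intent between Activities in different Tasks is not safe. Recommendation:
As far as possible, avoid using Intents that carry the FLAG_ACTIVITY_NEW_TASK flag to pass sensitive information.

References: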
http://wolfeye.baidu.com/blog/intent-data-leak

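Warning

Detected 1 exported component that receives messages from other apps; such components can be referenced by other apps and lead to DoS attacks.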

service com.vivo.push.sdk.service.CommandClientService

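Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on the provider, and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed in and returned between components, especially across apps, and add exception handling, to keep malicious debugging data from being passed in and, more importantly, to keep sensitive data from being returned.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References: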
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

Detected 1 component with the android.intent.category.BROWSABLE attribute set.
com.example.vulndemo.vuln.WebViewActivity


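A component that declares the android.intent.category.BROWSABLE attribute in the AndroidManifest file can be launched from a browser, which can lead to remote command execution attacks. Recommendations:
(1) Every place in the app that receives external input is a potential attack point; filter and check parameters that come from web pages.
(2) Do not pass sensitive information through web pages. To steer logged-in users into the app, some sites use scripts to dynamically generate URL Scheme parameters that include sensitive information such as the username, password or login-state token, so that opening the app logs the user in directly. A malicious app can register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but an inattentive user may open it with the malicious app, leading to sensitive information leakage or other risks.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References: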
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 2 potential XSS vulnerabilities.

Location: classes.dex
com.example.vulndemo.vuln.WebViewAcitivty;->onCreate(Landroid.os.Bundle;)V
com.example.vulndemo.vuln.WebViewActivity;->onCreate(Landroid.os.Bundle;)V

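Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Avoid it where possible.
(1) On Android systems at API 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that any function allowed to be called be annotated with @JavascriptInterface.
(2) On Android systems at API 17 or higher: avoid the addJavascriptInterface interface so as not to introduce unnecessary security risk; if the interface must be used, certificate verification is recommended.
(3) Use removeJavascriptInterface to remove the default built-in interfaces of the Android system: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References: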
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 3 uses of IvParameterSpec.

Location: classes.dex
com.vivo.push.cache.c;->updateDataToSP(Ljava.util.Set;)Ljava.lang.String;
com.vivo.push.util.g;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.xiaomi.push.h;->a([B I)Ljavax.crypto.Cipher;

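When IvParameterSpec is used with a fixed initialization vector, the ciphertext becomes far more predictable and is vulnerable to dictionary attacks and the like. Do not construct IvParameterSpec from a constant initialization vector; use the security component provided by 聚安全.

References: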
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Warning

Detected 4 places where a PendingIntent is constructed from an empty Intent.

Location: classes.dex
com.example.vulndemo.vuln.PendingIntentVulDemo;->level_3_vuln(Landroid.content.Context;)V
com.example.vulndemo.vuln.PendingIntentVulDemo;->level_0_vuln(Landroid.content.Context;)V
com.example.vulndemo.vuln.PendingIntentVulDemo;->level_2_vuln(Landroid.content.Context;)V
com.example.vulndemo.vuln.PendingIntentVulDemo;->smoke_bomb(Landroid.content.Context;)V

When a PendingIntent is constructed from an empty Intent, a malicious user can hijack the Intent's content. Recommendation:
Do not construct a PendingIntent from an empty Intent.

References:
http://wolfeye.baidu.com/blog/pendingintent-leak-information
http://bbs.mob.com/thread-5249-1-1.html

Warning

Detected 1 use of socket communication.

Location: classes.dex
Lcom.example.vulndemo.vuln.SocketDemo;->vul

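Android apps commonly use sockets of different domains, such as PF_UNIX, PF_INET and PF_NETLINK, for local IPC or remote network communication. These exposed sockets represent potential local or remote attack surface, and there have been many historical cases of sockets being used for denial of service, root privilege escalation or remote command execution. PF_INET network sockets in particular can communicate with the Android app over the network. They were originally meant for exposing network services in a Linux environment; because they lack fine-grained security checks on the network caller's identity or the local caller's id, permissions and so on, a poor implementation can break through Android's sandbox restrictions and execute commands with the privileges of the attacked app, which usually results in fairly serious vulnerabilities.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

References: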
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

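Warning

This app should declare the "android:protectionLevel" attribute of its permissions as "signature" or "signatureOrSystem", so that other apps cannot register for or receive messages from this app. The permissions with a security risk are: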
com.glider.testpermission1 dangerous
com.glider.testpermission normal

Warning

Detected 4 uses of encryption/decryption algorithms. Improper key handling may lead to information leakage.

Location: classes.dex
com.vivo.push.util.g;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.vivo.push.cache.c;->updateDataToSP(Ljava.util.Set;)Ljava.lang.String;
com.xiaomi.push.h;->a([B I)Ljavax.crypto.Cipher;
com.example.vulndemo.vuln.CipherVulDemo;->aes_des_vuln()V

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

References:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


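Risks found by dynamic scan

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? cross-site scripting (XSS) vulnerabilities.
In development...

Application certificate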