漏洞分析

0

高危漏洞

9

中危漏洞

4

低危漏洞

10

警告

文件名 shoujiyunzhuomian_18707.apk
上传者 thorns
文件大小 13.475431442261MB
MD5 a292d2bcea464f89b68fc6c935731213
包名 telecom.mdesk
Main Activity telecom.mdesk.LauncherEntrance
Min SDK 9
Target SDK 11

权限列表

# 名称 说明 提示
0 android.permission.CALL_PHONE 允许应用程序在您不介入的情况下拨打电话。恶意应用程序可借此在您的话费单上产生意外通话费。请注意,此权限不允许应用程序拨打紧急呼救电话。 警告
1 android.permission.READ_SMS 允许应用程序读取您的手机或SIM卡中存储的短信。恶意应用程序可借此读取您的机密信息。 警告
2 android.permission.SEND_SMS 允许应用程序发送短信。恶意应用程序可能会不经您的确认就发送信息,给您带来费用。 警告
3 android.permission.ACCESS_COARSE_LOCATION 访问大概的位置源(例如蜂窝网络数据库)以确定手机的大概位置(如果可以)。恶意应用程序可借此确定您所处的大概位置。 注意
4 android.permission.ACCESS_FINE_LOCATION 访问精准的位置源,例如手机上的全球定位系统(如果有)。恶意应用程序可能会借此确定您所处的位置,并可能消耗额外的电池电量。 注意
5 android.permission.BLUETOOTH 允许应用程序查看本地蓝牙手机的配置,以及建立或接受与配对设备的连接。 注意
6 android.permission.BROADCAST_STICKY 允许应用程序发送顽固广播,这些广播在结束后仍会保留。恶意应用程序可能会借此使手机耗用太多内存,从而降低其速度或稳定性。 注意
7 android.permission.CHANGE_COMPONENT_ENABLED_STATE 允许应用程序更改是否启用其他应用程序的组件。恶意应用程序可借此停用重要的手机功能。使用此权限时务必谨慎,因为这可能导致应用程序组件进入不可用、不一致或不稳定的状态。 注意
8 android.permission.GET_TASKS 允许应用程序检索有关当前和最近运行的任务的信息。恶意应用程序可借此发现有关其他应用程序的保密信息。 注意
9 android.permission.MODIFY_PHONE_STATE 允许应用程序控制设备的电话功能。拥有此权限的应用程序可自行切换网络、打开和关闭无线通信等,而不会通知您。 注意
10 android.permission.READ_CONTACTS 允许应用程序读取您手机上存储的所有联系人(地址)数据。恶意应用程序可借此将您的数据发送给其他人。 注意
11 android.permission.READ_CONTACTS 允许应用程序读取您手机上存储的所有联系人(地址)数据。恶意应用程序可借此将您的数据发送给其他人。 注意
12 android.permission.READ_OWNER_DATA 允许应用程序读取您手机上存储的手机所有者数据。恶意应用程序可借此读取手机所有者数据。 注意
13 android.permission.READ_PHONE_STATE 允许应用程序访问设备的手机功能。有此权限的应用程序可确定此手机的号码和序列号,是否正在通话,以及对方的号码等。 注意
14 android.permission.RECEIVE_BOOT_COMPLETED 允许应用程序在系统完成启动后即自行启动。这样会延长手机的启动时间,而且如果应用程序一直运行,会降低手机的整体速度。 注意
15 android.permission.RECEIVE_MMS 允许应用程序接收和处理彩信。恶意应用程序可借此监视您的信息,或者将信息删除而不向您显示。 注意
16 android.permission.RECEIVE_SMS 允许应用程序接收和处理短信。恶意应用程序可借此监视您的信息,或者将信息删除而不向您显示。 注意
17 android.permission.SET_PREFERRED_APPLICATIONS 允许应用程序修改首选的应用程序。这样恶意应用程序可能会暗中更改运行的应用程序,从而骗过您的现有应用程序来收集您的保密数据。 注意
18 android.permission.SYSTEM_ALERT_WINDOW 允许应用程序显示系统警报窗口。恶意应用程序可借此掌控整个手机屏幕。 注意
19 android.permission.WRITE_CONTACTS 允许应用程序修改您手机上存储的联系人(地址)数据。恶意应用程序可借此清除或修改您的联系人数据。 注意
20 android.permission.WRITE_OWNER_DATA 允许应用程序修改您手机上存储的手机所有者数据。恶意应用程序可借此清除或修改所有者数据。 注意
21 android.permission.WRITE_SECURE_SETTINGS 允许应用程序修改系统的安全设置数据。普通应用程序不能使用此权限。 注意
22 android.permission.WRITE_SETTINGS 允许应用程序修改系统设置方面的数据。恶意应用程序可借此破坏您的系统配置。 注意
23 android.permission.WRITE_SMS 允许应用程序写入手机或SIM卡中存储的短信。恶意应用程序可借此删除您的信息。 注意
24 android.permission.WRITE_SYNC_SETTINGS 允许应用程序修改同步设置,例如是否为\“联系人\”启用同步。 注意
25 android.permission.ACCESS_NETWORK_STATE 允许应用程序查看所有网络的状态。 提示
26 android.permission.ACCESS_WIFI_STATE 允许应用程序查看有关WLAN状态的信息。 提示
27 android.permission.BLUETOOTH_ADMIN 允许应用程序配置本地蓝牙手机,以及发现远程设备并与其配对。 提示
28 android.permission.CAMERA 允许应用程序使用相机拍照,这样应用程序可随时收集进入相机镜头的图像。 提示
29 android.permission.CHANGE_NETWORK_STATE 允许应用程序更改网络连接的状态。 提示
30 android.permission.CHANGE_WIFI_STATE 允许应用程序连接到WLAN接入点以及与WLAN接入点断开连接,并对配置的WLAN网络进行更改。 提示
31 android.permission.DISABLE_KEYGUARD 允许应用程序停用键锁和任何关联的密码安全设置。例如,在手机上接听电话时停用键锁,在通话结束后重新启用键锁。 提示
32 android.permission.EXPAND_STATUS_BAR 允许应用程序展开或收拢状态栏。 提示
33 android.permission.FLASHLIGHT 允许应用程序控制闪光灯。 提示
34 android.permission.GET_ACCOUNTS 允许应用程序获取手机已知的帐户列表。 提示
35 android.permission.GET_PACKAGE_SIZE 允许应用程序检索其代码、数据和缓存大小 提示
36 android.permission.HARDWARE_TEST 允许应用程序控制各外围设备以进行硬件测试。 提示
37 android.permission.INTERNET 允许程序访问网络. 提示
38 android.permission.KILL_BACKGROUND_PROCESSES 无论内存资源是否紧张,都允许应用程序结束其他应用程序的后台进程。 提示
39 android.permission.MANAGE_ACCOUNTS 允许应用程序执行添加、删除帐户及删除其密码之类的操作。 提示
40 android.permission.PERSISTENT_ACTIVITY 允许应用程序部分持续运行,这样系统便不能将其用于其他应用程序。 提示
41 android.permission.READ_SYNC_SETTINGS 允许应用程序读取同步设置,例如是否为\“联系人\”启用同步。 提示
42 android.permission.READ_SYNC_STATS 允许应用程序读取同步统计信息;例如已发生的同步历史记录。 提示
43 android.permission.RESTART_PACKAGES 允许程序自己重启或重启其他程序 提示
44 android.permission.SET_WALLPAPER 允许应用程序设置系统壁纸。 提示
45 android.permission.SET_WALLPAPER_HINTS 允许应用程序设置有关壁纸大小的提示。 提示
46 android.permission.USE_CREDENTIALS 允许应用程序请求身份验证标记。 提示
47 android.permission.VIBRATE 允许应用程序控制振动器。 提示
48 android.permission.WAKE_LOCK 允许应用程序防止手机进入休眠状态。 提示
49 android.permission.WRITE_APN_SETTINGS 允许应用程序修改APN设置,例如任何APN的代理和端口。 提示
50 android.permission.WRITE_EXTERNAL_STORAGE 允许应用程序写入SD卡。 提示
51 com.android.browser.permission.WRITE_HISTORY_BOOKMARKS 允许应用程序写入浏览器历史和书签记录。 提示

四大组件

组件名称

telecom.mdesk.Launcher
telecom.mdesk.LauncherEntrance
telecom.mdesk.EmptyLauncher
telecom.mdesk.MyLauncherSettings
telecom.mdesk.setting.ShowLogSetting
telecom.mdesk.LauncherAdvancedFragmentActivity
telecom.mdesk.LauncherSettingFontSizeActivity
telecom.mdesk.widget.LauncherWidget
telecom.mdesk.ActivityPickerActivity
telecom.mdesk.WallpaperChooser
telecom.mdesk.FeedbackActivity
telecom.mdesk.netfolder.component.FileSelectiveActivity
telecom.mdesk.backup.TelecomTabActivity
cn.com.chinatelecom.account.lib.ct.DownloadApkActivity
telecom.mdesk.widget.SimpleAlertDialogActivity
telecom.mdesk.widget.ThemeSimpleAlertDialogActivityOthers
telecom.mdesk.ShortcutCreationActivity
telecom.mdesk.widget.SimpleAlertDialogActivityRemote
telecom.mdesk.theme.AppOnlineDetailActivity
telecom.mdesk.ShareAppManager
telecom.mdesk.component.BrightnessActivity
telecom.mdesk.netfolder.component.MediaFilePicker
telecom.mdesk.goldenegg.GoldenEggDialogContainerActivity
telecom.mdesk.component.OneClickShootCameraActivity
telecom.mdesk.appwidget.switches.switcher.LockScreenSwitcher$AddDeviceAdminProxyActivity
telecom.mdesk.floatwidget.assisitivetouch.AddPreferedAppActivity
telecom.mdesk.activities.goldenegg.GoldenEggRecordActivity
telecom.mdesk.activities.poker.PokerRecordActivity
com.ct.ct10000.OtherNetTipActivity
com.ct.ct10000.LauncherDialogActivity
com.ct.ct10000.OrderFlowDialogActivity
com.ct.ct10000.PayByCardDialogActivity
com.ct.ct10000.PayOnLineActivity
com.tisson.OrderDetail
com.ct.ct10000.RechargeChoiceActivity
com.ct.ct10000.OtherNetOrderActivity
com.ct.ct10000.NotificationDialogActivity
com.ct.ct10000.AccountLoginActivity
net.bitquill.ocr.WordCaptureActivity
com.ct.ct10000.CT10000MainActivity
com.ct.ct10000.CT10000DetailActivity
telecom.mdesk.theme.ThemeSettingActivity
telecom.mdesk.theme.ThemeTabRecommendActivity
telecom.mdesk.theme.ThemeTabclassificationActivity
telecom.mdesk.theme.ThemeTabOnlineActivity
telecom.mdesk.theme.ThemeTabWallpaperActivity
telecom.mdesk.theme.ThemeTabLockActivity
telecom.mdesk.theme.ThemeTabRingActivity
telecom.mdesk.theme.ThemeTabRingEmptyActivity
telecom.mdesk.theme.ThemeTabMusicActivity
telecom.mdesk.theme.BillboardContentListActivity
telecom.mdesk.theme.RingColumActivity
telecom.mdesk.theme.RingColumActivityActivity
telecom.mdesk.theme.ThemeRingDetailActivity
telecom.mdesk.account.PersonalAccountHome
telecom.mdesk.account.PersonalAccountSetting
telecom.mdesk.account.PersonalAccountMailActivity
telecom.mdesk.account.PersonalAccountMailDetailActivity
telecom.mdesk.account.HistoryOrFriendIntegralBoardActivity
telecom.mdesk.account.EmailActivity
telecom.mdesk.account.FriendsDynamicActivity
telecom.mdesk.news.NewsActivity
telecom.mdesk.news.NewsDetailWebViewActivity
telecom.mdesk.news.NewsDetailCustomWebViewActivity
telecom.mdesk.news.NewsSelectInterestActivity
telecom.mdesk.account.HappyDayActivity
telecom.mdesk.account.HappyDayDetailActivity
telecom.mdesk.advert.AdvertCenterActivity
telecom.mdesk.account.PersonalAccountSigninActivity
telecom.mdesk.account.PersonalAccountJumpExchangeActivity
telecom.mdesk.account.IntegralInviteUserActivity
telecom.mdesk.theme.SearchCrbtActivity
telecom.mdesk.theme.CrbtOderActivity
telecom.mdesk.theme.CtbriBookingActivity
telecom.mdesk.theme.MusicDetailActivity
telecom.mdesk.theme.SearchThemeRingActivity
telecom.mdesk.theme.ThemeOnlineDetailActivity
telecom.mdesk.theme.ThemeAndLockOnlineDetailActivity
telecom.mdesk.theme.ThemeChangeLoadingActivity
telecom.mdesk.theme.ThemeSelectWallpaperActivity
telecom.mdesk.theme.ThemeFontOnlineDetailActivity
telecom.mdesk.theme.FontManagerLoadActivity
telecom.mdesk.theme.ThemeFontSetActivity
telecom.mdesk.theme.ThemeFontPreActivity
telecom.mdesk.theme.ThemeTabWallpaperPrevLocalActivity
telecom.mdesk.theme.ThemeSelectImageActivity
telecom.mdesk.theme.ThemeSelectImageDetailActivity
telecom.mdesk.theme.ThemeTabWallpaperPrevOnlineActivity
telecom.mdesk.theme.ThemeTabWallpaperPrevOneModelActivity
telecom.mdesk.theme.ThemeChangeWallpaperScrollActivity
telecom.mdesk.theme.ThemeChangeSettingActivity
telecom.mdesk.theme.ThemeLockChangeSettingActivity
telecom.mdesk.theme.SearchThemeWallpaperActivity
telecom.mdesk.theme.SearchThemeFontActivity
telecom.mdesk.theme.WallpaperPreImageActivity
telecom.mdesk.theme.SearchWallpaperActivity
telecom.mdesk.theme.WallPaperRateActivity
telecom.mdesk.theme.ThemeLockerRateActivity
telecom.mdesk.theme.ThemeLockerShareActivity
telecom.mdesk.theme.ThemeWallpaperOnlineActivity
telecom.mdesk.theme.ThemeWallpaperOnlinePreActivity
telecom.mdesk.theme.ThemeOnlineTypeActivity
telecom.mdesk.theme.ThemeStartLauncherActivity
telecom.mdesk.theme.ThemeTabFontActivity
telecom.mdesk.component.InstallPreCheckActivity
telecom.mdesk.appwidget.switches.SwitchesMoreActivity
telecom.mdesk.appwidget.search.SearchActivity
telecom.mdesk.appwidget.search.LauncherAppSearchActivity
telecom.mdesk.appwidget.search.LauncherAppSearch2Activity
telecom.mdesk.component.AirplaneModeActivity
telecom.mdesk.component.FlashLightAct
telecom.mdesk.theme.ThemeCurrentUninsted
telecom.mdesk.sns.component.EditAccountActivity
telecom.mdesk.sns.component.TweetPostActivity
telecom.mdesk.component.WebviewActivity
telecom.mdesk.checkremind.CheckVisitManagerActivity
telecom.mdesk.checkremind.CheckVisitLauncherActivity
telecom.mdesk.checkremind.CheckVisitThemeShopActivity
telecom.mdesk.theme.ThemePhotography
telecom.mdesk.netfolder.component.MediaFilePickerS
telecom.mdesk.utils.IntentChooserActivity
telecom.mdesk.ChangeLogActivity
telecom.mdesk.floatwidget.assisitivetouch.AssistiveTouchControllActivity
telecom.mdesk.ShareChooserActivity
telecom.mdesk.appwidget.switches.switcher.IntentSwitcher$IntentProxyActivity
telecom.mdesk.account.AccountLogInActivity
telecom.mdesk.account.BindingPhoneNumberActivity
com.tencent.connect.avatar.ImageActivity
com.tencent.connect.common.AssistActivity
com.tencent.tauth.AuthActivity
telecom.mdesk.utils.download.downapk.DownloadAppActivity
telecom.mdesk.appmanager.LauncherDownloadAppActivity
telecom.mdesk.component.HelpAndFeedbackActivity
telecom.mdesk.component.PushDialogActivity
telecom.mdesk.widgetprovider.app.ui.BoutiqueAppPics
telecom.mdesk.widgetprovider.app.ui.NotificationActivity
telecom.mdesk.widgetprovider.app.activity.V2BoutiqueFragmentActivity
telecom.mdesk.widgetprovider.app.activity.V2BoutiqueSingleCategoryActivity
telecom.mdesk.widgetprovider.app.ui.V2BoutiqueAppDetail
telecom.mdesk.widgetprovider.app.appmgr.ui.V2AppManagerActivity
telecom.mdesk.widgetprovider.app.ui.V2AppSearchActivity
telecom.mdesk.widgetprovider.app.ui.V2BoutiqueAppSettingActivity
telecom.mdesk.widgetprovider.app.dldmgr.app.ui.HandleDeleteIntentAcitivity
telecom.mdesk.widgetprovider.app.ui.V2BannerSubjectActivity
telecom.mdesk.widgetprovider.app.appmgr.ui.BrowserActivity
telecom.mdesk.widgetprovider.app.ui.V2BoutiqueNearAppActivity
telecom.mdesk.widgetprovider.app.ui.V2NearRecommandAppActivity
telecom.mdesk.popupactivity.PopupActivity
telecom.mdesk.lockscreen.LockScreenIntegrationActivity
telecom.mdesk.account.task.DayTaskActivity
telecom.mdesk.account.addandinvite.InviteActivity
telecom.mdesk.account.addandinvite.AddFriendsActivity
telecom.mdesk.account.addandinvite.CTHomeUserSearchActivty
telecom.mdesk.lockscreen.LockScreenActivity
telecom.mdesk.wxapi.WXEntryActivity
telecom.mdesk.lockscreen.LockScreenShareActivity
telecom.mdesk.lockscreen.LockScreenSettingsActivity
telecom.mdesk.MdeskShakeDialogActity
telecom.mdesk.LauncherSettingFirstlyWizard
telecom.mdesk.SystemLockscreenClosingAlert
telecom.mdesk.LogCollectActivity
com.iflytek.voiceadsdemo.BannerAdActivity
com.iflytek.voiceadsdemo.InterstitialAdActivity
com.iflytek.voiceadsdemo.FullScreenAdActivity
com.huisuoping.ui.activity.LockScreenActivity
com.huisuoping.ui.activity.AppDetailActivity
com.huisuoping.ui.activity.CustomBrowserActivity
telecom.mdest.weather.WeatherActivity
telecom.mdest.weather.WeatherAddCityActivity
telecom.mdest.weather.WeatherAddedCityManagerActivity

telecom.mdesk.floatwidget.FloatWidgetService
telecom.mdesk.notification.StatusbarNotificationListenerService
telecom.mdesk.sync.SyncronizeService
telecom.mdesk.component.PushMessageService
telecom.mdesk.activities.goldenegg.GoldenEggIntentService
telecom.mdesk.activities.poker.PokerIntentService
telecom.mdesk.account.AccountManagerService
com.ct.ct10000.service.WidgetService
com.ct.ct10000.service.UpdateService
telecom.mdesk.checkremind.CheckVisitManagerService
telecom.mdesk.widgetprovider.app.dldmgr.app.impl.DownloadService
com.baidu.location.f
telecom.mdesk.appwidget.MdeskAppSearchWidgetRefresh
telecom.mdesk.lockscreen.LockScreenService
telecom.mdesk.stat.IntegralService
com.iflytek.voiceads.update.DownloadService
com.huisuoping.service.system.LockScreenService
telecom.mdesk.appwidget.weather.WeatherWidgetService
telecom.mdesk.appwidget.weather.WeatherManageService

telecom.mdesk.WallpaperChangedReceiver
telecom.mdesk.RestartReceiver
telecom.mdesk.others.SDCardUnmountReceiver
telecom.mdesk.component.itemcounter.NewItemCounterBrodcastReceiver
telecom.mdesk.UninstallShortcutReceiver
telecom.mdesk.sync.SimpleSmsReceiver
telecom.mdesk.sync.NewCallReceiver
telecom.mdesk.sync.BootupReceiver
telecom.mdesk.sync.ShutdownReceiver
telecom.mdesk.appmanager.DownloadInstallApkReceiver
telecom.mdesk.appmanager.DownloadInstallApkReceiver
telecom.mdesk.appmanager.DownloadInstallApkReceiver
telecom.mdesk.activities.poker.PokerBroadcastReceiver
com.ct.ct10000.service.ConnectivityReceiver
telecom.mdesk.appmanager.ChangeThemeReceiver
telecom.mdesk.checkremind.CheckReceiver
telecom.mdesk.appwidget.switches.DeviceAdminHandleReceiver
telecom.mdesk.widgetprovider.app.service.InstallReceiver
telecom.mdesk.widgetprovider.app.widget.V2WidgetProvider
com.ct.ct10000.widget.FlowWidget_4x2
com.ct.ct10000.service.NetworkStateBroadcast
telecom.mdesk.appwidget.switches.SwitchesAppWidget
telecom.mdesk.appwidget.search.SearchAppWidget
telecom.mdesk.appwidget.HotWordClickRecevier
telecom.mdesk.theme.ChangeSimReceiver
telecom.mdesk.advert.AdvertActionRecevier
telecom.mdesk.account.HappyDayAppWidget
telecom.mdesk.themesupport.WeatherAppWidget

telecom.mdesk.LauncherProvider
telecom.mdesk.utils.data.ApplicationExtInfoProvider
telecom.mdesk.utils.PreferenceProvider
telecom.mdesk.utils.download.DownloadProvider

第三方库

# 库名 介绍
0 com.db.chart Android library to create charts.
1 com.tencent.mm.sdk 微信支付
2 com.iflytek 讯飞开放平台作为全球首个开放的智能交互技术服务平台,致力于为开发者打造一站式智能人机交互解决方案。用户可通过互联网、移动互联网,使用任何设备、在任何时间、任何地点,随时随地享受讯飞开放平台提供的“听、说、读、写……”等全方位的人工智能服务。目前,开放平台以“云+端”的形式向开发者提供语音合成、语音识别、语音唤醒、语义理解、人脸识别、个性化彩铃、移动应用分析等多项服务。
3 com.tencent.connect 腾讯开放平台
4 com.sina.weibo 新浪微博开放平台(Weibo Open Platform)是基于新浪微博海量用户和强大的传播能力,接入第三方合作伙伴服务,向用户提供丰富应用和完善服务的开放平台。将你的服务接入微博平台,有助于推广产品,增加网站/应用的流量、拓展新用户,获得收益。
5 com.j256.ormlite ORMLite Android functionality used in conjunction with ormlite-core.
6 com.nostra13.universalimageloader Powerful and flexible library for loading, caching and displaying images on Android.
7 com.tencent.tauth 腾讯QQ互联平台为广大开发者整理了SDK列表,辅助开发者快速接入QQ登录、分享等功能。QQ互联是腾讯旗下的开放平台,通过QQ互联,网站主和开发者可以申请接入QQ登录、用户可以使用QQ账号登录接入的站点,通过添加分享和赞组件,将站点内容分享到QQ空间和朋友网,通过获取API授权,网站主还可以将用户操作同步到QQ空间和朋友网。
8 com.baidu.mobstat 百度移动统计SDK
9 com.viewpagerindicator Paging indicator widgets compatible with the ViewPager from the Android Support Library and ActionBarSherlock.

静态扫描发现风险点

风险等级 风险名称

中危

检测到当前标志被设置成true或没设置,这会导致adb调试备份允许恶意攻击者复制应用程序数据,造成数据泄露。

中危

检测到2处证书弱校验漏洞。

位置: classes.dex
com.tisson.c.g$1;
com.baidu.location.s$a$1;

当移动App客户端使用https或ssl/tls进行通信时,如果不校验证书的可信性,将存在中间人攻击漏洞,可导致信息泄露,传输数据被篡改,甚至通过中间人劫持将原有信息替换成恶意链接或恶意代码程序,以达到远程控制等攻击意图。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考案例:
www.wooyun.org/bugs/wooyun-2014-079358

参考资料:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

中危

检测到1处中间人攻击漏洞。

位置: classes.dex
com.baidu.location.s;->if(Lorg.apache.http.params.HttpParams;)Lorg.apache.http.client.HttpClient;

setHostnameVerifier方法设置ALLOW_ALL_HOSTNAME_VERIFIER,直接接受任意域名,可能造成中间人攻击漏洞。建议:
对SSL证书进行强校验,包括签名CA是否合法、证书是否是自签名、主机域名是否匹配、证书是否过期等。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

参考资料:
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

中危

该app需要移除大部分日志打印代码。
经扫描该包仍存在大量打日志代码,共发现238处打日志代码.(此处扫描的日志打印代码,是指调用android.util.Log.* 打印的.)
详情如下:

位置: classes.dex
telecom.mdesk.widgetprovider.update.c$1;->handleMessage(Landroid/os/Message;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.m;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->b()I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView;->setDefaultImage(Ljava/lang/Integer;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.receiver.UpgradeReceiver;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.c.a;->doInBackground([Ljava/lang/Object;)Ljava/lang/Object;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.c.a;->a(Lcom/ct/bri/wifi/sdk/daemon/a/b; Lcom/ct/bri/wifi/sdk/daemon/a/c;)Lcom/ct/bri/wifi/sdk/daemon/a/a;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.update.DownloadService;->a(Landroid/content/Intent;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.n;->a(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.d.d;->run()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.SearchAppWidget;->a(Landroid/content/Context;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.au;->a(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.V2BoutiqueAppDetail;->onSaveInstanceState(Landroid/os/Bundle;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.stericson.a.a;->a(Ljava/lang/String; Ljava/lang/String; I Ljava/lang/Exception;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.c;->c(Landroid/content/Context;)[D==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.b.m;->(Ljava/lang/String; Landroid/content/Context;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->e()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.s$2;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.g;->d()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.a.d;->onServiceConnected(Landroid/content/ComponentName; Landroid/os/IBinder;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.switches.switcher.LockScreenSwitcher$AddDeviceAdminProxyActivity;->onCreate(Landroid/os/Bundle;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.lockscreen.m;->a()Ljava/util/List;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.i;->f(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.n;->c(Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.a.e;->a()Ljava/lang/Void;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.a.a;->a(Ljava/util/ArrayList;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.g;->b(Landroid/content/Context;)Lcom/ct/bri/wifi/sdk/daemon/a/a;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.a.b;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.lockscreen.m;->a()Ljava/util/List;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.s$5;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.WeatherWidgetService$2;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->c(Landroid/database/sqlite/SQLiteDatabase; I)Ljava/util/List;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdest.weather.WeatherActivity$2;->a([Ltelecom/mdesk/q/b;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->setHeaderScroll(I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.service.CtbriWifiLocService;->onRebind(Landroid/content/Intent;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.b.f;->onCreate(Landroid/os/Bundle;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.AppSearchActivity;->a(Landroid/net/Uri;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.b.a;->a(I)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.EshoreAlertController;->a(Landroid/widget/LinearLayout; Landroid/widget/LinearLayout; Landroid/view/View; Z Z Landroid/view/View;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.MemoryCleanerTextView;->a(Landroid/graphics/Canvas; I I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I J J J Ljava/lang/String;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.a.d;->onServiceDisconnected(Landroid/content/ComponentName;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.commonlib.downloadmgr.b.b;->d(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context; Ljava/lang/String; J J J I Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.x;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$2$1;->onLoadingComplete(Ljava/lang/String; Landroid/view/View; Landroid/graphics/Bitmap;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.j;->a(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.util.e;->c(Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.au;->b(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.e.a.b;->b()Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.ah;->()V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.c;->a(Lcom/tencent/connect/b/n; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mm.sdk.platformtools.c;->b(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->setMode(Ltelecom/mdesk/news/widget/refreshLayout/c;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.aj$a;->X()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.ad;->onDestroy()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.PayByCardDialogActivity$3;->a(Lcom/ct/ct10000/b/j;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.a.k;->b(Ljava/lang/Object;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdest.weather.a.c;->a(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.n;->b(Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->onCreate(Landroid/database/sqlite/SQLiteDatabase;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.a.k;->d(Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdest.weather.WeatherActivity$2;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.e.a.b;->a()Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.commonlib.downloadmgr.b.b;->a(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdest.weather.WeatherActivity;->a()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.e.a.b;->a()Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->b()Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d$1;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.e.r;->d(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.c.b;->a()Lcom/ct/bri/wifi/sdk/daemon/b/k;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.switches.j;->a(I I Ljava/lang/Object;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.sina.weibo.sdk.utils.LogUtil;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.themesupport.WeatherAppWidget;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.d.d;->b(Landroid/content/Context; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.netfolder.component.MediaFilePicker;->onClick(Landroid/view/View;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.k;->a(Lcom/inveno/se/e/h; Z)[D==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.q.a$4;->a(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.util.j;->a(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.p;->a(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.sina.weibo.sdk.utils.LogUtil;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.FloatLayout;->onLayout(Z I I I I)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.TaskGuide$e;->onInterceptTouchEvent(Landroid/view/MotionEvent;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.util.e;->b(Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.view.a;->a(F)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->c(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.k;->onBindViewHolder(Landroid/support/v7/widget/RecyclerView$ViewHolder; I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mm.sdk.platformtools.c;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.update.PatchUtils;->a(Landroid/content/Context; Ltelecom/mdesk/widgetprovider/app/appmgr/entity/UpdatableApp;)Ljava/lang/String;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.stat.c;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.d.d;->a(Landroid/content/Context; Ljava/lang/String;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.inveno.se.f.a;->b(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.j256.ormlite.android.AndroidLog;->log(Lcom/j256/ormlite/logger/Log$Level; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.j256.ormlite.android.AndroidLog;->log(Lcom/j256/ormlite/logger/Log$Level; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.SearchAppWidget;->onAppWidgetOptionsChanged(Landroid/content/Context; Landroid/appwidget/AppWidgetManager; I Landroid/os/Bundle;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.view.RandomLayout;->onLayout(Z I I I I)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.util.c;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Z)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->a(Ltelecom/mdesk/news/widget/refreshLayout/k; [Z)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.MemoryCleanerTextView$2;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.switches.i;->a(Lcom/gandulf/guilib/drag/f; Z)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.lockscreen.c;->b()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->g(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->a(Landroid/database/sqlite/SQLiteDatabase; I)Ljava/util/List;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.themesupport.WeatherAppWidget;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.c.a;->a(Lcom/ct/bri/wifi/sdk/daemon/a/c; Lcom/ct/bri/wifi/sdk/daemon/a/b;)Lcom/ct/bri/wifi/sdk/daemon/a/a;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
cn.com.chinatelecom.account.a.d;->a(Ljava/lang/String; Ljava/lang/String;)[B==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.hdicondata.b;->a(Ljava/util/List;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.c;->if(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.e.a.b;->a(Lorg/simalliance/openmobileapi/Channel; [B I)Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.j256.ormlite.android.AndroidLog;->log(Lcom/j256/ormlite/logger/Log$Level; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.LocationClient;->setLocOption(Lcom/baidu/location/LocationClientOption;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.WeatherWidgetService;->onStartCommand(Landroid/content/Intent; I I)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.GetReverse;->getCooperService(Landroid/content/Context;)Lcom/baidu/mobstat/ICooperService;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.q.a$2;->onReceiveLocation(Lcom/baidu/location/BDLocation;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$2;->onLoadingCancelled(Ljava/lang/String; Landroid/view/View;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.update.b;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.a.c;->a(Ljava/lang/String; Ltelecom/mdesk/utils/http/Request;)Lorg/apache/http/client/methods/HttpPost;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.SearchAppWidget;->onUpdate(Landroid/content/Context; Landroid/appwidget/AppWidgetManager; [I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.m;->a(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.v;->handleMessage(Landroid/os/Message;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.sniff.h;->a([Lcom/ct/bri/wifi/sdk/daemon/a/a;)Ljava/lang/Void;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.MemoryCleanerTextView;->onClick(Landroid/view/View;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.a.b;->a()Lcom/ct/a/a;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->onSizeChanged(I I I I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
cn.com.chinatelecom.account.lib.ct.Authorizer;->eSurfingLogin(I I I Z)Lcn/com/chinatelecom/account/lib/apk/AuthResult;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.a.c;->onLoadResource(Landroid/webkit/WebView; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.account.CustomScrollView;->dispatchTouchEvent(Landroid/view/MotionEvent;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.i;->onBindViewHolder(Landroid/support/v7/widget/RecyclerView$ViewHolder; I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a(Ljava/util/ArrayList;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.service.CtbriWifiLocService;->onUnbind(Landroid/content/Intent;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->c()Ljava/util/List;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.a.b;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.inveno.se.volley.y;->c(Ljava/lang/String; [Ljava/lang/Object;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.a.c;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.ui.h;->(Landroid/content/Context;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.e.r;->e(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.c.b;->b(Lcom/ct/bri/wifi/sdk/daemon/a/c;)Lcom/ct/bri/wifi/sdk/daemon/b/g;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.e;->(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.WeatherWidgetService$3;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.s$1;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.commonlib.downloadmgr.b.b;->b(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.b.b;->a(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.p;->a(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->onUpgrade(Landroid/database/sqlite/SQLiteDatabase; I I)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$2;->onLoadingFailed(Ljava/lang/String; Landroid/view/View; Lcom/nostra13/universalimageloader/core/assist/FailReason;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.PayByCardDialogActivity;->onCreate(Landroid/os/Bundle;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.q;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.n;->a(Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->d()Ljava/util/ArrayList;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.c.a;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/b;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.stat.IntegralService;->onStartCommand(Landroid/content/Intent; I I)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context; Ljava/lang/String; J J J I Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.l;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.sina.weibo.sdk.utils.LogUtil;->w(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.MdeskAppSearchWidgetRefresh$2;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.a.k;->f(Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.util.j;->c(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.MdeskAppSearchWidgetRefresh;->a(Ltelecom/mdesk/appwidget/MdeskAppSearchWidgetRefresh; Ltelecom/mdesk/utils/http/data/Array;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tisson.a.a;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Ljava/util/Map;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->b(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.au;->c(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.LocationClient$1;->onServiceConnected(Landroid/content/ComponentName; Landroid/os/IBinder;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.au;->e(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->onUpgrade(Landroid/database/sqlite/SQLiteDatabase; I I)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tisson.c.a$1;->onClick(Landroid/content/DialogInterface; I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.commonlib.downloadmgr.b.b;->e(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.a.k;->a(Ljava/lang/Exception;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.j$a;->(Lcom/baidu/location/j; Landroid/os/Message;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.e.r;->c(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.TaskGuide$e;->onTouchEvent(Landroid/view/MotionEvent;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I J J J Ljava/lang/String;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.s$4;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.util.e;->a(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.c;->if(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.e.r;->a(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->a()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.stat.a.k;->a(Ljava/lang/Object;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.n;->a(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
cn.com.chinatelecom.account.lib.ct.Authorizer;->getCTPassSign(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I)Ljava/lang/String;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.sniff.a;->a(Lcom/ct/bri/wifi/sdk/daemon/a/a;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.V2BannerSubjectActivity;->onSaveInstanceState(Landroid/os/Bundle;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.mm.sdk.platformtools.c;->c(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.d.b;->a(Ljava/lang/String; [B)[B==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.WeatherWidgetService;->onReceiveLocation(Lcom/baidu/location/BDLocation;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.j256.ormlite.android.AndroidLog;->log(Lcom/j256/ormlite/logger/Log$Level; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.com.chinatelecom.account.a.e;->e(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d$1;->run()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.connect.c.b$2;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.e.r;->b(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.c;->onCreate(Landroid/database/sqlite/SQLiteDatabase;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.ui.V2AppManagerActivity$13$1;->run()V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.daemon.sniff.d;->(Landroid/content/Context;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.hdicondata.b;->b(Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.inveno.se.f.a;->a(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.widget.V2WebView;->destroy()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.ad;->onCreate(Landroid/content/Context;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.lockscreen.LockScreenBgView;->setBg(Landroid/graphics/Bitmap;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdest.weather.WeatherActivity$2;->a(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.q.a;->a(Ltelecom/mdesk/q/a; Ljava/lang/String; Ltelecom/mdesk/utils/http/Response; Ltelecom/mdesk/q/e;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.d.d;->b(Landroid/content/Context; Ljava/lang/String;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.a.c;->a(Ljava/lang/String; Ltelecom/mdesk/utils/http/Data; Ltelecom/mdesk/appwidget/weather/g;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.appmgr.ui.i;->(Landroid/content/Context;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.m;->a(Landroid/content/Context;)Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.weather.WeatherWidgetService;->b()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.commonlib.downloadmgr.b.b;->c(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.sdk.a.d;->b(Landroid/database/sqlite/SQLiteDatabase; I)Lcom/ct/bri/wifi/sdk/a/c;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.util.j;->b(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.location.s$3;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.au;->d(Ljava/lang/String; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.ct.bri.wifi.service.CtbriWifiLocService;->onBind(Landroid/content/Intent;)Landroid/os/IBinder;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.MemoryCleanerTextView$1;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.wxapi.WXEntryActivity;->a(Lcom/tencent/mm/sdk/openapi/b;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.AllAppsIndexedView;->a(I I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$1;->onLoadingComplete(Ljava/lang/String; Landroid/view/View; Landroid/graphics/Bitmap;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.utils.ag;->a()Ltelecom/mdesk/utils/ag;==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->c()Ljava/util/ArrayList;==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$2;->onLoadingStarted(Ljava/lang/String; Landroid/view/View;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.stericson.a.d.c;->a(Lcom/stericson/a/c/a;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.appwidget.search.SearchAppWidget;->b(Landroid/content/Context;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.baidu.mobstat.util.c;->c(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.m;->a(Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context; I)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.j.b;->h(Landroid/content/Context;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.ct.ct10000.PayByCardDialogActivity$1;->a(Lcom/ct/ct10000/b/j;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.widget.refreshLayout.PullToRefreshBase;->addView(Landroid/view/View; I Landroid/view/ViewGroup$LayoutParams;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.b;->run()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.d;->a(Landroid/content/Context;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.iflytek.voiceads.g.h;->f(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.widgetprovider.app.ui.CircleImageView$2;->onLoadingComplete(Ljava/lang/String; Landroid/view/View; Landroid/graphics/Bitmap;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
telecom.mdesk.news.i;->a(Lcom/inveno/se/e/h; Z)[D==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.sina.weibo.sdk.utils.LogUtil;->i(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.c.j;->a(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.tencent.open.a.b;->a()Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I

中危

检测到6个WebView远程执行漏洞。

位置: classes.dex
cn.com.chinatelecom.account.lib.ct.DownloadApkActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.news.NewsDetailCustomWebViewActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.component.WebviewActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.news.NewsDetailCustomWebViewActivity$8;->a(Ljava.lang.Object;)V
telecom.mdesk.theme.ThemeTabRingActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.widgetprovider.app.appmgr.ui.BaseBrowserActivity;->a()V

Android API < 17之前版本存在远程代码执行安全漏洞,该漏洞源于程序没有正确限制使用addJavaScriptInterface方法,攻击者可以通过Java反射利用该漏洞执行任意Java对象的方法,导致远程代码执行安全漏洞。
(1)API等于高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

中危

检测到190条敏感明文信息,建议移除。

位置: classes.dex
'10.0.0.172' used in: Lcom/baidu/location/s;->()V
'10.0.0.172' used in: Ltelecom/mdesk/utils/a/c;->()V
'10.0.0.172' used in: Lcom/tencent/stat/a/i;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.172' used in: Lcom/baidu/mobstat/util/c;->()V
'10.0.0.172' used in: Lcom/baidu/location/s;->if(Landroid/content/Context; Landroid/net/NetworkInfo;)I
'10.0.0.200' used in: Lcom/tencent/stat/a/i;->a(Landroid/content/Context;)Lorg/apache/http/HttpHost;
'10.0.0.200' used in: Ltelecom/mdesk/utils/a/d;->()V
'10.0.0.200' used in: Lcom/baidu/mobstat/util/c;->()V
'10.0.0.200' used in: Lcom/baidu/location/s;->if(Landroid/content/Context; Landroid/net/NetworkInfo;)I
'Epay@bestpay.cn' used in: Lcom/ct/ct10000/PayOnLineActivity$3;->run()V
'ctnet@mycdma.cn' used in: Ltelecom/mdesk/utils/a/d;->()V
'ctwap@mycdma.cn' used in: Ltelecom/mdesk/utils/a/d;->()V
'file:///android_asset/news_detail_index.html' used in: Ltelecom/mdesk/news/NewsDetailCustomWebViewActivity$8;->a(Ljava/lang/Object;)V
'http://(([a-zA-z0-9]|-){1,}\\.){1,}[a-zA-z0-9]{1,}-*' used in: Lcom/inveno/se/e/h;->a(Lorg/json/JSONObject;)Lcom/inveno/se/e/h;
'http://116.228.55.155:6060/commonserver/query?sid=115&restype=json&cenx=' used in: Lcn/com/chinatelecom/account/lib/apk/i;->doInBackground([Ljava/lang/Object;)Ljava/lang/Object;
'http://124.127.116.142/rest1.php' used in: Lcom/ct/bri/wifi/sdk/daemon/c;->a(Ljava/lang/Throwable;)Ljava/lang/String;
'http://124.127.116.142/rest1.php' used in: Lcom/ct/bri/wifi/sdk/daemon/d/d;->run()V
'http://59travel.205.5ghl.cn/server.jar' used in: Lcom/baidu/mobstat/Download;->(Landroid/content/Context;)V
'http://a.app.qq.com/o/simple.jsp?pkgname=telecom.mdesk&g_f=991653' used in: Ltelecom/mdesk/MyLauncherSettings$2$1;->a(Ltelecom/mdesk/m/g; I)V
'http://a.app.qq.com/o/simple.jsp?pkgname=telecom.mdesk&g_f=991653' used in: Ltelecom/mdesk/goldenegg/GoldenEggDialogContainerActivity$10;->a(Ltelecom/mdesk/m/g; I)V
'http://ads.voiceads.cn/ad/report/v2' used in: Lcom/iflytek/voiceads/d/b;->()V
'http://ads.voiceads.cn/ad/request' used in: Lcom/iflytek/voiceads/d/b;->()V
'http://app.sina.cn/appdetail.php?appID=84560' used in: Lcom/sina/weibo/sdk/api/share/WeiboDownloader;->downloadWeibo(Landroid/content/Context;)V
'http://appsupport.qq.com/cgi-bin/qzapps/mapp_addapp.cgi' used in: Lcom/tencent/connect/b/b;->(Lcom/tencent/connect/b/a; Lcom/tencent/tauth/b;)V
'http://baidu.com' used in: Ltelecom/mdesk/Launcher;->a(I Landroid/view/View;)V
'http://baidu.com/dynamic?' used in: Lcom/baidu/mobstat/ak;->b(Landroid/content/Context; Ljava/io/File;)V
'http://cgi.connect.qq.com/qqconnectopen/openapi/policy_conf' used in: Lcom/tencent/c/i$1;->run()V
'http://cgi.connect.qq.com/qqconnectutil/sdk' used in: Lcom/tencent/connect/b/m;->(Ljava/lang/String; Landroid/content/Context;)V
'http://cgi.qplus.com/report/report' used in: Lcom/tencent/c/m$1;->run()V
'http://chat10.live800.com/live800/chatClient/chatbox.jsp?companyID=380510&configID=189309&jid=1596154749' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://ct10000w.189qas.com/CHMOService/api' used in: Lcom/ct/ct10000/util/f;->()V
'http://e.189.cn/help/eaccount.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->(Landroid/content/Context;)V
'http://e.189.cn/help/eaccount.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->getLatestAccountAPK()V
'http://e.189.cn/help/end.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->(Landroid/content/Context;)V
'http://e.189.cn/help/end.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->getLatestAccountAPK()V
'http://e.189.cn/wap/centre.do' used in: Lcn/com/chinatelecom/account/lib/ct/h;->(Landroid/content/Context;)V
'http://e.189.cn/wap/login.do' used in: Lcn/com/chinatelecom/account/lib/ct/h;->(Landroid/content/Context;)V
'http://fancy.189.cn/integralexplain.html' used in: Ltelecom/mdesk/widgetprovider/app/ui/V2BoutiqueAppDetail$9;->onClick(Landroid/view/View;)V
'http://fancy.189.cn/portal/app/download/1108749' used in: Lcom/tisson/c/a$1;->onClick(Landroid/content/DialogInterface; I)V
'http://fancy.189.cn/portal/flow/list?token=' used in: Ltelecom/mdesk/widgetprovider/app/e/f;->()V
'http://fancy.189.cn/portal/getclientapk' used in: Ltelecom/mdesk/goldenegg/GoldenEggDialogContainerActivity;->a(Landroid/net/Uri; Ltelecom/mdesk/utils/http/data/GoldenEggReward;)V
'http://fancy.189.cn/portal/goods/list?login=true&forceLogin=true' used in: Ltelecom/mdesk/widgetprovider/app/e/f;->()V
'http://fancy.189.cn/portal/wap/mdesk' used in: Ltelecom/mdesk/theme/az;->a(Landroid/graphics/Bitmap; Ltelecom/mdesk/b/b; I)Ltelecom/mdesk/m/g;
'http://fancy.189.cn/portal/wap/recommend/app/detailspk/#APPPKG#?type=5' used in: Ltelecom/mdesk/widgetprovider/app/e/f;->()V
'http://fancy.189.cn/res/apprepo/2537/telecom.mdesk/16168/icon.png' used in: Ltelecom/mdesk/account/IntegralInviteUserActivity;->onClick(Landroid/view/View;)V
'http://fancy.189.cn/service/duibaapi/tourl' used in: Ltelecom/mdesk/lockscreen/LockScreenIntegrationActivity;->()V
'http://fancy.189.cn/service/request' used in: Lcom/c/a/b/b;->a(Landroid/content/Context; Ljava/util/List;)Ljava/lang/String;
'http://fancy.189.cn/service/request' used in: Ltelecom/mdesk/widgetprovider/app/e/f;->()V
'http://fancy.189.cn/service/request' used in: Lcom/c/a/b/b;->a(Landroid/content/Context; Ljava/lang/String; I)Lcom/c/a/a;
'http://fancy.189.cn:8000/mdeskocr/uploadimg.do' used in: Lnet/bitquill/ocr/b;->a(Lnet/bitquill/ocr/b; Landroid/graphics/Bitmap;)V
'http://go.uc.cn/page/hao/ucmeng2?source=fancy' used in: Ltelecom/mdesk/appwidget/search/LauncherAppSearch2Activity;->a()V
'http://help.21cn.com/feedback/addFeedback.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://hmma.baidu.com/app.gif' used in: Lcom/baidu/mobstat/DataCore;->sendLogData(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)Z
'http://hmma.baidu.com/app.gif' used in: Lcom/baidu/mobstat/CooperService;->getHost()Ljava/lang/String;
'http://jfsj.fancy.189.cn/statisGether/androidGzipGether.html' used in: Lcom/d/b/e/a;->e()V
'http://kuikui.javaeye.com#Intent;action=android.intent.action.VIEW;end' used in: Ltelecom/mdesk/eb;->b([Ljava/util/Map;)[Ljava/util/Map;
'http://lb.21cn.com/api/getUserCoin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://lb.21cn.com/api/getUserEarningList.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://lba.baidu.com/' used in: Lcom/baidu/location/BDLocation;->getAdUrl(Ljava/lang/String;)Ljava/lang/String;
'http://loc.map.baidu.com/fence' used in: Lcom/baidu/location/a4$a;->X()V
'http://loc.map.baidu.com/fence' used in: Lcom/baidu/location/ay$b;->X()V
'http://loc.map.baidu.com/oqur.php' used in: Lcom/baidu/location/c;->()V
'http://loc.map.baidu.com/sdk.php' used in: Lcom/baidu/location/c;->()V
'http://loc.map.baidu.com/sdk_ep.php' used in: Lcom/baidu/location/c;->()V
'http://loc.map.baidu.com/tcu.php' used in: Lcom/baidu/location/c;->()V
'http://loc.map.baidu.com/user_err.php' used in: Lcom/baidu/location/c;->()V
'http://locate.189.cn:7070/lsmp/rest/locate' used in: Lcom/ct/bri/wifi/sdk/daemon/c/a;->a(Lcom/ct/bri/wifi/sdk/daemon/a/c; Lcom/ct/bri/wifi/sdk/daemon/a/b;)Lcom/ct/bri/wifi/sdk/daemon/a/a;
'http://locate.189.cn:7070/lsmp/rest/locate' used in: Lcom/ct/bri/wifi/sdk/daemon/c/a;->a(Lcom/ct/bri/wifi/sdk/daemon/a/b; Lcom/ct/bri/wifi/sdk/daemon/a/c;)Lcom/ct/bri/wifi/sdk/daemon/a/a;
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/AppSearchActivity;->()V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/AppSearchActivity;->onResume()V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/LauncherAppSearch2Activity;->c()V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/AppSearchActivity;->onClick(Landroid/view/View;)V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/SearchActivity;->onCreate(Landroid/os/Bundle;)V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/widgetprovider/app/ui/V2AppSearchActivity;->onClick(Landroid/view/View;)V
'http://m.baidu.com/s?from=1002026a&word=' used in: Ltelecom/mdesk/appwidget/search/AppSearchActivity;->L(Ltelecom/mdesk/appwidget/search/AppSearchActivity;)V
'http://m.baidu.com/su?from=1002026a&wd=' used in: Ltelecom/mdesk/appwidget/search/x;->b(Ljava/lang/String;)Ljava/util/List;
'http://m.diyring.cc/friend/5cd7c555889ea0c7' used in: Ltelecom/mdesk/theme/ThemeTabRingActivity;->onCreate(Landroid/os/Bundle;)V
'http://open.e.189.cn/api/account/bindMasterMobile.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/captcha.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/findPwd.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/generateQrcodeImg.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/getQrCodeUUID.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/getTokenByCookie.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/getUserInfo.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->qrUserInfo(Lcn/com/chinatelecom/account/lib/apk/QueryUserInfoParam;)Lcn/com/chinatelecom/account/lib/apk/QueryUserInfoResult;
'http://open.e.189.cn/api/account/getUserInfo.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/getUserInfoByName.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/isUserNameExist.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/login.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/loginByIMSI.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/loginLog.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/mailLogin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/mergeAccount.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/qrCodeLogin.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->qrCodeLogin(Lcn/com/chinatelecom/account/lib/apk/QrCodeloginParamForCT;)Lcn/com/chinatelecom/account/lib/apk/QrCodeloginResult;
'http://open.e.189.cn/api/account/qrCodeLogin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/qrcodeLoginResult.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/queryCTPackage.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/queryCTUserBill.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/queryCTUserCurrentBalance.do ' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/queryTc.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/queryUserId.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/register.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/registerAccount.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/ssoForClient.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/unifyLessLogin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/updatePwd.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/updateUserInfo.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/updateUserName.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/account/uploadPhoto.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/authorized/issueAccessToken.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/authorized/queryList.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/authorized/queryStatus.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/authorized/revoke.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/basePlatform/checkAccessToken.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/accountSetStates.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/authAccessToken.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/autoLogin.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->eSurfingLogin(I I I Z)Lcn/com/chinatelecom/account/lib/apk/AuthResult;
'http://open.e.189.cn/api/clientSuit/autoLogin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/checkSysMessage.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/checkUpdate.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/downloadSuit.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/evaluateSecurityLevel.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/getAccountInfo.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/getCaptcha.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/getLoginLog.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/getSecurityScore.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/getSyncAppConfig.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/login.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/queryMDNByIMSI.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->getMobileByImsi(Ljava/lang/String; Ljava/lang/String;)Lcn/com/chinatelecom/account/lib/apk/GetMobileByImsiResult;
'http://open.e.189.cn/api/clientSuit/queryMDNByIMSI.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/recomendAppDetail.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/recomendAppList.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/tysuitBindMobile.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/uploadInstallStates.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/uploadLogs.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->(Landroid/content/Context;)V
'http://open.e.189.cn/api/clientSuit/uploadLogs.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->uploadStatInfo(Lcn/com/chinatelecom/account/lib/apk/UploadStatInfoCTParam;)Lcn/com/chinatelecom/account/lib/apk/UploadResult;
'http://open.e.189.cn/api/clientSuit/uploadLogs.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/lib/apk/u;->a(I Ljava/lang/String; Ljava/lang/String; Lorg/json/JSONObject;)V
'http://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/lib/apk/u;->a(I Ljava/lang/String; Ljava/lang/String; Lorg/json/JSONObject; Ljava/lang/String;)V
'http://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/lib/apk/u;->(Landroid/content/Context;)V
'http://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/lib/apk/u;->a(I I Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)V
'http://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/clientSuit/verify189Pwd.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/message/issueVerifyCode.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/message/messageRemain.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/message/sendMsg.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/message/sendMsgPassport.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/oneKeyLogin/getLoginCmd.do' used in: Lcn/com/chinatelecom/account/lib/apk/k;->e()Lcn/com/chinatelecom/account/lib/apk/AccessTokenResult;
'http://open.e.189.cn/api/oneKeyLogin/getLoginCmd.do' used in: Lcn/com/chinatelecom/account/lib/apk/k;->b()Ljava/lang/String;
'http://open.e.189.cn/api/oneKeyLogin/getLoginCmd.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/oneKeyLogin/login.do' used in: Lcn/com/chinatelecom/account/lib/apk/k;->e()Lcn/com/chinatelecom/account/lib/apk/AccessTokenResult;
'http://open.e.189.cn/api/oneKeyLogin/login.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/pay/getPaySign.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/pay/sdkSubmit.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/statistics/activationLog.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://open.e.189.cn/api/statistics/activeLog.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'http://openmobile.qq.com/api/check?page=shareindex.html&style=9' used in: Lcom/tencent/connect/c/a;->a(Landroid/app/Activity; Landroid/os/Bundle; Lcom/tencent/tauth/b;)V
'http://pingma.qq.com:80/mstat/report' used in: Lcom/tencent/stat/b;->()V
'http://qzs.qq.com' used in: Lcom/tencent/connect/b/a;->a(Landroid/content/Context;)V
'http://schemas.android.com/apk/res/android' used in: Ltelecom/mdesk/appwidget/j;->a(Landroid/content/ComponentName; Landroid/content/pm/ResolveInfo;)Ltelecom/mdesk/appwidget/n;
'http://tipsdk.baidu.com' used in: Lcom/baidu/kirin/KirinConfig;->()V
'http://upload.189qas.com/statisGether/androidGzipGether.html' used in: Lcom/d/a/e/a;->e()V
'http://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/a/d;->a(Landroid/content/Context; Ljava/lang/String;)V
'http://www.10010.com/' used in: Lcom/ct/ct10000/OtherNetTipActivity;->onClick(Landroid/view/View;)V
'http://www.10086.cn/' used in: Lcom/ct/ct10000/OtherNetTipActivity;->onClick(Landroid/view/View;)V
'http://www.189.cn' used in: Lcom/ct/ct10000/LauncherDialogActivity;->onClick(Landroid/view/View;)V
'http://www.weibo.com' used in: Ltelecom/mdesk/account/AccountLogInActivity;->onCreate(Landroid/os/Bundle;)V
'http://www.weibo.com' used in: Ltelecom/mdesk/account/d;->onClick(Landroid/view/View;)V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Ltelecom/mdesk/gv;->d()V
'http://xmlpull.org/v1/doc/features.html#indent-output' used in: Lmobi/intuitit/android/a/a/a;->setFeature(Ljava/lang/String; Z)V
'https://bjtianyi.inveno.com/' used in: Lcom/inveno/se/f/i;->()V
'https://client.bestpay.com.cn:8091/MEPF_INF2/phonebusiness' used in: Lcom/tisson/c/c;->a(Ljava/util/List; Landroid/content/Context;)Ljava/lang/String;
'https://open.e.189.cn/api/account/udbSSO.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/account/unifyAccountCheck.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/account/unifyAccountLogin.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/account/unifyAccountLogout.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/clientSuit/uploadResponseLog.do' used in: Lcn/com/chinatelecom/account/lib/apk/u;->(Landroid/content/Context;)V
'https://open.e.189.cn/api/clientSuit/wapLogin4ct.do' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->getWapLogin4ctDo(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I)Lcn/com/chinatelecom/account/lib/apk/d;
'https://open.e.189.cn/api/clientSuit/wapLogin4ct.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/clientSuit/wapLogin4third.do' used in: Lcn/com/chinatelecom/account/a/c;->()V
'https://open.e.189.cn/api/oauth2/accessSuitToken.do' used in: Lcn/com/chinatelecom/account/lib/ct/h;->(Landroid/content/Context;)V
'https://open.e.189.cn/api/oauth2/accessSuitToken.do?clientId=' used in: Lcn/com/chinatelecom/account/lib/ct/h;->c()V
'https://open.e.189.cn/api/oauthLoginSuitCallBack.jsp' used in: Lcn/com/chinatelecom/account/lib/ct/Authorizer;->getWapLogin4ctDo(Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; I)Lcn/com/chinatelecom/account/lib/apk/d;
'https://open.weibo.cn/oauth2/authorize?' used in: Lcom/sina/weibo/sdk/auth/WeiboAuth;->startDialog(Lcom/sina/weibo/sdk/auth/WeiboAuthListener; I)V
'https://openmobile.qq.com/' used in: Lcom/tencent/c/c;->a(Lcom/tencent/connect/b/n; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://openmobile.qq.com/oauth2.0/m_authorize?' used in: Lcom/tencent/connect/b/a;->a(Landroid/app/Activity; Ljava/lang/String; Lcom/tencent/tauth/b; Z)I
'https://openmobile.qq.com/user/user_login_statis' used in: Lcom/tencent/connect/b/a;->a(Lcom/tencent/connect/b/a; Ljava/lang/String;)V
'https://sapi.skyhookwireless.com/wps2/location' used in: Lcom/baidu/location/c;->()V
'javascript:loadCommentFailed()' used in: Ltelecom/mdesk/news/NewsDetailCustomWebViewActivity$9$1;->run()V
'javascript:loadCommentSuccessed(' used in: Ltelecom/mdesk/news/NewsDetailCustomWebViewActivity$9$2;->run()V
'javascript:setUserComment("' used in: Ltelecom/mdesk/news/NewsDetailCustomWebViewActivity$10$1$1;->run()V

中危

检测到15处setSavePassword密码明文存储漏洞。

位置: classes.dex
cn.com.chinatelecom.account.lib.ct.h;
telecom.mdesk.widgetprovider.app.appmgr.ui.BaseBrowserActivity;
telecom.mdesk.appwidget.search.LauncherAppSearch2Activity;
telecom.mdesk.component.WebviewActivity;
com.tencent.connect.b.a;
com.iflytek.voiceads.d.e;
com.iflytek.voiceads.view.AdView;
telecom.mdesk.news.NewsDetailCustomWebViewActivity$8;
telecom.mdesk.theme.ThemeTabRingActivity;
telecom.mdesk.account.bc;
com.ct.ct10000.OrderFlowDialogActivity;
telecom.mdesk.news.NewsDetailWebViewActivity;
com.baidu.mobstat.StatService;
telecom.mdesk.news.NewsDetailCustomWebViewActivity;
telecom.mdesk.widgetprovider.app.widget.V2WebView;

webview的保存密码功能默认设置为true。Webview会明文保存网站上的密码到本地私有文件”databases/webview.db”中。对于可以被root的系统环境或者配合其他漏洞(如webview的同源绕过漏洞),攻击者可以获取到用户密码。
建议:显示设置webView.getSetting().setSavePassword(false)。

参考案例:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

参考资料:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

低危

检测到10个WebView系统隐藏接口未移除。

位置: classes.dex
com.ct.ct10000.OrderFlowDialogActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.component.WebviewActivity;->onCreate(Landroid.os.Bundle;)V
com.tencent.connect.b.a;->a(Landroid.content.Context;)V
telecom.mdesk.theme.ThemeTabRingActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.news.NewsDetailCustomWebViewActivity$8;->a(Ljava.lang.Object;)V
com.iflytek.voiceads.d.e;->s(Landroid.content.Context;)Ljava.lang.String;
com.tencent.connect.b.f;->onCreate(Landroid.os.Bundle;)V
com.baidu.mobstat.StatService;->bindJSInterface(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebViewClient;)V
com.sina.weibo.sdk.auth.WeiboDialog;->initWebView()V
telecom.mdesk.account.bc;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;

android webview组件包含3个隐藏的系统接口:searchBoxJavaBridge_,accessibilityTraversal以及accessibility,恶意程序可以利用它们实现远程代码执行。
如果使用了WebView,那么使用WebView.removeJavascriptInterface(String name) API,显示的移除searchBoxJavaBridge_、accessibility、accessibilityTraversal这三个接口。

参考资料:
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

低危

检测15处Intent Scheme URI漏洞。

位置: classes.dex
Ltelecom/mdesk/s;->(Landroid/content/ContentValues;)V
Ltelecom/mdesk/UninstallShortcutReceiver;->onReceive(Landroid/content/Context; Landroid/content/Intent;)V
Ltelecom/mdesk/eb;->b(Landroid/content/Context; [Ljava/util/Map;)[Ljava/util/Map;
Ltelecom/mdesk/eb;->b(Landroid/content/Context; [Ljava/util/Map;)[Ljava/util/Map;
Ltelecom/mdesk/ej;->a(Landroid/content/ContentResolver; Ltelecom/mdesk/Launcher; Landroid/content/pm/PackageManager;)V
Ltelecom/mdesk/ej;->c()V
Ltelecom/mdesk/ej;->c()V
Ltelecom/mdesk/em;->a(Landroid/database/Cursor;)Ljava/util/List;
Ltelecom/mdesk/em;->a(Landroid/content/Context; Landroid/database/sqlite/SQLiteDatabase; Landroid/content/ContentValues; Landroid/content/res/TypedArray;)Z
Ltelecom/mdesk/em;->a(Landroid/content/Context; Landroid/database/sqlite/SQLiteDatabase; Landroid/content/ContentValues; Landroid/content/res/TypedArray; J)Z
Ltelecom/mdesk/em;->a(Ljava/lang/String; Landroid/content/res/TypedArray; I)Z
Ltelecom/mdesk/em;->e(Landroid/database/sqlite/SQLiteDatabase;)V
Ltelecom/mdesk/em;->j(Landroid/database/sqlite/SQLiteDatabase;)V
Ltelecom/mdesk/floatwidget/assisitivetouch/k;->a(Landroid/database/sqlite/SQLiteDatabase; Landroid/content/Context;)Landroid/util/SparseArray;
Ltelecom/mdesk/widget/ActivityContainerView;->setActivityIntent(Ljava/lang/CharSequence;)V


Intent Scheme URI是一种特殊的URL格式,用来通过Web页面启动已安装应用的Activity组件,大多数主流浏览器都支持此功能。如果在app中,没有检查获取到的load_url的值,攻击者可以构造钓鱼网站,诱导用户点击加载,就可以盗取用户信息。所以,对Intent URI的处理不当时,就会导致基于Intent的攻击。建议:
如果使用了Intent.parseUri函数,获取的intent必须严格过滤,intent至少包含addCategory(“android.intent.category.BROWSABLE”),setComponent(null),setSelector(null)3个策略。

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

低危

检测到3处AES/DES弱加密风险。

位置: classes.dex
Lcom/baidu/mobstat/util/a;->a(Ljava/lang/String; [B)[B
com.baidu.mobstat.util.a;->b(Ljava.lang.String; [B)[B
com.tencent.mm.sdk.platformtools.d;->a(Ljava.io.PrintStream; [B Ljava.lang.String; Ljava.lang.String;)V

使用AES/DES/DESede加密算法时,如果使用ECB模式,容易受到攻击风险,造成信息泄露。建议在使用AES/DES/DESede加密算法时,应显示指定使用CBC或CFB加密模式

参考资料:
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

低危

非debug包,需要通过打包平台proguard脚本,移除大部分系统输出代码。
经扫描该包仍存在大量系统输出代码,共发现17处系统输出代码.(此处扫描的系统输出代码,是指调用System.out.print*输出的,本应在打包平台移除的系统输出代码.)
各个bundle系统输出代码详情如下:

位置: classes.dex
com.baidu.mobstat.aw;
com.sina.weibo.sdk.utils.MD5;
com.tisson.c.c;
com.baidu.mobstat.g;
telecom.mdest.weather.c.c;
com.inveno.se.f.d;
com.baidu.mobstat.f;
cn.com.chinatelecom.account.b.c;
telecom.mdesk.news.m;
com.ct.bri.wifi.sdk.a.b;
com.nostra13.universalimageloader.cache.disc.impl.ext.DiskLruCache;
telecom.mdesk.widgetprovider.app.appmgr.d.a;
cn.com.chinatelecom.account.b.e;
com.tencent.c.m;
b.a.a.b.h;
com.baidu.mobstat.k;
telecom.mdesk.utils.http.c;

警告

检测到58处addFlags使用Intent.FLAG_ACTIVITY_NEW_TASK。

位置: classes.dex
telecom.mdesk.appwidget.weather.f;->a
com.ct.ct10000.service.WidgetService;->a
com.ct.ct10000.widget.FlowWidget;->onReceive
telecom.mdesk.floatwidget.assisitivetouch.AssistiveTouchControllActivity;->a
telecom.mdesk.widgetprovider.app.receiver.UpgradeReceiver;->onReceive
telecom.mdesk.activities.goldenegg.GoldenEggRecordActivity;->a
telecom.mdesk.account.AccountLogInActivity;->a
telecom.mdesk.floatwidget.assisitivetouch.AssistiveTouchControllActivity;->b
telecom.mdesk.account.AccountLogInActivity;->b
com.ct.ct10000.LauncherDialogActivity;->onClick
telecom.mdesk.Launcher;->b
com.ct.ct10000.CT10000MainActivity$2;->a
telecom.mdesk.utils.bt;->a
com.tencent.c.m;->a
telecom.mdesk.activities.poker.PokerIntentService;->onHandleIntent
telecom.mdesk.appwidget.switches.switcher.IntentSwitcher$IntentProxyActivity;->a
telecom.mdesk.theme.df;->shouldOverrideUrlLoading
com.ct.ct10000.LauncherDialogActivity$7;->a
telecom.mdesk.account.i;->c
com.ct.ct10000.LauncherDialogActivity;->c
com.ct.ct10000.widget.FlowWidget_4x2;->onReceive
telecom.mdesk.utils.http.l;->a
telecom.mdesk.component.OneClickShootCameraActivity;->a
cn.com.chinatelecom.account.lib.ct.Authorizer;->webTouchDownLoad
telecom.mdesk.account.HappyDayAppWidget;->c
telecom.mdesk.lockscreen.TransparentLockScreenView;->b
telecom.mdesk.advert.AdvertActionRecevier;->onReceive
telecom.mdesk.em;->a
telecom.mdesk.Launcher;->onPrepareOptionsMenu
telecom.mdesk.m.h;->a
telecom.mdesk.appwidget.switches.SwitchesAppWidget;->a
telecom.mdesk.appwidget.search.SearchActivity;->a
telecom.mdesk.Launcher;->onOptionsItemSelected
telecom.mdesk.appwidget.switches.switcher.LockScreenSwitcher$AddDeviceAdminProxyActivity;->a
com.tencent.connect.b.h;->shouldOverrideUrlLoading
telecom.mdesk.appwidget.search.SearchAppWidget;->d
telecom.mdesk.widgetprovider.app.ui.V2BoutiqueAppDetail$9;->onClick
telecom.mdesk.appwidget.search.AppSearchActivity;->a
telecom.mdesk.appwidget.switches.switcher.i;->a
telecom.mdesk.component.InstallPreCheckActivity;->c
telecom.mdesk.component.WebviewActivity;->a
cn.com.chinatelecom.account.lib.ct.Authorizer;->getWapLogin4ctDo
telecom.mdesk.component.PushDialogActivity;->a
telecom.mdesk.n.f;->a
com.tisson.c.b;->onPostExecute
telecom.mdesk.activities.poker.PokerRecordActivity;->a
com.tencent.mm.sdk.channel.b;->a
telecom.mdesk.appwidget.switches.switcher.IntentSwitcher;->a
telecom.mdesk.activities.goldenegg.GoldenEggIntentService;->onHandleIntent
telecom.mdesk.MyLauncherSettings;->a
telecom.mdesk.appwidget.switches.switcher.h;->
telecom.mdesk.widgetprovider.app.ui.V2BannerSubjectActivity;->onClick
telecom.mdesk.widgetprovider.app.c.b;->b
telecom.mdesk.widgetprovider.app.appmgr.d.d;->c
telecom.mdesk.appwidget.switches.switcher.b;->a
telecom.mdesk.widgetprovider.app.appmgr.d.d;->a
telecom.mdesk.widgetprovider.app.c.b;->a
telecom.mdesk.gk;->a

APP创建Intent传递数据到其他Activity,如果创建的Activity不是在同一个Task中打开,就很可能被其他的Activity劫持读取到Intent内容,跨Task的Activity通过Intent传递敏感信息是不安全的。建议:
尽量避免使用包含FLAG_ACTIVITY_NEW_TASK标志的Intent来传递敏感信息。

参考资料:
http://wolfeye.baidu.com/blog/intent-data-leak

警告

检测到62个导出的组件接收其他app的消息,这些组件会被其他app引用并导致dos攻击。

activity telecom.mdesk.MyLauncherSettings
activity telecom.mdesk.WallpaperChooser
activity telecom.mdesk.backup.TelecomTabActivity
activity telecom.mdesk.theme.AppOnlineDetailActivity
activity com.ct.ct10000.PayByCardDialogActivity
activity telecom.mdesk.theme.ThemeSettingActivity
activity telecom.mdesk.theme.ThemeTabRecommendActivity
activity telecom.mdesk.theme.ThemeTabOnlineActivity
activity telecom.mdesk.theme.ThemeTabWallpaperActivity
activity telecom.mdesk.theme.ThemeTabLockActivity
activity telecom.mdesk.account.PersonalAccountHome
activity telecom.mdesk.news.NewsActivity
activity telecom.mdesk.advert.AdvertCenterActivity
activity telecom.mdesk.theme.ThemeAndLockOnlineDetailActivity
activity telecom.mdesk.theme.ThemeChangeLoadingActivity
activity telecom.mdesk.theme.ThemeFontOnlineDetailActivity
activity telecom.mdesk.theme.FontManagerLoadActivity
activity telecom.mdesk.theme.ThemeFontPreActivity
activity telecom.mdesk.appwidget.search.LauncherAppSearchActivity
activity telecom.mdesk.checkremind.CheckVisitManagerActivity
activity telecom.mdesk.checkremind.CheckVisitLauncherActivity
activity telecom.mdesk.checkremind.CheckVisitThemeShopActivity
activity com.tencent.tauth.AuthActivity
activity telecom.mdesk.utils.download.downapk.DownloadAppActivity
activity telecom.mdesk.appmanager.LauncherDownloadAppActivity
activity telecom.mdesk.component.HelpAndFeedbackActivity
activity telecom.mdesk.widgetprovider.app.activity.V2BoutiqueFragmentActivity
activity telecom.mdesk.widgetprovider.app.ui.V2BoutiqueAppDetail
activity telecom.mdesk.widgetprovider.app.appmgr.ui.V2AppManagerActivity
activity telecom.mdesk.account.addandinvite.InviteActivity
activity telecom.mdesk.account.addandinvite.AddFriendsActivity
activity telecom.mdesk.account.addandinvite.CTHomeUserSearchActivty
activity telecom.mdesk.wxapi.WXEntryActivity
activity telecom.mdesk.LauncherSettingFirstlyWizard
activity telecom.mdesk.LogCollectActivity
activity telecom.mdest.weather.WeatherActivity
activity-alias telecom.mdesk.Home
service telecom.mdesk.sync.SyncronizeService
service com.baidu.location.f
service telecom.mdesk.appwidget.weather.WeatherWidgetService
receiver telecom.mdesk.WallpaperChangedReceiver
receiver telecom.mdesk.RestartReceiver
receiver telecom.mdesk.others.SDCardUnmountReceiver
receiver telecom.mdesk.component.itemcounter.NewItemCounterBrodcastReceiver
receiver telecom.mdesk.sync.SimpleSmsReceiver
receiver telecom.mdesk.sync.NewCallReceiver
receiver telecom.mdesk.sync.BootupReceiver
receiver telecom.mdesk.sync.ShutdownReceiver
receiver telecom.mdesk.appmanager.DownloadInstallApkReceiver
receiver telecom.mdesk.appmanager.DownloadInstallApkReceiver
receiver telecom.mdesk.appmanager.DownloadInstallApkReceiver
receiver telecom.mdesk.activities.poker.PokerBroadcastReceiver
receiver com.ct.ct10000.service.ConnectivityReceiver
receiver telecom.mdesk.appmanager.ChangeThemeReceiver
receiver telecom.mdesk.checkremind.CheckReceiver
receiver telecom.mdesk.appwidget.switches.DeviceAdminHandleReceiver
receiver telecom.mdesk.widgetprovider.app.service.InstallReceiver
receiver telecom.mdesk.appwidget.search.SearchAppWidget
receiver telecom.mdesk.appwidget.HotWordClickRecevier
receiver telecom.mdesk.theme.ChangeSimReceiver
receiver telecom.mdesk.advert.AdvertActionRecevier
receiver telecom.mdesk.themesupport.WeatherAppWidget

建议:
(1)最小化组件暴露。对不会参与跨应用调用的组件建议显示添加android:exported="false"属性。
(2)设置组件访问权限。对provider设置权限,同时将权限的protectionLevel设置为"signature"或"signatureOrSystem"。
(3)组件传输数据验证。对组件之间,特别是跨应用的组件之间的数据传入与返回做验证和增加异常处理,防止恶意调试数据传入,更要防止敏感数据返回。

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

参考资料:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

警告

检测到2个导出的隐式Service组件。
service com.baidu.location.f
service telecom.mdesk.appwidget.weather.WeatherWidgetService

建议:为了确保应用的安全性,启动Service时,请始终使用显式Intent,且不要为服务声明Intent过滤器。使用隐式Intent启动服务存在安全隐患,因为您无法确定哪些服务将响应Intent,且用户无法看到哪些服务已启动。从Android 5.0(API 级别 21)开始,如果使用隐式 Intent 调用 bindService(),系统会抛出异常。

参考资料:
https://developer.android.com/guide/components/intents-filters.html#Types

警告

检测1处組件設置了android.intent.category.BROWSABLE属性。
com.tencent.tauth.AuthActivity


在AndroidManifest文件中定义了android.intent.category.BROWSABLE属性的组件,可以通过浏览器唤起,这会导致远程命令执行漏洞攻击。建议:
(1)APP中任何接收外部输入数据的地方都是潜在的攻击点,过滤检查来自网页的参数。
(2)不要通过网页传输敏感信息,有的网站为了引导已经登录的用户到APP上使用,会使用脚本动态的生成URL Scheme的参数,其中包括了用户名、密码或者登录态token等敏感信息,让用户打开APP直接就登录了。恶意应用也可以注册相同的URL Sechme来截取这些敏感信息。Android系统会让用户选择使用哪个应用打开链接,但是如果用户不注意,就会使用恶意应用打开,导致敏感信息泄露或者其他风险。

參考案例:
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

参考资料:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

警告

检测到16潜在的XSS漏洞。

位置: classes.dex
cn.com.chinatelecom.account.lib.ct.DownloadApkActivity;->onCreate(Landroid.os.Bundle;)V
cn.com.chinatelecom.account.lib.ct.h;->d()V
com.baidu.mobstat.StatService;->bindJSInterface(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebViewClient;)V
com.ct.ct10000.OrderFlowDialogActivity;->onCreate(Landroid.os.Bundle;)V
com.iflytek.voiceads.view.AdView;->q()V
com.sina.weibo.sdk.auth.WeiboDialog;->initWebView()V
com.tencent.connect.b.a;->a(Landroid.content.Context;)V
com.tencent.connect.b.f;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.account.bc;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;
telecom.mdesk.appwidget.search.LauncherAppSearch2Activity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.component.WebviewActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.news.NewsDetailCustomWebViewActivity$8;->a(Ljava.lang.Object;)V
telecom.mdesk.news.NewsDetailCustomWebViewActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.news.NewsDetailWebViewActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.theme.ThemeTabRingActivity;->onCreate(Landroid.os.Bundle;)V
telecom.mdesk.widgetprovider.app.widget.V2WebView;->a(Landroid.content.Context;)V

允许WebView执行JavaScript(setJavaScriptEnabled),有可能导致XSS攻击。建议尽量避免使用。
(1)API等于高高于17的Android系统。出于安全考虑,为了防止Java层的函数被随意调用,Google在4.2版本之后,规定允许被调用的函数必须以@JavascriptInterface进行注解。
(2)API等于高高于17的Android系统。建议不要使用addJavascriptInterface接口,以免带来不必要的安全隐患,如果一定要使用该接口,建议使用证书校验。
u(3)使用removeJavascriptInterface移除Android系统内部的默认内置接口:searchBoxJavaBridge_、accessibility、accessibilityTraversal。

参考案例:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

参考资料:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

警告

检测到6处IvParameterSpec的使用。

位置: classes.dex
cn.com.chinatelecom.account.b.e;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
cn.com.chinatelecom.account.b.e;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.baidu.location.b.b.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.location.b.b.a;->if(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.mobstat.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.mobstat.a;->b(Ljava.lang.String; Ljava.lang.String; [B)[B

使用IVParameterSpec函数,如果使用了固定的初始化向量,那么密码文本可预测性高得多,容易受到字典攻击等。建议禁止使用常量初始化矢量构造IVParameterSpec,使用聚安全提供的安全组件。

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

警告

检测到1个导出的组件存在Intent不安全反射风险。


位置: classes.dex
telecom.mdesk.MyLauncherSettings;->a

建议:
(1)不要通过Intent接收的Extra传播的反射函数
(2)将接受反射的组件设置为非导出组件。

警告

检测到3处使用空Intent构造PendingIntent。

位置: classes.dex
telecom.mdesk.Launcher;->d()Z
com.iflytek.voiceads.update.d.c;->a(Landroid.content.Context; I Landroid.content.Intent; Landroid.content.Intent; Ljava.lang.String;)Landroid.app.Notification;
telecom.mdesk.Launcher;->e()V

使用pendingIntent时候,如果使用了一个空Intent,会导致恶意用户劫持Intent的内容。禁止使用空intent去构造pendingIntent。建议:
禁止使用空intent去构造pendingIntent。

参考资料:
http://wolfeye.baidu.com/blog/pendingintent-leak-information
http://bbs.mob.com/thread-5249-1-1.html

警告

这个app应该声明permission的"android:protectionLevel"属性值为"signature"或者"signatureOrSystem",保证其他app无法注册或者从这个app接收消息。有安全隐患的permission如下:
telecom.mdesk.permission.WRITE_SETTINGS normal
telecom.mdesk.permission.READ_SETTINGS normal
telecom.mdesk.permission.PERMISSION_ACCOUNT normal

警告

检测到10处使用了加解密算法。密钥处理不当可能会导致信息泄露。

位置: classes.dex
telecom.mdesk.widgetprovider.app.e.x;->a([B Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.baidu.location.b.b.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.mobstat.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.mobstat.util.a;->b(Ljava.lang.String; [B)[B
telecom.mdesk.widgetprovider.app.e.x;->b([B Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
cn.com.chinatelecom.account.b.e;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.baidu.mobstat.util.a;->a(Ljava.lang.String; [B)[B
com.baidu.mobstat.a;->b(Ljava.lang.String; Ljava.lang.String; [B)[B
cn.com.chinatelecom.account.b.e;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.baidu.location.b.b.a;->if(Ljava.lang.String; Ljava.lang.String; [B)[B

参考案例:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

参考资料:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


动态扫描发现风险点

风险等级 风险名称

中危

telecom.mdesk.Home
telecom.mdesk.backup.TelecomTabActivity
telecom.mdesk.checkremind.CheckVisitManagerActivity
telecom.mdesk.widgetprovider.app.activity.V2BoutiqueFragmentActivity

中危

content://mms
content://sms
content://mms-sms/undelivered
content://mms-sms/conversations
content://mms-sms/draft
content://telephony/carriers

服务端分析

风险等级 风险名称

警告

检测到?处XSS漏洞。
开发中...

警告

检测到?处XSS跨站漏洞。
开发中...

应用证书