High-risk vulnerabilities: 0
Medium-risk vulnerabilities: 6
Low-risk vulnerabilities: 3
Warnings: 5

File name A7B7D86DD6F3C1EA1B14333025AA0E5B.apk?mkey=5e147791b70ea27e&f=0c58&fsname=com.ancda.parents_4.3.11_289.apk&csr=1bbd&cip=183.14.132.139&proto=https
Uploader 570114616@qq.com
File size 62.196401596069MB
MD5 a7b7d86dd6f3c1ea1b14333025aa0e5b
Package name com.ancda.parents
Main Activity com.ancda.parents.activity.StartActivity
Min SDK 19
Target SDK 28

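Permission list

# Name Description Level
0 android.permission.ACCESS_COARSE_LOCATION Access coarse location sources (such as the cellular network database) to determine the phone's approximate location, where available. Malicious applications can use this to determine approximately where you are. Caution
1 android.permission.ACCESS_FINE_LOCATION Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications may use this to determine where you are, and may consume additional battery power. Caution
2 android.permission.ACCESS_LOCATION_EXTRA_COMMANDS Access extra location provider commands. Malicious applications can use this to interfere with the normal operation of GPS or other location sources. Caution
3 android.permission.BLUETOOTH Allows the application to view the configuration of the local Bluetooth phone, and to make or accept connections with paired devices. Caution
4 android.permission.BROADCAST_STICKY Allows the application to send sticky broadcasts, which remain after the broadcast ends. Malicious applications may use this to make the phone use too much memory, reducing its speed or stability. Caution
5 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number of the other party, and so on. Caution
6 android.permission.RECEIVE_BOOT_COMPLETED Allows the application to start itself as soon as the system has finished booting. This lengthens the phone's startup time and, if the application keeps running, slows down the phone overall. Caution
7 android.permission.RECORD_AUDIO Allows the application to access the audio record path. Caution
8 android.permission.REORDER_TASKS Allows the application to move tasks to the foreground and background. Malicious applications can use this to force themselves to the front without your control. Caution
9 android.permission.SYSTEM_ALERT_WINDOW Allows the application to show system alert windows. Malicious applications can use this to take over the entire phone screen. Caution
10 android.permission.WRITE_SETTINGS Allows the application to modify system settings data. Malicious applications can use this to corrupt your system configuration. Caution
11 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Info
12 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Info
13 android.permission.CAMERA Allows the application to take pictures with the camera, so the application can collect images entering the camera lens at any time. Info
14 android.permission.CHANGE_NETWORK_STATE Allows the application to change the state of network connectivity. Info
15 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points, and to make changes to configured WLAN networks. Info
16 android.permission.FLASHLIGHT Allows the application to control the flashlight. Info
17 android.permission.INTERNET Allows the program to access the network. Info
18 android.permission.KILL_BACKGROUND_PROCESSES Allows the application to end the background processes of other applications, regardless of whether memory is low. Info
19 android.permission.MODIFY_AUDIO_SETTINGS Allows the application to modify system-wide audio settings, such as volume and routing. Info
20 android.permission.VIBRATE Allows the application to control the vibrator. Info
21 android.permission.WAKE_LOCK Allows the application to prevent the phone from going to sleep. Info
22 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Info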

The four component types

Component name

com.ancda.parents.wxapi.WXEntryActivity
com.ancda.parents.wxapi.WXPayEntryActivity
cn.jpush.android.ui.PopWinActivity
cn.jpush.android.ui.PushActivity
cn.jpush.android.service.JNotifyActivity
com.ancda.parents.activity.WebToAppActivity
com.huawei.android.hms.agent.common.HMSAgentActivity
com.huawei.hms.activity.BridgeActivity
com.huawei.updatesdk.service.otaupdate.AppUpdateActivity
com.huawei.updatesdk.support.pm.PackageInstallerActivity
com.tencent.tauth.AuthActivity
com.ancda.parents.activity.StartActivity
com.ancda.parents.FrameActivity
com.ancda.parents.activity.WebViewActivity
com.ancda.parents.activity.HomepageActivity
com.ancda.parents.activity.MyCollectionActivity
com.ancda.parents.activity.VideoRecordActivity
com.ancda.parents.activity.CaptureActivity
com.ancda.parents.activity.FirstStartActivity
com.ancda.parents.activity.LoginActivity
com.ancda.parents.activity.BigImageBrowseActivity
com.ancda.parents.activity.PublishDynamicActivity
com.ancda.parents.activity.GalleryActivity
com.ancda.parents.activity.ChooseClassActivity
com.ancda.parents.activity.PlayerActivity
com.ancda.parents.activity.NoticeDetailActivity
com.ancda.parents.activity.NoticeActivity
com.ancda.parents.activity.HomeworkInfoActivity
com.ancda.parents.activity.ActivitiesInfoActivity
com.ancda.parents.activity.AnnouceDetailActivity
com.ancda.parents.activity.ForgetPasswordActivity
com.ancda.parents.activity.ResetPasswordActivity
com.ancda.parents.activity.PublishNoticeActivity
com.ancda.parents.activity.PublishSchoolExercisesActivity
com.ancda.parents.activity.PublishChooseWeekActivity
com.ancda.parents.activity.PublishCookBookActivity
com.ancda.parents.activity.PublishCourseActivity
com.ancda.parents.activity.VideoPlayActivity
com.ancda.parents.activity.VideoSendActivity
com.ancda.parents.activity.ContactsActivity
com.ancda.parents.activity.MessageActivity
com.ancda.parents.activity.MessageForDirectorActivity
com.ancda.parents.activity.ChatActivity
com.ancda.parents.activity.ParentReadNotifyInfoActivity
com.ancda.parents.activity.DynamicSingleActivity
com.ancda.parents.activity.UserInfoActivity
com.ancda.parents.activity.MyRelatedActivity
com.ancda.parents.activity.ImageBrowseActivity
com.ancda.parents.activity.SetWallsActivity
com.ancda.parents.activity.ChangeNicknameActivity
com.ancda.parents.activity.ChangeSignatureActivity
com.ancda.parents.activity.ChangePassActivity
com.ancda.parents.activity.SetPickPeopleActivity
com.ancda.parents.activity.PicturesSelectActivity
com.ancda.parents.activity.LeaderCardActivity
com.ancda.parents.activity.PublishPuickupActivity
com.yalantis.ucrop.UCropActivity
com.ancda.parents.activity.BabyInformationActivity
com.ancda.parents.activity.GetExercisesActivity
com.ancda.parents.activity.ThermometerActivity
com.ancda.parents.activity.PickupActivity
com.ancda.parents.activity.ChooseStudentActivity
com.ancda.parents.activity.PickupRejectActivity
com.ancda.parents.activity.RankingActivity
com.ancda.parents.activity.BabyOnlineActivity
com.ancda.parents.activity.ParentBabyOnlineActivity
com.ancda.parents.activity.GrowingHistoryActivity
com.ancda.parents.activity.GrowingMoreActivity
com.ancda.parents.activity.GrowingHistoryInfoActivity
com.ancda.parents.activity.PublicGrowingActivity
com.ancda.parents.activity.GetVerifyCodeActivity
com.ancda.parents.activity.SendVerifyCodeActivity
com.ancda.parents.activity.VerifyDeviceListActivity
com.ancda.parents.activity.ConflictActivity
com.ancda.parents.activity.PushDialogActivity
com.ancda.parents.activity.ShareDialogActivity
com.ancda.parents.activity.TLContactsListActivity
com.ancda.parents.activity.SearchActivity
com.ancda.parents.activity.PeopleTypeActivity
com.ancda.parents.activity.DynamicImageDetailActivity
com.ancda.parents.activity.MyLevelActivity
com.ancda.parents.activity.SchoolBusTrackActivity
com.ancda.parents.activity.SchoolBusListActivity
com.ancda.parents.activity.FlowerActivity
com.ancda.parents.activity.ChangeAddressActivity
com.ancda.parents.activity.NewUserInfoActivity
com.ancda.parents.activity.SchoolTeacherList
com.ancda.parents.activity.TeacherDetailActivity
com.ancda.parents.activity.GetNotifyClassesActivity
com.ancda.parents.activity.AttendancePersonalActivity
com.ancda.parents.activity.AttendanceTLookS
com.ancda.parents.activity.AttendanceHistoryActivity
com.ancda.parents.activity.AskForLeaveActivity
com.ancda.parents.activity.PublishAskForLeaveActivity
com.ancda.parents.activity.SelectApprovalActivity
com.ancda.parents.activity.PublishDynmicImageBrowseActivity
com.ancda.parents.activity.VacateActivity
com.ancda.parents.activity.AttendanceLLookT
com.ancda.parents.activity.AskForLeaveDetailActivity
com.ancda.parents.activity.ApprovalVacateTtoS
com.ancda.parents.activity.VacateLeaderActivity
com.ancda.parents.activity.ApprovalVacateLtoT
com.ancda.parents.activity.PublishNews2Activity
com.ancda.parents.activity.PublishNewNoticeActivity
com.ancda.parents.activity.NewNoticeTemplateActivity
com.ancda.parents.activity.NewNoticeRangeActivity
com.ancda.parents.activity.ReviewNoticeActivity
com.ancda.parents.activity.NewNoticePreviewActivity
com.ancda.parents.activity.NewNoticePreviewX5Activity
com.ancda.parents.activity.NewsWebActivity
com.ancda.parents.activity.NewsX5WebActivity
com.ancda.parents.activity.NewNoticeX5WebActivity
com.ancda.parents.activity.NewNoticeWebActivity
com.ancda.parents.activity.NewNoticeCountActivity
com.ancda.parents.activity.NewNoticeCountV4Activity
com.ancda.parents.activity.TeacherRecordActivity
com.ancda.parents.activity.DynamicCheckActivity
com.ancda.parents.activity.AttendanceSchool
com.ancda.parents.activity.InviteFamilyListActivity
com.ancda.parents.activity.InviteFamilyActivity
com.ancda.parents.activity.AttendanceClass
com.ancda.parents.activity.SettingRemindActivity
com.ancda.parents.activity.PaymentActivity
com.ancda.parents.activity.SchoolWebActivity
com.ancda.parents.activity.WaitActivity
com.ancda.parents.activity.ReviewsActivity
com.ancda.parents.activity.GetHomeWorkClassesActivity
com.ancda.parents.activity.ReviewsListActivity
com.ancda.parents.activity.CoachChildViewActivity
com.ancda.parents.activity.ReviewsListParentActivity
com.ancda.parents.activity.FeesManageActivity
com.ancda.parents.activity.FeesClassActivity
com.ancda.parents.activity.FeesDetailActivity
com.ancda.parents.activity.WebPaymentActivity
com.alipay.sdk.app.H5PayActivity
com.alipay.sdk.auth.AuthActivity
com.ancda.parents.activity.VideoSendGrowingActivity
com.ancda.parents.activity.PAActivity
com.ancda.parents.activity.MultiImageSelectorActivity2
com.ancda.parents.activity.VideoCompileActivity
com.ancda.parents.activity.IMVideoCompileActivity
com.ancda.parents.activity.UpdateNoticeActivity
com.ancda.parents.activity.UpdateActivitiesInfoActivity
com.ancda.parents.video.recorder.RecorderActivity
com.ancda.parents.video.recorder.IMRecorderActivity
com.ancda.parents.video.recorder.VideoStoreActivity
com.ancda.parents.video.recorder.IMVideoStoreActivity
com.ancda.parents.activity.VideoPublishPreviewActivity
com.ancda.parents.activity.PublishHiddenTroubleActivity
com.ancda.parents.activity.HiddenTroubleManageActivity
com.ancda.parents.activity.ShareImageBowerActivity
com.ancda.parents.activity.FlowerSystemActivity
com.ancda.parents.activity.MyFlowerActivity
com.ancda.parents.activity.RegisterAccountActivity
com.ancda.parents.activity.RegisterVerifyCodeActivity
com.ancda.parents.activity.RegisterPasswordActivity
com.ancda.parents.activity.JoinClassActivity
com.ancda.parents.activity.JoinClassSearchSchoolActivity
com.ancda.parents.activity.JoinClassSearchClassActivity
com.ancda.parents.activity.JoinClassEditStudentInfoActivity
com.ancda.parents.activity.CheckJoinClassActivity
com.ancda.parents.activity.CheckJoinClassSearchActivity
com.ancda.parents.activity.AliShopActivity
com.ancda.parents.activity.SelectCountryCodeActivity
com.ancda.parents.im.ui.BaseActivity
com.ancda.parents.im.ui.ConversionActivity
com.ancda.parents.im.ui.ImChatActivity
com.ancda.parents.im.ui.ContextMenuActivity
com.ancda.parents.im.ui.GroupDetailsActivity
com.ancda.parents.im.easeui.EaseShowBigImageActivity
com.ancda.parents.im.ui.ImageGridActivity
com.ancda.parents.im.ui.RecorderVideoActivity
com.ancda.parents.im.ui.NewImChatActivity
com.ancda.parents.im.ui.QunFaActivity
com.ancda.parents.im.ui.QunFaChatActivity
com.ancda.parents.im.easeui.EaseShowVideoActivity
com.ancda.parents.activity.SubmitJobActivity
com.ancda.parents.activity.SecretaryActivity
com.ancda.parents.activity.RecordActivity
com.ancda.parents.activity.RecordForStatusActivity
com.ancda.parents.activity.UpdateNewsActivity
com.ancda.parents.activity.PublishPostActivity
com.ancda.parents.activity.PublishPostNextActivity
com.ancda.parents.activity.SecretaryDetailActivity
com.ancda.parents.video.recorder.VideoCutActivity
com.ancda.parents.activity.ClassPhotosVideoActivity
com.ancda.parents.activity.EditCourseActivity
com.ancda.parents.activity.TodayTaskActivity
com.ancda.parents.activity.CourseWeekActivity
com.ancda.parents.activity.HWorkListActivity
com.ancda.parents.activity.HWorkReplyListActivity
com.ancda.parents.activity.HWorkInfoActivity
com.ancda.parents.activity.HWorkNoSubmitListActivity
com.ancda.parents.activity.SchoolBusCountActivity
com.ancda.parents.activity.BindAttendanceCardActivity
com.ancda.parents.activity.AddChildInfoActivity
com.ancda.parents.activity.AccountSafeActivity
com.ancda.parents.activity.ChangePhoneActivity
com.ancda.parents.activity.ChangeNameActivity
com.ancda.parents.activity.ApplyListActivity
com.ancda.parents.activity.ElectronStudentCardActivity
com.ancda.parents.activity.HidenTroubleDetailActivity
com.ancda.parents.activity.AddVoteActivity
com.ancda.parents.activity.AddMusicActivity
com.ancda.parents.activity.ReviewListActivity
com.ancda.parents.activity.ReviewDetailActivity
com.ancda.parents.activity.TestRtmpActivity
com.ancda.parents.activity.ChatInfoActivity
com.ancda.parents.activity.ChangeChatGroupNameActivity
com.ancda.parents.activity.AddChatGroupMemberActivity
com.ancda.parents.activity.ParentContactActivity
com.ancda.parents.activity.ChatGroupContactActivity
com.ancda.parents.activity.ContactRecordActivity
com.ancda.parents.activity.ContactManualTemplateDetailActivity
com.ancda.parents.activity.CommentTemplateListActivity
com.ancda.parents.activity.ContactManualDetailsActivity
com.ancda.parents.activity.HomeContactClassListActivity
com.ancda.parents.activity.HomeContactTimeListActivity
com.ancda.parents.activity.HomeContactSettingActivity
com.ancda.parents.activity.AddHomeContactTimeActivity
com.ancda.parents.activity.HomeContactStudentListActivity
com.ancda.parents.activity.PublishReviewActivity
com.ancda.parents.activity.InviteFamilyWXActivity
com.ancda.parents.activity.GroupSearchActivity
com.ancda.parents.im.ui.GroupListActivity
com.ancda.parents.im.ui.AncdaForwardMessageActivity
com.ancda.parents.activity.ReportActivity
com.ancda.parents.activity.ReportManageActivity
com.ancda.parents.activity.ReportManageClassParentActivity
com.ancda.parents.activity.ReportRankingActivity
com.ancda.parents.activity.ReportWorkInfoActivity
com.ancda.parents.activity.ReportSearchActivity
com.ancda.parents.activity.ApplyDetailActivity
com.ancda.parents.activity.ApplyRecodAddActivity
com.ancda.parents.activity.SettingSysActivity
com.ancda.parents.activity.AboutUsActivity
com.ancda.parents.activity.DiscoveryCircleActivity
com.ancda.parents.activity.DiscoveryCircleDetailActivity
com.ancda.parents.activity.NewNewsEditorActivity
com.ancda.parents.activity.InputNewsTitleActivity
com.ancda.parents.activity.ChangeNewsCoverBgActivity
com.ancda.parents.activity.NewsBlowerWebViewActivity
com.ancda.parents.activity.FansAndAttentionListActivity
com.ancda.parents.activity.MsgSecretaryActivity
com.ancda.parents.activity.CommunityMsgActivity
com.ancda.parents.activity.DiscoverySearchActivity
com.ancda.parents.activity.ClassActivitysActivity
com.ancda.parents.activity.AnnouncementActivity
com.ancda.parents.activity.NewsActivity
com.ancda.parents.activity.CookbookActivity
com.ancda.parents.activity.PickerPreviewActivity
com.ancda.parents.video.play.VitamioPlayActivity
com.ancda.parents.activity.AddUserActivity
com.ancda.parents.activity.NetWorkSetActivity
com.ancda.parents.activity.ProxyPaymentActivity
com.ancda.parents.activity.ProxyPaymentListActivity
com.ancda.parents.activity.FeedbackActivity
com.ancda.parents.activity.ForwardMessageContastActivity
com.tencent.connect.common.AssistActivity
com.ancda.parents.activity.WebActivity
com.ancda.parents.video.play.VideoPlayActivity
com.ancda.parents.video.play.VitamioPlayActivity2
com.ancda.parents.activity.ChristmasDetailsActivity
com.ancda.parents.activity.NewsEditTextActivity
com.ancda.parents.activity.NewPushActivity
com.ancda.parents.activity.WxLoginActivity
com.ancda.parents.activity.ChristmasMsgActivity
com.ancda.parents.activity.IntegralActivity
com.ancda.parents.activity.GrowingActivity
com.ancda.parents.activity.ParentingGuideActivity
com.ancda.parents.activity.PostDetailsActivity
com.ancda.parents.activity.PostDetailsCommentActivity
com.ancda.parents.activity.TeacherContactsActivity
com.ancda.parents.activity.MenuManageActivity
com.ancda.parents.activity.NewSigninActivity
com.ancda.parents.activity.BabyStarRankActivity
com.ancda.parents.activity.ActivationRateActivity
com.ancda.parents.activity.DiscoverSerialDetailActivity
com.ancda.parents.activity.DiscoverMusicPlayPageActivity
com.ancda.parents.activity.HistoryNotificationActivity
com.ancda.parents.activity.ActiveRankingActivity
com.ancda.parents.activity.PlacementBroadcastActivity
com.ancda.parents.activity.PlacementBroadcastConfigInfoActivity
com.ancda.parents.activity.ChangePbConfigNameActivity
com.ancda.parents.activity.WxLoginVerificationNumberActivity
com.ancda.parents.activity.WxLoginVerifyCodeActivity
com.ancda.parents.activity.SocialAccountActivity
com.ancda.parents.activity.ViewGroupMembersActivity
com.ancda.parents.activity.RemoveChatGroupMemberActivity
com.ancda.parents.activity.CommentTeamplateSearchActivity
com.ancda.parents.activity.FaceEntryInfoActivity
com.ancda.parents.activity.MyFaceEntryActivity
com.ancda.parents.activity.DynamicFilterActivity
com.ancda.parents.activity.FaceAlbumActivity
com.ancda.parents.activity.ChangeBabyHeightOrWeightActivity
com.ancda.parents.activity.KinderParentFaceListActivity
com.ancda.parents.activity.NewChangeMusicActivity
com.ancda.parents.activity.MusicCategoryActivity
com.qq.e.ads.ADActivity
com.qq.e.ads.PortraitADActivity
com.qq.e.ads.LandscapeADActivity
com.baidu.mobads.AppActivity
com.facebook.react.devsupport.DevSettingsActivity
com.ancda.parents.react.ReactNativeActivity
com.kwad.sdk.page.KsAdWebViewActivity
com.kwad.sdk.page.VideoWebViewActivity
com.kwad.sdk.page.KsFullScreenVideoActivity
com.kwad.sdk.page.KSRewardVideoActivity
com.qq.e.ads.RewardvideoPortraitADActivity
com.qq.e.ads.RewardvideoLandscapeADActivity
com.alipay.sdk.app.H5AuthActivity
com.alipay.sdk.app.PayResultActivity
com.alipay.sdk.app.AlipayResultActivity

cn.jpush.android.service.DownloadService
cn.jpush.android.service.PushService
cn.jpush.android.service.DaemonService
com.ancda.parents.push.JPushService
com.huawei.updatesdk.service.deamon.download.DownloadService
com.ancda.parents.shuttlenotice.PartitionBroadcastService
com.ancda.parents.GuardService
com.hyphenate.chat.EMChatService
com.hyphenate.chat.EMJobService
com.ancda.parents.utils.scan.WebSocketService
com.xiaomi.mipush.sdk.PushMessageHandler
com.xiaomi.mipush.sdk.MessageHandleService
com.xiaomi.push.service.XMJobService
com.xiaomi.push.service.XMPushService
com.qq.e.comm.DownloadService
com.ancda.parents.service.PushMessageService
com.ancda.parents.service.NeteaseIMService
com.kwai.filedownloader.services.FileDownloadService$SharedMainProcessService
com.kwai.filedownloader.services.FileDownloadService$SeparateProcessService
com.ksad.download.service.DownloadService
com.meizu.cloud.pushsdk.NotificationService

cn.jpush.android.service.PushReceiver
cn.jpush.android.service.AlarmReceiver
com.ancda.parents.push.JGPushReceiver
com.ancda.parents.push.MyJPushMessageReceiver
com.huawei.hms.support.api.push.PushEventReceiver
com.ancda.parents.Receiver.BringToFrontReceiver
com.ancda.parents.Receiver.NetWorkReceiver
com.ancda.parents.im.receiver.GCMPushBroadCast
com.ancda.parents.im.receiver.StartServiceReceiver
com.ancda.parents.Receiver.HMSPushReceiver
com.netease.nimlib.mixpush.hw.HWPushReceiver
com.hyphenate.chat.EMMonitorReceiver
com.hyphenate.chat.EMMipushReceiver
com.netease.nimlib.mixpush.mi.MiPushReceiver
com.xiaomi.push.service.receivers.PingReceiver
com.xiaomi.push.service.receivers.NetworkStatusReceiver
com.ancda.parents.Receiver.AppletsSkipBroastcast
com.ksad.download.DownloadReceiver
com.meizu.cloud.pushsdk.SystemReceiver

cn.jpush.android.service.DataProvider
android.support.v4.content.FileProvider
com.huawei.hms.update.provider.UpdateProvider
com.huawei.updatesdk.fileprovider.UpdateSdkFileProvider
com.imagepicker.FileProvider
com.kwad.sdk.widget.AdSdkFileProvider

Third-party libraries

# Library Description
0 com.alibaba.fastjson Fast JSON Processor https://github.com/alibaba/fastjson/wiki
1 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
2 com.makeramen.roundedimageview A fast ImageView that supports rounded corners, ovals, and circles.
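3 com.iflytek The iFLYTEK Open Platform, as the world's first open intelligent-interaction technology service platform, is dedicated to giving developers a one-stop intelligent human-computer interaction solution. Over the Internet or mobile Internet, users can use any device, at any time and in any place, to enjoy the full range of AI services the platform provides, such as "listening, speaking, reading, writing…". The platform currently offers developers, in a "cloud + device" form, services including speech synthesis, speech recognition, voice wake-up, semantic understanding, face recognition, personalized ring-back tones and mobile app analytics.
4 com.amap.api The AMap LBS open platform opens AMap's most professional positioning, map, search, navigation and other capabilities to developers free of charge, in the form of APIs and SDKs.
5 cn.jpush.android.api JPush lets developers push notifications or messages to their application's users in real time and stay in touch with them, effectively improving retention and user experience. The platform provides a unified push service that integrates Android push and iOS push.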
6 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
7 okhttp3 An HTTP+SPDY client for Android and Java applications.
8 com.umeng.analytics The Umeng analytics platform is the largest mobile app analytics platform in China.
9 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
10 com.alipay.sdk Alipay mobile payment functionality
11 android.support.transition A backport of the new Transitions API for Android.
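12 com.tencent.smtt Tencent X5 browsing service, produced by the QQ Browser team, is a complete solution dedicated to optimizing the mobile WebView experience. It uses the QQ Browser X5 kernel SDK and X5 cloud services to solve all problems that arise when using WebView on mobile and to optimize the user's browsing experience. Tencent will also continue to provide updates and optimizations, offering developers the newest and best features and services.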
13 com.facebook.imagepipeline An image management library by FaceBook.
14 android.support.multidex DEPRECATED
15 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
16 com.androidquery AndroidQuery
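17 com.iflytek The iFLYTEK Open Platform, as the world's first open intelligent-interaction technology service platform, is dedicated to giving developers a one-stop intelligent human-computer interaction solution. Over the Internet or mobile Internet, users can use any device, at any time and in any place, to enjoy the full range of AI services the platform provides, such as "listening, speaking, reading, writing…". The platform currently offers developers, in a "cloud + device" form, services including speech synthesis, speech recognition, voice wake-up, semantic understanding, face recognition, personalized ring-back tones and mobile app analytics.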
18 com.coremedia.iso Provides a Java API for parsing MP4 files
19 com.bigkoo.pickerview An iOS-style PickerView control with time selection and option selection, supporting one-, two- and three-level linked pickers
20 com.facebook.cache.common An image management library by FaceBook.
21 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
22 com.google.zxing Official ZXing ("Zebra Crossing") project home
23 com.koushikdutta.async Asynchronous socket, http (client+server), websocket, and socket.io library for android. Based on nio, not threads.
24 com.baidu.mobads Baidu mobile promotion SDK
25 com.facebook.imagepipeline An image management library by FaceBook.
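26 com.umeng.analytics The Umeng analytics platform is the largest mobile app analytics platform in China.
27 com.xiaomi.mipush.sdk Xiaomi Push (MiPush) is a message push service that Xiaomi provides for developers. By establishing a stable, reliable long-lived connection between the cloud and the client, it lets developers push real-time messages to client applications and helps them effectively increase user activity.
28 com.tencent.connect Tencent Open Platform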
29 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
30 okhttp3 An HTTP+SPDY client for Android and Java applications.
31 com.mp4parser A Java API to read, write and create MP4 files.
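32 io.realm Realm is a mobile database: a replacement for SQLite & ORMs.
33 com.tencent.smtt Tencent X5 browsing service, produced by the QQ Browser team, is a complete solution dedicated to optimizing the mobile WebView experience. It uses the QQ Browser X5 kernel SDK and X5 cloud services to solve all problems that arise when using WebView on mobile and to optimize the user's browsing experience. Tencent will also continue to provide updates and optimizations, offering developers the newest and best features and services.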
34 de.hdodenhof.circleimageview A fast circular ImageView perfect for profile images.
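35 com.tencent.tauth The Tencent QQ Connect platform has compiled a list of SDKs to help developers quickly integrate QQ login, sharing and other features. QQ Connect is Tencent's open platform. Through it, site owners and developers can apply to integrate QQ login, users can log in to integrated sites with their QQ accounts, site content can be shared to Qzone and Pengyou by adding share and like components, and, by obtaining API authorization, site owners can also synchronize user actions to Qzone and Pengyou.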
36 com.qiniu.android Qiniu Resource (Cloud) Storage SDK for Android
37 com.loopj.android.http An Asynchronous HTTP Library for Android http://loopj.com/android-async-http/
38 org.apache.http The Apache HttpComponents™ project is responsible for creating and maintaining a toolset of low level Java components focused on HTTP and associated protocols.
39 org.json Parses a String in JSONObject format into an entity, as required for use with the Gson library
40 com.makeramen.roundedimageview A fast ImageView that supports rounded corners, ovals, and circles.
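41 com.baidu.mobads Baidu mobile promotion SDK
42 com.tencent.map The Tencent Maps Android SDK is a set of application interfaces for devices running Android 2.3 and above. Through it you can conveniently access the high-quality place data and services that Tencent Maps provides and build rich, practical map and location-based applications. Besides basic functions such as creating base maps, zooming and smooth panning, the SDK also provides extended services such as positioning, geocoding, reverse geocoding, nearby search and route planning, helping you get twice the result with half the effort in application development. The SDK's services require registration and are provided free to third parties; any non-profit website may use them.
43 com.tencent.map The Tencent Maps Android SDK is a set of application interfaces for devices running Android 2.3 and above. Through it you can conveniently access the high-quality place data and services that Tencent Maps provides and build rich, practical map and location-based applications. Besides basic functions such as creating base maps, zooming and smooth panning, the SDK also provides extended services such as positioning, geocoding, reverse geocoding, nearby search and route planning, helping you get twice the result with half the effort in application development. The SDK's services require registration and are provided free to third parties; any non-profit website may use them.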

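Risk points found by static scanning

Risk level Risk name

Medium risk

The current flag was detected as set to true or not set. This allows adb debug backup, which lets a malicious attacker copy the application's data and causes data leakage.

Medium risk

Detected 6 weak certificate validation vulnerabilities.

Location: classes2.dex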
com.ancda.parents.http.SSLContextEx$1;
com.huawei.updatesdk.sdk.service.download.h$1;

Location: classes3.dex
com.zhy.http.okhttp.https.HttpsUtils$UnSafeTrustManager;
com.loopj.android.http.MySSLSocketFactory$1;
org.jsoup.helper.HttpConnection$Response$2;
com.meizu.cloud.pushsdk.platform.a$b;

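When a mobile app client communicates over https or ssl/tls without validating that the certificate is trusted, it is vulnerable to man-in-the-middle attacks. These can lead to information leakage and tampering with transmitted data, and a man-in-the-middle hijack can even replace the original content with malicious links or malicious code, with goals such as remote control. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
www.wooyun.org/bugs/wooyun-2014-079358

References: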
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

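Medium risk

Detected 1 sensitive Test or Debug component that has not been removed.

com.ancda.parents.activity.TestRtmpActivity

Recommendation:
Remove sensitive Test or Debug components before officially releasing the app.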

Medium risk

Detected 6 man-in-the-middle attack vulnerabilities.

Location: classes.dex
com.ancda.parents.activity.NewsBlowerWebViewActivity$DownloadZipFile;->run()V

Location: classes2.dex
com.ancda.parents.http.AncdaFileAsyncTask;->baseConnection(Ljava.net.URL; Lcom.ancda.parents.utils.DataInitConfig;)Ljava.net.HttpURLConnection;
com.ancda.parents.update.UpdateManager2$checkThread;->run()V
com.ancda.parents.http.AncdaAsyncTask;->baseConnection(Ljava.net.URL; Lcom.ancda.parents.utils.DataInitConfig;)Ljava.net.HttpURLConnection;
com.ancda.parents.http.AncdaAsyncTask;->doConnection(Ljava.lang.String;)Lorg.apache.http.HttpResponse;
com.ancda.parents.utils.bitmap.download.SimpleDownloader;->getFromHttp(Ljava.lang.String; Lcom.ancda.parents.utils.afinal.FinalBitmap$BitmapLoadAndDisplayTask;)[B

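The setHostnameVerifier method is set to ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any host name directly and may cause a man-in-the-middle attack vulnerability. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

References: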
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium risk

Detected 15 WebView remote code execution vulnerabilities.

Location: classes.dex
com.ancda.parents.activity.NewsX5WebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.CoachChildViewActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewNoticeWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewsBlowerWebViewActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewsWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.SchoolWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.WebViewActivity;->onCreate(Landroid.os.Bundle;)V

Location: classes2.dex
com.facebook.react.views.webview.ReactWebViewManager$ReactWebView;->setMessagingEnabled(Z)V
com.ancda.parents.fragments.NewDiscoveryFragment;->initView()V
com.ancda.parents.view.edit.RichEditor;->initJsEditor()V

Location: classes3.dex
com.tencent.smtt.sdk.JsContext;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.X5JsCore;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.JsVirtualMachine$a;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.tencent.smtt.sdk.WebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V

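Android versions below API 17 have a remote code execution vulnerability. It arises because the program does not properly restrict use of the addJavascriptInterface method; an attacker can exploit it through Java reflection to invoke methods of arbitrary Java objects, resulting in remote code execution.
(1) Android systems at API 17 or higher: for security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires since version 4.2 that functions allowed to be called must be annotated with @JavascriptInterface.
(2) Android systems at API 17 or higher: it is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risks. If the interface must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the Android system's default built-in interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases:
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References: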
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium risk

Detected 35 setSavePassword plaintext password storage vulnerabilities.

Location: classes.dex
com.ancda.parents.fragments.VideoIntroductionFragment;
com.ancda.parents.activity.CoachChildViewActivity;
com.ancda.parents.activity.NewNoticeWebActivity$2$1;
com.ancda.parents.activity.NewNoticeWebActivity$4;
com.ancda.parents.activity.NewsWebActivity;
com.ancda.parents.activity.FlowerActivity;
com.ancda.parents.activity.WebViewActivity$MyWebChromeClient$1;
com.ancda.parents.activity.SchoolWebActivity;
com.ancda.parents.activity.NewsWebActivity$3;
com.ancda.parents.activity.NewsBlowerWebViewActivity;
com.ancda.parents.activity.WebPaymentActivity;
com.ancda.parents.activity.WebViewActivity;
com.ancda.parents.activity.ChristmasDetailsActivity;
com.ancda.parents.activity.SecretaryDetailActivity;
com.ancda.parents.activity.NewNoticePreviewActivity;
com.ancda.parents.activity.NewNoticeWebActivity;
com.ancda.parents.activity.WebActivity;
com.ancda.parents.activity.IntegralActivity;
com.ancda.parents.activity.IntegralActivity$1$1;

Location: classes2.dex
com.androidquery.WebDialog;
com.ancda.parents.view.edit.RichEditor;
com.iflytek.sunflower.CollectorJs;
com.ancda.parents.fragments.NewDiscoveryFragment;
com.facebook.react.views.webview.ReactWebViewManager$ReactWebView;
com.kwad.sdk.widget.KsAdWebView;
com.ancda.parents.fragments.VideoIntroductionFragment$MyWebChromeClient$1;
com.facebook.react.views.webview.ReactWebViewManager;
com.ancda.parents.view.edit.EditorWebViewAbstract;
com.androidquery.util.WebImage;
com.ancda.parents.fragments.WebFragment;

Location: classes3.dex
com.tencent.smtt.sdk.WebSettings;
com.tencent.open.SocialApiIml;

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.landingpage.App2Activity;

Location: assets/gdt_plugin/gdtadv2.jar
com.qq.e.comm.plugin.util.m;
com.qq.e.comm.plugin.ad.f.c;

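WebView's save-password feature is set to true by default. WebView stores passwords for websites in plaintext in the local private file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain the user's passwords.
Recommendation: explicitly set webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References: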
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low risk

Detected 9 Intent Scheme URI vulnerabilities.

Location: classes.dex
Lcn/jpush/android/e/b;->e(Landroid/content/Context; Ljava/lang/String;)Z
Lcn/jpush/android/e/b;->f(Landroid/content/Context; Ljava/lang/String;)Z
Lcom/ancda/parents/activity/WebViewActivity$4;->shouldOverrideUrlLoadingByApp(Landroid/webkit/WebView; Ljava/lang/String;)Z

Location: classes2.dex
Lcom/huawei/hms/support/api/push/a/a/a;->g()V
Lcom/huawei/hms/support/api/push/a/c/h;->b(Landroid/content/Context; Lcom/huawei/hms/support/api/push/a/b/a;)Landroid/content/Intent;
Lcom/kwad/sdk/d/a;->a(Landroid/content/Context; Ljava/lang/String;)I

Location: classes3.dex
Lcom/xiaomi/mipush/sdk/av;->a(Landroid/content/Context; Ljava/lang/String; Ljava/util/Map;)Landroid/content/Intent;
Lcom/xiaomi/push/service/z;->a(Landroid/content/Context; Ljava/lang/String; I Ljava/util/Map;)Landroid/content/Intent;
Lcom/meizu/cloud/pushsdk/handler/a/a/a;->a(Landroid/content/Context; Lcom/meizu/cloud/pushsdk/handler/MessageV3;)Landroid/content/Intent;


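Intent Scheme URI is a special URL format used to launch Activity components of installed applications from a web page; most mainstream browsers support it. If the app does not check the value of the load_url it obtains, an attacker can build a phishing site, lure the user into clicking and loading it, and steal user information. Improper handling of Intent URIs therefore leads to Intent-based attacks. Recommendation:
If the Intent.parseUri function is used, the resulting intent must be strictly filtered. The intent should apply at least three policies: addCategory("android.intent.category.BROWSABLE"), setComponent(null) and setSelector(null).

References: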
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

Low risk

Detected 6 weak hostname verification vulnerabilities.

Location: classes2.dex
com.ancda.parents.http.SSLContextEx$TrustAllHostnameVerifier;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

Location: classes3.dex
com.meizu.cloud.pushsdk.platform.a$a;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.tendcloud.tenddata.dh;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
com.zhy.http.okhttp.https.HttpsUtils$UnSafeHostnameVerifier;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
cz.msebera.android.httpclient.conn.ssl.NoopHostnameVerifier;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z
org.jsoup.helper.HttpConnection$Response$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

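A custom HostnameVerifier class is defined, but its verify method does not validate the host name and simply returns true, accepting any host name directly. Recommendation:
Strictly validate the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

References: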
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

Low risk

Detected 5 places where a custom WebViewClient implementation calls the proceed() method in onReceivedSslError.

Location: classes.dex
cn.jpush.android.ui.a;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.app.b;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.alipay.sdk.auth.AuthActivity$c;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

Location: classes2.dex
com.ancda.parents.fragments.NewDiscoveryFragment$WebViewListener;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V
com.ancda.parents.fragments.WebFragment$WebViewListener;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

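When the Android WebView component hits a certificate validation error while loading a page, it calls the onReceivedSslError method of the WebViewClient class. If that method's implementation calls handler.proceed() to ignore the certificate error, the app is exposed to man-in-the-middle attacks, which may lead to privacy leakage. Recommendation:
When a certificate validation error occurs, use the default handling, handler.cancel(), to stop loading the problem page.

Reference cases: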
http://www.wooyun.org/bugs/wooyun-2010-0109266

References:
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

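Warning

Detected 32 exported components that receive messages from other apps; these components can be referenced by other apps, leading to DoS attacks.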

activity com.ancda.parents.wxapi.WXEntryActivity
activity com.ancda.parents.wxapi.WXPayEntryActivity
activity cn.jpush.android.service.JNotifyActivity
activity com.ancda.parents.activity.WebToAppActivity
activity com.tencent.tauth.AuthActivity
activity com.ancda.parents.FrameActivity
activity com.ancda.parents.activity.LoginActivity
activity com.ancda.parents.activity.ContactsActivity
activity com.ancda.parents.im.ui.ConversionActivity
activity com.ancda.parents.im.ui.NewImChatActivity
activity com.alipay.sdk.app.PayResultActivity
activity com.alipay.sdk.app.AlipayResultActivity
service cn.jpush.android.service.DaemonService
service com.ancda.parents.push.JPushService
service com.ancda.parents.shuttlenotice.PartitionBroadcastService
service com.ancda.parents.GuardService
service com.hyphenate.chat.EMChatService
service com.xiaomi.mipush.sdk.PushMessageHandler
service com.meizu.cloud.pushsdk.NotificationService
receiver com.ancda.parents.push.MyJPushMessageReceiver
receiver com.huawei.hms.support.api.push.PushEventReceiver
receiver com.ancda.parents.Receiver.BringToFrontReceiver
receiver com.ancda.parents.Receiver.NetWorkReceiver
receiver com.ancda.parents.Receiver.HMSPushReceiver
receiver com.netease.nimlib.mixpush.hw.HWPushReceiver
receiver com.hyphenate.chat.EMMonitorReceiver
receiver com.hyphenate.chat.EMMipushReceiver
receiver com.netease.nimlib.mixpush.mi.MiPushReceiver
receiver com.xiaomi.push.service.receivers.NetworkStatusReceiver
receiver com.ancda.parents.Receiver.AppletsSkipBroastcast
receiver com.ksad.download.DownloadReceiver
receiver com.meizu.cloud.pushsdk.SystemReceiver

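Recommendation:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on the provider, and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed into and returned from components, especially across apps, and add exception handling, to prevent malicious debugging data from being passed in and, more importantly, to prevent sensitive data from being returned.

Reference cases: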
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

Detected 2 exported implicit Service components.
service cn.jpush.android.service.DaemonService
service com.ancda.parents.push.JPushService

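Recommendation: To keep the app secure, always use an explicit Intent when starting a Service, and do not declare intent filters for the service. Starting a service with an implicit Intent is a security risk, because you cannot be certain which service will respond to the Intent, and the user cannot see which services have been started. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent.

References: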
https://developer.android.com/guide/components/intents-filters.html#Types

Warning

Detected 3 components that set the android.intent.category.BROWSABLE attribute.
com.ancda.parents.activity.WebToAppActivity
com.tencent.tauth.AuthActivity
com.alipay.sdk.app.AlipayResultActivity


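Components that define the android.intent.category.BROWSABLE attribute in the AndroidManifest file can be launched from a browser, which can lead to remote command execution attacks. Recommendation:
(1) Any place in the app that receives external input is a potential attack point; filter and check parameters that come from web pages.
(2) Do not pass sensitive information through web pages. To steer logged-in users into the app, some websites use scripts to dynamically generate URL Scheme parameters that include sensitive information such as the user name, password or login-state token, so that the user is logged in directly when the app opens. A malicious app can also register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but an inattentive user may open it with the malicious app, leading to sensitive information leakage or other risks.

Reference cases: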
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 38 potential XSS vulnerabilities.

Location: classes.dex
cn.jpush.android.i.a;->a(Landroid.webkit.WebSettings;)V
com.alipay.sdk.auth.AuthActivity;->onCreate(Landroid.os.Bundle;)V
com.alipay.sdk.util.n;->a(Landroid.app.Activity; Ljava.lang.String; Ljava.lang.String;)Landroid.webkit.WebView;
com.alipay.sdk.widget.WebViewWindow;->c(Landroid.content.Context;)V
com.alipay.sdk.widget.WebViewWindow;->c(Landroid.content.Context;)V
com.ancda.parents.activity.NewNoticeWebActivity$4;->onPageFinished(Landroid.webkit.WebView; Ljava.lang.String;)V
com.ancda.parents.activity.NewNoticeWebActivity$4;->onPageStarted(Landroid.webkit.WebView; Ljava.lang.String; Landroid.graphics.Bitmap;)V
com.ancda.parents.activity.NewsWebActivity$3;->onPageFinished(Landroid.webkit.WebView; Ljava.lang.String;)V
com.ancda.parents.activity.NewsWebActivity$3;->onPageStarted(Landroid.webkit.WebView; Ljava.lang.String; Landroid.graphics.Bitmap;)V
com.alipay.sdk.widget.h;->a(Landroid.webkit.WebView; Landroid.content.Context;)V
com.ancda.parents.fragments.VideoIntroductionFragment;->initView(Landroid.view.View;)V
com.ancda.parents.activity.ChristmasDetailsActivity;->initView()V
com.ancda.parents.activity.CoachChildViewActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.IntegralActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewNoticePreviewActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewNoticeWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewsBlowerWebViewActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.NewsWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.SchoolWebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.SecretaryDetailActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.WebActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.WebPaymentActivity;->onCreate(Landroid.os.Bundle;)V
com.ancda.parents.activity.WebViewActivity;->onCreate(Landroid.os.Bundle;)V

Location: classes2.dex
com.ancda.parents.view.edit.EditorWebViewAbstract;->configureWebView()V
com.androidquery.WebDialog;->setupWebView(Landroid.widget.RelativeLayout;)V
com.androidquery.util.WebImage;->load()V
com.iflytek.sunflower.CollectorJs;->(Landroid.content.Context; Landroid.webkit.WebView; Landroid.webkit.WebChromeClient;)V
com.kwad.sdk.widget.KsAdWebView;->h()V
com.kwad.sdk.widget.KsAdWebView;->h()V
com.ancda.parents.fragments.NewDiscoveryFragment;->initView()V
com.ancda.parents.fragments.WebFragment;->initView()V

Location: classes3.dex
com.tencent.connect.auth.a;->d()V
com.tencent.open.SocialApiIml;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.TDialog;->b()V
com.tencent.open.c;->c()V

Location: assets/bdxadsdk.jar
com.baidu.mobads.container.y;->(Landroid.content.Context; Lcom.baidu.mobads.interfaces.utils.IXAdLogger; Z Z Lcom.baidu.mobads.container.y$c;)V

Location: assets/gdt_plugin/gdtadv2.jar
com.qq.e.comm.plugin.ad.d;->l()V
com.qq.e.comm.plugin.ad.f.c;->(Landroid.content.Context; Landroid.webkit.WebViewClient; Lcom.qq.e.comm.plugin.ad.f.b; Lorg.json.JSONObject;)V

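Allowing a WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Avoid it where possible.
(1) Android systems with API level 17 or higher. For security reasons, to prevent Java-layer functions from being called arbitrarily, Google has required since version 4.2 that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher. It is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risks; if the interface must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the Android system's built-in default interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases: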
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 5 providers with grantUriPermissions set to true.
android.support.v4.content.FileProvider
com.huawei.hms.update.provider.UpdateProvider
com.huawei.updatesdk.fileprovider.UpdateSdkFileProvider
com.imagepicker.FileProvider
com.kwad.sdk.widget.AdSdkFileProvider


If grant-uri-permission is set to true, other programs can access the content provider's content through a URI, which can easily cause information leakage.

References:
https://security.tencent.com/index.php/blog/msg/6


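Risks found by dynamic scanning

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? XSS cross-site vulnerabilities.
In development...

Application certificate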