High-risk vulnerabilities: 0
Medium-risk vulnerabilities: 4
Low-risk vulnerabilities: 2
Warnings: 1

File name 电影雷达.apk
Uploader 4444
File size 4.1911897659302MB
MD5 db1138d87b21d5a35185c2492c24b535
Package name com.liuchao.sanji.movieheaven
Main Activity com.liuchao.sanji.movieheaven.ui.MainActivity
Min SDK 16
Target SDK 25

Permission list

# Name Description Note
0 android.permission.GET_TASKS Allows an application to retrieve information about currently and recently running tasks. A malicious application may use this to discover confidential information about other applications. Caution
1 android.permission.ACCESS_NETWORK_STATE Allows an application to view the state of all networks. Info
2 android.permission.INTERNET Allows the application to access the network. Info
3 android.permission.WRITE_EXTERNAL_STORAGE Allows an application to write to the SD card. Info

Application components

Component name

com.liuchao.sanji.movieheaven.ui.MainActivity
com.liuchao.sanji.movieheaven.ui.movie.playInfo.InfoMovieActivity
com.liuchao.sanji.movieheaven.ui.movie.playInfo.SeeBigImageActivity
com.liuchao.sanji.movieheaven.ui.movie.search.SearchActivity
com.liuchao.sanji.movieheaven.ui.other.AboutActivity
com.liuchao.sanji.movieheaven.ui.live.fragment.LiveIndexMoreActivity
com.liuchao.sanji.movieheaven.ui.live.player.LivePlayerInfoActivity
com.zxy.recovery.core.RecoveryActivity

com.zxy.recovery.core.RecoveryService

Third-party libraries

# Library Description
0 com.alibaba.fastjson Fast JSON Processor https://github.com/alibaba/fastjson/wiki
1 android.support.transition A backport of the new Transitions API for Android.
2 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
3 okhttp3 An HTTP+SPDY client for Android and Java applications.
4 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
5 butterknife View "injection" library for Android.
6 com.orhanobut.logger Simple, pretty and powerful logger for android
7 de.hdodenhof.circleimageview A fast circular ImageView perfect for profile images.
8 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
9 org.json Parses a String in JSONObject format into an entity object, as required for use with the Gson library.

Risks found by static scan

Risk level Risk name

Medium

Detected that the backup flag (allowBackup) is set to true or is not set at all. This lets adb debug backup be used by a malicious attacker to copy the application's data, causing data leakage.

Medium

Detected 1 weak certificate validation vulnerability.

Location: classes.dex
org.jsoup.helper.HttpConnection$Response$2;

When a mobile app client communicates over HTTPS or SSL/TLS without verifying that the certificate is trusted, it is vulnerable to man-in-the-middle attacks. These can lead to information leakage and tampering of transmitted data, and can even let a man-in-the-middle replace the original content with malicious links or malicious code to achieve remote control and other attack goals. Recommendation:
Strictly validate SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the hostname matches, and whether the certificate has expired.

Reference case:
www.wooyun.org/bugs/wooyun-2014-079358

References:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium

This app should remove most of its log output code.
The scan found that this package still contains a large amount of logging code: 75 logging calls in total. (Logging code here means calls that print via android.util.Log.*.)
Details:

Location: classes.dex
me.yokeyword.fragmentation.FragmentationDelegate;->popTo(Ljava/lang/String; Z Ljava/lang/Runnable; Landroid/support/v4/app/FragmentManager;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
me.yokeyword.fragmentation.FragmentationDelegate;->checkFragmentManager(Landroid/support/v4/app/FragmentManager; Landroid/support/v4/app/Fragment;)Landroid/support/v4/app/FragmentManager;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.davemorrissey.labs.subscaleview.SubsamplingScaleImageView;->debug(Ljava/lang/String; [Ljava/lang/Object;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.github.piasy.biv.view.BigImageView;->showImage(Landroid/net/Uri;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.davemorrissey.labs.subscaleview.SubsamplingScaleImageView;->getExifOrientation(Landroid/content/Context; Ljava/lang/String;)I==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.Glide;->getPhotoCacheDir(Landroid/content/Context; Ljava/lang/String;)Ljava/io/File;==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
cn.bingoogolapple.swipebacklayout.BGASwipeBackLayout;->drawChild(Landroid/graphics/Canvas; Landroid/view/View; J)Z==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.bitmap.TransformationUtils;->fitCenter(Landroid/graphics/Bitmap; Lcom/bumptech/glide/load/engine/bitmap_recycle/BitmapPool; I I)Landroid/graphics/Bitmap;==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.github.piasy.biv.view.BigImageView;->showImage(Landroid/net/Uri; Landroid/net/Uri;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->clearMemory()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onAutoCompletion()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.request.target.ViewTarget$SizeDeterminer$SizeDeterminerLayoutListener;->onPreDraw()Z==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.DecodeJob;->logWithTimeAndKey(Ljava/lang/String; J)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCMediaManager;->onSurfaceTextureSizeChanged(Landroid/graphics/SurfaceTexture; I I)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->release()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.cache.MemorySizeCalculator;->(Landroid/content/Context; Landroid/app/ActivityManager; Lcom/bumptech/glide/load/engine/cache/MemorySizeCalculator$ScreenDimensions;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.orhanobut.logger.AndroidLogAdapter;->w(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
cn.bingoogolapple.swipebacklayout.BGASwipeBackLayout;->onMeasure(I I)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.github.piasy.biv.view.BigImageView;->onCacheMiss(Ljava/io/File;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onCompletion()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer$1;->onAudioFocusChange(I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.bitmap.RecyclableBufferedInputStream;->fillbuf(Ljava/io/InputStream; [B)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.github.piasy.biv.view.BigImageView;->onCacheHit(Ljava/io/File;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.data.HttpUrlFetcher;->getStreamForSuccessfulRequest(Ljava/net/HttpURLConnection;)Ljava/io/InputStream;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.Engine;->logWithTimeAndKey(Ljava/lang/String; J Lcom/bumptech/glide/load/Key;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->playOnThisJcvd()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.bitmap.BitmapEncoder;->encode(Lcom/bumptech/glide/load/engine/Resource; Ljava/io/OutputStream;)Z==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.orhanobut.logger.AndroidLogAdapter;->d(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.orhanobut.logger.AndroidLogAdapter;->v(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.EngineRunnable;->decodeFromCache()Lcom/bumptech/glide/load/engine/Resource;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->releaseAllVideos()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->put(Landroid/graphics/Bitmap;)Z==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.request.GenericRequest;->logV(Ljava/lang/String;)V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.zxy.recovery.tools.RecoveryLog;->e(Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->trimMemory(I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
butterknife.ButterKnife;->createBinding(Ljava/lang/Object; Landroid/view/View;)Lbutterknife/Unbinder;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->startWindowTiny()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
me.yokeyword.fragmentation.FragmentationDelegate;->supportCommit(Landroid/support/v4/app/FragmentManager; Landroid/support/v4/app/FragmentTransaction;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.Glide;->buildModelLoader(Ljava/lang/Class; Ljava/lang/Class; Landroid/content/Context;)Lcom/bumptech/glide/load/model/ModelLoader;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onClick(Landroid/view/View;)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
me.yokeyword.fragmentation.FragmentationDelegate;->dispatchStartTransaction(Landroid/support/v4/app/FragmentManager; Lme/yokeyword/fragmentation/SupportFragment; Lme/yokeyword/fragmentation/SupportFragment; I I I)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
com.orhanobut.logger.AndroidLogAdapter;->i(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->dumpUnchecked()V==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->getDirty(I I Landroid/graphics/Bitmap$Config;)Landroid/graphics/Bitmap;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
me.yokeyword.fragmentation.FragmentationDelegate;->logFragmentRecords(Ljava/lang/String;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->getDirty(I I Landroid/graphics/Bitmap$Config;)Landroid/graphics/Bitmap;==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.prefill.BitmapPreFillRunner;->allocate()Z==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onTouch(Landroid/view/View; Landroid/view/MotionEvent;)Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.orhanobut.logger.AndroidLogAdapter;->e(Ljava/lang/String; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
butterknife.ButterKnife;->findBindingConstructorForClass(Ljava/lang/Class;)Ljava/lang/reflect/Constructor;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCResizeTextureView;->onMeasure(I I)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.CacheLoader;->load(Lcom/bumptech/glide/load/Key; Lcom/bumptech/glide/load/ResourceDecoder; I I)Lcom/bumptech/glide/load/engine/Resource;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.liuchao.sanji.movieheaven.ui.BaseActivity;->onStop()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->addTextureView()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCMediaManager;->onSurfaceTextureAvailable(Landroid/graphics/SurfaceTexture; I I)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->startWindowFullscreen()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.gifencoder.AnimatedGifEncoder;->getImagePixels()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onInfo(I I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onVideoSizeChanged()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onClick(Landroid/view/View;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->backPress()Z==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.bitmap.ImageHeaderParser;->getExifSegment()[B==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.manager.RequestManagerRetriever;->handleMessage(Landroid/os/Message;)Z==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->prepareMediaPlayer()V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.gifdecoder.GifDecoder;->getNextFrame()Landroid/graphics/Bitmap;==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.gif.GifResourceEncoder;->encode(Lcom/bumptech/glide/load/engine/Resource; Ljava/io/OutputStream;)Z==>android.util.Log;->v(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onStopTrackingTouch(Landroid/widget/SeekBar;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onStartTrackingTouch(Landroid/widget/SeekBar;)V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->trimToSize(I)V==>android.util.Log;->w(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.util.ByteArrayPool;->getBytes()[B==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
me.yokeyword.fragmentation.FragmentationDelegate;->startWithPop(Landroid/support/v4/app/FragmentManager; Lme/yokeyword/fragmentation/SupportFragment; Lme/yokeyword/fragmentation/SupportFragment; Ljava/lang/String;)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onError(I I)V==>android.util.Log;->e(Ljava/lang/String; Ljava/lang/String;)I
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;->onPrepared()V==>android.util.Log;->i(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.resource.bitmap.ImageHeaderParser;->parseExifSegment(Lcom/bumptech/glide/load/resource/bitmap/ImageHeaderParser$RandomAccessReader;)I==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I
com.bumptech.glide.load.engine.bitmap_recycle.LruBitmapPool;->trimToSize(I)V==>android.util.Log;->d(Ljava/lang/String; Ljava/lang/String;)I

Medium

Detected 36 sensitive plaintext strings; it is recommended to remove them.

Location: classes.dex
'file:///' used in: Lcom/davemorrissey/labs/subscaleview/ImageSource;->(Landroid/net/Uri;)V
'file:///' used in: Lcom/davemorrissey/labs/subscaleview/ImageSource;->uri(Ljava/lang/String;)Lcom/davemorrissey/labs/subscaleview/ImageSource;
'file:///' used in: Lcom/davemorrissey/labs/subscaleview/SubsamplingScaleImageView;->getExifOrientation(Landroid/content/Context; Ljava/lang/String;)I
'file:///android_asset/' used in: Lcom/davemorrissey/labs/subscaleview/SubsamplingScaleImageView;->getExifOrientation(Landroid/content/Context; Ljava/lang/String;)I
'file:///android_asset/' used in: Lcom/davemorrissey/labs/subscaleview/decoder/SkiaImageRegionDecoder;->init(Landroid/content/Context; Landroid/net/Uri;)Landroid/graphics/Point;
'file:///android_asset/' used in: Lcom/davemorrissey/labs/subscaleview/decoder/SkiaImageDecoder;->decode(Landroid/content/Context; Landroid/net/Uri;)Landroid/graphics/Bitmap;
'file:///android_asset/' used in: Lcom/davemorrissey/labs/subscaleview/ImageSource;->asset(Ljava/lang/String;)Lcom/davemorrissey/labs/subscaleview/ImageSource;
'file:///android_asset/' used in: Lcom/bumptech/glide/load/model/AssetUriParser;->()V
'http://43.241.224.161' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getLiveServiceClient()Lcom/liuchao/sanji/movieheaven/network/live/ILiveService;
'http://img' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://img' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://localhost/' used in: Lretrofit2/Response;->error(I Lokhttp3/ResponseBody;)Lretrofit2/Response;
'http://localhost/' used in: Lretrofit2/Response;->success(Ljava/lang/Object; Lokhttp3/Headers;)Lretrofit2/Response;
'http://localhost/' used in: Lretrofit2/Response;->success(Ljava/lang/Object;)Lretrofit2/Response;
'http://s.dydytt.net' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getSearchRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieSearchInfoService;
'http://schemas.android.com/apk/res/android' used in: Landroid/support/graphics/drawable/TypedArrayUtils;->hasAttribute(Lorg/xmlpull/v1/XmlPullParser; Ljava/lang/String;)Z
'http://taobao' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://taobao' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dy2018.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dy2018.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dygod.cn' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dygod.cn' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dytt8.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.dytt8.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.xunm.com/' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.xunm.com/' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getInfoRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieSearchInfoService;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getTvRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieTVService;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/ui/movie/BaseDataBind$3;->onSimpleItemLongClick(Lcom/chad/library/adapter/base/BaseQuickAdapter; Landroid/view/View; I)V
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getComicRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieComicService;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getVarietyRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieVarietyService;
'http://www.ygdy8.com' used in: Lcom/liuchao/sanji/movieheaven/network/RequestManager;->getMovieRetrofitClient()Lcom/liuchao/sanji/movieheaven/network/movie/IMovieService;
'http://www.ygdy8.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadNames(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;
'http://www.ygdy8.net' used in: Lcom/liuchao/sanji/movieheaven/utils/InfoHtmlAsListUtil;->getDownloadUrls(Lorg/jsoup/nodes/Document;)Ljava/util/ArrayList;

Low

For a non-debug package, most System.out output code should be removed by the packaging platform's ProGuard script.
The scan found that this package still contains a large amount of System.out output code: 5 occurrences in total. (System output code here means calls to System.out.print*, which should have been removed on the packaging platform.)
Details per bundle:

Location: classes.dex
com.bumptech.glide.disklrucache.DiskLruCache;
fm.jiecao.jcvideoplayer_lib.JCVideoPlayer;
org.jsoup.examples.HtmlToPlainText;
io.reactivex.exceptions.CompositeException$WrappedPrintStream;
org.jsoup.examples.ListLinks;

Low

Detected 1 weak hostname verification vulnerability.

Location: classes.dex
org.jsoup.helper.HttpConnection$Response$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

A custom HostnameVerifier class is defined, but its verify method does not validate the domain name and simply returns true, accepting any hostname. Recommendation:
Strictly validate SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the hostname matches, and whether the certificate has expired.

References:
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

Warning

Detected 4 uses of encryption/decryption algorithms. Improper key handling may lead to information leakage.

Location: classes.dex
okio.ByteString;->hmac(Ljava.lang.String; Lokio.ByteString;)Lokio.ByteString;
okio.HashingSource;->(Lokio.Source; Lokio.ByteString; Ljava.lang.String;)V
okio.Buffer;->hmac(Ljava.lang.String; Lokio.ByteString;)Lokio.ByteString;
okio.HashingSink;->(Lokio.Sink; Lokio.ByteString; Ljava.lang.String;)V

Reference cases:
http://www.wooyun.org/bugs/wooyun-2010-0105766
http://www.wooyun.org/bugs/wooyun-2015-0162907
http://www.wooyun.org/bugs/wooyun-2010-0187287

References:
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html


Risks found by dynamic scan

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
Under development...

Warning

Detected ? XSS (cross-site scripting) vulnerabilities.
Under development...

Application certificate