0 high-risk vulnerabilities
6 medium-risk vulnerabilities
4 low-risk vulnerabilities
7 warnings

File name com.bkjk.apollo.apk
Uploader sf
File size 38.261359214783MB
MD5 df1a0362268cb62ad5df381e84e7617a
Package name com.bkjk.apollo
Main Activity com.apollo.activity.AppLaucherActivity
Min SDK 16
Target SDK 27

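Permission list

# Name Description Level
0 android.permission.CALL_PHONE Allows the application to place phone calls without your intervention. Malicious applications may use this to cause unexpected call charges on your phone bill. Note that this permission does not allow the application to call emergency numbers. Warning
1 android.permission.PROCESS_OUTGOING_CALLS Allows the application to process outgoing calls or change the number to be dialed. Malicious applications may use this to monitor, redirect or even block outgoing calls. Warning
2 android.permission.READ_SMS Allows the application to read SMS messages stored on your phone or SIM card. Malicious applications may use this to read your confidential information. Warning
3 android.permission.SEND_SMS Allows the application to send SMS messages. Malicious applications may send messages without your confirmation and cost you money. Warning
4 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the approximate location of the phone, where available. Malicious applications may use this to determine approximately where you are. Caution
5 android.permission.ACCESS_FINE_LOCATION Accesses fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications may use this to determine where you are, and may consume additional battery power. Caution
6 android.permission.ACCESS_LOCATION_EXTRA_COMMANDS Accesses extra location provider commands. Malicious applications may use this to interfere with the normal operation of GPS or other location sources. Caution
7 android.permission.BLUETOOTH Allows the application to view the configuration of the local Bluetooth phone, and to make and accept connections with paired devices. Caution
8 android.permission.BROADCAST_STICKY Allows the application to send sticky broadcasts, which remain after the broadcast ends. Malicious applications may use this to make the phone use too much memory, reducing its speed or stability. Caution
9 android.permission.CHANGE_WIFI_MULTICAST_STATE Allows the application to receive packets that are not sent directly to your device. This is useful when discovering services offered nearby. It uses more power than non-multicast mode. Caution
10 android.permission.GET_TASKS Allows the application to retrieve information about currently and recently running tasks. Malicious applications may use this to discover private information about other applications. Caution
11 android.permission.READ_CALENDAR Allows the application to read all calendar events stored on your phone. Malicious applications may use this to send your calendar events to other people. Caution
12 android.permission.READ_CONTACTS Allows the application to read all contact (address) data stored on your phone. Malicious applications may use this to send your data to other people. Caution
13 android.permission.READ_OWNER_DATA Allows the application to read the phone owner data stored on your phone. Malicious applications may use this to read phone owner data. Caution
14 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is in progress, the number of the other party, and so on. Caution
15 android.permission.RECEIVE_BOOT_COMPLETED Allows the application to start itself as soon as the system has finished booting. This lengthens the phone's startup time and, if the application keeps running, slows down the phone overall. Caution
16 android.permission.RECEIVE_MMS Allows the application to receive and process MMS messages. Malicious applications may use this to monitor your messages, or delete them without showing them to you. Caution
17 android.permission.RECEIVE_SMS Allows the application to receive and process SMS messages. Malicious applications may use this to monitor your messages, or delete them without showing them to you. Caution
18 android.permission.RECEIVE_WAP_PUSH Allows the application to receive and process WAP messages. Malicious applications may use this to monitor your messages, or delete them without showing them to you. Caution
19 android.permission.RECORD_AUDIO Allows the application to access the audio recording path. Caution
20 android.permission.REORDER_TASKS Allows the application to move tasks to the foreground and background. Malicious applications may use this to force themselves to the foreground without your control. Caution
21 android.permission.SUBSCRIBED_FEEDS_WRITE Allows the application to modify your currently synced feeds. Malicious applications may use this to change your synced feeds. Caution
22 android.permission.SYSTEM_ALERT_WINDOW Allows the application to show system alert windows. Malicious applications may use this to take over the entire phone screen. Caution
23 android.permission.WRITE_CALENDAR Allows the application to add or change events in the calendar, which may send e-mail to invitees. Malicious applications may use this to erase or modify your calendar events, or to send e-mail to invitees. Caution
24 android.permission.WRITE_CONTACTS Allows the application to modify the contact (address) data stored on your phone. Malicious applications may use this to erase or modify your contact data. Caution
25 android.permission.WRITE_OWNER_DATA Allows the application to modify the phone owner data stored on your phone. Malicious applications may use this to erase or modify owner data. Caution
26 android.permission.WRITE_SETTINGS Allows the application to modify system settings data. Malicious applications may use this to corrupt your system configuration. Caution
27 android.permission.WRITE_SMS Allows the application to write to SMS messages stored on your phone or SIM card. Malicious applications may use this to delete your messages. Caution
28 android.permission.WRITE_SYNC_SETTINGS Allows the application to modify sync settings, such as whether sync is enabled for "Contacts". Caution
29 android.permission.WRITE_USER_DICTIONARY Allows the application to write new words into the user dictionary. Caution
30 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Info
31 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Info
32 android.permission.AUTHENTICATE_ACCOUNTS Allows the application to use the account authenticator features of AccountManager, including creating accounts and getting and setting their passwords. Info
33 android.permission.BATTERY_STATS Allows modification of collected battery usage statistics. Normal applications cannot use this permission. Info
34 android.permission.BLUETOOTH_ADMIN Allows the application to configure the local Bluetooth phone, and to discover and pair with remote devices. Info
35 android.permission.CAMERA Allows the application to take pictures with the camera, so the application can collect images entering the camera lens at any time. Info
36 android.permission.CHANGE_CONFIGURATION Allows the application to change the current configuration, such as the language setting or the overall font size. Info
37 android.permission.CHANGE_NETWORK_STATE Allows the application to change the state of network connectivity. Info
38 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points, and to make changes to configured WLAN networks. Info
39 android.permission.CLEAR_APP_CACHE Allows the application to free phone storage by deleting files in the application cache directory. This permission normally applies only to system processes. Info
40 android.permission.DISABLE_KEYGUARD Allows the application to disable the keylock and any associated password security settings. For example, the keylock is disabled when a call is answered on the phone and re-enabled when the call ends. Info
41 android.permission.EXPAND_STATUS_BAR Allows the application to expand or collapse the status bar. Info
42 android.permission.FLASHLIGHT Allows the application to control the flashlight. Info
43 android.permission.GET_ACCOUNTS Allows the application to get the list of accounts known to the phone. Info
44 android.permission.GET_PACKAGE_SIZE Allows the application to retrieve the size of its code, data and cache. Info
45 android.permission.INTERNET Allows the application to access the network. Info
46 android.permission.KILL_BACKGROUND_PROCESSES Allows the application to end the background processes of other applications, whether or not memory is low. Info
47 android.permission.MANAGE_ACCOUNTS Allows the application to perform operations such as adding and removing accounts and deleting their passwords. Info
48 android.permission.MODIFY_AUDIO_SETTINGS Allows the application to modify system-wide audio settings, such as volume and routing. Info
49 android.permission.MOUNT_UNMOUNT_FILESYSTEMS Allows the application to mount and unmount file systems for removable storage. Info
50 android.permission.PERSISTENT_ACTIVITY Allows the application to make parts of itself run persistently, so the system cannot use them for other applications. Info
51 android.permission.READ_LOGS Allows the application to read from the system's various log files. This lets the application discover how you use your phone, but these logs should not contain any personal or confidential information. Info
52 android.permission.READ_SYNC_SETTINGS Allows the application to read sync settings, such as whether sync is enabled for "Contacts". Info
53 android.permission.READ_SYNC_STATS Allows the application to read sync statistics, such as the history of syncs that have occurred. Info
54 android.permission.READ_USER_DICTIONARY Allows the application to read any private words, names and phrases the user has stored in the user dictionary. Info
55 android.permission.RESTART_PACKAGES Allows the application to restart itself or restart other applications. Info
56 android.permission.SET_TIME_ZONE Allows the application to change the phone's time zone. Info
57 android.permission.SET_WALLPAPER Allows the application to set the system wallpaper. Info
58 android.permission.SET_WALLPAPER_HINTS Allows the application to set hints about the wallpaper size. Info
59 android.permission.SUBSCRIBED_FEEDS_READ Allows the application to get details about the currently synced feeds. Info
60 android.permission.USE_CREDENTIALS Allows the application to request authentication tokens. Info
61 android.permission.VIBRATE Allows the application to control the vibrator. Info
62 android.permission.WAKE_LOCK Allows the application to prevent the phone from going to sleep. Info
63 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Info
64 com.android.browser.permission.WRITE_HISTORY_BOOKMARKS Allows the application to write browser history and bookmark records. Info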

The four component types

Component name

com.apollo.activity.AppLaucherActivity
com.facebook.react.devsupport.DevSettingsActivity
com.apollo.activity.AppWebViewActivity
com.apollo.rn.RnReactActivity
com.apollo.activity.AppHomeActivity
com.apollo.activity.AppPreviewPDFActivity
com.webank.mdl_sdk.MDLIndexActivity
com.webank.comm.facelight.ui.FaceVerifyActivity
com.bkjk.apollo_uc.activity.UCSettingActivity
com.bkjk.apollo_uc.activity.UCCertificationInfoActivity
com.bkjk.apollo_uc.activity.UCBankCardListActivity
com.bkjk.apollo_uc.activity.UCResetPwdActivity
com.bkjk.apollo_uc.activity.UCCertificationActivity
com.bkjk.apollo_uc.activity.UCBindBankCardActivity
com.bkjk.apollo_uc.activity.UCCamerActivity
com.bkjk.apollo_uc.activity.UCSetGestureActivity
com.bkjk.apollo_uc.activity.UCModGestureActivity
com.bkjk.apollo_uc.activity.UCFingerPrintActivity
com.bkjk.apollo_uc.activity.UCCertificationStateActivity
com.bkjk.apollo_uc.activity.UCIDCardUploadActivity
com.bkjk.apollo_uc.activity.UCAboutBKJKActivity
com.bkjk.apollo_uc.activity.UCCardCouponsActivity
com.bkjk.apollo_uc.activity.UCLoanRecordActivity
com.bkjk.apollo_uc.activity.UCMemberCenterActivity
com.bkjk.apollo_uc.activity.UCPersonalInfoActivity
com.bkjk.apollo_uc.activity.UCFeedBackActivity
com.bkjk.apollo_uc.activity.UCCollectActivity
com.bkjk.apollo_uc.activity.UCSetPwdActivity
com.bkjk.apollo_uc.activity.UCPersonalInfoActivity
com.bkjk.apollo_uc.activity.UCPersonalBaseInfoEditActivity
com.bkjk.apollo_uc.activity.UCPersonalAssetInfoEditActivity
com.bkjk.apollo_uc.activity.UCCertificationUploadActivity
com.bkjk.apollo_uc.activity.ApolloUCCloseAccountActivity
com.bkjk.apollo_uc.activity.ApolloUCBindBankCardResultActivity
com.bkjk.apollo_uc.activity.ApolloUCCloseAccountConfirmActivity
com.bkjk.apollo_uc.debug.UcCashierDebugActivity
com.bkjk.apollo_uc.debug.UcDebugTestActivity
com.bkjk.apollo_uc.debug.UcRefundDebugActivity
com.bkjk.apollo_uc.debug.UcNetRecordActivity
com.bkjk.apollo_login.activity.BKJFIdentifyCodeLoginActivity
com.bkjk.apollo_login.activity.BKJFRegistActivity
com.bkjk.apollo_login.activity.BKJFLoginActivity
com.bkjk.apollo_login.activity.BKJFForgotPwdActivity
com.bkjk.apollo_home.activity.HomeChangeCityActivity
com.bkjk.apollo_home.activity.HomeCityListActivity
com.bkjk.apollo_home.activity.ApolloHomeNetSignActivity
com.bkjk.apollo_home.activity.ApolloHomeNetSignResultActivity
com.bkjf.infra.bzocr.ocr.ui.OCRGetIdCardActivity
com.bkjf.infra.bzocr.living.ui.LivingStartActivity
com.bkjf.infra.bzocr.living.ui.LivingResultActivity
com.bkjf.infra.bzocr.living.ui.LivingWebActivity
com.bkjf.infra.wallet.BKJFWalletActivity
com.sina.weibo.sdk.component.WeiboSdkBrowser
com.bkjk.core.service_component.mvp.view.AndroidOPermissionActivity
com.bkjf.infra.splash.BKJFSplashActivity
com.bkjf.infra.guide.BKJFGuideActivity
com.bkjf.infra.libqr.activity.BKJFQRCaptureActivity
com.bkjf.walletsdk.activity.WalletHomeActivity
com.bkjf.walletsdk.activity.WalletBalanceActivity
com.bkjf.walletsdk.activity.WalletLoadingActivity
cn.com.ehomepay.sdk.cashier.activity.BKPayMoneyActivity
cn.com.ehomepay.sdk.cashier.activity.BKCashierActivity
cn.com.ehomepay.sdk.cashier.activity.BKSelectPayMethodActivity
cn.com.ehomepay.sdk.cashier.activity.BKMessagePayActivity
cn.com.ehomepay.sdk.cashier.activity.WXPayEntryActivity
com.bkjf.walletsdk.common.base.BKJFWalletWebViewActivity
com.megvii.meglive_sdk.activity.FmpActivity
com.megvii.meglive_sdk.activity.ActionLivenessActivity
com.bkjf.mf.android.ocr.ui.IDCardScanActivity
com.bkjf.mf.android.ocr.ui.BankCardScanActivity
com.bkjf.mf.android.ocr.ui.IdCardDetectActivity
com.bkjf.mf.android.ocr.ui.BankcardDetectActivity
com.sina.weibo.sdk.web.WeiboSdkWebActivity
com.sina.weibo.sdk.share.WbShareTransActivity
com.sina.weibo.sdk.share.WbShareToStoryActivity

com.amap.api.location.APSService

android.support.v4.content.FileProvider

Third-party libraries

# Library Description
0 com.umeng.analytics The Umeng analytics platform is the largest mobile application analytics platform in China.
1 rx.android RxJava bindings for Android
2 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
3 android.support.multidex DEPRECATED
4 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
5 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
6 okhttp3 An HTTP+SPDY client for Android and Java applications.
7 com.facebook.cache.common An image management library by FaceBook.
8 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
9 com.j256.ormlite ORMLite Android functionality used in conjunction with ormlite-core.
10 butterknife View "injection" library for Android.
11 android.support.transition A backport of the new Transitions API for Android.
12 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
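13 com.amap.api The AMap LBS open platform makes AMap's most professional positioning, map, search and navigation capabilities available to developers free of charge in the form of APIs and SDKs.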
14 com.facebook.imagepipeline An image management library by FaceBook.
15 com.facebook.imagepipeline An image management library by FaceBook.
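16 com.tencent.bugly Tencent Bugly provides mobile developers with the most professional crash monitoring, crash analysis and other quality-tracking services, fixing every crash your users hit!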
17 rx.android RxJava bindings for Android
18 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
19 com.umeng.analytics.game Umeng game analytics provides mobile game developers with an out-of-the-box, one-stop solution.
20 me.henrytao.smoothappbarlayout Smooth version of Google Support Design AppBarLayout
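21 com.tencent.tauth The Tencent QQ Connect platform maintains a list of SDKs for developers, helping them quickly integrate QQ login, sharing and other features. QQ Connect is an open platform run by Tencent: through it, site owners and developers can apply to integrate QQ login, users can sign in to integrated sites with their QQ accounts, sites can add share and like components to share their content to Qzone and Pengyou, and, with API authorization, site owners can also sync user actions to Qzone and Pengyou.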
22 rx RxJava – Reactive Extensions for the JVM – a library for composing asynchronous and event-based programs using observable sequences for the Java VM.
23 com.umeng.analytics The Umeng analytics platform is the largest mobile application analytics platform in China.
24 okhttp3 An HTTP+SPDY client for Android and Java applications.
25 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
26 com.j256.ormlite ORMLite Android functionality used in conjunction with ormlite-core.
27 com.google.zxing Official ZXing ("Zebra Crossing") project home
28 com.koushikdutta.async Asynchronous socket, http (client+server), websocket, and socket.io library for android. Based on nio, not threads.
29 com.nineoldandroids Android library for using the Honeycomb animation API on all versions of the platform back to 1.0!
30 com.tencent.connect Tencent Open Platform
31 org.apache.http The Apache HttpComponents™ project is responsible for creating and maintaining a toolset of low level Java components focused on HTTP and associated protocols.
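32 com.sina.weibo The Weibo Open Platform builds on Sina Weibo's massive user base and strong reach, integrating the services of third-party partners to offer users a rich set of applications and complete services. Connecting your service to the Weibo platform helps promote your product, increase site/application traffic, reach new users and earn revenue.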
33 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.

Risk points found by static scanning

Risk level Risk name

Medium risk

3 weak certificate validation vulnerabilities detected.

Location: classes.dex
com.bkjf.infra.basicnetwork.utils.SSLUtils$1;

Location: classes2.dex
com.bkjk.core.service_component.utils.OtherUtils$1;
com.bkjk.core.service_component.net.SslContextFactory$TrustAllCerts;

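When a mobile app client communicates over HTTPS or SSL/TLS without verifying that the certificate is trustworthy, it is exposed to man-in-the-middle attacks. These can lead to information disclosure, tampering with data in transit, and even replacement of the original content with malicious links or malicious code through man-in-the-middle hijacking, for purposes such as remote control. Recommendation:
Validate SSL certificates strictly, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases:
www.wooyun.org/bugs/wooyun-2014-079358

References: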
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium risk

4 sensitive Test or Debug components that have not been removed detected.

com.bkjk.apollo_uc.debug.UcCashierDebugActivity
com.bkjk.apollo_uc.debug.UcDebugTestActivity
com.bkjk.apollo_uc.debug.UcRefundDebugActivity
com.bkjk.apollo_uc.debug.UcNetRecordActivity

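Recommendation:
Remove sensitive Test or Debug components before the app is officially released.

Medium risk

1 man-in-the-middle vulnerability detected.

Location: classes2.dex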
com.bkjk.core.service_component.utils.OtherUtils;->trustAllHttpsURLConnection()V

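The setHostnameVerifier method is set to ALLOW_ALL_HOSTNAME_VERIFIER, which accepts any host name outright and may result in a man-in-the-middle vulnerability. Recommendation:
Validate SSL certificates strictly, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases: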
http://www.wooyun.org/bugs/wooyun-2010-042710
http://www.wooyun.org/bugs/wooyun-2010-052339
http://www.wooyun.org/bugs/wooyun-2016-0190773

References:
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium risk

10 WebView remote code execution vulnerabilities detected.

Location: classes.dex
com.apollo.jsbridge.view.ProgressBarWebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.apollo.activity.AppWebViewActivity;->O00000oo()V

Location: classes2.dex
com.bkjf.infra.web.BKJFWebDoc;->(Lcom.bkjf.infra.web.BKJFWebDoc$BKJFWebBuilder;)V
com.bkjf.walletsdk.common.widget.BKJFWalletWebView;->addJavascriptInterface(Ljava.lang.Object; Ljava.lang.String;)V
com.bkjf.walletsdk.common.base.BKJFWalletWebViewActivity;->initWebView()V

Location: classes3.dex
com.facebook.react.views.webview.ReactWebViewManager$ReactWebView;->setMessagingEnabled(Z)V
com.growingio.android.sdk.collection.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.growingio.android.sdk.collection.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.growingio.android.sdk.circle.HybridEventEditDialog;->prepareWebView(Landroid.content.Context;)V

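Android versions below API 17 have a remote code execution vulnerability. It arises because the program does not properly restrict use of the addJavascriptInterface method: an attacker can use Java reflection to exploit it and invoke methods of arbitrary Java objects, resulting in remote code execution.
(1) Android systems at API 17 or higher. For security reasons, to prevent Java-layer functions from being called arbitrarily, Google has required since version 4.2 that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems at API 17 or higher. It is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risks; if the interface must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the default built-in interfaces inside the Android system: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases: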
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium risk

187 sensitive plaintext strings detected; removal is recommended.

'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/GifTextView;->O000000o(Landroid/util/AttributeSet; I I)V
'https://203.107.1.1/144428/d?host=' used in: Lcom/growingio/android/sdk/utils/DNSService$HttpDNSTask;->query()Lcom/growingio/android/sdk/utils/DNSService$HostInformation;
'https://api.megvii.com/faceid/v3/sdk/get_liveness_config' used in: Lcom/megvii/meglive_sdk/g/O000OOo;->O00000Oo()Ljava/lang/String;
'https://api.megvii.com/faceid/v3/sdk/internal/grant_access' used in: Lcom/megvii/meglive_sdk/g/O000OOo;->O000000o()Ljava/lang/String;
'https://api.megvii.com/security/v1/collection' used in: Lcom/megvii/apo/util/O0000Oo;->O000000o(Ljava/io/File;)V
'https://api.weibo.cn/2/sdk/login' used in: Lcom/sina/weibo/sdk/network/intercept/GuestParamInterception;->needIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://api.weibo.cn/2/sdk/login' used in: Lcom/sina/weibo/sdk/network/intercept/CommonParamInterception;->doIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://api.weibo.com/oauth2/access_token' used in: Lcom/sina/weibo/sdk/auth/AccessTokenKeeper;->refreshToken(Ljava/lang/String; Landroid/content/Context; Lcom/sina/weibo/sdk/net/RequestListener;)V
'https://api.youtu.qq.com/auth/report' used in: Lcom/tencent/youtulivecheck/YoutuLiveCheck;->report(Ljava/lang/String;)V
'https://api.youtu.qq.com/auth/report' used in: Lcom/tencent/youtulivecheck/YoutuLiveCheck$2;->run()V
'https://api.youtu.qq.com/auth/report' used in: Lcom/tencent/youtulivecheck/YoutuLiveCheck$4;->run()V
'https://appsupport.qq.com/cgi-bin/appstage/mstats_batch_report' used in: Lcom/tencent/open/b/O0000OOo$5;->run()V
'https://cmnsguider.yunos.com:443/genDeviceToken' used in: Lcom/umeng/commonsdk/statistics/idtracking/s;->b(Ljava/lang/String;)Ljava/lang/String;
'https://huatuocode.huatuo.qq.com' used in: Lcom/tencent/open/b/O00000o0;->O000000o(I Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String; Ljava/lang/Long; I I Ljava/lang/String;)V
'https://open.weibo.cn/oauth2/authorize?' used in: Lcom/sina/weibo/sdk/auth/BaseSsoHandler;->startWebAuth()V
'https://openmobile.qq.com/' used in: Lcom/tencent/open/utils/HttpUtils;->O000000o(L0o0/jq; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://ouplog.umeng.com' used in: Lcom/umeng/commonsdk/stateless/a;->()V
'https://personal.webank.com/s/hsfs/mdl-web' used in: Lcom/webank/mdl_sdk/constants/MDLServerConfig;->getH5BaseUrl()Ljava/lang/String;
'https://ug.edm.weibo.cn/api/gettoken' used in: Lcom/sina/weibo/sdk/network/intercept/RequestTokenInterception;->doIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://ug.edm.weibo.cn/api/gettoken' used in: Lcom/sina/weibo/sdk/network/intercept/RequestTokenInterception;->needIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://ug.edm.weibo.cn/api/refreshtoken' used in: Lcom/sina/weibo/sdk/network/intercept/RequestTokenInterception;->doIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://ug.edm.weibo.cn/api/refreshtoken' used in: Lcom/sina/weibo/sdk/network/intercept/RequestTokenInterception;->needIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z
'https://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/b/O0000OOo$4;->run()V
'https://www.webank.com' used in: Lcom/webank/mdl_sdk/constants/MDLServerConfig;->getCookieDomain()Ljava/lang/String;
'javascript:(function () {var event;var data = ' used in: Lcom/facebook/react/views/webview/ReactWebViewManager;->receiveCommand(Landroid/webkit/WebView; I Lcom/facebook/react/bridge/ReadableArray;)V
'javascript:(function() {\n' used in: Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebView;->callInjectedJavaScript()V
"javascript:(function() {var parent = document.getElementsByTagName('head').item(0);var script = document.createElement('script');script.type = 'text/javascript';script.charset= 'utf-8';script.innerHTML = window.atob('" used in: Lcom/growingio/android/sdk/collection/VdsJsHelper;->injectScriptFile(Landroid/content/Context; Ljava/lang/String;)Ljava/lang/String;
'javascript:(function(){try{%s}catch(e){}})()' used in: Lcom/growingio/android/sdk/collection/VdsJsHelper;->getInitPatternServer()Ljava/lang/String;
'javascript:(function(){try{%s}catch(e){}})()' used in: Lcom/growingio/android/sdk/collection/VdsJsHelper;->getVdsHybridConfig()Ljava/lang/String;
"javascript:(function(){try{var p=document.createElement('script');p.src='%s';document.head.appendChild(p);}catch(e){}})()" used in: Lcom/growingio/android/sdk/collection/VdsJsHelper;->getCirclePluginSrc(Landroid/content/Context;)Ljava/lang/String;
"javascript:(function(){try{var p=document.createElement('script');p.src='%s';document.head.appendChild(p);}catch(e){}})()" used in: Lcom/growingio/android/sdk/collection/VdsJsHelper;->getVdsHybridSrc(Landroid/content/Context;)Ljava/lang/String;
'javascript:(window.originalPostMessage = window.postMessage,window.postMessage = function(data) {__REACT_WEB_VIEW_BRIDGE.postMessage(String(data));})' used in: Lcom/facebook/react/views/webview/ReactWebViewManager$ReactWebView;->linkBridge()V
'javascript:WebViewJavascriptBridge.' used in: Lcom/webank/mdl_sdk/jsbridge/O00000Oo;->O000000o(Ljava/lang/String;)Ljava/lang/String;
'javascript:WebViewJavascriptBridge._fetchQueue();' used in: Lcom/webank/mdl_sdk/jsbridge/BridgeWebView;->O00000Oo()V
"javascript:WebViewJavascriptBridge._handleMessageFromNative('%s');" used in: Lcom/webank/mdl_sdk/jsbridge/BridgeWebView;->O000000o(Lcom/webank/mdl_sdk/jsbridge/O0000OOo;)V
'javascript:hideBody();' used in: Lcom/growingio/android/sdk/circle/HybridEventEditDialog;->detachWebView()V
'liwei31@staff.weibo.com' used in: Lcom/sina/weibo/sdk/network/intercept/RequestTokenInterception;->doIntercept(Lcom/sina/weibo/sdk/network/IRequestParam; Landroid/os/Bundle;)Z

Medium risk

Detected 16 instances of the setSavePassword plaintext password storage vulnerability.

Location: classes.dex
com.apollo.jsbridge.view.ProgressBarWebView;

Location: classes2.dex
com.bkjf.infra.web.bridge.BridgeWebView;
com.bkjf.infra.web.BKJFWebDoc;
com.bkjf.infra.wallet.jsbridge.view.ProgressBarWebView;
com.bkjk.core.service_component.ui.fragment.WebViewFragment;
com.bkjf.walletsdk.common.widget.BKJFWalletWebView;
com.bkjk.core.service_component.ui.fragment.WebViewFragment$1;
com.bkjf.infra.wallet.jsbridge.bridge.BridgeWebView;

Location: classes3.dex
com.facebook.react.views.webview.ReactWebViewManager$ReactWebView;
com.growingio.android.sdk.collection.VdsJsHelper;
com.webank.mdl_sdk.jsbridge.BridgeWebView;
com.facebook.react.views.webview.ReactWebViewManager;
com.growingio.android.sdk.circle.HybridEventEditDialog;
com.webank.mdl_sdk.MDLIndexActivity;
com.tencent.bugly.webank.crashreport.CrashReport;
com.growingio.android.sdk.collection.DeviceUUIDFactory;

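WebView's save-password feature defaults to true. WebView stores website passwords in plaintext in the local private file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain the user's password.
Recommendation: explicitly set webView.getSettings().setSavePassword(false).

Reference cases:
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References: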
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low risk

Detected 16 WebView hidden system interfaces that have not been removed.

Location: classes2.dex
com.bkjf.infra.web.bridge.DefaultBridgeWebSettings;->setDefaultWebSettings(Landroid.webkit.WebView;)Landroid.webkit.WebSettings;

Location: classes3.dex
com.facebook.react.views.webview.ReactWebViewManager;->setDomStorageEnabled(Landroid.webkit.WebView; Z)V
com.facebook.react.views.webview.ReactWebViewManager;->setScalesPageToFit(Landroid.webkit.WebView; Z)V
com.facebook.react.views.webview.ReactWebViewManager;->setJavaScriptEnabled(Landroid.webkit.WebView; Z)V
com.growingio.android.sdk.collection.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.sina.weibo.sdk.web.WeiboSdkWebActivity;->O00000o0()Landroid.view.View;
com.sina.weibo.sdk.web.WeiboSdkWebActivity;->O00000o()V
com.facebook.react.views.webview.ReactWebViewManager;->setMediaPlaybackRequiresUserAction(Landroid.webkit.WebView; Z)V
com.facebook.react.views.webview.ReactWebViewManager;->setUserAgent(Landroid.webkit.WebView; Ljava.lang.String;)V
com.growingio.android.sdk.collection.DeviceUUIDFactory;->initUserAgent(Landroid.content.Context;)V
com.facebook.react.views.webview.ReactWebViewManager;->setSaveFormDataDisabled(Landroid.webkit.WebView; Z)V
com.facebook.react.views.webview.ReactWebViewManager;->setMixedContentMode(Landroid.webkit.WebView; Ljava.lang.String;)V
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.facebook.react.views.webview.ReactWebViewManager;->setSource(Landroid.webkit.WebView; Lcom.facebook.react.bridge.ReadableMap;)V
com.facebook.react.views.webview.ReactWebViewManager;->setAllowUniversalAccessFromFileURLs(Landroid.webkit.WebView; Z)V
com.growingio.android.sdk.circle.HybridEventEditDialog;->prepareWebView(Landroid.content.Context;)V

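The Android WebView component contains 3 hidden system interfaces: searchBoxJavaBridge_, accessibilityTraversal, and accessibility. Malicious programs can use them to achieve remote code execution.
If WebView is used, call the WebView.removeJavascriptInterface(String name) API to explicitly remove the three interfaces searchBoxJavaBridge_, accessibility, and accessibilityTraversal.

References: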
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

Low risk

Detected 4 uses of the weak DES encryption algorithm.

Location: classes2.dex
'DES/CBC/PKCS5Padding' used in: Lcom/bkjk/core/service_component/utils/EncrytUtils;->decode(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'DES/CBC/PKCS5Padding' used in: Lcom/bkjk/core/service_component/utils/EncrytUtils;->encode(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;

Location: classes3.dex
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/webank/proguard/af;->a([B)[B
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/webank/proguard/af;->b([B)[B

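Using a weak encryption algorithm greatly increases the probability of attack: an attacker may crack private data, guess keys, or mount man-in-the-middle attacks, leaking private information and even causing financial loss. Recommendation: use the AES encryption algorithm.

References: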
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Low risk

Detected 8 AES/DES weak encryption risks.

Location: classes.dex
Lcom/bkjf/infra/basicnetwork/encrypt/DESedeUtils;->decrypt(Ljava/lang/String; [B)Ljava/lang/String;
0o0.O0000o;->O000000o([B [B)[B
Lcom/bkjk/core/service_component/utils/AESCryptor;->encrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
Lcom/bkjk/core/service_component/utils/AESCryptor;->decrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
L0o0/Oo00;->O000000o([B [B)[B
L0o0/Oo00;->O00000Oo([B [B)[B
Lcom/bkjf/infra/basicnetwork/encrypt/DESedeUtils;->encrypt(Ljava/lang/String; [B)Ljava/lang/String;

Location: classes3.dex
Lcom/growingio/android/sdk/utils/EncryptionUtil;->ecbDecrypt(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;

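When the AES/DES/DESede encryption algorithms are used in ECB mode, they are vulnerable to attack, which can lead to information disclosure. Recommendation: when using AES/DES/DESede, explicitly specify the CBC or CFB encryption mode.

References: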
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Low risk

Detected 2 weak hostname verification vulnerabilities.

Location: classes.dex
com.bkjf.infra.basicnetwork.utils.SSLUtils$2;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

Location: classes2.dex
com.bkjk.core.service_component.net.SslContextFactory$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

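A custom HostnameVerifier class is defined, but its verify method does not validate the hostname and simply returns true, accepting any hostname. Recommendation:
Perform strict validation of SSL certificates, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the hostname matches, and whether the certificate has expired.

References: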
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

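Warning

Detected 5 exported components that receive messages from other apps. These components can be invoked by other apps, leading to DoS attacks.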

activity com.bkjf.infra.libqr.activity.BKJFQRCaptureActivity
activity cn.com.ehomepay.sdk.cashier.activity.WXPayEntryActivity
activity com.sina.weibo.sdk.share.WbShareTransActivity
activity com.sina.weibo.sdk.share.WbShareToStoryActivity
activity-alias com.bkjk.apollo.wxapi.WXPayEntryActivity

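Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on the provider, and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed in and returned between components, especially across apps, and add exception handling to prevent malicious debug data from being passed in and, more importantly, to prevent sensitive data from being returned.

Reference cases: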
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

Detected 3 components with the android.intent.category.BROWSABLE attribute set.
com.apollo.activity.AppLaucherActivity
com.bkjf.walletsdk.activity.WalletBalanceActivity
cn.com.ehomepay.sdk.cashier.activity.BKCashierActivity


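Components that define the android.intent.category.BROWSABLE attribute in the AndroidManifest file can be launched from a browser, which can lead to remote command execution attacks. Recommendations:
(1) Any place in the app that receives external input is a potential attack point; filter and check parameters coming from web pages.
(2) Do not transmit sensitive information via web pages. To steer already logged-in users to the app, some websites use scripts to dynamically generate URL Scheme parameters that include sensitive information such as the username, password, or login-state token, so that the user is logged in directly when the app opens. A malicious app can also register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but an inattentive user may open it with the malicious app, leading to sensitive information disclosure or other risks.

Reference cases: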
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 14 potential XSS vulnerabilities.

Location: classes.dex
0o0.kl;->O00000Oo()V
com.apollo.activity.AppWebViewActivity;->O00000oo()V

Location: classes2.dex
com.bkjf.infra.web.bridge.DefaultBridgeWebSettings;->setDefaultWebSettings(Landroid.webkit.WebView;)Landroid.webkit.WebSettings;
com.bkjf.infra.wallet.jsbridge.bridge.BridgeWebView;->init()V
com.bkjf.infra.web.bridge.BridgeWebView;->init()V
com.bkjk.core.service_component.ui.fragment.WebViewFragment;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;
com.bkjf.walletsdk.common.base.BKJFWalletWebViewActivity;->initWebView()V
com.bkjf.infra.wallet.BKJFWalletActivity;->initWebViewSetting()V

Location: classes3.dex
com.growingio.android.sdk.collection.VdsJsHelper;->wrapWebChromeClient(Landroid.view.View;)V
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.webank.mdl_sdk.jsbridge.BridgeWebView;->O00000o0()V
com.growingio.android.sdk.circle.HybridEventEditDialog;->prepareWebView(Landroid.content.Context;)V
com.sina.weibo.sdk.web.WeiboSdkWebActivity;->O00000o()V
com.webank.mdl_sdk.MDLIndexActivity;->O00000o()V

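Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Recommendation: avoid it where possible.
(1) Android systems with API level 17 or higher. For security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires after version 4.2 that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher. Avoid the addJavascriptInterface interface so as not to introduce unnecessary security risks; if it must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the default built-in Android system interfaces: searchBoxJavaBridge_, accessibility, and accessibilityTraversal.

Reference cases: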
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 26 uses of IvParameterSpec.

Location: classes.dex
com.amap.api.col.sln3.bu;->O000000o(Landroid.content.Context; Lcom.amap.api.col.sln3.cg; Ljava.lang.String; Ljava.util.Map; Z)Lcom.amap.api.col.sln3.bu$O000000o;
com.amap.api.col.sln3.cb;->O000000o([B [B [B)[B
com.amap.api.col.sln3.cb;->O00000o0([B [B [B)[B
com.amap.api.col.sln3.gj;->()V
com.amap.api.col.sln3.gj;->O000000o([B)[B
com.amap.api.col.sln3.gj;->O00000o([B Ljava.lang.String;)[B
com.amap.api.col.sln3.gj;->O00000o0([B Ljava.lang.String;)[B
com.amap.api.col.sln3.hx;->()V
com.amap.api.col.sln3.hx;->O000000o([B)[B
com.amap.api.col.sln3.o0O0000O;->O000000o([B [B [B)Ljava.lang.String;
com.bkjf.infra.basicnetwork.encrypt.AESUtils;->decryptDataIv(Ljava.lang.String; Ljava.lang.String; [B)[B
com.bkjf.infra.basicnetwork.encrypt.AESUtils;->encryptDataIv(Ljava.lang.String; Ljava.lang.String; [B)Ljava.lang.String;
com.bkjf.infra.basicnetwork.encrypt.DESUtils;->decryptData(Ljava.lang.String; [B)Ljava.lang.String;
com.bkjf.infra.basicnetwork.encrypt.DESUtils;->encryptData(Ljava.lang.String; [B)Ljava.lang.String;

Location: classes2.dex
com.bkjk.core.service_component.utils.CryptAESNew;->()V
com.bkjk.core.service_component.utils.EncrytUtils;->decode(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.bkjk.core.service_component.utils.EncrytUtils;->encode(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;

Location: classes3.dex
com.megvii.apo.util.O000000o;->O00000Oo([B)V
com.tencent.bugly.webank.proguard.a;->a(I [B [B)[B
com.umeng.commonsdk.stateless.f;->a([B [B)[B
com.umeng.commonsdk.statistics.common.DataHelper;->decrypt([B [B)[B
com.umeng.commonsdk.statistics.common.DataHelper;->encrypt([B [B)[B
com.tencent.bugly.webank.proguard.ae;->a([B)[B
com.tencent.bugly.webank.proguard.ae;->b([B)[B
com.tencent.bugly.webank.proguard.af;->a([B)[B
com.tencent.bugly.webank.proguard.af;->b([B)[B

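When IvParameterSpec is used with a fixed initialization vector, the ciphertext becomes much more predictable and is vulnerable to dictionary attacks and similar. Recommendation: do not construct IvParameterSpec from a constant initialization vector; use the security component provided by 聚安全 (Jaq).

References: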
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Warning

Detected 1 call to an insecure method: SSLCertificateSocketFactory#getInsecure.

Location: classes3.dex
Lcom.tencent.open.utils.O0000Oo;->


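The SSLCertificateSocketFactory#getInsecure method cannot perform SSL verification checks, exposing network communication to man-in-the-middle attacks. Recommendation:
Remove the SSLCertificateSocketFactory#getInsecure method.

References: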
https://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html
http://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html#getInsecure(int, android.net.SSLSessionCache)

Warning

Detected 1 provider with grantUriPermissions set to true.
android.support.v4.content.FileProvider


If grant-uri-permission is set to true, other programs can access the content provider's content through URIs, which can easily lead to information disclosure.

References:
https://security.tencent.com/index.php/blog/msg/6

Warning

Detected 1 instance of socket communication.

Location: classes.dex
Lcom.amap.api.col.sln3.O00O0o$O00000o0;->run

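Android apps commonly use sockets of different domains, such as PF_UNIX, PF_INET, and PF_NETLINK, for local IPC or remote network communication. These exposed sockets represent potential local or remote attack surface, and historically there have been many cases of sockets being used for denial of service, root privilege escalation, or remote command execution. PF_INET network sockets in particular can communicate with the Android app over the network. They were originally intended for exposing network services in a Linux environment; because they lack fine-grained security checks on the identity of the network caller or on the id and permissions of the local caller, a flawed implementation can break out of Android's sandbox restrictions and execute commands with the privileges of the attacked app, which usually results in fairly serious vulnerabilities.

Reference cases: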
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

References:
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973


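Risks found by dynamic scan

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? cross-site scripting (XSS) vulnerabilities.
In development...

Application certificate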