0 high-risk vulnerabilities

5 medium-risk vulnerabilities

6 low-risk vulnerabilities

11 warnings

File name FA84897612D51C91DF1924734E1E48C8.apk?mkey=5d7d83977b713e2f&f=8935&fsname=com.smile.gifmaker_6.8.0.10654_10654.apk&csr=1bbd&cip=123.113.24.218&proto=https
Uploader hi
File size 79.968996047974MB
MD5 fa84897612d51c91df1924734e1e48c8
Package name com.smile.gifmaker
Main Activity com.yxcorp.gifshow.HomeActivity
Min SDK 16
Target SDK 26

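Permission list

# Name Description Alert
0 android.permission.CALL_PHONE Allows the application to place phone calls without your intervention. A malicious application can use this to cause unexpected call charges on your phone bill. Note that this permission does not allow the application to call emergency numbers. Warning
1 android.permission.ACCESS_COARSE_LOCATION Accesses coarse location sources (such as the cellular network database) to determine the phone's approximate location, where available. A malicious application can use this to determine your approximate location. Caution
2 android.permission.ACCESS_FINE_LOCATION Accesses precise location sources, such as the phone's Global Positioning System (where available). A malicious application may use this to determine where you are, and may consume additional battery power. Caution
3 android.permission.BLUETOOTH Allows the application to view the configuration of the local Bluetooth phone, and to make or accept connections with paired devices. Caution
4 android.permission.GET_TASKS Allows the application to retrieve information about currently and recently running tasks. A malicious application can use this to discover private information about other applications. Caution
5 android.permission.READ_CALENDAR Allows the application to read all calendar events stored on your phone. A malicious application can use this to send your calendar events to other people. Caution
6 android.permission.READ_CONTACTS Allows the application to read all contact (address) data stored on your phone. A malicious application can use this to send your data to other people. Caution
7 android.permission.READ_PHONE_STATE Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to, and so on. Caution
8 android.permission.RECEIVE_BOOT_COMPLETED Allows the application to start itself as soon as the system has finished booting. This can lengthen the phone's startup time, and if the application keeps running it can slow down the phone overall. Caution
9 android.permission.RECORD_AUDIO Allows the application to access the audio recording path. Caution
10 android.permission.REORDER_TASKS Allows the application to move tasks to the foreground and background. A malicious application can use this to force itself to the front without your control. Caution
11 android.permission.SYSTEM_ALERT_WINDOW Allows the application to show system alert windows. A malicious application can use this to take over the entire phone screen. Caution
12 android.permission.WRITE_CALENDAR Allows the application to add or change events in the calendar, which may send e-mail to invitees. A malicious application may use this to erase or modify your calendar events, or to send e-mail to invitees. Caution
13 android.permission.WRITE_SYNC_SETTINGS Allows the application to modify sync settings, such as whether sync is enabled for "Contacts". Caution
14 android.permission.ACCESS_NETWORK_STATE Allows the application to view the state of all networks. Info
15 android.permission.ACCESS_WIFI_STATE Allows the application to view information about the state of WLAN. Info
16 android.permission.AUTHENTICATE_ACCOUNTS Allows the application to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords. Info
17 android.permission.BLUETOOTH_ADMIN Allows the application to configure the local Bluetooth phone, and to discover and pair with remote devices. Info
18 android.permission.CAMERA Allows the application to take pictures with the camera, so the application can at any time collect images that the camera is seeing. Info
19 android.permission.CHANGE_NETWORK_STATE Allows the application to change the state of network connectivity. Info
20 android.permission.CHANGE_WIFI_STATE Allows the application to connect to and disconnect from WLAN access points, and to make changes to configured WLAN networks. Info
21 android.permission.EXPAND_STATUS_BAR Allows the application to expand or collapse the status bar. Info
22 android.permission.FLASHLIGHT Allows the application to control the flashlight. Info
23 android.permission.GET_ACCOUNTS Allows the application to get the list of accounts known by the phone. Info
24 android.permission.GET_PACKAGE_SIZE Allows the application to retrieve its code, data, and cache sizes. Info
25 android.permission.INTERNET Allows the program to access the network. Info
26 android.permission.KILL_BACKGROUND_PROCESSES Allows the application to end background processes of other applications, whether or not memory is low. Info
27 android.permission.MODIFY_AUDIO_SETTINGS Allows the application to modify global audio settings, such as volume and routing. Info
28 android.permission.RESTART_PACKAGES Allows the program to restart itself or other programs. Info
29 android.permission.USE_CREDENTIALS Allows the application to request authentication tokens. Info
30 android.permission.VIBRATE Allows the application to control the vibrator. Info
31 android.permission.WAKE_LOCK Allows the application to prevent the phone from going to sleep. Info
32 android.permission.WRITE_EXTERNAL_STORAGE Allows the application to write to the SD card. Info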

The four components

Component name

com.yxcorp.gifshow.HomeActivity
com.kuaishou.gifshow.kuaishan.ui.edit.KuaiShanEditActivity
com.kuaishou.gifshow.kuaishan.ui.select.KSSelectActivity
com.yxcorp.gifshow.record.album.MediaSelectorActivity
com.yxcorp.gifshow.camera.record.album.PhotoPickActivity
com.yxcorp.gifshow.camera.record.album.AlbumActivity
com.yxcorp.gifshow.camera.record.album.preview.MediaPreviewActivity
com.yxcorp.plugin.qrcode.QRCodeScanActivity
com.yxcorp.plugin.qrcode.MyQRCodeActivity
com.yxcorp.plugin.qrcode.QRCodeLoginActivity
com.yxcorp.plugin.qrcode.AuthorizationActivity
com.yxcorp.gifshow.camera.ktv.tune.list.category.detail.KtvCategoryDetailActivity
com.yxcorp.gifshow.camera.ktv.record.KtvRecordActivity
com.yxcorp.gifshow.camera.ktv.record.KtvSchemeDispatchActivity
com.yxcorp.gifshow.camera.ktv.tune.KtvTuneActivity
com.yxcorp.gifshow.camera.ktv.record.clip.KtvClipActivity
com.yxcorp.gifshow.camera.ktv.tune.detail.MelodyDetailActivity
com.kuaishou.post.story.activity.PostStoryActivity
com.kuaishou.post.story.activity.StoryAlbumActivity
com.kuaishou.post.story.activity.StoryEditActivity
com.kuaishou.gifshow.smartalbum.ui.select.SASelectActivity
com.kuaishou.gifshow.smartalbum.ui.grid.SmartAlbumGridListActivity
com.kuaishou.gifshow.smartalbum.ui.SmartAlbumLoadingActivity
com.yxcorp.gifshow.record.album.ReviewActivity
com.yxcorp.gifshow.record.album.LocalAlbumActivity
com.yxcorp.gifshow.ad.webview.FansTopWebViewActivity
com.yxcorp.gifshow.ad.activity.CommercialLocationActivity
com.yxcorp.gifshow.ad.activity.CommercialLocationPreviewActivity
com.yxcorp.gifshow.ad.webview.PhotoAdvertisementWebActivity
com.yxcorp.gifshow.ad.profile.activity.BusinessAtPhotoManagerActivity
com.yxcorp.gifshow.ad.poi.activity.BusinessPoiActivity
com.yxcorp.gifshow.ad.webview.CommercialWebActivity
com.yxcorp.gifshow.v3.mixed.MixImporterActivity
com.yxcorp.plugin.live.entry.VoicePartyEntryActivity
com.yxcorp.gifshow.camera.record.CameraActivity
com.yxcorp.gifshow.camera.record.album.AlbumActivityV2
com.yxcorp.gifshow.camera.record.album.RecordAlbumActivity
com.yxcorp.gifshow.camera.authenticate.live.LiveAuthenticateCameraActivity
com.yxcorp.gifshow.camera.authenticate.account.AccountAuthenticateCameraActivity
com.yxcorp.gifshow.camera.record.photo.TakePictureActivity
com.yxcorp.gifshow.camera.record.preview.VideoPreviewActivity
com.yxcorp.gifshow.camera.record.preview.PreviewVideoActivity
com.yxcorp.gifshow.camera.record.sameframe.SameFrameActivity
com.yxcorp.gifshow.camera.record.followshoot.FollowShootActivity
com.yxcorp.gifshow.camera.record.joint.JointActivity
com.yxcorp.gifshow.camera.record.permission.CameraPermissionActivity
com.yxcorp.gifshow.camera.record.kmoji.KmojiActivity
com.yxcorp.gifshow.music.rank.MusicRankActivity
com.yxcorp.gifshow.music.rank.detail.MusicRankDetailActivity
com.yxcorp.gifshow.music.cloudmusic.MusicActivity
com.yxcorp.gifshow.music.cloudmusic.MineMusicActivity
com.yxcorp.gifshow.music.cloudmusic.subcategory.SubCategoryMusicActivity
com.yxcorp.gifshow.music.upload.MusicChooseActivity
com.yxcorp.gifshow.music.singer.PersonalUploadedMusicActivity
com.yxcorp.gifshow.music.upload.CopyrightNoticeActivity
com.yxcorp.gifshow.music.upload.LocalMusicEditActivity
com.yxcorp.gifshow.music.upload.FileSelectActivity
com.yxcorp.gifshow.music.upload.MusicGenreSelectActivity
com.yxcorp.gifshow.music.lyric.MusicClipActivity
com.yxcorp.gifshow.music.lyric.MusicClipAnchorActivity
com.yxcorp.gifshow.music.lyric.MusicReportActivity
com.yxcorp.gifshow.music.singer.ArtistActivity
com.yxcorp.gifshow.music.cloudmusic.MusicImportActivity
com.yxcorp.gifshow.music.localmusic.MusicPickerActivity
com.kuaishou.gamezone.GameZoneHomeActivity
com.kuaishou.gamezone.gamecategory.GzoneGameCategoriesActivity
com.kuaishou.gamezone.gamedetail.GzoneGameDetailActivity
com.kuaishou.gamezone.gamedetail.GzoneGameDescriptionActivity
com.kuaishou.gamezone.gamedetail.GzoneGameMoreHeroActivity
com.kuaishou.gamezone.GzoneRouterActivity
com.kuaishou.gamezone.playback.GzonePlaybackActivity
com.yxcorp.plugin.live.LivePushActivity
com.yxcorp.gifshow.activity.LiveSettingsActivity
com.yxcorp.plugin.live.LivePlayActivity
com.yxcorp.plugin.live.sensitivewords.LiveSensitiveWordsActivity
com.yxcorp.plugin.voiceparty.feed.VoicePartyFeedActivity
com.yxcorp.gifshow.detail.musicstation.plugin.personal.MusicStationPersonalActivity
com.yxcorp.gifshow.detail.musicstation.aggregate.MusicStationLiveAggregateActivity
com.yxcorp.plugin.payment.activity.MyWalletActivity
com.yxcorp.plugin.payment.activity.WithdrawActivity
com.yxcorp.plugin.payment.activity.ExchangeKwaiCoinActivity
com.yxcorp.plugin.payment.activity.RechargeKwaiCoinListActivity
com.yxcorp.plugin.payment.activity.VerifyPhoneActivity
com.yxcorp.plugin.payment.activity.ExchangeKwaiCoinVerifyCodeActivity
com.smile.gifmaker.wxapi.WXPayEntryActivity
com.yxcorp.plugin.payment.activity.VerifyIdActivity
com.yxcorp.plugin.payment.activity.KwaiPayActivity
com.yxcorp.gifshow.notice.NoticeListActivity
com.yxcrop.plugin.relation.ShareFollowActivity
com.yxcrop.plugin.relation.ShareNameEditActivity
com.yxcrop.plugin.relation.ShareDetailActivity
com.yxcorp.plugin.message.MessageActivity
com.yxcorp.plugin.message.StrangerConversationActivity
com.yxcorp.plugin.message.ConversationInfoActivity
com.yxcorp.plugin.message.group.GroupMemberManagerActivity
com.yxcorp.plugin.message.group.GroupListActivity
com.yxcorp.plugin.message.group.GroupMemberListActivity
com.yxcorp.plugin.message.group.GroupModifyNameActivity
com.yxcorp.plugin.message.group.GroupModifyDescActivity
com.yxcorp.plugin.message.group.GroupViewDescActivity
com.yxcorp.plugin.message.group.GroupModifyNickNameActivity
com.yxcorp.plugin.message.group.GroupInviteApproveActivity
com.yxcorp.plugin.message.group.GroupQrCodeActivity
com.yxcorp.plugin.message.CommonConcernActivity
com.yxcorp.plugin.message.MessageSearchActivity
com.yxcorp.plugin.message.MessageSearchMoreActivity
com.yxcorp.plugin.message.function.LikePhotoActivity
com.yxcorp.plugin.message.CustomizeEmotionActivity
com.yxcorp.plugin.message.CustomizeEmotionPreviewActivity
com.yxcorp.plugin.message.emotion.EmotionDetailActivity
com.yxcorp.plugin.message.emotion.EmotionPackageDetailsActivity
com.yxcorp.newgroup.manage.GroupOptionsActivity
com.yxcorp.newgroup.manage.GroupDataEditActivity
com.yxcorp.newgroup.manage.GroupJoinModeActivity
com.yxcorp.newgroup.manage.GroupAvatarActivity
com.yxcorp.newgroup.manage.GroupNameActivity
com.yxcorp.newgroup.profile.GroupProfileActivity
com.yxcorp.plugin.message.group.SelectIMFriendsActivity
com.yxcorp.newgroup.create.entrance.CreatePublicGroupEntranceActivity
com.yxcorp.newgroup.create.category.SelectGroupCategoryActivity
com.yxcorp.newgroup.create.EditGroupInfoActivity
com.yxcorp.newgroup.audit.activity.HandleJoinGroupRequestActivity
com.yxcorp.newgroup.audit.activity.RejectJoinGroupActivity
com.yxcorp.newgroup.create.GroupIntroduceActivity
com.yxcorp.newgroup.stick.SelectStickGroupActivity
com.yxcorp.newgroup.stick.StickGuestGroupListActivity
com.yxcorp.newgroup.manage.GroupAdminManagerActivity
com.yxcorp.newgroup.manage.GroupMemberUpgradeActivity
com.yxcorp.gifshow.profile.activity.MyProfileActivity
com.yxcorp.gifshow.profile.activity.UserProfileActivity
com.yxcorp.gifshow.profile.activity.MomentPublishActivity
com.yxcorp.gifshow.profile.activity.MomentListActivity
com.yxcorp.gifshow.profile.activity.PicturePreviewActivity
com.yxcorp.gifshow.profile.activity.MultipleImagePreviewActivity
com.yxcorp.gifshow.profile.activity.PhotoImportActivity
com.yxcorp.gifshow.profile.activity.ProfileCoverEditActivity
com.yxcorp.gifshow.profile.activity.RecommendFeedActivity
com.yxcorp.gifshow.profile.activity.CollectionActivity
com.yxcorp.gifshow.profile.activity.BrowseHistoryActivity
com.yxcorp.gifshow.profile.activity.ShareMultiPhotoDetailActivity
com.yxcorp.gifshow.profile.activity.ProfilePhotoTopActivity
com.yxcorp.gifshow.story.detail.StoryDetailActivity
com.yxcorp.gifshow.story.StoryRouterActivity
com.yxcorp.gifshow.story.profile.aggregation.StoryAggregationActivity
com.yxcorp.gifshow.gamecenter.GameCenterActivity
com.yxcorp.gifshow.gamecenter.GameManagerActivity
com.yxcorp.gifshow.gamecenter.GameWebViewActivity
com.yxcorp.gifshow.gamecenter.H5GameWebViewActivity
com.yxcorp.login.userlogin.OneKeyLoginActivity
com.yxcorp.login.userlogin.QuickLoginActivity
com.yxcorp.login.userlogin.RegisterActivity
com.yxcorp.login.userlogin.RegisterUserInfoSettingActivity
com.yxcorp.login.userlogin.CaptchaCodeLoginActivity
com.yxcorp.login.userlogin.CaptchaResetPasswordActivity
com.yxcorp.login.userlogin.RetrievePasswordActivity
com.yxcorp.login.bind.BindPhoneNumberActivity
com.yxcorp.login.bind.BindPhoneVerifyActivity
com.yxcorp.login.bind.BindPhoneV2Activity
com.yxcorp.login.userlogin.MultiLoginAccountSelectActivity
com.yxcorp.login.userlogin.MultiRetrieveAccountSelectActivity
com.yxcorp.login.userlogin.ResetSelectedAccountPasswordActivity
com.yxcorp.login.userlogin.PhoneOneKeyLoginActivity
com.yxcorp.login.userlogin.SwitchAccountActivity
com.yxcorp.login.userlogin.SetPasswordActivity
com.yxcorp.login.userlogin.VerifyPhoneV2CheckActivity
com.yxcorp.login.userlogin.FullScreenLoginActivity
com.yxcorp.login.userlogin.PhoneOneKeyLoginV2Activity
com.yxcorp.login.userlogin.PhoneLoginV2Activity
com.yxcorp.login.userlogin.HistoryLoginActivity
com.yxcorp.login.userlogin.AccountSecurityActivity
com.yxcorp.gifshow.follow.feeds.moment.detail.MomentDetailActivity
com.yxcorp.gifshow.follow.feeds.pymi.detail.PymiUserDetailActivity
com.yxcorp.gifshow.tube.latest.TubeLatestActivity
com.yxcorp.gifshow.tube.rank.TubeRankActivity
com.yxcorp.gifshow.tube.feed.TubeFeedActivity
com.yxcorp.gifshow.tube.series.TubeSeriesActivity
com.yxcorp.gifshow.tube.feed.history.TubeHistoryActivity
com.yxcorp.gifshow.tube.TubeDefaultActivity
com.yxcorp.gifshow.tube.slideplay.TubeDetailActivity
com.yxcorp.gifshow.tube.series.PickEpisodeActivity
com.yxcorp.gifshow.tube.feed.search.TubeSearchActivity
com.yxcorp.gifshow.tube.feed.channel.TubeChannelListActivity
com.yxcorp.plugin.activity.login.WeChatSSOActivity
com.smile.gifmaker.wxapi.WXEntryActivity
com.sina.weibo.sdk.component.WeiboSdkBrowser
com.tencent.tauth.AuthActivity
com.tencent.connect.common.AssistActivity
com.yxcorp.plugin.activity.login.WeiboSSOActivity
com.yxcorp.plugin.activity.login.QQSSOActivity
com.yxcorp.plugin.activity.login.WebAuthActivity
com.yxcorp.gifshow.users.UserListActivity
com.yxcorp.gifshow.users.FollowingFriendActivity
com.yxcorp.gifshow.activity.MsgPrivacySettingActivity
com.yxcorp.gifshow.activity.ExploreFriendActivity
com.yxcorp.gifshow.users.activity.AutoReplySettingActivity
com.kuaishou.merchant.detail.MerchantDetailActivity
com.kuaishou.merchant.selfbuild.SelfBuildDetailActivity
com.kuaishou.merchant.taopass.TaoPassWebViewActivity
com.kuaishou.gifshow.platfom.protector.protector.ProtectorDialogActivity
com.kuaishou.gifshow.platform.debug.IocStateActivity
com.yxcorp.gifshow.activity.UriRouterActivity
com.yxcorp.gifshow.activity.KwaiMiniAppListActivity
com.yxcorp.gifshow.activity.KwaiMiniAppShareActivity
com.yxcorp.plugin.search.SearchActivity
com.yxcorp.plugin.search.SearchTagRecommendActivity
com.yxcorp.plugin.search.recommendV2.activity.SearchUserRecommendActivityV2
com.yxcorp.plugin.search.recommendV2.activity.SearchTagRecommendActivityV2
com.yxcorp.plugin.search.AddFriendActivity
com.yxcorp.plugin.search.SearchGroupResultActivity
com.yxcorp.plugin.setting.activity.SettingsActivity
com.yxcorp.plugin.setting.activity.PrivateSettingsActivity
com.yxcorp.plugin.setting.activity.GeneralSettingsActivity
com.yxcorp.plugin.setting.activity.PushSettingsActivity
com.yxcorp.plugin.setting.activity.AboutUsActivity
com.yxcorp.plugin.setting.activity.UserSettingsUpdateActivity
com.yxcorp.plugin.setting.activity.PushDetailSettingsActivity
com.yxcorp.plugin.setting.activity.PushSilenceSettingActivity
com.yxcorp.plugin.setting.activity.LanguageSettingsActivity
com.yxcorp.map.local.RoamCityActivity
com.yxcorp.map.local.ResortPickActivity
com.yxcorp.map.advertisement.PoiAdvertisementWebActivity
com.yxcorp.cobra.activity.CobraIntroduceActivity
com.yxcorp.cobra.activity.CobraConnectActivity
com.yxcorp.cobra.activity.CobraGuideActivity
com.yxcorp.cobra.activity.CobraSettingActivity
com.yxcorp.cobra.activity.CobraSettingDetailActivity
com.yxcorp.cobra.activity.CobraRestoreActivity
com.yxcorp.cobra.activity.CobraPreviewActivity
com.yxcorp.cobra.activity.CobraHelpActivity
com.yxcorp.plugin.tag.music.TagMusicActivity
com.yxcorp.plugin.tag.detail.TagDescriptionDetailActivity
com.yxcorp.plugin.tag.sameframe.TagSameFrameActivity
com.yxcorp.plugin.tag.chorus.TagChorusActivity
com.yxcorp.plugin.tag.detail.TagDetailActivity
com.yxcorp.plugin.tag.magicface.TagMagicFaceActivity
com.yxcorp.plugin.tag.music.SoundTrackRenameActivity
com.yxcorp.plugin.tag.music.creationchallenge.CreationChallengeActivity
com.yxcorp.plugin.tag.opus.TagOpusActivity
com.yxcorp.gifshow.advertisement.SplashActivity
com.yxcorp.gifshow.activity.TXKingCardActivity
com.yxcorp.gifshow.activity.TXKingCardActivity2
com.yxcorp.gifshow.activity.preview.PhotoPreviewActivity
com.yxcorp.plugin.activity.record.VideoClipV2Activity
com.yxcorp.gifshow.v3.EditorActivity
com.yxcorp.gifshow.activity.share.ShareActivity
com.yxcorp.gifshow.activity.share.ShareToGroupActivity
com.yxcorp.gifshow.activity.share.TopicAddActivity
com.yxcorp.gifshow.activity.share.LocationActivity
com.yxcorp.gifshow.activity.VideoViewActivity
com.yxcorp.gifshow.detail.PhotoDetailActivity
com.yxcorp.gifshow.detail.musicstation.MusicStationLoadingActivity
com.yxcorp.gifshow.recommenduser.RecommendUserResultActivity
com.yxcorp.gifshow.aggregate.AggregateActivity
com.yxcorp.gifshow.users.activity.RelationFriendsActivity
com.yxcorp.gifshow.message.photo.MessagePickPhotoActivity
com.yxcorp.gifshow.fragment.message.PhotoPreviewActivity
com.yxcorp.gifshow.activity.ReportActivity
com.yxcorp.gifshow.advertisement.AdWebViewActivity
com.yxcorp.gifshow.advertisement.PhotoAdDetailWebViewActivity
com.yxcorp.login.userlogin.LoginActivity
com.yxcorp.gifshow.faceverify.activity.RecordHelperActivity
com.yxcorp.gifshow.payment.activity.GatewayBindHelperActivity
com.yxcorp.gifshow.activity.SelectCountryActivity
com.kuaishou.gifshow.ImageCropActivity
com.yxcorp.gifshow.activity.UserInfoEditActivity
com.yxcorp.gifshow.activity.AvatarActivity
com.yxcorp.gifshow.activity.UserInfoDetailEditActivity
com.yxcorp.gifshow.activity.ContactsListActivity
com.yxcorp.gifshow.activity.PlatformFriendsActivity
com.yxcorp.gifshow.activity.UserRelationFriendsGuideActivity
com.yxcorp.gifshow.activity.UserContactsFriendsGuideActivity
com.yxcorp.gifshow.activity.UserQQFriendsGuideActivity
com.yxcorp.gifshow.activity.BlacklistActivity
com.yxcorp.gifshow.activity.share.UploadToPlatformActivity
com.yxcorp.gifshow.activity.SelectFriendsActivity
com.yxcorp.gifshow.users.SelectConversationFriendsActivity
com.yxcorp.gifshow.activity.RecommendUsersActivity
com.yxcorp.gifshow.debug.TestConfigActivity
com.yxcorp.gifshow.debug.WidgetTestActivity
com.yxcorp.gifshow.activity.LogListActivity
com.yxcorp.login.bind.ChangePhoneActivity
com.yxcorp.login.bind.ChangePhoneVerifyActivity
com.yxcorp.login.userlogin.VerifyPhoneV2Activity
com.yxcorp.login.userlogin.VerifyPhoneActivity
com.yxcorp.gifshow.xlab.XlabActivity
com.yxcorp.gifshow.peoplenearby.PeopleNearbyActivity
com.yxcorp.gifshow.livenearby.LiveNearbyActivity
com.yxcorp.gifshow.activity.BrowseSettingsActivity
com.yxcorp.gifshow.childlock.ChildLockGuideActivity
com.yxcorp.gifshow.childlock.ChildVerifyActivity
com.yxcorp.gifshow.childlock.ChildLockSettingActivity
com.yxcorp.gifshow.childlock.ChildLockSettingConfirmActivity
com.yxcorp.gifshow.activity.ClearCacheActivity
com.yxcorp.gifshow.activity.EditChannelActivity
com.yxcorp.gifshow.activity.InterestTagActivity
com.yxcorp.gifshow.activity.ReminderActivity
com.yxcorp.gifshow.activity.share.CustomShareActivity
com.yxcorp.gifshow.activity.ModifyTrustDeviceNameActivity
com.yxcorp.gifshow.v3.editor.sticker.vote.VoteDetailActivity
com.yxcorp.gifshow.authorization.AuthActivity
com.yxcorp.gifshow.activity.PromotionRouterActivity
com.yxcorp.gifshow.activity.SchemeActivity
com.yxcorp.plugin.setting.activity.WatermarkSettingsActivity
com.yxcorp.gifshow.photoad.download.PhotoAdDownloadCenterActivity
com.yxcorp.gifshow.activity.share.SharePhotoVisibilitySelectionActivity
com.yxcorp.gifshow.users.ShareFollowActivity
com.yxcorp.plugin.share.QQShareActivity
com.yxcorp.plugin.share.WeiboShareProxyActivity
com.yxcorp.gifshow.webview.KwaiWebViewActivity
com.yxcorp.gifshow.activity.DebugOptionSelectActivity
com.kwai.kwapp.activity.KwaiAppActivity
com.kwai.kwapp.activity.KwaiAppActivity1
com.kwai.kwapp.activity.KwaiAppActivity2
com.kwai.kwapp.activity.KwaiAppActivity3
com.kwai.kwapp.activity.KwaiAppActivity4
com.kwai.kwapp.component.KSGalleryActivity
com.tencent.android.tpush.XGPushActivity
com.huawei.hms.activity.BridgeActivity
com.yxcorp.gifshow.push.huawei.HuaweiPushActivity
com.yxcorp.gifshow.push.oppo.ActionRouterActivity
com.vivo.push.sdk.LinkProxyClientActivity
com.igexin.sdk.PushActivity
com.igexin.sdk.GActivity
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_00
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_01
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_02
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_03
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_04
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_05
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_06
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_07
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_08
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_09
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_00_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_01_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$STDStub_02_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_00
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_01
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_02
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_03
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_04
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_05
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_06
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_07
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_08
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_09
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_00_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_01_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTStub_02_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_00
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_01
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_02
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_03
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_04
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_05
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_06
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_07
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_08
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_09
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_00_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_01_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SGTKStub_02_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_00
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_01
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_02
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_03
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_04
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_05
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_06
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_07
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_08
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_09
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_00_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_01_T
com.kwai.hotfix.loader.hotplug.ActivityStubs$SIStub_02_T
com.yxcorp.gateway.pay.activity.GatewayH5PayActivity
com.yxcorp.gateway.pay.activity.GatewayPayActivity
com.yxcorp.gateway.pay.activity.GatewayPayOrderActivity
com.yxcorp.gateway.pay.activity.GatewayOrderPrepayActivity
com.yxcorp.gateway.pay.activity.PayWebViewActivity
com.yxcorp.gateway.pay.activity.WechatSSOActivity
com.alipay.sdk.app.H5PayActivity
com.alipay.sdk.app.H5AuthActivity
com.kwai.middleware.azeroth.upgrade.SdkUpgradeDialogActivity
com.webank.facelight.ui.FaceVerifyActivity
com.webank.facelight.ui.FaceProtocalActivity
com.kwad.sdk.page.KsAdWebViewActivity

com.q.m.QS
com.yxcorp.gifshow.push.PushService
com.yxcorp.gifshow.push.LocalPushJobService
com.yxcorp.patch.tinker.MainProcessResultService
com.yxcorp.gifshow.tips.InAppNoticeService
com.yxcorp.gifshow.camerasdk.compatibility.HardwareEncodeTestService
com.yxcorp.gifshow.debug.DebugLogService
com.yxcorp.gifshow.debug.DebugLogJobService
com.yxcorp.gifshow.photoad.download.PhotoAdApkDownloadVpnService
com.yxcorp.gifshow.keepalive.MIUIAlarmService
com.yxcorp.gifshow.keepalive.MIUIAlarmJobService
com.kwai.kwapp.service.KwaiAppManageService
com.kwai.kwapp.service.KwaiAppService
com.kwai.kwapp.service.KwaiAppService1
com.kwai.kwapp.service.KwaiAppService2
com.kwai.kwapp.service.KwaiAppService3
com.kwai.kwapp.service.KwaiAppService4
com.yxcorp.gifshow.log.service.LogService
com.yxcorp.gifshow.log.service.LogJobService
com.tencent.android.tpush.service.XGPushServiceV3
com.tencent.android.tpush.rpc.XGRemoteService
com.coloros.mcssdk.PushService
com.vivo.push.sdk.service.CommandClientService
com.igexin.download.DownloadService
com.igexin.sdk.PushService
com.yxcorp.gifshow.push.getui.GetuiPushIntentService
com.yxcorp.gifshow.push.getui.GetuiPushService
com.xiaomi.push.service.XMPushService
com.xiaomi.push.service.XMJobService
com.xiaomi.mipush.sdk.PushMessageHandler
com.xiaomi.mipush.sdk.MessageHandleService
com.yxcorp.gifshow.keepalive.KeepAliveService
com.yxcorp.gifshow.keepalive.KeepAliveRemoveNotificationService
com.yxcorp.gifshow.keepalive.KeepAliveJobService
com.yxcorp.gifshow.systemaccount.AccountAlarmService
com.yxcorp.gifshow.systemaccount.PeriodJobService
com.yxcorp.gifshow.systemaccount.AccountsAuthenticatorService
com.yxcorp.gifshow.systemaccount.AccountSyncService
com.yxcorp.gifshow.keepalive.KeepAliveProcessService
com.kwai.hotfix.lib.service.HotfixForgService
com.kwai.hotfix.lib.service.HotFixPatchService
com.kwai.hotfix.lib.service.HotFixPatchService$InnerService
com.kwai.hotfix.lib.service.DefaultHotfixResultService
com.kwai.hotfix.lib.service.ExternalLogService
com.kwai.chat.kwailink.service.KwaiLinkService
com.yxcorp.gifshow.push.PushSdkService
com.liulishuo.filedownloader.services.FileDownloadService$SharedMainProcessService
com.liulishuo.filedownloader.services.FileDownloadService$SeparateProcessService
com.meizu.cloud.pushsdk.NotificationService

com.yxcorp.gifshow.push.LocalPushReceiver
com.yxcorp.gifshow.push.ClickPushButtonBroadcastReceiver
com.yxcorp.gifshow.ad.detail.AppInstalledReceiver
com.yxcorp.gifshow.camera.shortcut.ShortcutReceiver
com.yxcorp.gifshow.socialgame.SocialGameNotificationClickReceiver
com.yxcorp.gifshow.download.NotifyClickReceiver
com.yxcorp.gifshow.keepalive.MIUIAlarmReceiver
cn.jpush.android.service.AlarmReceiver
cn.jpush.android.service.PushReceiver
com.yxcorp.gifshow.push.jpush.JPushReceiver
com.tencent.android.tpush.XGPushReceiver
com.yxcorp.gifshow.push.xinge.XinGePushReceiver
com.yxcorp.gifshow.push.meizu.MeizuPushReceiver
com.yxcorp.gifshow.push.meizu.MeizuSystemReceiver
com.yxcorp.gifshow.push.huawei.HuaweiPushReceiver
com.yxcorp.gifshow.push.huawei.HuaweiPushEventReceiver
com.yxcorp.gifshow.push.vivo.VivoPushReceiver
com.igexin.download.DownloadReceiver
com.yxcorp.gifshow.push.getui.GetuiPushReceiver
com.xiaomi.push.service.receivers.NetworkStatusReceiver
com.xiaomi.push.service.receivers.PingReceiver
com.yxcorp.gifshow.push.xiaomi.XiaomiPushReceiver
com.yxcorp.gifshow.keepalive.KeepAliveReceiver
com.yxcorp.gifshow.keepalive.KeepAliveProcessReceiver
com.kwai.chat.kwailink.receiver.AlarmReceiver
com.kwai.chat.kwailink.client.KwaiLinkNotifyClientBroadcastReceiver
com.yxcorp.download.DownloadReceiver
com.meizu.cloud.pushsdk.SystemReceiver

com.yxcorp.gifshow.util.KwaiPreferenceProvider
com.yxcorp.gifshow.activity.share.ShareAuthProvider
com.yxcorp.gifshow.authorization.AuthProvider
com.lsjwzh.fonts.FontsProvider
android.support.v4.content.FileProvider
com.kwai.kwapp.KwaiAppFileProvider
com.tencent.android.tpush.XGPushProvider
com.tencent.android.tpush.SettingsContentProvider
com.tencent.mid.api.MidProvider
com.huawei.hms.update.provider.UpdateProvider
com.igexin.download.DownloadProvider
com.yxcorp.gifshow.systemaccount.AccountProvider
kuaishou.perf.battery.allprocess.upload.BatteryStatsProvider
com.yxcorp.gifshow.push.PushProvider
android.arch.lifecycle.ProcessLifecycleOwnerInitializer
com.kuaishou.android.vader.VaderContextProvider

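Third-party libraries

# Library Description
0 com.tencent.bugly Tencent Bugly, offering mobile developers the most professional quality-tracking services such as crash monitoring and crash analysis, fixing every user crash for you!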
1 android.support.transition A backport of the new Transitions API for Android.
2 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
3 com.google.protobuf Protocol Buffers - Google's data interchange format https://developers.google.com/protocol-buffers/
4 android.support.multidex DEPRECATED
5 com.alipay.sdk Alipay mobile payment functionality
6 butterknife View "injection" library for Android.
7 org.chromium.base Android WebView implementation that uses the latest Chromium code
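8 com.baidu.lbsapi The Baidu Android Panorama SDK is a set of panorama service interfaces for the Android mobile platform, offering developers panorama search, display and interaction features so that the surroundings of a target location can be shown more clearly and conveniently.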
9 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
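10 com.baidu.mapapi The Baidu Maps Android SDK is a set of application programming interfaces for devices running Android 2.1 and above. You can use this SDK to develop map applications for Android mobile devices; by calling the map SDK interfaces you can easily access Baidu Maps services and data and build feature-rich, highly interactive map applications.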
11 com.facebook.imagepipeline An image management library by FaceBook.
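12 com.google.android.gms.maps Google Maps is the electronic map service provided by Google, including detailed local satellite imagery. The service offers vector maps containing administrative, traffic and business information, satellite imagery at various resolutions, and terrain views that show topography and contour lines. It is used on all kinds of platforms and is simple and convenient to operate.
13 com.igexin With Getui's technology, an app can proactively push news, version updates, promotions, lifestyle services and other information to users, and use multi-dimensional user-group analysis for intelligent matching, pushing suitable content to suitable audiences in suitable contexts and substantially raising message click-through rate, user activity and retention.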
14 com.google.protobuf Protocol Buffers - Google's data interchange format https://developers.google.com/protocol-buffers/
15 com.facebook.cache.common An image management library by FaceBook.
16 com.bumptech.glide An image loading and caching library for Android focused on smooth scrolling
17 com.google.zxing Official ZXing ("Zebra Crossing") project home
18 com.facebook.rebound A Java library that models spring dynamics and adds real world physics to your app.
19 com.facebook.imagepipeline An image management library by FaceBook.
20 com.daimajia.easing Android Animation Easing Functions. Let's make animation more real!
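21 com.baidu.mapapi The Baidu Maps Android SDK is a set of application programming interfaces for devices running Android 2.1 and above. You can use this SDK to develop map applications for Android mobile devices; by calling the map SDK interfaces you can easily access Baidu Maps services and data and build feature-rich, highly interactive map applications.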
22 com.google.gson A Java serialization library that can convert Java Objects into JSON and back.
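23 com.tencent.map.geolocation The Tencent Maps Location SDK is a set of application programming interfaces for devices running Android 2.1 and above; through it you can easily use the Tencent Maps location service and build LBS applications. The location SDK includes GPS positioning and network positioning, and implements latitude/longitude coordinate offsetting and lookup of the POI name, address or administrative division of the current position. It uses a mobile caching strategy to save data traffic and battery power. How positioning works: the location SDK uses the current device's GPS, cell-tower signals and WiFi signals to generate positioning evidence and sends it to Tencent's location server. The location server computes the positioning result from that evidence and finally returns the result to the location SDK.
24 com.tencent.bugly Tencent Bugly, offering mobile developers the most professional quality-tracking services such as crash monitoring and crash analysis, fixing every user crash for you!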
25 com.makeramen.roundedimageview A fast ImageView that supports rounded corners, ovals, and circles.
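26 com.umeng.analytics.game Umeng Game Analytics provides mobile game developers with a ready-to-use one-stop solution.
27 com.tencent.connect Tencent Open Platform
28 com.sina.weibo The Sina Weibo Open Platform (Weibo Open Platform) is an open platform that builds on Sina Weibo's massive user base and strong reach, brings in third-party partner services, and offers users rich applications and comprehensive services. Connecting your service to the Weibo platform helps promote products, increase site/application traffic, reach new users and earn revenue.
29 com.umeng.analytics The Umeng analytics platform is the largest mobile application analytics platform in China.
30 com.tencent.android.tpush Multiple push methods, flexible and convenient; push-target classification for precision marketing; push statistics for tracking results
31 com.tencent.tauth The Tencent QQ Connect platform has compiled a list of SDKs for developers to help them quickly integrate QQ login, sharing and other features. QQ Connect is Tencent's open platform: through it, site owners and developers can apply to integrate QQ login, users can sign in to integrated sites with their QQ accounts, site content can be shared to Qzone and Pengyou by adding share and like components, and, by obtaining API authorization, site owners can also sync user actions to Qzone and Pengyou.
32 com.xiaomi.mipush.sdk Xiaomi Push (MiPush) is the message push service Xiaomi provides to developers; by establishing a stable, reliable long-lived connection between the cloud and the client, it gives developers a service for pushing real-time messages to client applications and helps them effectively drive user activity.
33 com.tencent.tencentmap The Tencent Maps Android SDK is a set of application interfaces for devices running Android 2.3 and above; through it you can conveniently access the high-quality place data and services Tencent Maps provides and build rich, practical map and location-service applications. Besides basic features such as creating base maps, zooming and smooth panning, the Tencent Maps Android SDK also provides extended services such as positioning, geocoding, reverse geocoding, nearby search and route planning, helping you get twice the result with half the effort in application development. The Tencent Maps Android SDK service requires registration and is provided free of charge to third parties; any non-profit website may use it.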
34 dagger A fast dependency injector for Android and Java.
35 okhttp3 An HTTP+SPDY client for Android and Java applications.
36 master.flame.danmaku The great danmaku era has arrived; this is the best open-source danmaku engine on Android, 烈焰弹幕使. Let the danmaku engulf you!
37 pl.droidsonroids.gif Views and Drawable for displaying animated GIFs on Android
38 net.sourceforge.pinyin4j Pinyin4j is a popular Java library supporting conversion between Chinese characters and most popular Pinyin systems. The output format of pinyin could be customized.
39 org.aspectj AspectJ Tools
40 me.leolin.shortcutbadger The ShortcutBadger makes your Android App show the count of unread messages as a badge on your App shortcut!
41 org.chromium.base Android WebView implementation that uses the latest Chromium code
42 uk.co.alt236.bluetoothlelib This library allows for easy access to a Bluetooth LE device's AdRecord and RSSI value. It offers additional functionality for iBeacons.
43 retrofit2 Type-safe REST client for Android and Java by Square, Inc.
44 org.json Per the requirements of using the Gson library, parses a JSONObject-format String into an entity
45 uk.co.senab.photoview Implementation of ImageView for Android that supports zooming, by various touch gestures.

Risk points found by static scan

Risk level Risk name

Medium

Detected 2 weak certificate validation vulnerabilities.

Location: classes4.dex
com.kwai.middleware.azeroth.b.h$1;

Location: classes8.dex
com.yxcorp.router.d.a$1;

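When a mobile app client communicates over HTTPS or SSL/TLS without verifying that the certificate is trustworthy, it is exposed to man-in-the-middle attacks, which can lead to information disclosure, tampering with transmitted data, or even replacement of the original content with malicious links or malicious code through man-in-the-middle hijacking, for purposes such as remote control.
Recommendation:
Perform strict validation of the SSL certificate, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired.

Reference cases: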
www.wooyun.org/bugs/wooyun-2014-079358

References:
http://drops.wooyun.org/tips/3296
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/
https://jaq.alibaba.com/blog.htm?id=60

Medium

Detected 8 sensitive Test or Debug components that were not removed.

com.yxcorp.gifshow.tube.latest.TubeLatestActivity
com.kuaishou.gifshow.platform.debug.IocStateActivity
com.yxcorp.gifshow.debug.TestConfigActivity
com.yxcorp.gifshow.debug.WidgetTestActivity
com.yxcorp.gifshow.activity.DebugOptionSelectActivity
com.yxcorp.gifshow.camerasdk.compatibility.HardwareEncodeTestService
com.yxcorp.gifshow.debug.DebugLogService
com.yxcorp.gifshow.debug.DebugLogJobService

Recommendation:
Remove sensitive Test or Debug components before the app is officially released.

Medium

Detected 8 WebView remote code execution vulnerabilities.

Location: classes.dex
com.tencent.bugly.crashreport.CrashReport$1;->addJavascriptInterface(Lcom.tencent.bugly.crashreport.crash.h5.H5JavaScriptInterface; Ljava.lang.String;)V
com.yxcorp.gifshow.ad.detail.presenter.ad.AdPopWebViewPresenter;->a()V
com.yxcorp.gifshow.gamecenter.web.GameWebViewFragment;->onViewCreated(Landroid.view.View; Landroid.os.Bundle;)V

Location: classes4.dex
com.yxcorp.gateway.pay.activity.PayWebViewActivity;->initWebView()V
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.kwai.kwapp.c.a.d;->b(Ljava.lang.Object; Ljava.lang.String;)V

Location: classes5.dex
com.yxcorp.gifshow.ad.webview.KwaiWebPresenter;->onBind()V

Location: classes6.dex
com.yxcorp.gifshow.webview.view.KwaiWebViewFragment;->onViewCreated(Landroid.view.View; Landroid.os.Bundle;)V

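Android versions below API 17 have a remote code execution vulnerability. It arises because the program does not properly restrict use of the addJavascriptInterface method; an attacker can use Java reflection to exploit it and invoke methods of arbitrary Java objects, resulting in remote code execution.
(1) Android systems at API 17 or higher. For security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires from version 4.2 onward that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems at API 17 or higher. It is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risk; if the interface must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the Android system's built-in default interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases: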
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252
http://drops.wooyun.org/papers/548

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis
https://developer.android.com/reference/android/webkit/WebView.html

Medium

Detected 312 pieces of sensitive plaintext information; removal is recommended.

'https://long.open.weixin.qq.com/connect/l/qrconnect?f=json&uuid=%s' used in: Lcom/tencent/mm/opensdk/diffdev/a/f;->(Ljava/lang/String; Lcom/tencent/mm/opensdk/diffdev/OAuthListener;)V
'https://m-ketang.kuaishou.com/knowledge/course/detail' used in: Lcom/smile/gifshow/l/a;->e()Ljava/lang/String;
'https://metok.sys.miui.com' used in: Lcom/xiaomi/push/bu;->handleMessage(Landroid/os/Message;)V
'https://metok.sys.miui.com' used in: Lcom/xiaomi/push/aq;->d()Ljava/lang/String;
'https://open.weibo.cn/oauth2/authorize?' used in: Lcom/sina/weibo/sdk/auth/sso/a;->b(Lcom/sina/weibo/sdk/auth/c; I)V
'https://open.weixin.qq.com/connect/sdk/qrconnect?appid=%s&noncestr=%s&timestamp=%s&scope=%s&signature=%s' used in: Lcom/tencent/mm/opensdk/diffdev/a/d;->()V
'https://openapi.alipay.com/gateway.do?charset=utf-8' used in: Lcom/yxcorp/gateway/pay/activity/GatewayH5PayActivity;->startAlipay(Landroid/webkit/WebViewClient;)V
'https://openmobile.qq.com/' used in: Lcom/tencent/open/utils/HttpUtils;->request(Lcom/tencent/connect/auth/QQToken; Landroid/content/Context; Ljava/lang/String; Landroid/os/Bundle; Ljava/lang/String;)Lorg/json/JSONObject;
'https://openmobile.qq.com/oauth2.0/m_authorize?' used in: Lcom/tencent/connect/auth/AuthAgent;->a(Z Lcom/tencent/tauth/IUiListener; Z)I
'https://openmobile.qq.com/user/user_login_statis' used in: Lcom/tencent/connect/auth/AuthAgent;->a(Lcom/tencent/tauth/IUiListener;)V
'https://openmobile.qq.com/v3/user/get_info' used in: Lcom/tencent/connect/auth/AuthAgent;->b(Lcom/tencent/tauth/IUiListener;)V
'https://paygw-web.test.gifshow.com/' used in: Lcom/yxcorp/gateway/pay/api/PayManager;->buildOrderCashierUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/bd;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Lcom/xiaomi/push/service/bc;
'https://ru.register.xmpush.global.xiaomi.com' used in: Lcom/xiaomi/push/service/bd;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String; Ljava/lang/String;)Lcom/xiaomi/push/service/bc;
'https://static.inkuai.com/udata/pkg/ks_poi_share_empty_image-bTKUSV.png' used in: Lcom/yxcorp/gifshow/ad/poi/presenter/BusinessPoiShareButtonClickPresenter;->onShareClick()V
'https://static.inkuai.com/udata/pkg/ks_poi_share_icon_image-LfvWEI.png' used in: Lcom/yxcorp/gifshow/ad/poi/presenter/BusinessPoiShareButtonClickPresenter;->onShareClick()V
'https://static.inkuai.com/udata/pkg/ks_poi_share_map_image-WKYIud.png' used in: Lcom/yxcorp/gifshow/ad/poi/presenter/BusinessPoiShareButtonClickPresenter;->onShareClick()V
'https://test-trace.webank.com/h' used in: Lcom/webank/facelight/ui/h;->a()V
'https://truth.qchannel03.cn/truth' used in: Lcom/sijla/g/a;->a(Landroid/content/Context; Ljava/lang/String;)V
'https://uop.umeng.com' used in: Lcom/umeng/analytics/pro/ad;->a()V
'https://wspeed.qq.com/w.cgi' used in: Lcom/tencent/open/b/g$4;->run()V
'https://www.kuaishoupay.com/' used in: Lcom/yxcorp/gateway/pay/e/a;->d()Ljava/lang/String;
'https://www.kuaishoupay.com/' used in: Lcom/yxcorp/gateway/pay/api/PayManager;->buildOrderCashierUrl(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'https://www.qchannel01.cn/center/adj' used in: Lcom/sijla/g/a;->a(Landroid/content/Context; Lorg/json/JSONObject; Lcom/sijla/callback/QtCallBack; Z)V
'https://www.qchannel01.cn/center/ard' used in: Lcom/sijla/f/w;->a(Landroid/content/Context; Ljava/lang/String; Z)V
'javascript:(function JsAddJavascriptInterface_(){' used in: Lcom/kwad/sdk/widget/CommonWebView;->g()Ljava/lang/String;
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a(Ljava/lang/Object;)V
'javascript:window.JsBridge&&JsBridge.callback(' used in: Lcom/tencent/open/a$a;->a()V
'www.baidu.com:80' used in: Lcom/xiaomi/push/service/e;->run()V
'www.kuaishoupay.com' used in: Lcom/yxcorp/gateway/pay/webview/b;->b()V
'www.kuaishoupay.com' used in: Lcom/yxcorp/gateway/pay/webview/b;->a()V

Location: classes5.dex
'http://schemas.android.com/apk/res/android' used in: Lcom/yxcorp/gifshow/detail/comment/presenter/adcomment/CornerCoverView;->(Landroid/content/Context; Landroid/util/AttributeSet; I)V
'http://stark.corp.kuaishou.com/te/api' used in: Lcom/yxcorp/gifshow/debug/n;->a(Ljava/lang/String;)Ljava/util/List;
'https://open.kuaishou.com/oauth2/authorize' used in: Lcom/yxcorp/gifshow/authorization/AuthActivity;->o()V
'https://open.kuaishou.com/oauth2/authorize' used in: Lcom/yxcorp/gifshow/authorization/AuthActivity;->r()V
'https://raw.githubusercontent.com/3HJack/plugin/master/dialog_net_icon_background.png' used in: Lcom/yxcorp/gifshow/debug/WidgetTestActivity;->n(Landroid/app/Activity; Landroid/view/View;)V
'user03@gmail.com' used in: Lcom/yxcorp/gifshow/debug/WidgetTestActivity;->f(Landroid/app/Activity; Landroid/view/View;)V

Location: classes6.dex
'10.0.0.2' used in: Lcom/yxcorp/gifshow/photoad/download/PhotoAdApkDownloadVpnService$a;->c()Z
'data:%s date:%s' used in: Lcom/yxcorp/gifshow/t/a;->a(Landroid/net/Uri;)V
'data:image/jpg;base64,' used in: Lcom/yxcorp/gifshow/webview/bridge/a$91;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'data:image/jpg;base64,' used in: Lcom/yxcorp/gifshow/webview/bridge/a$92;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'data:image/jpg;base64,' used in: Lcom/yxcorp/gifshow/webview/bridge/a$92;->b(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'data:image/jpg;base64,' used in: Lcom/yxcorp/gifshow/webview/helper/g$1;->a(Ljava/lang/String; Lcom/yxcorp/gifshow/webview/helper/g$a;)V
'data:offset:length' used in: Lcom/yxcorp/gifshow/util/BitmapUtil;->()V
'http://ali.static.yximgs.com/degradation/config/fallbackable2CdnConfig?version=' used in: Lcom/yxcorp/gifshow/retrofit/degrade/e;->i()V
'http://ali.static.yximgs.com/degradation/config/fallbackable2CdnConfig?version=' used in: Lcom/yxcorp/gifshow/retrofit/degrade/b;->intercept(Lokhttp3/r$a;)Lokhttp3/x;
'http://m.kuaishou.com/user/' used in: Lcom/yxcorp/gifshow/model/config/SystemStatCommonPojo;->()V
'http://tx.static.yximgs.com/degradation/config/fallbackable2CdnConfig?version=' used in: Lcom/yxcorp/gifshow/retrofit/degrade/e;->i()V
'http://tx.static.yximgs.com/degradation/config/fallbackable2CdnConfig?version=' used in: Lcom/yxcorp/gifshow/retrofit/degrade/b;->intercept(Lokhttp3/r$a;)Lokhttp3/x;
'https://app.m.kuaishou.com/public/index.html#/protocol/music' used in: Lcom/yxcorp/gifshow/music/upload/LocalMusicEditFragment;->goVerifyTips()V
'https://m-ketang.kuaishou.com/knowledge/course/detail' used in: Lcom/yxcorp/gifshow/webview/d/a;->()V
'https://open.kuaishou.com/app/latest?app_id=' used in: Lcom/yxcorp/gifshow/webview/bridge/a$106;->a(Ljava/io/Serializable;)V
'https://static.yximgs.com/bs2/fes/app_kwai_logo.png' used in: Lcom/yxcorp/gifshow/share/wechat/m;->a(Lcom/yxcorp/gifshow/share/KwaiOperator;)Lio/reactivex/l;
'kwai@kwai.com' used in: Lcom/yxcorp/gifshow/plugin/SocialGamePluginImpl;->addCalendarAccount(Landroid/content/Context;)J
'www.gifshow.com' used in: Lcom/yxcorp/gifshow/webview/helper/d;->()V
'www.kuaishou.com' used in: Lcom/yxcorp/gifshow/webview/helper/d;->()V
'www.kwai.com' used in: Lcom/yxcorp/gifshow/webview/helper/d;->()V
'www.kwaishop.com' used in: Lcom/yxcorp/gifshow/webview/helper/d;->()V

Location: classes7.dex
'data:offset:length' used in: Lcom/yxcorp/plugin/share/QQShareActivity;->()V
'data:offset:length' used in: Lcom/yxcorp/plugin/qrcode/AuthorizationActivity;->()V
'http://%s/rest/n/redPack/luckiestDraw' used in: Lcom/yxcorp/plugin/redpacket/SeeSnatchRedPacketLuckDialog;->b()Ljava/lang/String;
'http://maps.googleapis.com/maps/api/geocode/json?latlng=%s,%s&sensor=true&language=zh_cn' used in: Lcom/yxcorp/plugin/tencent/map/TencentMapLocation;->updateAddress()V
'http://www.gifshow.com/i/connect/cbsina' used in: Lcom/yxcorp/plugin/login/SinaWeiboPlatform;->createAuthInfo(Landroid/content/Context;)Lcom/sina/weibo/sdk/auth/a;
'https://api.weibo.com/oauth2/revokeoauth2?access_token=' used in: Lcom/yxcorp/plugin/login/SinaWeiboPlatform;->lambda$logout$0(Ljava/lang/String;)V
'https://api.weixin.qq.com/sns/userinfo?access_token=%s&openid=%s' used in: Lcom/yxcorp/plugin/activity/login/WeChatSSOActivity$2;->c()Ljava/lang/Boolean;
'https://app.m.kuaishou.com/live/fans-group/instruction' used in: Lcom/yxcorp/plugin/live/http/LiveConfigStartupResponse$LiveFansGroupConfig;->()V
'https://graph.qq.com/oauth2.0/authorize?display=mobile&client_id=100228415&redirect_uri=' used in: Lcom/yxcorp/plugin/login/TencentPlatform;->getWebAuthUrl()Ljava/lang/String;
'https://imgcache.qq.com' used in: Lcom/yxcorp/plugin/login/TencentPlatform;->onWebAuthRequest(Ljava/lang/String;)I
'https://ppg.viviv.com/block/activity/page/HhNvOSeP' used in: Lcom/yxcorp/plugin/lotteryredpacket/shareredpacket/LiveShareRedPacketSendPresenter;->showGuide()V
'https://static.inkuai.com/udata/pkg/ks_poi_share_empty_image-bTKUSV.png' used in: Lcom/yxcorp/map/presenter/ShareButtonClickPresenter;->onShareClick()V
'https://static.inkuai.com/udata/pkg/ks_poi_share_icon_image-LfvWEI.png' used in: Lcom/yxcorp/map/presenter/ShareButtonClickPresenter;->onShareClick()V
'https://static.inkuai.com/udata/pkg/ks_poi_share_map_image-WKYIud.png' used in: Lcom/yxcorp/map/presenter/ShareButtonClickPresenter;->onShareClick()V

Location: classes8.dex
'http://%s:%d/%s/%s' used in: Lcom/yxcorp/video/proxy/g;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/GifTextureView;->a(Landroid/util/AttributeSet; I I)V
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/d;->a(Landroid/widget/ImageView; Landroid/util/AttributeSet; Z)I
'http://schemas.android.com/apk/res/android' used in: Lpl/droidsonroids/gif/GifTextView;->a(Landroid/util/AttributeSet; I I)V
'http://www.android.com/' used in: Lold/soloader/SoLoader;->a(Ljava/lang/String; I)Z
'https://ppg.viviv.com/block/activity/page/inraXNgR' used in: Lcom/yxcorp/plugin/wheeldecide/anchor/LiveWheelDecideAnchorRulesPresenter;->a()V
'https://ppg.viviv.com/block/activity/page/inraXNgR' used in: Lcom/yxcorp/plugin/wheeldecide/LiveWheelDecideAudienceFragment;->l()V

Medium risk

Detected 16 instances of the setSavePassword plaintext password storage vulnerability.

Location: classes.dex
com.yxcorp.gifshow.ad.detail.presenter.ad.AdPopWebViewPresenter;
com.tencent.bugly.crashreport.CrashReport$1;

Location: classes4.dex
com.kwai.kwapp.a.d;
com.tencent.open.SocialApiIml;
com.webank.facelight.ui.FaceProtocalActivity;
com.yxcorp.gateway.pay.webview.PayWebView;
com.yxcorp.gateway.pay.activity.GatewayH5PayActivity;
com.kwad.sdk.widget.KsAdWebView;
com.tencent.bugly.webank.crashreport.CrashReport;
com.tencent.open.c.c;

Location: classes5.dex
com.yxcorp.gifshow.gamecenter.view.GameCenterWebView;
com.yxcorp.gifshow.ad.webview.PhotoAdvertisementWebActivity;
com.yxcorp.gifshow.ad.webview.KwaiWebPresenter;

Location: classes6.dex
com.yxcorp.gifshow.webview.view.KwaiWebView;
com.yxcorp.gifshow.webview.c.b;

Location: classes7.dex
com.yxcorp.plugin.live.music.bgm.importmusic.LiveBgmAnchorImportMusicGuideFragment;

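WebView's save-password feature is set to true by default. WebView stores website passwords in plaintext in the app-private local file "databases/webview.db". On a system that can be rooted, or in combination with other vulnerabilities (such as a WebView same-origin bypass), an attacker can obtain the user's passwords.
Recommendation: explicitly set webView.getSettings().setSavePassword(false).

Reference cases: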
www.wooyun.org/bugs/wooyun-2010-021420
www.wooyun.org/bugs/wooyun-2013-020246

References:
http://wolfeye.baidu.com/blog/
www.claudxiao.net/2013/03/android-webview-cache/

Low risk

Detected 9 places where WebView's hidden system interfaces have not been removed.

Location: classes.dex
com.tencent.bugly.crashreport.CrashReport$1;->setJavaScriptEnabled(Z)V

Location: classes4.dex
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.webank.facelight.ui.FaceProtocalActivity;->onCreate(Landroid.os.Bundle;)V
com.yxcorp.gateway.pay.activity.GatewayH5PayActivity;->onDestroy()V
com.sina.weibo.sdk.component.WeiboSdkBrowser;->onCreate(Landroid.os.Bundle;)V
com.yxcorp.gateway.pay.activity.GatewayH5PayActivity;->initWebViewSettings()V

Location: classes5.dex
com.yxcorp.gifshow.ad.webview.PhotoAdvertisementWebActivity;->a(Lcom.yxcorp.gifshow.webview.api.d; Landroid.webkit.WebView;)V

Location: classes6.dex
com.yxcorp.gifshow.webview.c.b;->a(Ljava.lang.String;)V

Location: classes7.dex
com.yxcorp.plugin.live.music.bgm.importmusic.LiveBgmAnchorImportMusicGuideFragment;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;

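The Android WebView component contains 3 hidden system interfaces: searchBoxJavaBridge_, accessibilityTraversal and accessibility. Malicious programs can use them to achieve remote code execution.
If WebView is used, call the WebView.removeJavascriptInterface(String name) API to explicitly remove the three interfaces searchBoxJavaBridge_, accessibility and accessibilityTraversal.

References: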
http://wolfeye.baidu.com/blog/android-webview/
http://blog.csdn.net/u013107656/article/details/51729398
http://wolfeye.baidu.com/blog/android-webview-cve-2014-7224/

Low risk

Detected 8 uses of the weak DES encryption algorithm.

Location: classes.dex
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/proguard/ai;->a([B)[B
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/proguard/ai;->b([B)[B

Location: classes4.dex
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/open/utils/d;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/webank/proguard/af;->b([B)[B
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/open/utils/d;->b(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'DES/CBC/PKCS5Padding' used in: Lcom/sijla/e/b;->b(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'DES/CBC/PKCS5Padding' used in: Lcom/sijla/e/b;->a(Ljava/lang/String; Ljava/lang/String;)Ljava/lang/String;
'DES/CBC/PKCS5Padding' used in: Lcom/tencent/bugly/webank/proguard/af;->a([B)[B

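Using a weak encryption algorithm greatly increases the likelihood of attack: an attacker may decrypt private data, guess keys, mount man-in-the-middle attacks and so on, leaking private information and even causing financial loss. Using the AES encryption algorithm is recommended.

References: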
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Low risk

Detected 7 Intent Scheme URI vulnerabilities.

Location: classes4.dex
Lcom/kwad/sdk/d/a;->a(Landroid/content/Context; Ljava/lang/String; Ljava/lang/String;)I
Lcom/xiaomi/mipush/sdk/ag;->a(Landroid/content/Context; Ljava/lang/String; Ljava/util/Map;)Landroid/content/Intent;
Lcom/xiaomi/push/service/br;->b(Landroid/content/Context; Ljava/lang/String; I Ljava/util/Map;)Landroid/content/Intent;
Lcom/yxcorp/gateway/pay/f/h;->a(Landroid/content/Context; Landroid/net/Uri; Z Z)Landroid/content/Intent;
Lcom/kwad/sdk/widget/KsAdWebView$b;->shouldOverrideUrlLoading(Landroid/webkit/WebView; Ljava/lang/String;)Z
Lcom/vivo/push/c/s;->a(Lcom/vivo/push/y;)V

Location: classes6.dex
Lcom/yxcorp/gifshow/util/gg;->a(Landroid/content/Context; Landroid/net/Uri; Z Z)Landroid/content/Intent;


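An Intent Scheme URI is a special URL format used to launch the Activity components of installed apps from a web page; most mainstream browsers support it. If the app does not check the value of the load_url it receives, an attacker can build a phishing site, lure the user into clicking and loading it, and steal user information. Improper handling of Intent URIs therefore leads to Intent-based attacks. Recommendation:
If the Intent.parseUri function is used, the resulting intent must be strictly filtered; at a minimum the intent must apply these 3 policies: addCategory("android.intent.category.BROWSABLE"), setComponent(null), setSelector(null).

References: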
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://drops.wooyun.org/papers/2893
http://drops.wooyun.org/mobile/15202

Low risk

Detected 4 AES/DES weak encryption risks.

Location: classes.dex
com.alipay.sdk.c.b;->a(I Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;

Location: classes2.dex
com.coloros.mcssdk.c.a;->a(Ljava.lang.String;)Ljava.lang.String;

Location: classes4.dex
Lcom/sina/weibo/sdk/b/a;->a(Ljava/lang/String;)Ljava/lang/String;

Location: classes6.dex
Lcom/yxcorp/gifshow/util/gs;->a(Ljava/lang/String;)Ljava/lang/String;

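When the AES/DES/DESede encryption algorithms are used in ECB mode, they are vulnerable to attack and can leak information. When using AES/DES/DESede, explicitly specify the CBC or CFB encryption mode.

References: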
http://blog.csdn.net/u013107656/article/details/51997957
https://developer.android.com/reference/javax/crypto/Cipher.html
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Low risk

Detected 2 weak hostname verification vulnerabilities.

Location: classes5.dex
com.yxcorp.gifshow.debug.r$a$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

Location: classes8.dex
com.yxcorp.router.d.b$1;->verify(Ljava.lang.String; Ljavax.net.ssl.SSLSession;)Z

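A custom HostnameVerifier class is defined, but its verify method does not validate the hostname and simply returns true, accepting any hostname. Recommendation:
Validate SSL certificates strictly, including whether the signing CA is legitimate, whether the certificate is self-signed, whether the hostname matches, and whether the certificate has expired.

References: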
http://drops.wooyun.org/tips/3296
https://www.91ri.org/12534.html

Low risk

Detected 1 place where a custom WebViewClient implementation calls the proceed() method in onReceivedSslError.

Location: classes4.dex
com.webank.facelight.ui.b;->onReceivedSslError(Landroid.webkit.WebView; Landroid.webkit.SslErrorHandler; Landroid.net.http.SslError;)V

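When a certificate validation error occurs while the Android WebView component loads a page, the onReceivedSslError method of the WebViewClient class is called. If the implementation of that method calls handler.proceed() to ignore the certificate error, the app is exposed to man-in-the-middle attacks, which may leak private data. Recommendation:
When a certificate validation error occurs, use the default handling, handler.cancel(), and stop loading the problem page.

Reference cases: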
http://www.wooyun.org/bugs/wooyun-2010-0109266

References:
https://jaq.alibaba.com/blog.htm?id=60
http://wolfeye.baidu.com/blog/webview-ignore-ssl-error/

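Warning

Detected 108 exported components that receive messages from other apps; these components can be invoked by other apps, leading to DoS attacks.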

activity com.yxcorp.plugin.qrcode.AuthorizationActivity
activity com.yxcorp.gifshow.camera.ktv.tune.list.category.detail.KtvCategoryDetailActivity
activity com.yxcorp.gifshow.camera.ktv.record.KtvSchemeDispatchActivity
activity com.yxcorp.gifshow.camera.ktv.tune.KtvTuneActivity
activity com.yxcorp.gifshow.record.album.LocalAlbumActivity
activity com.yxcorp.gifshow.ad.activity.CommercialLocationActivity
activity com.yxcorp.gifshow.ad.activity.CommercialLocationPreviewActivity
activity com.yxcorp.gifshow.ad.profile.activity.BusinessAtPhotoManagerActivity
activity com.yxcorp.gifshow.ad.poi.activity.BusinessPoiActivity
activity com.yxcorp.gifshow.ad.webview.CommercialWebActivity
activity com.yxcorp.gifshow.camera.record.CameraActivity
activity com.yxcorp.gifshow.music.rank.MusicRankActivity
activity com.yxcorp.gifshow.music.cloudmusic.MusicImportActivity
activity com.kuaishou.gamezone.gamecategory.GzoneGameCategoriesActivity
activity com.kuaishou.gamezone.GzoneRouterActivity
activity com.yxcorp.plugin.live.LivePlayActivity
activity com.yxcorp.plugin.payment.activity.MyWalletActivity
activity com.yxcorp.plugin.payment.activity.RechargeKwaiCoinListActivity
activity com.smile.gifmaker.wxapi.WXPayEntryActivity
activity com.yxcorp.plugin.payment.activity.KwaiPayActivity
activity com.yxcrop.plugin.relation.ShareDetailActivity
activity com.yxcorp.plugin.message.MessageActivity
activity com.yxcorp.plugin.message.ConversationInfoActivity
activity com.yxcorp.plugin.message.group.GroupModifyDescActivity
activity com.yxcorp.plugin.message.CommonConcernActivity
activity com.yxcorp.newgroup.manage.GroupDataEditActivity
activity com.yxcorp.newgroup.profile.GroupProfileActivity
activity com.yxcorp.gifshow.profile.activity.MyProfileActivity
activity com.yxcorp.gifshow.profile.activity.UserProfileActivity
activity com.yxcorp.gifshow.profile.activity.MomentListActivity
activity com.yxcorp.gifshow.profile.activity.ShareMultiPhotoDetailActivity
activity com.yxcorp.gifshow.story.StoryRouterActivity
activity com.yxcorp.gifshow.gamecenter.H5GameWebViewActivity
activity com.yxcorp.login.userlogin.QuickLoginActivity
activity com.yxcorp.login.userlogin.AccountSecurityActivity
activity com.yxcorp.gifshow.tube.latest.TubeLatestActivity
activity com.yxcorp.gifshow.tube.rank.TubeRankActivity
activity com.yxcorp.gifshow.tube.feed.TubeFeedActivity
activity com.yxcorp.gifshow.tube.series.TubeSeriesActivity
activity com.yxcorp.gifshow.tube.slideplay.TubeDetailActivity
activity com.smile.gifmaker.wxapi.WXEntryActivity
activity com.tencent.tauth.AuthActivity
activity com.yxcorp.gifshow.users.UserListActivity
activity com.yxcorp.gifshow.users.FollowingFriendActivity
activity com.yxcorp.gifshow.activity.MsgPrivacySettingActivity
activity com.yxcorp.gifshow.activity.ExploreFriendActivity
activity com.kuaishou.merchant.detail.MerchantDetailActivity
activity com.kuaishou.merchant.selfbuild.SelfBuildDetailActivity
activity com.yxcorp.gifshow.activity.UriRouterActivity
activity com.yxcorp.plugin.search.SearchActivity
activity com.yxcorp.plugin.setting.activity.SettingsActivity
activity com.yxcorp.map.local.RoamCityActivity
activity com.yxcorp.cobra.activity.CobraConnectActivity
activity com.yxcorp.plugin.tag.music.TagMusicActivity
activity com.yxcorp.plugin.tag.sameframe.TagSameFrameActivity
activity com.yxcorp.plugin.tag.chorus.TagChorusActivity
activity com.yxcorp.plugin.tag.detail.TagDetailActivity
activity com.yxcorp.plugin.tag.magicface.TagMagicFaceActivity
activity com.yxcorp.plugin.tag.music.creationchallenge.CreationChallengeActivity
activity com.yxcorp.gifshow.activity.TXKingCardActivity
activity com.yxcorp.gifshow.activity.TXKingCardActivity2
activity com.yxcorp.gifshow.detail.PhotoDetailActivity
activity com.yxcorp.gifshow.aggregate.AggregateActivity
activity com.yxcorp.gifshow.activity.UserInfoEditActivity
activity com.yxcorp.gifshow.activity.ContactsListActivity
activity com.yxcorp.gifshow.activity.ReminderActivity
activity com.yxcorp.gifshow.v3.editor.sticker.vote.VoteDetailActivity
activity com.yxcorp.gifshow.authorization.AuthActivity
activity com.yxcorp.gifshow.activity.PromotionRouterActivity
activity com.yxcorp.gifshow.activity.SchemeActivity
activity com.yxcorp.plugin.share.WeiboShareProxyActivity
activity com.yxcorp.gifshow.webview.KwaiWebViewActivity
activity com.yxcorp.gifshow.push.huawei.HuaweiPushActivity
activity com.yxcorp.gifshow.push.oppo.ActionRouterActivity
activity com.igexin.sdk.GActivity
activity com.yxcorp.gateway.pay.activity.GatewayPayActivity
service com.yxcorp.gifshow.push.PushService
service com.yxcorp.gifshow.keepalive.MIUIAlarmService
service com.tencent.android.tpush.service.XGPushServiceV3
service com.tencent.android.tpush.rpc.XGRemoteService
service com.coloros.mcssdk.PushService
service com.vivo.push.sdk.service.CommandClientService
service com.igexin.sdk.PushService
service com.yxcorp.gifshow.push.getui.GetuiPushService
service com.xiaomi.mipush.sdk.PushMessageHandler
service com.yxcorp.gifshow.systemaccount.AccountsAuthenticatorService
service com.yxcorp.gifshow.systemaccount.AccountSyncService
service com.meizu.cloud.pushsdk.NotificationService
receiver com.yxcorp.gifshow.push.LocalPushReceiver
receiver com.yxcorp.gifshow.ad.detail.AppInstalledReceiver
receiver com.yxcorp.gifshow.keepalive.MIUIAlarmReceiver
receiver cn.jpush.android.service.AlarmReceiver
receiver cn.jpush.android.service.PushReceiver
receiver com.yxcorp.gifshow.push.jpush.JPushReceiver
receiver com.tencent.android.tpush.XGPushReceiver
receiver com.yxcorp.gifshow.push.xinge.XinGePushReceiver
receiver com.yxcorp.gifshow.push.meizu.MeizuPushReceiver
receiver com.yxcorp.gifshow.push.meizu.MeizuSystemReceiver
receiver com.yxcorp.gifshow.push.huawei.HuaweiPushReceiver
receiver com.yxcorp.gifshow.push.huawei.HuaweiPushEventReceiver
receiver com.yxcorp.gifshow.push.vivo.VivoPushReceiver
receiver com.igexin.download.DownloadReceiver
receiver com.yxcorp.gifshow.push.getui.GetuiPushReceiver
receiver com.xiaomi.push.service.receivers.NetworkStatusReceiver
receiver com.yxcorp.gifshow.push.xiaomi.XiaomiPushReceiver
receiver com.kwai.chat.kwailink.receiver.AlarmReceiver
receiver com.kwai.chat.kwailink.client.KwaiLinkNotifyClientBroadcastReceiver
receiver com.yxcorp.download.DownloadReceiver

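Recommendations:
(1) Minimize component exposure. For components that do not take part in cross-app calls, explicitly add the android:exported="false" attribute.
(2) Set component access permissions. Set a permission on the provider, and set the permission's protectionLevel to "signature" or "signatureOrSystem".
(3) Validate data passed between components. Validate data passed into and returned from components, especially across apps, and add exception handling, to keep malicious debug data from being passed in and, more importantly, to keep sensitive data from being returned.

Reference cases: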
http://www.wooyun.org/bugs/wooyun-2010-0169746
http://www.wooyun.org/bugs/wooyun-2010-0104965

References:
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.Wz4OeC&id=55
《Android安全技术解密与防范》

Warning

Detected 5 exported implicit Service components.
service com.yxcorp.gifshow.push.PushService
service com.coloros.mcssdk.PushService
service com.igexin.sdk.PushService
service com.yxcorp.gifshow.systemaccount.AccountsAuthenticatorService
service com.yxcorp.gifshow.systemaccount.AccountSyncService

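Recommendation: to keep the app secure, always use an explicit Intent when starting a Service, and do not declare intent filters for your services. Starting a service with an implicit Intent is a security hazard, because you cannot be certain which service will respond to the Intent, and the user cannot see which service starts. Starting with Android 5.0 (API level 21), the system throws an exception if bindService() is called with an implicit Intent.

References: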
https://developer.android.com/guide/components/intents-filters.html#Types

Warning

Detected 58 components that set the android.intent.category.BROWSABLE attribute.
com.yxcorp.gifshow.camera.ktv.tune.list.category.detail.KtvCategoryDetailActivity
com.yxcorp.gifshow.camera.ktv.record.KtvSchemeDispatchActivity
com.yxcorp.gifshow.camera.ktv.tune.KtvTuneActivity
com.yxcorp.gifshow.record.album.LocalAlbumActivity
com.yxcorp.gifshow.ad.webview.CommercialWebActivity
com.yxcorp.gifshow.camera.record.CameraActivity
com.yxcorp.gifshow.music.rank.MusicRankActivity
com.kuaishou.gamezone.gamecategory.GzoneGameCategoriesActivity
com.kuaishou.gamezone.GzoneRouterActivity
com.yxcorp.plugin.live.LivePlayActivity
com.yxcorp.plugin.payment.activity.MyWalletActivity
com.yxcorp.plugin.payment.activity.RechargeKwaiCoinListActivity
com.yxcorp.plugin.payment.activity.KwaiPayActivity
com.yxcrop.plugin.relation.ShareDetailActivity
com.yxcorp.plugin.message.MessageActivity
com.yxcorp.gifshow.profile.activity.MyProfileActivity
com.yxcorp.gifshow.profile.activity.UserProfileActivity
com.yxcorp.gifshow.profile.activity.MomentListActivity
com.yxcorp.gifshow.profile.activity.ShareMultiPhotoDetailActivity
com.yxcorp.gifshow.story.StoryRouterActivity
com.yxcorp.gifshow.gamecenter.H5GameWebViewActivity
com.yxcorp.login.userlogin.QuickLoginActivity
com.yxcorp.login.userlogin.AccountSecurityActivity
com.yxcorp.gifshow.tube.latest.TubeLatestActivity
com.yxcorp.gifshow.tube.rank.TubeRankActivity
com.yxcorp.gifshow.tube.feed.TubeFeedActivity
com.yxcorp.gifshow.tube.series.TubeSeriesActivity
com.yxcorp.gifshow.tube.slideplay.TubeDetailActivity
com.tencent.tauth.AuthActivity
com.yxcorp.gifshow.users.UserListActivity
com.yxcorp.gifshow.users.FollowingFriendActivity
com.yxcorp.gifshow.activity.ExploreFriendActivity
com.kuaishou.merchant.detail.MerchantDetailActivity
com.kuaishou.merchant.selfbuild.SelfBuildDetailActivity
com.yxcorp.gifshow.activity.UriRouterActivity
com.yxcorp.plugin.search.SearchActivity
com.yxcorp.plugin.setting.activity.SettingsActivity
com.yxcorp.map.local.RoamCityActivity
com.yxcorp.cobra.activity.CobraConnectActivity
com.yxcorp.plugin.tag.music.TagMusicActivity
com.yxcorp.plugin.tag.sameframe.TagSameFrameActivity
com.yxcorp.plugin.tag.chorus.TagChorusActivity
com.yxcorp.plugin.tag.detail.TagDetailActivity
com.yxcorp.plugin.tag.magicface.TagMagicFaceActivity
com.yxcorp.plugin.tag.music.creationchallenge.CreationChallengeActivity
com.yxcorp.gifshow.activity.TXKingCardActivity
com.yxcorp.gifshow.activity.TXKingCardActivity2
com.yxcorp.gifshow.detail.PhotoDetailActivity
com.yxcorp.gifshow.aggregate.AggregateActivity
com.yxcorp.gifshow.activity.UserInfoEditActivity
com.yxcorp.gifshow.activity.ContactsListActivity
com.yxcorp.gifshow.activity.ReminderActivity
com.yxcorp.gifshow.v3.editor.sticker.vote.VoteDetailActivity
com.yxcorp.gifshow.authorization.AuthActivity
com.yxcorp.gifshow.activity.PromotionRouterActivity
com.yxcorp.gifshow.activity.SchemeActivity
com.yxcorp.gifshow.webview.KwaiWebViewActivity
com.yxcorp.gateway.pay.activity.GatewayPayActivity


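Components that declare the android.intent.category.BROWSABLE attribute in the AndroidManifest file can be launched from a browser, which can lead to remote command execution attacks. Recommendations:
(1) Any place in the app that receives external input is a potential attack point; filter and check parameters that come from web pages.
(2) Do not pass sensitive information through web pages. To steer logged-in users into the app, some websites use scripts to dynamically generate URL Scheme parameters that include the username, password, login-state token or other sensitive information, so that the app opens already logged in. A malicious app can register the same URL Scheme to intercept this sensitive information. Android lets the user choose which app opens the link, but a user who is not paying attention may open it with the malicious app, leaking sensitive information or causing other risks.

Reference cases: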
http://www.wooyun.org/bugs/wooyun-2014-073875
http://www.wooyun.org/bugs/wooyun-2014-067798

References:
http://wolfeye.baidu.com/blog/intent-scheme-url/
http://www.jssec.org/dl/android_securecoding_en.pdf
http://drops.wooyun.org/mobile/15202
http://blog.csdn.net/l173864930/article/details/36951805
http://drops.wooyun.org/papers/2893

Warning

Detected 17 potential XSS vulnerabilities.

Location: classes.dex
com.alipay.sdk.util.k;->a(Landroid.app.Activity; Ljava.lang.String; Ljava.lang.String;)Landroid.webkit.WebView;
com.tencent.bugly.crashreport.CrashReport$1;->setJavaScriptEnabled(Z)V

Location: classes4.dex
com.tencent.bugly.webank.crashreport.CrashReport;->setJavascriptMonitor(Landroid.webkit.WebView; Z Z)Z
com.tencent.connect.auth.a;->d()V
com.webank.facelight.ui.FaceProtocalActivity;->onCreate(Landroid.os.Bundle;)V
com.yxcorp.gateway.pay.webview.PayWebView;->(Landroid.content.Context; Landroid.util.AttributeSet; I)V
com.kwad.sdk.widget.KsAdWebView;->c()V
com.kwad.sdk.widget.KsAdWebView;->c()V
com.sina.weibo.sdk.component.WeiboSdkBrowser;->onCreate(Landroid.os.Bundle;)V
com.tencent.open.SocialApiIml;->writeEncryToken(Landroid.content.Context;)V
com.tencent.open.TDialog;->b()V
com.tencent.open.c;->c()V
com.kwai.kwapp.a.d;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;
com.yxcorp.gateway.pay.activity.GatewayH5PayActivity;->initWebViewSettings()V

Location: classes5.dex
com.yxcorp.gifshow.gamecenter.view.GameCenterWebView;->(Landroid.content.Context; Landroid.util.AttributeSet; I)V

Location: classes6.dex
com.yxcorp.gifshow.webview.view.KwaiWebView;->(Landroid.content.Context; Landroid.util.AttributeSet; I)V

Location: classes7.dex
com.yxcorp.plugin.live.music.bgm.importmusic.LiveBgmAnchorImportMusicGuideFragment;->onCreateView(Landroid.view.LayoutInflater; Landroid.view.ViewGroup; Landroid.os.Bundle;)Landroid.view.View;

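Allowing WebView to execute JavaScript (setJavaScriptEnabled) may lead to XSS attacks. Avoid it where possible.
(1) Android systems with API level 17 or higher. For security reasons, to prevent Java-layer functions from being called arbitrarily, Google requires after version 4.2 that functions allowed to be called be annotated with @JavascriptInterface.
(2) Android systems with API level 17 or higher. It is recommended not to use the addJavascriptInterface interface, to avoid unnecessary security risks; if the interface must be used, certificate validation is recommended.
(3) Use removeJavascriptInterface to remove the Android system's built-in default interfaces: searchBoxJavaBridge_, accessibility, accessibilityTraversal.

Reference cases: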
www.wooyun.org/bugs/wooyun-2015-0140708
www.wooyun.org/bugs/wooyun-2016-0188252

References:
http://jaq.alibaba.com/blog.htm?id=48
http://blog.nsfocus.net/android-webview-remote-code-execution-vulnerability-analysis

Warning

Detected 45 uses of IvParameterSpec.

Location: classes.dex
c.t.m.g.cu;->b([B Ljava.lang.String;)[B
c.t.m.g.cy;->a([B Ljava.lang.String; I)[B
com.alipay.b.a.a.a.a.c;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.b.a.a.a.a.c;->a([B [B)[B
com.alipay.b.a.a.a.a.c;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.b.a.a.a.a.c;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.alipay.sdk.c.e;->a(Ljava.lang.String; [B)[B
com.alipay.sdk.c.e;->b(Ljava.lang.String; [B)[B
com.baidu.android.bbalbs.common.a.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.baidu.android.bbalbs.common.a.a;->b(Ljava.lang.String; Ljava.lang.String; [B)[B
com.tencent.bugly.proguard.z;->a(I [B [B)[B
com.yxcorp.utility.r;->a([B [B Ljava.lang.String;)[B
com.tencent.bugly.proguard.ah;->a([B)[B
com.tencent.bugly.proguard.ah;->b([B)[B
com.tencent.bugly.proguard.ai;->a([B)[B
com.tencent.bugly.proguard.ai;->b([B)[B

Location: classes2.dex
com.c.a.b.a.b;->a(Ljava.lang.String; [B)[B
com.cmic.sso.sdk.d.a;->a([B Ljava.lang.String;)Ljava.lang.String;
com.cmic.sso.sdk.d.a;->b([B Ljava.lang.String;)Ljava.lang.String;
com.huawei.hms.support.api.push.a.a.b.a;->a(Ljava.lang.String; [B)Ljava.lang.String;
com.huawei.hms.support.api.push.a.a.b.a;->b(Ljava.lang.String; [B)Ljava.lang.String;

Location: classes3.dex
com.kuaishou.common.encryption.a;->a([B Ljava.lang.String; [B I)[B
com.kuaishou.dfp.b.c;->a([B [B)[B
com.kuaishou.dfp.b.c;->a([B [B Z)[B

Location: classes4.dex
com.kwad.sdk.protocol.c.b;->a([B [B Ljava.lang.String;)[B
com.kwai.chat.kwailink.e.b.a;->a([B [B)[B
com.kwai.chat.kwailink.e.b.a;->b([B [B)[B
com.meizu.cloud.pushsdk.a.a.a;->a([B)[B
com.sijla.e.b;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.sijla.e.b;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.ta.utdid2.a.a.a;->a([B [B)[B
com.ta.utdid2.a.a.a;->b([B [B)[B
com.tencent.bugly.webank.proguard.a;->a(I [B [B)[B
com.tencent.open.utils.d;->a(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.tencent.open.utils.d;->b(Ljava.lang.String; Ljava.lang.String;)Ljava.lang.String;
com.umeng.analytics.pro.ar;->a([B [B)[B
com.umeng.analytics.pro.ar;->b([B [B)[B
com.vivo.push.cache.c;->updateDataToSP(Ljava.util.Set;)Ljava.lang.String;
com.vivo.push.util.g;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.webank.normal.tools.secure.a;->a(Ljava.lang.String; Ljava.lang.String; [B)[B
com.xiaomi.push.fw;->a([B I)Ljavax.crypto.Cipher;
com.tencent.bugly.webank.proguard.ae;->a([B)[B
com.tencent.bugly.webank.proguard.ae;->b([B)[B
com.tencent.bugly.webank.proguard.af;->a([B)[B
com.tencent.bugly.webank.proguard.af;->b([B)[B

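When IvParameterSpec is used with a fixed initialization vector, the ciphertext becomes far more predictable and is vulnerable to dictionary attacks and the like. Recommendation: do not construct IvParameterSpec from a constant initialization vector; use the security components provided by 聚安全 (Jaq).

References: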
http://drops.wooyun.org/tips/15870
https://developer.android.com/training/articles/keystore.html
http://wolfeye.baidu.com/blog/weak-encryption/
http://www.freebuf.com/articles/terminal/99868.html

Warning

Detected 2 calls to the insecure method SSLCertificateSocketFactory#getInsecure.

Location: classes.dex
Lc.t.m.g.am;->createSocket

Location: classes4.dex
Lcom.tencent.open.utils.j;->


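The SSLCertificateSocketFactory#getInsecure method performs no SSL verification checks, which exposes network communication to man-in-the-middle attacks. Recommendation:
Remove use of the SSLCertificateSocketFactory#getInsecure method.

References: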
https://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html
http://developer.android.com/reference/android/net/SSLCertificateSocketFactory.html#getInsecure(int, android.net.SSLSessionCache)

Warning

Detected 2 exported components at risk of unsafe Intent reflection.


Location: classes2.dex
com.huawei.hms.update.e.o;->b

Location: classes4.dex
com.yxcorp.gateway.pay.activity.GatewayPayActivity;->onCreate

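Recommendations:
(1) Do not invoke reflection on values propagated through Extras received from an Intent.
(2) Set components that accept reflection to non-exported.

Warning

Detected 6 providers with grantUriPermissions set to true.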
com.yxcorp.gifshow.util.KwaiPreferenceProvider
com.yxcorp.gifshow.activity.share.ShareAuthProvider
android.support.v4.content.FileProvider
com.kwai.kwapp.KwaiAppFileProvider
com.huawei.hms.update.provider.UpdateProvider
com.yxcorp.gifshow.push.PushProvider


When grant-uri-permission is set to true, other programs can access the content provider's content through a URI, which can easily lead to information leakage.

References:
https://security.tencent.com/index.php/blog/msg/6

Warning

Detected 1 instance of socket communication.

Location: classes2.dex
Lcom.eclipsesource.v8.debug.V8DebugServer;->

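Android applications commonly use sockets in different domains, such as PF_UNIX, PF_INET and PF_NETLINK, for local IPC or remote network communication. These exposed sockets represent a potential local or remote attack surface, and there have historically been many cases of sockets being used for denial of service, root privilege escalation or remote command execution. PF_INET network sockets in particular can communicate with an Android application over the network; they were originally intended for exposing network services in a Linux environment. Because they lack fine-grained security checks on the identity of the network caller or on the local caller's id, permission and so on, a flawed implementation can break through Android's sandbox restrictions and execute commands with the privileges of the attacked application, which usually results in fairly serious vulnerabilities.

Reference cases: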
http://www.wooyun.org/bugs/wooyun-2015-0148406
http://www.wooyun.org/bugs/wooyun-2015-0145365

References:
http://wolfeye.baidu.com/blog/open-listen-port
http://blog.csdn.net/jltxgcy/article/details/50686858
https://www.bigniu.com/article/view/10
http://drops.wooyun.org/mobile/6973

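Warning

This app should declare the permission's "android:protectionLevel" attribute as "signature" or "signatureOrSystem" to ensure that other apps cannot register for or receive messages from this app. The permissions that pose a security risk are: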
com.yxcorp.gifshow.thirdparty.auth.read normal

Warning

Detected 4 URLs that do not use a secure https connection.

Location: classes.dex
http://m.alipay.com/
http://mobilegw-1-64.test.alipay.net/
http://mobilegw.aaa.alipay.net/
http://mobilegw.stable.alipay.net/

References:
https://jaq.alibaba.com/blog.htm?id=60
https://developer.android.com/training/articles/security-ssl.html


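Risks found by dynamic scanning

Risk level Risk name

Server-side analysis

Risk level Risk name

Warning

Detected ? XSS vulnerabilities.
In development...

Warning

Detected ? cross-site XSS vulnerabilities.
In development...

Application certificate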