Moderate Risk

Threat level

com.bl.locker2019

ANIOT

Analyzed on 2021-06-22T19:00:11.281497

22

permissions

77

activities

6

services

3

receivers

36

domains

File sums

MD5 c98c02a9d2e394418efc68c4e31ddf72
SHA1 94cd9d03b4efc98d127a041ac6d64f9fc9ecfc89
SHA256 2f64274c93b32b98a358593d548364f6b4e5012f9030f459fe8bab3cc0877aae
Size 34.76MB

APKiD

Information computed with APKiD.

/tmp/tmp71nu9omr!classes.dex
anti_vm
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • possible Build.SERIAL check
  • SIM operator check
  • network operator name check
  • subscriber ID check
compiler
  • r8 without marker (suspicious)
/tmp/tmp71nu9omr!classes2.dex
anti_vm
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • possible Build.SERIAL check
  • Build.TAGS check
  • SIM operator check
  • network operator name check
  • subscriber ID check
  • possible ro.secure check
compiler
  • r8 without marker (suspicious)
/tmp/tmp71nu9omr!lib/arm64-v8a/libJni_wgs2gcj.so
obfuscator
  • Obfuscator-LLVM version 3.6.1
/tmp/tmp71nu9omr!lib/armeabi/libJni_wgs2gcj.so
obfuscator
  • Obfuscator-LLVM version 3.6.1

SSdeep

Information computed with ssdeep.

APK file 786432:VgumkuIDnIUbzZhiIHoxKhDIKGW5mEl8I4PFyV//u8mY4:VHmtIDnXb1h0wGYEC/m8t4
Manifest 768:i/ZHEh2gp6R8zpE4VKtoT7S6ZobQOpLoi33lITy5Ua90pcKVhnDmBA1ThjHXLsMV:…
classes.dex 98304:ftogbDcKDDXj7/TxW2CK62CTkCJnkpTXcBqa:logDciHhFGTZqa
classes2.dex 49152:ToMlZvvf/vYhEJCZo1NuX1lfUqzx973uU3UVrJIpZ3XkUgvxjlBAnWEeYvcRSOo…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 12288:/ydacp1eAx5/6B/GIFpRzjrOYjQqSKA1sYSSvk:GVyJGIdOYPSKA1sYSB
classes.dex 3072:XuXk7NMNKP1BzjqLxkpu4tWBYGNA3xlyheceInkazw6IDlTkcqHijrIF7ZWrtu8K…
classes2.dex 6144:XJvr1x7uKDuLeEHIIIInpZ+QFukMrIyJ2f9HDgZ4/rnjrVmu7qzYwwQqSg/gbgCI…

APK details

Information computed with AndroGuard and Pithus.

Package com.bl.locker2019
App name ANIOT
Version name 2.1.7
Version code 50
SDK 21 - 28
UAID a67cc8730150682d4e29988c355d4403f563c169
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 8842112549100c64bfb4e5d4674c1752
SHA1 d3a2b26b3313b074f229444c2960715016dd0ce1
SHA256 2556e462d876c4b5380207356b6e8746faa775cd43e29811ac3ebb9c89205f7e
Issuer Common Name: x
Not before 2019-10-14T04:44:02+00:00
Not after 2044-10-07T04:44:02+00:00

Manifest analysis

Information computed with MobSF.

High Clear text traffic is Enabled For App[android:usesCleartextTraffic=true]
The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
Medium Application Data can be Backed up[android:allowBackup=true]
This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.
High TaskAffinity is set for Activity
(com.igexin.sdk.PushActivity)
If taskAffinity is set, then other application could read the Intents sent to Activities belonging to another task. Always use the default setting keeping the affinity as the package name in order to prevent sensitive information inside sent or received Intents from being read by another application.
High TaskAffinity is set for Activity
(com.igexin.sdk.GActivity)
If taskAffinity is set, then other application could read the Intents sent to Activities belonging to another task. Always use the default setting keeping the affinity as the package name in order to prevent sensitive information inside sent or received Intents from being read by another application.
High Activity (com.igexin.sdk.GActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (com.bl.locker2019.wxapi.WXEntryActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (com.bl.locker2019.wxapi.WXPayEntryActivity) is not Protected. [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Activity (com.bl.locker2019.activity.lock.LockNfcInfoActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Content Provider (com.igexin.download.DownloadProvider) is not Protected. [android:exported=true]
A Content Provider is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (com.igexin.sdk.PushReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.igexin.download.DownloadReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Service (com.igexin.sdk.PushService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (com.bl.locker2019.service.GTPushService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (com.bl.blelibrary.BLEService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

Main Activity

Information computed with AndroGuard.

['com.bl.locker2019.activity.lock.ModeActivity', 'com.bl.locker2019.activity.lock.LockSettingActivity', 'com.bl.locker2019.activity.lock.NFCLabelActivity', 'com.bl.locker2019.activity.lock.InkScreenActivity', 'com.bl.locker2019.activity.lock.nfc.AddWifiActivity', 'com.theartofdev.edmodo.cropper.CropImageActivity', 'com.igexin.sdk.PushActivity', 'com.igexin.sdk.GActivity', 'com.bl.locker2019.activity.welcome.WelcomeActivity', 'com.bl.locker2019.activity.MainActivity', 'com.bl.locker2019.activity.lock.LockInfoActivity', 'com.bl.locker2019.activity.login.LoginActivity', 'com.bl.locker2019.activity.lock.serch.SearchTipsActivity', 'com.bl.locker2019.activity.lock.serch.SearchDeviceActivity', 'zxing.android.view.QrCodeActivity', 'com.bl.locker2019.activity.user.set.SettingActivity', 'com.bl.locker2019.activity.user.QrActivity', 'com.bl.locker2019.activity.log.LogActivity', 'com.bl.locker2019.activity.friend.list.FriendListActivity', 'com.bl.locker2019.activity.friend.info.FriendInfoActivity', 'com.bl.locker2019.activity.friend.find.NumberActivity', 'com.bl.locker2019.activity.friend.request.FriendRequestActivity', 'com.bl.locker2019.activity.friend.auth.FriendAuthListActivity', 'com.bl.locker2019.activity.lock.auth.LockAuthActivity', 'com.bl.locker2019.activity.lock.auth.LockAuthBatchActivity', 'com.bl.locker2019.activity.user.set.about.AboutActivity', 'com.bl.locker2019.base.BaseH5Activity', 'com.bl.locker2019.activity.login.register.RegisterActivity', 'com.bl.locker2019.activity.login.forget.ForgetActivity', 'com.bl.locker2019.activity.lock.password.ChangePasswordActivity', 'com.bl.locker2019.activity.lock.password.key.ChangeKeyPasswordActivity', 'com.bl.locker2019.activity.lock.safe.PasswordNumberActivity', 'com.bl.locker2019.activity.lock.fingerprint.AddFingerprintActivity', 'com.bl.locker2019.activity.lock.fingerprint.FingerprintSettingActivity', 'com.bl.locker2019.activity.welcome.GuideActivity', 'com.bl.locker2019.activity.lock.safe.LockSafeActivity', 'com.bl.locker2019.activity.lock.wifi.LockWifiActivity', 'com.bl.locker2019.activity.lock.password.PasswordActivity', 'com.bl.locker2019.activity.lock.password.add.AddPasswordActivity', 'com.bl.locker2019.activity.lock.password.DynamicPasswordActivity', 'com.bl.locker2019.activity.lock.card.CardListActivity', 'com.bl.locker2019.activity.lock.card.add.CardAddByLockActivity', 'com.bl.locker2019.activity.home.search.SearchDeviceActivity', 'com.bl.locker2019.wxapi.WXEntryActivity', 'com.bl.locker2019.activity.user.info.UserInfoActivity', 'com.bl.locker2019.activity.lock.fingerprint.FingerprintListActivity', 'com.bl.locker2019.activity.friend.send.SendMessageActivity', 'com.bl.locker2019.activity.shop.info.ShopInfoActivity', 'com.bl.locker2019.activity.shop.buy.BuyOrderActivity', 'com.bl.locker2019.activity.shop.address.MyAddressActivity', 'com.bl.locker2019.activity.shop.address.add.AddressAddActivity', 'com.bl.locker2019.activity.friend.circle.CircleActivity', 'com.bl.locker2019.wxapi.WXPayEntryActivity', 'com.bl.locker2019.activity.user.myorder.MyOrderActivity', 'com.bl.locker2019.activity.friend.release.ReleaseActivity', 'com.bl.locker2019.activity.user.collection.CollectionActivity', 'com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity', 'com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity2', 'com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity3', 'com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity4', 'com.bl.locker2019.activity.friend.authRequest.AuthRequestActivity', 'com.bl.locker2019.activity.lock.nfc.NFCAddActivity', 'com.bl.locker2019.activity.lock.nfc.NfcLabelCertificationActivity', 'com.bl.locker2019.activity.lock.LockNfcInfoActivity', 'com.bl.locker2019.activity.lock.AddDeviceActivity', 'com.bl.locker2019.activity.lock.auth.LockAuthInfoActivity', 'com.bl.locker2019.activity.log.TobaccoLogActivity', 'com.bl.locker2019.activity.lock.wifi.AppPackageActivity', 'com.bl.locker2019.activity.lock.TextActivity', 'com.bl.locker2019.activity.lock.PhotoActivity', 'com.luck.picture.lib.PictureSelectorActivity', 'com.luck.picture.lib.PicturePreviewActivity', 'com.luck.picture.lib.PictureVideoPlayActivity', 'com.luck.picture.lib.PictureExternalPreviewActivity', 'com.yalantis.ucrop.UCropActivity', 'com.yalantis.ucrop.PictureMultiCuttingActivity', 'com.luck.picture.lib.PicturePlayAudioActivity']

Activities

Information computed with AndroGuard.

com.bl.locker2019.activity.lock.ModeActivity
com.bl.locker2019.activity.lock.LockSettingActivity
com.bl.locker2019.activity.lock.NFCLabelActivity
com.bl.locker2019.activity.lock.InkScreenActivity
com.bl.locker2019.activity.lock.nfc.AddWifiActivity
com.theartofdev.edmodo.cropper.CropImageActivity
com.igexin.sdk.PushActivity
com.igexin.sdk.GActivity
com.bl.locker2019.activity.welcome.WelcomeActivity
com.bl.locker2019.activity.MainActivity
com.bl.locker2019.activity.lock.LockInfoActivity
com.bl.locker2019.activity.login.LoginActivity
com.bl.locker2019.activity.lock.serch.SearchTipsActivity
com.bl.locker2019.activity.lock.serch.SearchDeviceActivity
zxing.android.view.QrCodeActivity
com.bl.locker2019.activity.user.set.SettingActivity
com.bl.locker2019.activity.user.QrActivity
com.bl.locker2019.activity.log.LogActivity
com.bl.locker2019.activity.friend.list.FriendListActivity
com.bl.locker2019.activity.friend.info.FriendInfoActivity
com.bl.locker2019.activity.friend.find.NumberActivity
com.bl.locker2019.activity.friend.request.FriendRequestActivity
com.bl.locker2019.activity.friend.auth.FriendAuthListActivity
com.bl.locker2019.activity.lock.auth.LockAuthActivity
com.bl.locker2019.activity.lock.auth.LockAuthBatchActivity
com.bl.locker2019.activity.user.set.about.AboutActivity
com.bl.locker2019.base.BaseH5Activity
com.bl.locker2019.activity.login.register.RegisterActivity
com.bl.locker2019.activity.login.forget.ForgetActivity
com.bl.locker2019.activity.lock.password.ChangePasswordActivity
com.bl.locker2019.activity.lock.password.key.ChangeKeyPasswordActivity
com.bl.locker2019.activity.lock.safe.PasswordNumberActivity
com.bl.locker2019.activity.lock.fingerprint.AddFingerprintActivity
com.bl.locker2019.activity.lock.fingerprint.FingerprintSettingActivity
com.bl.locker2019.activity.welcome.GuideActivity
com.bl.locker2019.activity.lock.safe.LockSafeActivity
com.bl.locker2019.activity.lock.wifi.LockWifiActivity
com.bl.locker2019.activity.lock.password.PasswordActivity
com.bl.locker2019.activity.lock.password.add.AddPasswordActivity
com.bl.locker2019.activity.lock.password.DynamicPasswordActivity
com.bl.locker2019.activity.lock.card.CardListActivity
com.bl.locker2019.activity.lock.card.add.CardAddByLockActivity
com.bl.locker2019.activity.home.search.SearchDeviceActivity
com.bl.locker2019.wxapi.WXEntryActivity
com.bl.locker2019.activity.user.info.UserInfoActivity
com.bl.locker2019.activity.lock.fingerprint.FingerprintListActivity
com.bl.locker2019.activity.friend.send.SendMessageActivity
com.bl.locker2019.activity.shop.info.ShopInfoActivity
com.bl.locker2019.activity.shop.buy.BuyOrderActivity
com.bl.locker2019.activity.shop.address.MyAddressActivity
com.bl.locker2019.activity.shop.address.add.AddressAddActivity
com.bl.locker2019.activity.friend.circle.CircleActivity
com.bl.locker2019.wxapi.WXPayEntryActivity
com.bl.locker2019.activity.user.myorder.MyOrderActivity
com.bl.locker2019.activity.friend.release.ReleaseActivity
com.bl.locker2019.activity.user.collection.CollectionActivity
com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity
com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity2
com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity3
com.bl.locker2019.activity.lock.nfc.NFCUnlockActivity4
com.bl.locker2019.activity.friend.authRequest.AuthRequestActivity
com.bl.locker2019.activity.lock.nfc.NFCAddActivity
com.bl.locker2019.activity.lock.nfc.NfcLabelCertificationActivity
com.bl.locker2019.activity.lock.LockNfcInfoActivity
com.bl.locker2019.activity.lock.AddDeviceActivity
com.bl.locker2019.activity.lock.auth.LockAuthInfoActivity
com.bl.locker2019.activity.log.TobaccoLogActivity
com.bl.locker2019.activity.lock.wifi.AppPackageActivity
com.bl.locker2019.activity.lock.TextActivity
com.bl.locker2019.activity.lock.PhotoActivity
com.luck.picture.lib.PictureSelectorActivity
com.luck.picture.lib.PicturePreviewActivity
com.luck.picture.lib.PictureVideoPlayActivity
com.luck.picture.lib.PictureExternalPreviewActivity
com.yalantis.ucrop.UCropActivity
com.yalantis.ucrop.PictureMultiCuttingActivity
com.luck.picture.lib.PicturePlayAudioActivity

Receivers

Information computed with AndroGuard.

com.igexin.sdk.PushReceiver
com.igexin.download.DownloadReceiver
com.bl.locker2019.utils.DownLoadCompleteReceiver

Services

Information computed with AndroGuard.

com.amap.api.location.APSService
com.igexin.sdk.PushService
com.igexin.download.DownloadService
com.bl.locker2019.service.GTPushService
com.bl.locker2019.service.GTPullIntentService
com.bl.blelibrary.BLEService

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application invoke platform-provided DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application implement asymmetric key generation.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['bluetooth', 'location', 'network connectivity', 'NFC', 'USB', 'camera'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_CKM.1.1(1) The application generate asymmetric cryptographic keys not in accordance with FCS_CKM.1.1(1) using key generation algorithm RSA schemes and cryptographic key sizes of 1024-bit or lower.
Cryptographic Asymmetric Key Generation
FCS_CKM.1.1(3)
FCS_CKM.1.2(3)
A password/passphrase shall perform [Password-based Key Derivation Functions] in accordance with a specified cryptographic algorithm..
Password Conditioning
FCS_COP.1.1(1) The application perform encryption/decryption not in accordance with FCS_COP.1.1(1), AES-ECB mode is being used.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_COP.1.1(3) The application perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm RSA schemes using cryptographic key sizes of 2048-bit or greater.
Cryptographic Operation - Signing
FCS_COP.1.1(4) The application perform keyed-hash message authentication with cryptographic algorithm ['HMAC-SHA1'] .
Cryptographic Operation - Keyed-Hash Message Authentication
FCS_HTTPS_EXT.1.1 The application implement the HTTPS protocol that complies with RFC 2818.
HTTPS Protocol
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.1.1 The application invoked platform-provided functionality to validate certificates in accordance with the following rules: ['The certificate path must terminate with a trusted CA certificate', 'The application validate the revocation status of the certificate using the Online Certificate Status Protocol (OCSP) as specified in RFC 2560 or a Certificate Revocation List (CRL) as specified in RFC 5759 or an OCSP TLS Status Request Extension (i.e., OCSP stapling) as specified in RFC 6066', 'RFC 5280 certificate validation and certificate path validation'].
X.509 Certificate Validation
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication
FCS_CKM.1.1(2) The application shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes 128 bit or 256 bit.
Cryptographic Symmetric Key Generation

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 com/whty/audio/config/II/DovilaConfig.java
com/tencent/mm/opensdk/diffdev/a/e.java
com/whty/audio/driver/core/VI/b/h.java
com/whty/audio/driver/I/DovilaSDKInterface.java
com/tencent/mm/opensdk/modelmsg/GetMessageFromWX.java
org/greenrobot/greendao/async/AsyncOperationExecutor.java
com/tencent/mm/opensdk/modelbiz/JumpToBizTempSession.java
com/luck/picture/lib/permissions/RxPermissionsFragment.java
com/tencent/mm/opensdk/modelmsg/WXImageObject.java
com/igexin/push/extension/mod/SecurityUtils.java
jonelo/jacksum/ui/CheckFile.java
jp/co/cyberagent/android/gpuimage/GLTextureView.java
com/bl/locker2019/activity/user/info/UserInfoActivity.java
com/tencent/mm/opensdk/openapi/WXAPIFactory.java
com/whty/audio/manage/util/Utils.java
com/whty/device/inter/AndroidDeviceApi.java
com/chingtech/jdaddressselector/DbUtils.java
com/tencent/mm/opensdk/modelmsg/WXGameVideoFileObject.java
com/bl/locker2019/activity/lock/LockInfoPresenter.java
com/whty/audio/driver/core/V/a/b.java
com/bl/locker2019/activity/lock/safe/PasswordNumberActivity.java
com/whty/tyblelib/DeviceBLEApi.java
com/bumptech/glide/Glide.java
com/tencent/mm/opensdk/modelmsg/WXMiniProgramObject.java
com/whty/audio/driver/core/IV/a/b.java
com/bl/locker2019/activity/shop/item/ShopItemFragment.java
com/bumptech/glide/load/data/mediastore/ThumbnailStreamOpener.java
com/bumptech/glide/load/model/StreamEncoder.java
jonelo/jacksum/ui/MetaInfo.java
com/bl/locker2019/activity/login/forget/ForgetPresenter.java
org/greenrobot/greendao/internal/LongHashMap.java
com/whty/audio/driver/IV/b.java
com/whty/bluetoothsdk/util/CCID.java
com/bl/locker2019/activity/log/ShareLogFragment.java
jp/co/cyberagent/android/gpuimage/util/OpenGlUtils.java
com/whty/util/image/a.java
jp/co/cyberagent/android/gpuimage/PixelBuffer.java
com/whty/tymposapi/DeviceApi.java
org/greenrobot/greendao/DbUtils.java
com/amap/location/security/Core.java
com/bumptech/glide/load/engine/GlideException.java
com/yalantis/ucrop/util/EglUtils.java
com/tencent/mm/opensdk/modelmsg/LaunchFromWX.java
com/whty/audio/config/V/DovilaConfig.java
com/whty/audio/driver/core/II/b/h.java
jonelo/jacksum/ui/Summary.java
com/tencent/bugly/b.java
com/whty/audio/driver/core/II/e/g.java
com/wkq/library/utils/DialogLoading.java
com/tencent/mm/opensdk/diffdev/a/a.java
com/bl/locker2019/activity/friend/release/ReleaseActivity.java
com/whty/usb/util/ReflectUtils.java
com/bumptech/glide/load/resource/bitmap/Downsampler.java
com/whty/bluetooth/manage/util/XmlUtil.java
com/tencent/bugly/Bugly.java
com/bl/locker2019/activity/friend/circle/item/CircleItemFragment.java
com/luck/picture/lib/compress/Luban.java
com/whty/audio/driver/II/DovilaSDKInterface.java
com/whty/audio/driver/core/IV/e/f.java
com/lidroid/xutils/util/LogUtils.java
com/bl/locker2019/activity/login/register/RegisterPresenter.java
freemarker/ext/dom/Transform.java
zxing/android/camera/PreviewCallback.java
com/bl/locker2019/utils/Constant.java
com/whty/audio/manage/AudioManager_ICBC.java
com/bl/blelibrary/WLSAPI.java
com/whty/audio/driver/core/III/a/b.java
com/whty/tyblelib/d.java
com/yalantis/ucrop/task/BitmapLoadTask.java
com/bl/locker2019/activity/friend/list/FriendListActivity.java
com/bumptech/glide/load/model/ByteBufferEncoder.java
com/whty/audio/config/D/a.java
com/whty/adiplugins/e.java
com/fitsleep/sunshinelibrary/utils/ImageUtils.java
com/bumptech/glide/load/resource/bitmap/TransformationUtils.java
com/whty/device/facade/DeviceTotalAbility.java
com/tencent/mm/opensdk/diffdev/DiffDevOAuthFactory.java
com/bumptech/glide/manager/RequestManagerRetriever.java
com/bumptech/glide/manager/RequestManagerFragment.java
freemarker/template/utility/ToCanonical.java
com/whty/adiplugins/ADIPlugin.java
com/bumptech/glide/load/resource/bitmap/BitmapEncoder.java
com/whty/audio/manage/util/BeanUtil.java
com/igexin/push/util/a.java
jonelo/jacksum/cli/Jacksum.java
com/igexin/push/core/a.java
com/whty/audio/manage/AudioAgent.java
com/eidlink/wfty/util/L.java
com/bumptech/glide/load/data/LocalUriFetcher.java
com/bl/locker2019/activity/lock/card/CardListActivity.java
com/bl/locker2019/activity/lock/NFCLabelActivity.java
com/whty/audio/driver/core/V/b/h.java
com/bumptech/glide/load/engine/cache/MemorySizeCalculator.java
com/bumptech/glide/request/SingleRequest.java
com/bl/locker2019/activity/friend/FriendFragment.java
com/whty/audio/manage/AudioManager.java
com/zhy/http/okhttp/cookie/store/PersistentCookieStore.java
com/bumptech/glide/manager/SupportRequestManagerFragment.java
com/igexin/sdk/PushService.java
com/bumptech/glide/load/engine/SourceGenerator.java
com/whty/bluetooth/util/ConfigUtils.java
com/fitsleep/sunshinelibrary/utils/FileUtils.java
com/yalantis/ucrop/view/TransformImageView.java
com/bumptech/glide/load/engine/Engine.java
com/whty/audio/driver/core/V/e/g.java
com/theartofdev/edmodo/cropper/CropOverlayView.java
com/igexin/sdk/GTIntentService.java
com/tencent/bugly/crashreport/BuglyLog.java
org/greenrobot/greendao/AbstractDao.java
com/tencent/mm/opensdk/channel/MMessageActV2.java
com/bl/locker2019/activity/lock/auth/LockAuthAdapter.java
com/fitsleep/sunshinelibrary/utils/KeyboardUtils.java
com/tencent/mm/opensdk/channel/a/a.java
com/bl/locker2019/activity/lock/InkScreenActivity.java
com/jni/tfsoft/a/i.java
com/amap/openapi/u.java
com/igexin/b/a/c/b.java
com/whty/audio/driver/core/I/b/h.java
com/bl/locker2019/activity/log/LockLogFragment.java
com/bl/locker2019/activity/home/HomeFragment.java
com/tencent/mm/opensdk/modelbiz/ChooseCardFromWXCardPackage.java
com/bl/locker2019/activity/lock/nfc/NFCUnlockActivity3.java
com/bumptech/glide/load/model/ResourceLoader.java
org/greenrobot/greendao/generator/DaoGenerator.java
com/yalantis/ucrop/PictureMultiCuttingActivity.java
com/whty/audio/driver/core/II/a/b.java
org/greenrobot/greendao/test/AbstractDaoTest.java
com/luck/picture/lib/PictureSelectorActivity.java
com/bumptech/glide/load/engine/prefill/BitmapPreFillRunner.java
jonelo/jacksum/util/Service.java
com/bumptech/glide/util/pool/FactoryPools.java
com/fitsleep/sunshinelibrary/utils/SizeUtils.java
com/whty/device/utils/a.java
com/tencent/mm/opensdk/modelmsg/WXVideoFileObject.java
com/luck/picture/lib/tools/PictureFileUtils.java
com/bl/locker2019/activity/lock/auth/LockAuthInfoActivity.java
com/bumptech/glide/request/target/ViewTarget.java
com/whty/audio/config/I/DovilaConfig.java
com/whty/audio/driver/core/D/b/e.java
com/tencent/mm/opensdk/modelmsg/WXDesignerSharedObject.java
com/igexin/sdk/PushManager.java
com/amap/location/common/log/a.java
org/greenrobot/greendao/test/AbstractDaoTestLongPk.java
com/loc/j.java
com/bl/locker2019/activity/friend/info/FriendInfoActivity.java
com/whty/audio/driver/core/VI/e/g.java
org/greenrobot/greendao/query/QueryBuilder.java
com/bumptech/glide/load/data/AssetPathFetcher.java
jonelo/jacksum/cli/JacksumHelp.java
com/tencent/mm/opensdk/modelmsg/WXAppExtendObject.java
com/whty/audio/driver/core/V/e/f.java
com/tencent/mm/opensdk/modelmsg/WXEmojiObject.java
com/tencent/mm/opensdk/modelbiz/JumpToBizProfile.java
com/whty/audio/driver/I/b.java
com/whty/audio/driver/core/I/e/g.java
org/greenrobot/greendao/test/DbTest.java
com/whty/adiplugins/f.java
com/loc/dk.java
com/bl/nokeiotlibrary/utils/Logger.java
com/whty/audio/driver/IV/DovilaSDKInterface.java
com/whty/audio/driver/VI/DovilaSDKInterface.java
com/whty/audio/driver/core/II/e/f.java
com/bl/locker2019/activity/friend/list/FriendListFragment.java
com/whty/tyblelib/e.java
com/tencent/mm/opensdk/modelmsg/WXTextObject.java
com/tencent/mm/opensdk/diffdev/a/f.java
com/bl/locker2019/activity/log/LogActivity.java
com/bl/locker2019/wxapi/WXEntryActivity.java
com/bl/locker2019/activity/lock/InkScreenPresenter.java
com/bumptech/glide/load/model/FileLoader.java
com/whty/audio/driver/III/DovilaSDKInterface.java
com/whty/usb/manage/USBManage.java
zxing/android/decode/CaptureActivityHandler.java
com/whty/bluetoothsdk/connect/CommThread.java
com/amap/location/common/log/ALLog.java
com/tencent/mm/opensdk/utils/a.java
com/whty/usb/util/USBUtil.java
com/whty/audio/config/III/DovilaConfig.java
org/greenrobot/greendao/DaoLog.java
com/fitsleep/sunshinelibrary/utils/PhoneUtils.java
com/bumptech/glide/signature/ApplicationVersionSignature.java
com/bl/locker2019/activity/lock/LockNfcInfoActivity.java
com/whty/audio/driver/core/I/e/f.java
com/bumptech/glide/load/engine/DecodeJob.java
com/yalantis/ucrop/UCropActivity.java
com/bumptech/glide/load/resource/gif/StreamGifDecoder.java
com/fitsleep/sunshinelibrary/utils/Logger.java
com/whty/audio/driver/core/D/a/b.java
com/qiniu/android/common/FixedZone.java
com/bumptech/glide/load/resource/gif/GifDrawableEncoder.java
com/whty/audio/driver/V/b.java
com/bumptech/glide/load/data/mediastore/ThumbFetcher.java
com/tencent/mm/opensdk/modelmsg/WXEmojiSharedObject.java
com/igexin/push/extension/mod/a.java
com/yalantis/ucrop/util/FileUtils.java
com/whty/audio/driver/D/b.java
com/sunshine/dao/db/DaoMaster.java
com/loc/dm.java
com/yalantis/ucrop/util/BitmapLoadUtils.java
com/bl/locker2019/view/CharacterParser.java
com/whty/audio/manage/util/AgentUtil.java
com/whty/audio/driver/core/I/a/b.java
com/whty/device/utils/TLVParser.java
com/bl/locker2019/activity/user/myorder/item/MyOrderItemFragment.java
com/whty/audio/driver/core/D/b/l.java
jonelo/sugar/util/Base32.java
com/tencent/mm/opensdk/utils/c.java
com/bl/locker2019/activity/login/LoginPresenter.java
com/bumptech/glide/load/resource/bitmap/HardwareConfigState.java
com/bumptech/glide/load/model/ByteBufferFileLoader.java
com/whty/audio/driver/core/D/e/f.java
freemarker/core/CommandLine.java
com/theartofdev/edmodo/cropper/BitmapUtils.java
com/tencent/mm/opensdk/modelmsg/SendMessageToWX.java
com/whty/bluetooth/manage/util/BlueToothReceiver.java
com/whty/audio/config/IV/DovilaConfig.java
com/whty/audio/driver/core/VI/e/f.java
com/whty/tyblelib/utils/f.java
com/bumptech/glide/load/resource/gif/ByteBufferGifDecoder.java
com/wkq/library/base/RxBaseActivity.java
com/aofei/nfc/TagUtil.java
zxing/android/camera/CameraConfigurationManager.java
com/bumptech/glide/manager/DefaultConnectivityMonitor.java
com/whty/usb/util/USBReceiver.java
com/whty/audio/driver/V/DovilaSDKInterface.java
com/tencent/mm/opensdk/modelmsg/WXWebpageObject.java
com/whty/bluetooth/manage/BlueToothManage.java
com/tencent/bugly/crashreport/CrashReport.java
com/bumptech/glide/load/engine/bitmap_recycle/LruArrayPool.java
com/tencent/mm/opensdk/diffdev/a/d.java
com/bl/blelibrary/mode/ShangHaiTxOrder.java
com/whty/audio/driver/VI/b.java
zxing/android/view/QrCodeActivity.java
com/yalantis/ucrop/task/BitmapCropTask.java
com/chingtech/jdaddressselector/DBManager.java
com/whty/audio/driver/core/III/e/f.java
com/whty/device/utils/GPMethods.java
com/bumptech/glide/load/resource/bitmap/DrawableToBitmapConverter.java
com/whty/device/utils/LogManager.java
com/bl/blelibrary/utils/Logger.java
com/tencent/mm/opensdk/openapi/WXApiImplV10.java
com/whty/audio/driver/core/VI/a/b.java
com/bumptech/glide/load/engine/cache/DiskLruCacheWrapper.java
com/whty/audio/manage/util/ReflectUtils.java
com/bl/locker2019/activity/log/LocalLockLogFragment.java
com/whty/audio/driver/III/b.java
com/whty/bluetoothsdk/util/Protocols.java
com/wkq/library/utils/Logger.java
com/loc/ad.java
com/whty/usbsdk/util/CCID.java
com/tencent/mm/opensdk/modelbiz/AddCardToWXCardPackage.java
com/luck/picture/lib/widget/longimage/SubsamplingScaleImageView.java
com/tencent/mm/opensdk/modelbiz/JumpToBizWebview.java
com/jzxiang/pickerview/adapters/AbstractWheelTextAdapter.java
com/bumptech/glide/load/data/HttpUrlFetcher.java
com/whty/audio/driver/core/D/b/i.java
com/whty/audio/manage/util/XmlUtil.java
com/bl/locker2019/activity/log/TobaccoLogActivity.java
com/igexin/sdk/b.java
com/whty/audio/driver/core/III/e/g.java
com/whty/audio/config/VI/DovilaConfig.java
com/bumptech/glide/load/engine/DecodePath.java
com/bumptech/glide/gifdecoder/GifHeaderParser.java
com/whty/bluetooth/manage/util/ReflectUtils.java
com/tencent/mm/opensdk/modelmsg/WXFileObject.java
com/wang/avi/AVLoadingIndicatorView.java
org/greenrobot/greendao/DaoException.java
zxing/android/camera/AutoFocusCallback.java
butterknife/ButterKnife.java
com/bl/locker2019/activity/log/WarnLogFragment.java
com/whty/tyblelib/utils/HexBytesUtils.java
com/yalantis/ucrop/util/ImageHeaderParser.java
com/qiniu/android/storage/UploadOptions.java
com/tencent/mm/opensdk/utils/Log.java
com/bl/locker2019/activity/friend/send/SendMessagePresenter.java
com/whty/audio/driver/core/III/b/h.java
com/tencent/mm/opensdk/modelmsg/WXEmojiPageSharedObject.java
com/bumptech/glide/module/ManifestParser.java
com/tencent/mm/opensdk/modelmsg/SendAuth.java
com/zhy/http/okhttp/log/LoggerInterceptor.java
com/whty/audio/driver/core/IV/e/g.java
com/qiniu/android/storage/FormUploader.java
com/whty/audio/config/D/DovilaConfig.java
com/igexin/assist/action/MessageManger.java
com/whty/tyblelib/utils/d.java
com/tencent/mm/opensdk/modelbiz/SubscribeMessage.java
com/bumptech/glide/load/engine/executor/GlideExecutor.java
com/whty/usbsdk/USBApi.java
com/bumptech/glide/load/resource/bitmap/DefaultImageHeaderParser.java
com/tencent/mm/opensdk/modelmsg/WXMediaMessage.java
com/whty/bluetoothsdk/connect/ConnectCallable.java
com/tencent/mm/opensdk/diffdev/a/b.java
com/tencent/mm/opensdk/modelpay/PayReq.java
com/whty/audio/driver/core/D/e/g.java
com/bumptech/glide/gifdecoder/StandardGifDecoder.java
com/theartofdev/edmodo/cropper/CropImageActivity.java
com/tencent/mm/opensdk/modelmsg/WXMusicObject.java
com/zhy/http/okhttp/utils/L.java
com/bl/locker2019/base/BaseBleActivity.java
com/bumptech/glide/manager/DefaultConnectivityMonitorFactory.java
com/bl/blelibrary/utils/CMDUtils.java
com/bumptech/glide/load/engine/bitmap_recycle/LruBitmapPool.java
com/whty/audio/driver/core/IV/b/h.java
com/tencent/mm/opensdk/openapi/WXApiImplComm.java
com/igexin/push/core/a/a/l.java
com/noke/locksdk/Utils/ByteUtil.java
com/tencent/mm/opensdk/modelmsg/WXVideoObject.java
com/tencent/bugly/proguard/x.java
com/whty/audio/driver/II/b.java
com/tencent/mm/opensdk/openapi/MMSharedPreferences.java
com/bumptech/glide/util/ContentLengthInputStream.java
com/whty/audio/driver/D/DovilaSDKInterface.java
com/amap/openapi/cc.java
com/bl/blelibrary/utils/ParseLeAdvData.java
High
CVSS:7.4
Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
 com/bumptech/glide/manager/RequestManagerRetriever.java
com/bl/locker2019/utils/Config.java
freemarker/core/BuiltinVariable.java
com/bl/locker2019/bean/LockPasswordBean.java
com/igexin/assist/sdk/AssistPushConsts.java
com/zhy/http/okhttp/builder/PostFormBuilder.java
com/bumptech/glide/load/engine/ResourceCacheKey.java
com/tencent/mm/opensdk/constants/ConstantsAPI.java
rx/internal/schedulers/NewThreadWorker.java
com/bumptech/glide/load/engine/DataCacheKey.java
io/reactivex/internal/schedulers/SchedulerPoolFactory.java
com/whty/device/command/IAbilityCommand.java
com/alibaba/fastjson/JSON.java
freemarker/core/Configurable.java
com/bl/blelibrary/WLSAPI.java
com/bumptech/glide/load/Option.java
com/loc/a.java
com/bl/locker2019/utils/WifiKit.java
com/whty/device/delegate/ErrorFactory.java
com/fitsleep/sunshinelibrary/utils/ConstUtils.java
freemarker/template/Configuration.java
com/bumptech/glide/load/engine/EngineResource.java
freemarker/template/utility/StandardCompress.java
High
CVSS:7.4
MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/sun/crypto/provider/TlsMasterSecretGenerator.java
com/loc/dn.java
com/fitsleep/sunshinelibrary/utils/EncryptUtils.java
com/sun/crypto/provider/HmacMD5.java
com/lidroid/xutils/cache/MD5FileNameGenerator.java
com/whty/device/utils/GPMethods.java
com/igexin/assist/util/a.java
com/igexin/sdk/PushManager.java
com/sun/crypto/provider/TlsPrfGenerator.java
com/sun/crypto/provider/TlsKeyMaterialGenerator.java
com/tencent/mm/opensdk/utils/b.java
com/igexin/b/b/a.java
com/igexin/push/util/EncryptUtils.java
com/tencent/bugly/crashreport/common/info/AppInfo.java
com/loc/i.java
com/sun/crypto/provider/SunJCE_ab.java
com/loc/aa.java
High
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/loc/dn.java
com/loc/cz.java
com/amap/openapi/e.java
com/sun/crypto/provider/PKCS12PBECipherCore.java
com/sun/crypto/provider/HmacSHA1.java
com/whty/device/utils/GPMethods.java
com/bl/locker2019/utils/LinAuthenication.java
com/loc/u.java
com/sun/crypto/provider/DESedeWrapCipher.java
com/igexin/b/a/c/a.java
com/sun/crypto/provider/TlsPrfGenerator.java
com/sun/crypto/provider/TlsKeyMaterialGenerator.java
com/amap/openapi/bb.java
com/tencent/bugly/crashreport/common/info/AppInfo.java
com/sun/crypto/provider/HmacPKCS12PBESHA1.java
com/loc/ds.java
com/amap/openapi/aw.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/loc/x.java
com/tencent/bugly/crashreport/common/info/b.java
com/igexin/push/core/b.java
com/luck/picture/lib/tools/PictureFileUtils.java
com/fitsleep/sunshinelibrary/utils/FileUtils.java
com/wkq/library/utils/Utils.java
com/igexin/push/core/f.java
com/lidroid/xutils/util/OtherUtils.java
com/fitsleep/sunshinelibrary/utils/SDCardUtils.java
com/igexin/push/g/a.java
jp/co/cyberagent/android/gpuimage/GPUImage.java
com/loc/dz.java
jp/co/cyberagent/android/gpuimage/GPUImageView.java
com/tencent/mm/opensdk/diffdev/a/d.java
com/yalantis/ucrop/util/FileUtils.java
com/amap/location/common/util/FileUtil.java
com/bl/nokeiotlibrary/utils/Utils.java
High
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 com/bl/blelibrary/mode/SetWifiName.java
com/bl/blelibrary/mode/DeletePasswordTxOrder.java
com/igexin/push/core/a/a/g.java
com/whty/device/utils/GPMethods.java
com/bl/blelibrary/mode/BaseTxOrder.java
com/loc/fa.java
com/loc/br.java
freemarker/debug/impl/DebuggerServer.java
com/bl/blelibrary/mode/GetTokenTxOrder.java
com/igexin/b/b/a.java
com/igexin/push/d/a.java
com/bl/blelibrary/mode/SetTemporaryPasswordTxOrder.java
com/tencent/bugly/proguard/s.java
com/lidroid/xutils/http/client/multipart/MultipartEntity.java
com/eidlink/wfty/util/EidLinkSEUtil.java
com/igexin/push/core/b/h.java
com/whty/audio/manage/util/Utils.java
com/igexin/push/core/n.java
com/loc/cz.java
com/igexin/push/util/k.java
okio/Options.java
com/loc/da.java
com/bl/blelibrary/mode/SetWifiPassword.java
com/loc/dv.java
com/bl/blelibrary/mode/TxOrder.java
butterknife/internal/ImmutableList.java
com/alibaba/fastjson/JSONArray.java
com/bl/blelibrary/mode/SetPasswordTxOrder.java
com/bl/blelibrary/mode/ShangHaiTxOrder.java
com/qiniu/android/http/UserAgent.java
org/greenrobot/greendao/test/DbTest.java
High
CVSS:5.9
The App uses ECB mode in Cryptographic encryption algorithm. ECB mode is known to be weak as it results in the same ciphertext for identical blocks of plaintext.
MASVS: MSTG-CRYPTO-2
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/fitsleep/sunshinelibrary/utils/EncryptUtils.java
com/bl/blelibrary/utils/CMDUtils.java
High
CVSS:5.9
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
 com/igexin/push/config/a.java
com/amap/openapi/u.java
com/amap/openapi/cm.java
com/amap/openapi/ca.java
com/loc/ei.java
com/amap/openapi/Cdo.java
org/greenrobot/greendao/DbUtils.java
com/loc/fa.java
com/sunshine/dao/db/AddressBeanDao.java
com/amap/location/uptunnel/core/db/a.java
com/amap/openapi/bw.java
com/igexin/push/core/b/h.java
com/amap/openapi/bz.java
com/amap/openapi/ee.java
com/sunshine/dao/db/DeviceListBeanDao.java
com/igexin/push/b/b.java
com/tencent/bugly/a.java
com/chingtech/jdaddressselector/DbUtils.java
com/loc/az.java
com/igexin/push/core/b/d.java
com/amap/openapi/bv.java
com/sunshine/dao/db/MessageBeanDao.java
com/sunshine/dao/db/OpenLockTypeDao.java
org/greenrobot/greendao/AbstractDao.java
com/sunshine/dao/db/UserBeanDao.java
com/tencent/bugly/proguard/q.java
org/greenrobot/greendao/database/StandardDatabase.java
com/loc/ek.java
com/lidroid/xutils/DbUtils.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 com/whty/adiplugins/e.java
com/sun/crypto/provider/SunJCE_z.java
com/whty/device/facade/AbsDeviceTotalAbility.java
com/igexin/sdk/PushBuildConfig.java
com/sun/crypto/provider/SunJCE.java
com/whty/adiplugins/ADIPlugin.java
com/igexin/push/config/SDKUrlConfig.java
com/whty/adiplugins/f.java
com/loc/dq.java
High
CVSS:7.4
Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks
MASVS: MSTG-NETWORK-3
CWE-295 Improper Certificate Validation
M3: Insecure Communication
Files:
 com/lidroid/xutils/http/client/DefaultSSLSocketFactory.java
com/lidroid/xutils/util/OtherUtils.java
Info
CVSS:0
This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
 com/zhy/http/okhttp/https/HttpsUtils.java
com/bl/nokeiotlibrary/http/ServerAPIClient.java
com/loc/bi.java
com/wkq/library/http/ServerAPIClient.java
Info
CVSS:0
This App may have root detection capabilities.
MASVS: MSTG-RESILIENCE-1
Files:
 com/tencent/bugly/crashreport/common/info/b.java
High
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/theartofdev/edmodo/cropper/CropImageActivity.java
com/theartofdev/edmodo/cropper/BitmapUtils.java
Medium
CVSS:8.8
Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.
MASVS: MSTG-PLATFORM-7
CWE-749 Exposed Dangerous Method or Function
M1: Improper Platform Usage
Files:
 com/tencent/bugly/crashreport/CrashReport.java
com/bl/locker2019/activity/shop/info/ShopInfoActivity.java
com/loc/q.java
High
CVSS:7.4
Weak Hash algorithm used
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 jonelo/jacksum/algorithm/Edonkey.java
Low
CVSS:0
This App uses SQL Cipher. SQLCipher provides 256-bit AES encryption to sqlite database files.
MASVS: MSTG-CRYPTO-1
Files:
 org/greenrobot/greendao/database/DatabaseOpenHelper.java
Pygal China: 2100 Germany: 500 Hong Kong: 400 United States: 500

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

CN adiu.amap.com 203.119.207.56
CN 59.173.2.76 59.173.2.76
DE uplog.qbox.me 47.246.43.230
HK abroad.apilocate.amap.com 47.246.152.2
CN nokeiot.com 47.101.140.60
CN oj6zjwfmk.bkt.clouddn.com 120.221.62.214
CN rqd.uu.qq.com 203.205.239.188
CN pipeline.qiniu.com 180.97.147.243
HK android.bugly.qq.com 129.226.103.217
HK apilocate.amap.com 47.246.152.0
DE uc.qbox.me 47.246.43.230
CN www.nokelock.com 120.76.101.2
DE www.jonelo.de 81.169.145.157
CN api.weixin.qq.com 203.205.239.82
CN res.nokeiot.com 47.101.140.60
CN 203.107.1.1 203.107.1.1
US www.w3.org 128.30.52.100
US cgicol.amap.com 198.11.146.6
CN app.nokeiot.com 120.79.8.194
DE www.qq.com 104.111.239.81
CN long.open.weixin.qq.com 203.205.234.140
HK restapi.amap.com 47.246.109.112
CN www.nokeiot.com 47.101.140.60
CN aps.testing.amap.com 140.205.69.9
CN lbs.amap.com 203.119.169.44
US freemarker.org 192.64.119.217
US xmlpull.org 74.50.62.60
US jacksum.sourceforge.net 216.105.38.10
DE java.sun.com 2.16.186.122
CN c-hzgt2.getui.com 183.131.7.108
CN openapi.nokeiot.com 47.101.140.60
CN offline.aps.amap.com 59.82.31.99
CN adash.man.aliyuncs.com 106.11.249.129
CN open.weixin.qq.com 203.205.232.110
CN control.aps.amap.com 203.119.211.251
schemas.android.com

URL analysis

Information computed with MobSF.

http://freemarker.org/docs/ref_builtins.html;
Defined in freemarker/core/BuiltIn.java
http://freemarker.org/docs/ref_directive_list.html).
http://freemarker.org/docs/ref_directive_alphaidx.html;
Defined in freemarker/core/FMParserTokenManager.java
http://freemarker.org/
Defined in freemarker/core/CommandLine.java
http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd
http://java.sun.com/j2ee/dtds/web-jsptaglibrary_1_1.dtd
http://java.sun.com/dtd/web-app_2_3.dtd
http://java.sun.com/j2ee/dtds/web-app_2_2.dtd
Defined in freemarker/ext/jsp/TaglibFactory.java
http://www.w3.org/XML/1998/namespace
Defined in freemarker/ext/xml/Namespaces.java
http://localhost/
Defined in retrofit2/Response.java
http://www.
https://www.
ftp://anonymous:anonymous@
ftp://ftp.
Defined in com/aofei/nfc/RtdUrlRecord.java
http://59.173.2.76:5001/DeviceConfigsServer/queryParam
Defined in com/whty/device/facade/AbsDeviceTotalAbility.java
http://59.173.2.76:5001/DeviceConfigsServer/uploadUnsupportPhone
Defined in com/whty/adiplugins/e.java
http://59.173.2.76:5001/DeviceConfigsServer/uploadConnFailedPhone
http://59.173.2.76:5001/DeviceConfigsServer/uploadLowSuccessPhone
http://59.173.2.76:5001/DeviceConfigsServer/queryBtParam
Defined in com/whty/adiplugins/f.java
http://59.173.2.76:5001/DeviceConfigsServer/queryParam
Defined in com/whty/adiplugins/ADIPlugin.java
file:///android_asset/
Defined in com/luck/picture/lib/widget/longimage/SkiaImageDecoder.java
file:///android_asset/
Defined in com/luck/picture/lib/widget/longimage/SkiaImageRegionDecoder.java
file:///
file:///android_asset/
Defined in com/luck/picture/lib/widget/longimage/SubsamplingScaleImageView.java
file:///android_asset/
file:///
Defined in com/luck/picture/lib/widget/longimage/ImageSource.java
data:image
Defined in com/bumptech/glide/load/model/DataUrlLoader.java
file:///android_asset/
Defined in com/bumptech/glide/load/model/AssetUriLoader.java
http://aps.testing.amap.com/conf/r?type=3&mid=300&sver=140
http://control.aps.amap.com/conf/r?type=3&mid=300&sver=140
Defined in com/amap/openapi/c.java
http://aps.testing.amap.com/dataPipeline/uploadData
http://cgicol.amap.com/dataPipeline/uploadData
Defined in com/amap/openapi/dt.java
http://aps.testing.amap.com/LoadOfflineData/repeatData
http://offline.aps.amap.com/LoadOfflineData/repeatData
Defined in com/amap/openapi/cd.java
http://aps.testing.amap.com/collection/collectData?src=baseCol&ver=v74&
http://cgicol.amap.com/collection/collectData?src=baseCol&ver=v74&
http://aps.testing.amap.com/collection/collectData?src=extCol&ver=v74&
http://cgicol.amap.com/collection/collectData?src=extCol&ver=v74&
Defined in com/amap/openapi/av.java
http://lbs.amap.com/api/android-location-sdk/guide/utilities/errorcode/查看错误码说明
Defined in com/amap/api/location/AMapLocation.java
https://%s
http://%s
Defined in com/qiniu/android/common/Zone.java
https://uc.qbox.me
Defined in com/qiniu/android/common/AutoZone.java
https://uplog.qbox.me/log/3
Defined in com/qiniu/android/collect/Config.java
https://pipeline.qiniu.com
Defined in com/qiniu/android/bigdata/Configuration.java
http://c-hzgt2.getui.com/api.php
Defined in com/igexin/push/config/SDKUrlConfig.java
http://www.nokeiot.com/agreement.html?language=zh
http://www.nokeiot.com/agreement.html?language=en
Defined in com/bl/locker2019/activity/login/LoginActivity.java
javascript:Obtain(
Defined in com/bl/locker2019/activity/shop/info/ShopInfoActivity.java
http://www.
https://www.
Defined in com/bl/locker2019/activity/lock/NFCLabelActivity.java
http://www.nokeiot.com
Defined in com/bl/locker2019/activity/lock/ModeActivity.java
http://www.nokeiot.com/instructions.html?language=zh
http://www.nokeiot.com/instructions.html?language=en
Defined in com/bl/locker2019/activity/user/UserFragment.java
http://www.nokelock.com?id=
Defined in com/bl/locker2019/activity/user/QrActivity.java
http://www.nokeiot.com?id=
Defined in com/bl/locker2019/activity/user/info/UserInfoActivity.java
https://api.weixin.qq.com/sns/userinfo?access_token=
https://api.weixin.qq.com/sns/oauth2/access_token?appid=wxd95d0ee56700dc80&secret=79c23f9791ad0896c9b9eb0f39771c7c&code=
Defined in com/bl/locker2019/wxapi/WXEntryActivity.java
https://app.nokeiot.com/
Defined in com/bl/locker2019/app/App.java
http://www.nokelock.com/grapp/fond_device.html
http://www.nokeiot.com/instructions.html?language=
http://nokeiot.com/ditushow.html?lat=%s&lng=%s&type=%s&name=%s&time=%s
http://res.nokeiot.com/app.html
http://www.nokeiot.com/agreement.html?language=
Defined in com/bl/locker2019/utils/Config.java
http://oj6zjwfmk.bkt.clouddn.com/1220180611153417.png
Defined in com/bl/locker2019/utils/Constant.java
https://openapi.nokeiot.com/
Defined in com/bl/nokeiotlibrary/http/ServerAPIClient.java
file:///
Defined in com/fitsleep/sunshinelibrary/utils/DialogUtils.java
http://restapi.amap.com
Defined in com/loc/ab.java
http://restapi.amap.com/v3/place/text?
http://restapi.amap.com/v3/place/around?
http://restapi.amap.com/v3/config/district?
Defined in com/loc/j.java
http://abroad.apilocate.amap.com/mobile/binary
Defined in com/loc/ey.java
https://adiu.amap.com/ws/device/adius
Defined in com/loc/bf.java
http://xmlpull.org/v1/doc/features.html#indent-output
Defined in com/loc/ea.java
http://control.aps.amap.com/conf/r?type=3&mid=300&sver=140
http://offline.aps.amap.com/LoadOfflineData/repeatData
http://apilocate.amap.com/offline/down
http://cgicol.amap.com/dataPipeline/uploadData
http://apilocate.amap.com/offline/up
Defined in com/loc/cr.java
http://restapi.amap.com/v3/geocode/regeo
Defined in com/loc/en.java
http://abroad.apilocate.amap.com/mobile/binary
Defined in com/loc/el.java
https://restapi.amap.com/v3/iasdkauth
http://restapi.amap.com/v3/iasdkauth
Defined in com/loc/v.java
http://apilocate.amap.com/mobile/binary
http://abroad.apilocate.amap.com/mobile/binary
Defined in com/loc/es.java
http://xmlpull.org/v1/doc/features.html#indent-output
Defined in com/loc/dx.java
http://adash.man.aliyuncs.com:80/man/api?ak=23356390&s=
Defined in com/loc/dl.java
http://203.107.1.1:80/
Defined in com/loc/dq.java
http://www.qq.com/s?
Defined in com/tencent/mm/opensdk/openapi/WXApiImplV10.java
https://long.open.weixin.qq.com/connect/l/qrconnect?f=json&uuid=%s
Defined in com/tencent/mm/opensdk/diffdev/a/f.java
http://open.weixin.qq.com/connect/sdk/qrconnect?appid=%s&noncestr=%s&timestamp=%s&scope=%s&signature=%s
Defined in com/tencent/mm/opensdk/diffdev/a/d.java
http://rqd.uu.qq.com/rqd/sync
http://android.bugly.qq.com/rqd/async
Defined in com/tencent/bugly/crashreport/common/strategy/StrategyBean.java
http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifViewUtils.java
http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifTextureView.java
http://schemas.android.com/apk/res/android
Defined in pl/droidsonroids/gif/GifTextView.java
http://www.jonelo.de/java/jacksum/index.html
Defined in jonelo/jacksum/cli/JacksumHelp.java
http://jacksum.sourceforge.net
Defined in jonelo/jacksum/ui/MetaInfo.java

Permissions analysis

Information computed with MobSF.

High android.permission.READ_PHONE_STATE read phone state and identity
Allows the application to access the phone features of the device. An application with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and so on.
High android.permission.GET_ACCOUNTS list accounts
Allows access to the list of accounts in the Accounts Service.
High android.permission.ACCESS_FINE_LOCATION fine (GPS) location
Access fine location sources, such as the Global Positioning System on the phone, where available. Malicious applications can use this to determine where you are and may consume additional battery power.
High android.permission.ACCESS_COARSE_LOCATION coarse (network-based) location
Access coarse location sources, such as the mobile network database, to determine an approximate phone location, where available. Malicious applications can use this to determine approximately where you are.
High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.REQUEST_INSTALL_PACKAGES Allows an application to request installing packages.
Malicious applications can use this to try and trick users into installing additional malicious packages.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
High android.permission.GET_TASKS retrieve running applications
Allows application to retrieve information about currently and recently running tasks. May allow malicious applications to discover private information about other applications.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.
Low android.permission.ACCESS_WIFI_STATE view Wi-Fi status
Allows an application to view the information about the status of Wi-Fi.
Low android.permission.CHANGE_WIFI_STATE change Wi-Fi status
Allows an application to connect to and disconnect from Wi-Fi access points and to make changes to configured Wi-Fi networks.
Low android.permission.ACCESS_LOCATION_EXTRA_COMMANDS access extra location provider commands
Access extra location provider commands. Malicious applications could use this to interfere with the operation of the GPS or other location sources.
Low android.permission.ACCESS_NETWORK_STATE view network status
Allows an application to view the status of all networks.
Low android.permission.VIBRATE control vibrator
Allows the application to control the vibrator.
Low android.permission.USE_FINGERPRINT allow use of fingerprint
This constant was deprecated in API level 28. Applications should request USE_BIOMETRIC instead
Low android.permission.NFC control Near-Field Communication
Allows an application to communicate with Near-Field Communication (NFC) tags, cards and readers.
Low android.permission.WAKE_LOCK prevent phone from sleeping
Allows an application to prevent the phone from going to sleep.
Low android.permission.BLUETOOTH_ADMIN bluetooth administration
Allows applications to discover and pair bluetooth devices.
Low android.permission.BLUETOOTH create Bluetooth connections
Allows applications to connect to paired bluetooth devices.
android.permission.DOWNLOAD_WITHOUT_NOTIFICATION Unknown permission
Unknown permission from android reference
com.android.browser.permission.READ_HISTORY_BOOKMARKS Unknown permission
Unknown permission from android reference

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Start another application from current application
Confidence:
100%
Load external class
Confidence:
100%
Query the current data network type
Confidence:
100%
Run shell script programmably
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.)
Confidence:
100%
Query the list of the installed packages
Confidence:
100%
Get absolute path of file and put it to JSON object
Confidence:
100%
Find a method from given class name, usually for reflection
Confidence:
100%
Get location info of the device and put it to JSON object
Confidence:
100%
Connect to a URL and receive input stream from the server
Confidence:
100%
Modify voice volume
Confidence:
100%
Method reflection
Confidence:
100%
Install other APKs from file
Confidence:
100%
Get the network operator name
Confidence:
100%
Connect to a URL and read data from it
Confidence:
100%
Load class from given class name
Confidence:
100%
Retrieve data from broadcast
Confidence:
100%
Get declared method from given method name
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Open a file from given absolute path of the file
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
100%
Connect to a URL and get the response code
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Get Location of the device and append this info to a string
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Query the IMSI number
Confidence:
100%
Query The ISO country code
Confidence:
100%
Read file from assets directory
Confidence:
100%
Get last known location of the device
Confidence:
100%
Get the current WIFI information
Confidence:
100%
Query the ICCID number
Confidence:
100%
Get the current WiFi information and put it into JSON
Confidence:
100%
Get location of the device
Confidence:
100%
Query the IMEI number
Confidence:
100%
Method reflection
Confidence:
100%
Get the country code of the SIM card provider
Confidence:
100%
Connect to the remote server through the given URL
Confidence:
100%
Query WiFi information and WiFi Mac Address
Confidence:
100%
Query data from URI (SMS, CALLLOGS)
Confidence:
100%
Read file into a stream and put it into a JSON object
Confidence:
100%
Query the phone number
Confidence:
100%
Get the time of current location
Confidence:
100%
Get the current WiFi MAC address and put it into JSON
Confidence:
100%
Initialize class object dynamically
Confidence:
100%
Read the input stream f