1/62

Threat

sg.bigo.live

BIGO LIVE

Analyzed on 2021-10-22T03:18:44.864957

35

permissions

116

activities

24

services

15

receivers

66

domains

File sums

MD5 5ede36c3e21fce9c3e06e3268d1e32d7
SHA1 d6d265a4531a141f4f5573d497536ea0db792aea
SHA256 d00d96c5c8ba8df51ba67cc01f86fbc61f77b8c0195415426e2f343d2a2a2c2d
Size 37.18MB

APKiD

Information computed with APKiD.

/tmp/tmplk1da9oe!assets/jars/ipsdk-core.jar!classes.dex
compiler
  • dx
/tmp/tmplk1da9oe!assets/jars/ipsdk-lib.jar!classes.dex
anti_vm
  • Build.MANUFACTURER check
  • SIM operator check
compiler
  • dx
/tmp/tmplk1da9oe!assets/jars/ipsdk-upgrade.jar!classes.dex
compiler
  • dx
/tmp/tmplk1da9oe!classes.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.HARDWARE check
  • Build.BOARD check
  • possible Build.SERIAL check
  • SIM operator check
  • network operator name check
  • device ID check
  • subscriber ID check
  • emulator file check
  • possible VM check
compiler
  • dx
/tmp/tmplk1da9oe!classes2.dex
anti_vm
  • Build.FINGERPRINT check
  • Build.MODEL check
  • Build.MANUFACTURER check
  • Build.PRODUCT check
  • Build.BOARD check
  • SIM operator check
  • device ID check
  • subscriber ID check
  • emulator file check
anti_debug
  • Debug.isDebuggerConnected() check
compiler
  • dx
/tmp/tmplk1da9oe!classes3.dex
anti_vm
  • Build.MANUFACTURER check
  • possible Build.SERIAL check
  • SIM operator check
compiler
  • dx

SSdeep

Information computed with ssdeep.

APK file 786432:B6zG6al6Ko5Gx316blPZpqA6bJJhc5mLwQzxsid2VFP2a:Bd6al6354Filf4zW5SzGi9a
Manifest 768:gCJgSplywA1rKT5fdQ3Y3dhtdZUXmNvZy7S6JVaHC4+gY83X0fm76jx1rBjxTkux:…
classes.dex 49152:70GKTyzVA0DS6cXuugiS0RmvkhrPcc609QnSDqU0OOJgC4GX+gK1+5zIh1tZqKJ…
classes2.dex 196608:tKvJ29eqAwzvvNta/MdiQZvIobDXDUDjwbu4oi9ATOCorke+bN/pJaxFvaNJwE…
classes3.dex 49152:1x8RJT0lxKmS7V1iOiLAn91SVZOEEIn7b:1aPAQiUkAib

Dexofuzzy

Information computed with Dexofuzzy.

APK file 12288:pQ7fFQzEXRyvI5wxtUxonofKIQjBIVdYI4DuRwW5BKCKTUJT89mpTa4hDrx2z9O…
classes.dex 6144:9jTf07zof3qfFQrZlY2LTR3rIfz4v8/YocRawDPIsGwxtNbWOuFxonoft8AI:pQ7…
classes2.dex 12288:8QjBIVdYI4DuRwW5BKCKTUJT89mpTa4hDrx2z9O//tSU0:DBrkwE2
classes3.dex 1536:nu/Ho3HLHTJZW3/40opK0O8JslSdmQnlRZ7wjQgVHimKoE/7ID/oa7Ze3UY+8:nu…

APK details

Information computed with AndroGuard and Pithus.

Package sg.bigo.live
App name BIGO LIVE
Version name 4.0.1
Version code 730
SDK 14 - 26
UAID 55dc39452e55f1f68a1224ac0122230b9b1a6fb6
Signature Signature V1 Signature V2
Frosting Not frosted
Blocks found within V2 signature:
  • 0x7109871a: Unknown

Certificate details

Information computed with AndroGuard.

MD5 860f539d9ca5baab36b94dce546ff08e
SHA1 e7c5e6b76bb14addd49c2b38cda2b1df6e5b0699
SHA256 5c333105423f4d1b074a8deb7e5a2c6e9b485cf47fd6fd5309778e8dc3629401
Issuer Common Name: bigo, Organizational Unit: bigo, Organization: bigo, Locality: SINGAPORE, State/Province: SINGAPORE, Country: SG
Not before 2014-10-28T02:17:10+00:00
Not after 2042-03-15T02:17:10+00:00

File Analysis

Information computed with MobSF.

Findings Files
Hardcoded Keystore found. assets/payment.bks
com/google/api/client/googleapis/google.jks

Manifest analysis

Information computed with MobSF.

High Launch Mode of Activity (sg.bigo.live.DeepLinkActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Activity (sg.bigo.live.DeepLinkActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Launch Mode of Activity (sg.bigo.live.login.LoginActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Service (com.yy.sdk.service.CheckJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Service (sg.bigo.sdk.network.linkd.PushPingJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Launch Mode of Activity (com.yy.iheima.startup.TransparentInfoActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Broadcast Receiver (com.appsflyer.MultipleInstallBroadcastReceiver) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (com.yy.sdk.service.YYReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Launch Mode of Activity (sg.bigo.live.livevieweractivity.LiveVideoViewerActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.LiveScreenOwnerActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Activity (sg.bigo.live.setting.WalletActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Launch Mode of Activity (sg.bigo.live.imchat.ChatHistoryActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.imchat.TimelineActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.imchat.TimelineIntimacyActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.imchat.TimelineIntimacyTutorialActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.imchat.TempChatHistoryActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Activity (sg.bigo.live.community.mediashare.CommunityMsgChatActivity) is not Protected.An intent-filter exists.
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Activity is explicitly exported.
High Launch Mode of Activity (com.ninegame.payment.sdk.SDKActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.hour.view.HappyHourListAnchorActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.hour.view.HappyHourListAudienceActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.randommatch.view.P2PRandomMatchActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (sg.bigo.live.randommatch.view.RandomMatchHistoryActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Service (sg.bigo.live.collocation.job.CollocationJobService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: android.permission.BIND_JOB_SERVICE [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (com.google.android.gms.analytics.AnalyticsReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Content Provider (com.facebook.FacebookContentProvider) is not Protected. [android:exported=true]
A Content Provider is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (com.google.android.gms.auth.api.signin.RevocationBoundService) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.gms.auth.api.signin.permission.REVOCATION_NOTIFICATION [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Broadcast Receiver (sg.bigo.sdk.push.hwpush.HwPushMessageReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Broadcast Receiver (com.huawei.hms.support.api.push.PushEventReceiver) is not Protected.An intent-filter exists.
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Broadcast Receiver is explicitly exported.
High Service (com.xiaomi.mipush.sdk.PushMessageHandler) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (com.xiaomi.mipush.sdk.MessageHandleService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (com.xiaomi.push.service.receivers.NetworkStatusReceiver) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (sg.bigo.sdk.push.mipush.MiPushMessageReceiver) is not Protected. [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Service (sg.bigo.sdk.push.fcm.MyFirebaseMessagingService) is not Protected.An intent-filter exists.
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Service is explicitly exported.
High Service (sg.bigo.sdk.push.fcm.MyFirebaseInstanceIDService) is not Protected.An intent-filter exists.
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. The presence of intent-filter indicates that the Service is explicitly exported.
High Launch Mode of Activity (org.acra.dialog.CrashReportDialog) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Launch Mode of Activity (com.google.firebase.auth.internal.FederatedSignInActivity) is not standard.
An Activity should not be having the launch mode attribute set to "singleTask/singleInstance" as it becomes root Activity and it is possible for other applications to read the contents of the calling Intent. So it is required to use the "standard" launch mode attribute when sensitive information is included in an Intent.
High Activity (com.google.firebase.auth.internal.FederatedSignInActivity) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.firebase.auth.api.gms.permission.LAUNCH_FEDERATED_SIGN_IN [android:exported=true]
An Activity is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Service (com.google.firebase.messaging.FirebaseMessagingService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.
High Broadcast Receiver (com.google.firebase.iid.FirebaseInstanceIdReceiver) is Protected by a permission, but the protection level of the permission should be checked.
Permission: com.google.android.c2dm.permission.SEND [android:exported=true]
A Broadcast Receiver is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device. It is protected by a permission which is not defined in the analysed application. As a result, the protection level of the permission should be checked where it is defined. If it is set to normal or dangerous, a malicious application can request and obtain the permission and interact with the component. If it is set to signature, only applications signed with the same certificate can obtain the permission.
High Service (com.google.firebase.iid.FirebaseInstanceIdService) is not Protected. [android:exported=true]
A Service is found to be shared with other apps on the device therefore leaving it accessible to any other application on the device.

Browsable activities

Information computed with MobSF.

sg.bigo.live.DeepLinkActivity

Schemes: bigolive://

sg.bigo.live.setting.WalletActivity

Schemes: bigopayoneq://

Main Activity

Information computed with AndroGuard.

com.yy.iheima.MainActivity

Activities

Information computed with AndroGuard.

sg.bigo.live.DeepLinkActivity
com.yy.iheima.login.CountrySelectionActivity
sg.bigo.live.login.LoginActivity
com.yy.iheima.login.SignupProfileActivity
com.yy.iheima.MainActivity
com.yy.iheima.util.clipimage.ClipImageActivity
com.yy.iheima.settings.update.UpdateProgressActivity
com.yy.iheima.login.CommonFillPhoneNumberActivity
sg.bigo.live.ScanQRCodeActivity
com.yy.iheima.startup.TransparentInfoActivity
sg.bigo.live.livevieweractivity.LiveVideoViewerActivity
sg.bigo.live.LiveScreenOwnerActivity
sg.bigo.live.LiveCameraOwnerActivity
sg.bigo.live.themeroom.ThemeLiveVideoShowActivity
sg.bigo.live.user.UserInfoDetailActivity
sg.bigo.live.setting.WalletActivity
sg.bigo.live.setting.BigoProfileSettingActivity
sg.bigo.live.setting.AvatarSettingActivity
sg.bigo.live.contribution.GiftContributionListActivity
sg.bigo.live.setting.BigoLiveSettingActivity
sg.bigo.live.debugtool.setting.view.DebugToolsActivity
sg.bigo.live.alphatools.setting.view.AlphaToolsActivity
sg.bigo.live.alphatools.setting.ui.FeatureActivity
sg.bigo.live.setting.PushSettingActivity
sg.bigo.live.debugtool.view.NearbyLocationActivity
sg.bigo.live.debugtool.view.CASettingActivity
sg.bigo.live.setting.MessageNotificationActivity
sg.bigo.live.setting.BlacklistManagerActivity
sg.bigo.live.setting.VideoQualitySettingActivity
sg.bigo.live.SearchActivity
sg.bigo.live.ReminderActivity
sg.bigo.live.RecommendActivity
sg.bigo.live.web.WebProcessActivity
sg.bigo.live.web.WebPageForTwitterActivity
sg.bigo.live.setting.BigoLiveAccountActivity
sg.bigo.live.setting.BigoLiveAccountDeatilActivity
sg.bigo.live.setting.SchoolEditActivity
sg.bigo.live.setting.CompanyEditActivity
sg.bigo.live.FansActivity
sg.bigo.live.FollowActivity
sg.bigo.live.FriendsActivity
sg.bigo.live.dailycheckin.DailyCheckInActivity
sg.bigo.live.activities.MyActivitiesCenterActivity
sg.bigo.live.imchat.ChatHistoryActivity
sg.bigo.live.imchat.TimelineActivity
sg.bigo.live.imchat.TimelineIntimacyActivity
sg.bigo.live.imchat.TimelineIntimacyTutorialActivity
sg.bigo.live.imchat.NewFriendChatActivity
sg.bigo.live.imchat.NewFollowingChatActivity
sg.bigo.live.imchat.NewFansChatActivity
sg.bigo.live.imchat.TxtMsgShowActivity
sg.bigo.live.OtherRoomActivity
sg.bigo.live.PersonalActivity
sg.bigo.live.TabListActivity
sg.bigo.live.pay.GPayActivity
sg.bigo.live.pay.ucpay.UCPayActivity
sg.bigo.live.friends.FriendsListActivity
sg.bigo.live.friends.ThirdFriendImportActivity
sg.bigo.live.friends.FindFriendsActivity
sg.bigo.live.ranking.RankingActivity
sg.bigo.live.ranking.RankingRewardsActivity
sg.bigo.live.imchat.VideoPreviewActivity
com.yy.iheima.widget.picture.GalleryActivity
sg.bigo.live.user.RoomUserInfoDetailActivity
sg.bigo.live.list.GamePageActivity
sg.bigo.live.list.GameListActivity
sg.bigo.live.list.RecommendBroadcasterListActivity
sg.bigo.live.imchat.TempChatHistoryActivity
sg.bigo.live.list.CountryListActivity
sg.bigo.live.list.MultiCountryListActivity
sg.bigo.live.setting.LocationPrivateActivity
sg.bigo.live.WebLoginActivity
sg.bigo.live.imchat.picture.AllPicBrowserActivity
sg.bigo.live.imchat.PicturePreviewActivity
sg.bigo.live.share.VideoShareActivity
sg.bigo.live.community.mediashare.VideoDetailActivity
sg.bigo.live.community.mediashare.personalpage.VideoCommunityPersonalPageActivity
sg.bigo.live.community.mediashare.MediaSharePublishActivity
sg.bigo.live.community.mediashare.VideoRecordActivity
sg.bigo.live.community.mediashare.VideoEditActivity
sg.bigo.live.community.mediashare.FloatingEditActivity
sg.bigo.live.community.mediashare.VideoLikeListActivity
sg.bigo.live.community.mediashare.VideoLinkShareActivity
sg.bigo.live.community.mediashare.CommunityMsgChatActivity
sg.bigo.live.community.mediashare.videocut.VideoCutActivity
sg.bigo.live.community.mediashare.musiccut.LocalMusicCutActivity
sg.bigo.live.community.mediashare.musiccut.CloudMusicCutActivity
sg.bigo.live.component.StandardCoverDescActivity
sg.bigo.live.list.ImageTabActivity
sg.bigo.live.vip.VIPActivity
sg.bigo.live.gift.props.BaggageActivity
sg.bigo.live.gift.props.BaggageExpiredActivity
sg.bigo.live.P2pCallActivity
sg.bigo.live.gift.props.BaggagePreviewActivity
sg.bigo.live.community.mediashare.topic.VideoTopicActivity
com.ninegame.payment.sdk.SDKActivity
sg.bigo.live.hour.view.HappyHourListAnchorActivity
sg.bigo.live.hour.view.HappyHourListAudienceActivity
sg.bigo.live.hour.view.HappyHourProfileActivity
sg.bigo.live.randommatch.view.P2PRandomMatchActivity
sg.bigo.live.randommatch.view.RandomMatchHistoryActivity
sg.bigo.threeparty.common.WebPageForTwitterActivity
com.facebook.FacebookActivity
com.twitter.sdk.android.core.identity.OAuthActivity
com.vk.sdk.VKServiceActivity
sg.bigo.threeparty.common.BaseWebPageActivity
sg.bigo.threeparty.common.InstagramHandleTokenActivity
sg.bigo.threeparty.common.WebPageForInstagram
com.facebook.CustomTabMainActivity
com.twitter.sdk.android.tweetcomposer.ComposerActivity
com.google.android.gms.auth.api.signin.internal.SignInHubActivity
com.huawei.hms.activity.BridgeActivity
org.acra.dialog.CrashReportDialog
com.google.firebase.auth.internal.FederatedSignInActivity
com.google.android.gms.common.api.GoogleApiActivity
sg.bigo.config.debug.DebugActivity

Receivers

Information computed with AndroGuard.

com.appsflyer.MultipleInstallBroadcastReceiver
com.yy.iheima.PushReceiver
com.yy.sdk.service.YYReceiver
sg.bigo.live.community.mediashare.CommunityEventReceiver
sg.bigo.live.MessageReceiver
sg.bigo.live.gift.AccessCodeEventReceiver
com.google.android.gms.analytics.AnalyticsReceiver
sg.bigo.live.LinkdReceiver
sg.bigo.live.call.BgCallReceiver
sg.bigo.sdk.push.hwpush.HwPushMessageReceiver
com.huawei.hms.support.api.push.PushEventReceiver
com.xiaomi.push.service.receivers.NetworkStatusReceiver
com.xiaomi.push.service.receivers.PingReceiver
sg.bigo.sdk.push.mipush.MiPushMessageReceiver
com.google.firebase.iid.FirebaseInstanceIdReceiver

Services

Information computed with AndroGuard.

com.amap.api.location.APSService
com.yy.iheima.fgservice.FgWorkService
com.yy.sdk.service.YYService
com.yy.sdk.service.InnerService
com.yy.sdk.service.CheckJobService
sg.bigo.sdk.network.linkd.PushPingJobService
com.yysdk.mobile.mediasdk.YYMediaService
sg.bigo.live.livefloatwindow.LiveFloatWindowService
sg.bigo.live.game.LiveScreenService
com.ninegame.payment.service.SDKService
sg.bigo.live.collocation.job.CollocationJobService
com.google.android.gms.analytics.AnalyticsService
com.twitter.sdk.android.tweetcomposer.TweetUploadService
com.google.android.gms.auth.api.signin.RevocationBoundService
com.xiaomi.push.service.XMPushService
com.xiaomi.push.service.XMJobService
com.xiaomi.mipush.sdk.PushMessageHandler
com.xiaomi.mipush.sdk.MessageHandleService
sg.bigo.sdk.push.fcm.MyFirebaseMessagingService
sg.bigo.sdk.push.fcm.MyFirebaseInstanceIDService
sg.bigo.sdk.push.fcm.RegistrationIntentService
org.acra.sender.SenderService
com.google.firebase.messaging.FirebaseMessagingService
com.google.firebase.iid.FirebaseInstanceIdService

Sample timeline

Certificate valid not before Oct. 28, 2014, 2:17 a.m.
Oldest file found in APK June 11, 2018, 2:19 p.m.
Latest file found in APK June 11, 2018, 2:19 p.m.
First submission on VT June 11, 2018, 11:06 p.m.
Last submission on VT July 2, 2020, 12:32 p.m.
Upload on Pithus Oct. 22, 2021, 3:18 a.m.
Certificate valid not after March 15, 2042, 2:17 a.m.

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application invoke platform-provided DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application implement asymmetric key generation.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['network connectivity', 'camera', 'location', 'bluetooth', 'microphone'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to ['system logs', 'address book'].
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application implement functionality to encrypt sensitive data in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does encrypt some transmitted data with HTTPS/TLS/SSH between itself and another trusted IT product.
Protection of Data in Transit
FCS_RBG_EXT.2.1
FCS_RBG_EXT.2.2
The application perform all deterministic random bit generation (DRBG) services in accordance with NIST Special Publication 800-90A using Hash_DRBG. The deterministic RBG is seeded by an entropy source that accumulates entropy from a platform-based DRBG and a software-based noise source, with a minimum of 256 bits of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
Random Bit Generation from Application
FCS_CKM.1.1(1) The application generate asymmetric cryptographic keys not in accordance with FCS_CKM.1.1(1) using key generation algorithm RSA schemes and cryptographic key sizes of 1024-bit or lower.
Cryptographic Asymmetric Key Generation
FCS_COP.1.1(1) The application perform encryption/decryption not in accordance with FCS_COP.1.1(1), AES-ECB mode is being used.
Cryptographic Operation - Encryption/Decryption
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing
FCS_COP.1.1(3) The application perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm RSA schemes using cryptographic key sizes of 2048-bit or greater.
Cryptographic Operation - Signing
FCS_COP.1.1(4) The application perform keyed-hash message authentication with cryptographic algorithm ['HMAC-SHA1'] .
Cryptographic Operation - Keyed-Hash Message Authentication
FCS_HTTPS_EXT.1.1 The application implement the HTTPS protocol that complies with RFC 2818.
HTTPS Protocol
FCS_HTTPS_EXT.1.2 The application implement HTTPS using TLS.
HTTPS Protocol
FCS_HTTPS_EXT.1.3 The application notify the user and not establish the connection or request application authorization to establish the connection if the peer certificate is deemed invalid.
HTTPS Protocol
FIA_X509_EXT.1.1 The application invoked platform-provided functionality to validate certificates in accordance with the following rules: ['The certificate path must terminate with a trusted CA certificate', 'The application validate the revocation status of the certificate using the Online Certificate Status Protocol (OCSP) as specified in RFC 2560 or a Certificate Revocation List (CRL) as specified in RFC 5759 or an OCSP TLS Status Request Extension (i.e., OCSP stapling) as specified in RFC 6066'].
X.509 Certificate Validation
FIA_X509_EXT.2.1 The application use X.509v3 certificates as defined by RFC 5280 to support authentication for HTTPS , TLS.
X.509 Certificate Authentication
FPT_TUD_EXT.2.1 The application shall be distributed using the format of the platform-supported package manager.
Integrity for Installation and Update
FCS_CKM.1.1(2) The application shall generate symmetric cryptographic keys using a Random Bit Generator as specified in FCS_RBG_EXT.1 and specified cryptographic key sizes 128 bit or 256 bit.
Cryptographic Symmetric Key Generation

Code analysis

Information computed with MobSF.

High
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 sg/bigo/live/user/ProfileVideoListFragment.java
com/ninegame/apmsdk/common/utils/LogUploadUtil.java
sg/bigo/live/community/mediashare/topic/list/y.java
sg/bigo/live/list/bi.java
com/yy/hiidostatis/api/HiidoSDK.java
sg/bigo/svcapi/flowcontrol/x.java
com/ninegame/apmsdk/common/security/M9Encrpt.java
sg/bigo/svcapi/w/v.java
sg/bigo/sdk/network/w/w.java
sg/bigo/live/community/mediashare/staggeredgridview/t.java
sg/bigo/live/widget/HappyHourTagLayout.java
sg/bigo/live/vs/view/PKMatchVsSettingDialog.java
sg/bigo/live/community/mediashare/viewmodel/v.java
sg/bigo/live/room/love/barrage/AbstractBarrageView.java
sg/bigo/live/community/mediashare/topic/list/u.java
sg/bigo/live/community/mediashare/bx.java
com/yy/hiidostatis/inner/util/hdid/DeviceManager.java
sg/bigo/svcapi/util/d.java
com/loc/cj.java
sg/bigo/sdk/stat/HistoryQueue.java
sg/bigo/live/community/mediashare/personalpage/g.java
sg/bigo/live/playcenter/multiplaycenter/roulette/n.java
sg/bigo/sdk/network/linkd/p.java
sg/bigo/live/community/mediashare/staggeredgridview/o.java
sg/bigo/sdk/network/z/f.java
sg/bigo/z/a.java
com/vk/sdk/w.java
com/yy/hiidostatis/inner/implementation/TaskDataSet.java
sg/bigo/z/j.java
sg/bigo/live/community/mediashare/staggeredgridview/r.java
sg/bigo/live/vs/view/VsSettingDialog.java
com/yy/hiidostatis/inner/util/g.java
com/appsflyer/q.java
com/yy/iheima/sharepreference/v.java
com/xiaomi/smack/w/w.java
sg/bigo/live/list/ba.java
com/xiaomi/channel/commonutils/a/w.java
sg/bigo/sdk/network/w/e.java
sg/bigo/live/widget/floatheart/x.java
com/yy/hiidostatis/inner/util/http/z.java
com/vk/sdk/api/httpClient/g.java
Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 com/ninegame/payment/sdk/SDKCore.java
com/yysdk/mobile/vpsdk/z/f.java
com/yy/iheima/cn.java
com/ninegame/apmsdk/common/utils/PackageUtil.java
sg/bigo/live/room/love/barrage/AbstractBarrageView.java
sg/bigo/threeparty/share/n.java
sg/bigo/threeparty/z/g.java
com/ninegame/apmsdk/common/dns/UCDNSHelper.java
sg/bigo/live/u/z/z.java
com/yysdk/mobile/vpsdk/z/e.java
com/xiaomi/smack/a.java
com/yysdk/mobile/vpsdk/z/h.java
sg/bigo/sdk/blivestat/z/x.java
com/sensetime/sensear/SenseArMaterialService.java
com/ninegame/payment/sdk/SDKUnityCore.java
sg/bigo/common/z/y.java
sg/bigo/live/room/love/letter/LoveNotifyPanel.java
sg/bigo/threeparty/z/e.java
com/davemorrissey/labs/subscaleview/SubsamplingScaleImageView.java
sg/bigo/live/image/YYCommonWrapperView.java
com/xiaomi/smack/w/z.java
com/xiaomi/y/z/z.java
com/ninegame/apmsdk/common/security/SecurityUtil.java
com/sensetime/sensear/x/z.java
sg/bigo/performance/monitor/y/z.java
sg/bigo/performance/monitor/w/z.java
com/yysdk/mobile/util/v.java
sg/bigo/threeparty/share/f.java
com/yysdk/mobile/util/Compress.java
com/sensetime/sensear/f.java
com/yy/hiidostatis/inner/util/z/x.java
sg/bigo/threeparty/z/c.java
sg/bigo/threeparty/share/l.java
com/yysdk/mobile/update/LibraryUpdater.java
com/sensetime/sensear/e.java
com/googlecode/mp4parser/boxes/microsoft/XtraBox.java
com/y/z/x/v.java
com/tencent/mars/xlog/Log.java
sg/bigo/framework/z/z/z/z.java
com/alibaba/android/arouter/w/x.java
com/xiaomi/channel/commonutils/w/w.java
com/ninegame/apmsdk/log/impl/LogcatAppender.java
com/yy/hiidostatis/inner/util/y/b.java
com/yysdk/mobile/vpsdk/z/v.java
com/ninegame/apmsdk/log/utils/LogUtil.java
com/yysdk/mobile/audio/c.java
sg/bigo/live/room/sensear/j.java
com/googlecode/mp4parser/x/z.java
sg/bigo/performance/monitor/w/y.java
com/yy/hiidostatis/inner/util/g.java
com/yysdk/mobile/vpsdk/z/g.java
com/googlecode/mp4parser/AbstractBox.java
com/yysdk/mobile/vpsdk/z/d.java
com/ninegame/payment/sdk/dex/DexLoader.java
com/yysdk/mobile/vpsdk/z/a.java
sg/bigo/threeparty/common/z.java
com/yysdk/mobile/localplayer/a.java
com/yysdk/mobile/video/proc/w.java
sg/bigo/common/permission/RxPermissionsFragment.java
com/yysdk/mobile/vpsdk/z/x.java
sg/bigo/threeparty/y/x.java
com/xiaomi/mipush/sdk/n.java
com/sensetime/sensear/h.java
sg/bigo/sdk/filetransfer/FileTransfer.java
sg/bigo/threeparty/y/w.java
com/yysdk/mobile/vpsdk/z/y.java
sg/bigo/threeparty/share/h.java
com/yysdk/mobile/vpsdk/z/b.java
com/coremedia/iso/boxes/sampleentry/AudioSampleEntry.java
com/fasterxml/jackson/core/util/x.java
sg/bigo/framework/z/z/y/w.java
sg/bigo/threeparty/z/v.java
sg/bigo/live/room/sensear/b.java
com/yy/iheima/startup/b.java
com/sensetime/sensear/utils/v.java
com/yy/hiidostatis/defs/handler/CrashHandler.java
com/wang/avi/AVLoadingIndicatorView.java
com/vk/sdk/payments/x.java
com/yysdk/mobile/vpsdk/z/w.java
com/huawei/hms/core/aidl/f.java
com/alibaba/android/arouter/w/z.java
sg/bigo/performance/monitor/u/w.java
com/yysdk/mobile/audio/b.java
com/yysdk/mobile/vpsdk/z/z.java
com/ninegame/payment/sdk/permission/PermissionsManager.java
sg/bigo/threeparty/z/y.java
org/acra/log/AndroidLogDelegate.java
com/yysdk/mobile/vpsdk/z/u.java
sg/bigo/common/x.java
com/yysdk/mobile/vpsdk/z/i.java
com/huawei/hms/support/log/a/a.java
com/yy/iheima/bm.java
rx/internal/util/d.java
com/yysdk/mobile/vpsdk/z/c.java
sg/bigo/threeparty/utils/RxPermissionsFragment.java
rx/x/x.java
com/yysdk/mobile/audio/d.java
com/ninegame/apmsdk/log/impl/FileAppender.java
sg/bigo/threeparty/share/y.java
sg/bigo/log/w.java
sg/bigo/threeparty/share/d.java
com/sensetime/sensear/g.java
sg/bigo/performance/monitor/y/y.java
com/huawei/hms/a/a.java
com/sensetime/sensear/SenseArPlay.java
com/yy/iheima/startup/d.java
com/yysdk/mobile/vpsdk/w.java
Medium
CVSS:4.3
IP Address disclosure
MASVS: MSTG-CODE-2
CWE-200 Information Exposure
Files:
 sg/bigo/live/room/bl.java
rcalc/x/y/j.java
com/xiaomi/push/service/XMPushService.java
com/yy/hiidostatis/inner/util/http/b.java
com/yy/x/z/x.java
com/ninegame/apmsdk/common/dns/RequestUCDNSAsyncTask.java
com/xiaomi/channel/commonutils/w/w.java
com/yy/hiidostatis/inner/util/http/u.java
sg/bigo/sdk/blivestat/a.java
com/yy/iheima/MyApplication.java
com/yy/hiidostatis/inner/util/http/x.java
com/yy/hiidostatis/inner/util/http/HIpConfig.java
com/yy/hiidostatis/inner/util/http/a.java
rcalc/z/y.java
com/xiaomi/channel/commonutils/x/x.java
com/ninegame/apmsdk/common/utils/NetWorkInfoUtil.java
com/appsflyer/t.java
com/loc/cy.java
com/loc/bf.java
sg/bigo/sdk/network/proxy/y.java
com/huawei/hms/update/a/o.java
sg/bigo/sdk/blivestat/z/b.java
com/ninegame/apmsdk/common/dns/UCDNSHelper.java
sg/bigo/live/advert/w.java
High
CVSS:5.9
App uses SQLite Database and execute raw SQL query. Untrusted user input in raw SQL queries can cause SQL Injection. Also sensitive information should be encrypted and written to the database.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
M7: Client Code Quality
Files:
 sg/bigo/live/database/z/x.java
com/loc/ca.java
com/xiaomi/push/service/at.java
sg/bigo/sdk/message/database/z/y.java
sg/bigo/live/database/z/u.java
com/vk/sdk/payments/z.java
com/sensetime/sensear/y/w.java
sg/bigo/live/database/z/g.java
com/loc/aj.java
com/yy/hiidostatis/inner/implementation/b.java
sg/bigo/live/database/y.java
sg/bigo/live/database/z/c.java
sg/bigo/live/database/z/y.java
com/loc/l.java
com/xiaomi/push/x/z.java
sg/bigo/live/database/z/v.java
sg/bigo/live/database/z/f.java
sg/bigo/live/database/z/e.java
sg/bigo/live/database/z/w.java
com/xiaomi/push/service/as.java
sg/bigo/live/database/z/z.java
sg/bigo/sdk/message/database/z/z.java
sg/bigo/live/database/z/b.java
com/xiaomi/push/service/ar.java
com/loc/bx.java
sg/bigo/sdk/push/database/y/z.java
sg/bigo/live/database/z/d.java
com/yy/hiidostatis/inner/implementation/a.java
sg/bigo/live/database/z/a.java
Info
CVSS:0
This App uses SSL certificate pinning to detect or prevent MITM attacks in secure communication channel.
MASVS: MSTG-NETWORK-4
Files:
 org/acra/util/HttpRequest.java
com/loc/ax.java
com/ninegame/apmsdk/common/webtools/HttpsRequest.java
High
CVSS:7.4
Files may contain hardcoded sensitive informations like usernames, passwords, keys etc.
MASVS: MSTG-STORAGE-14
CWE-312 Cleartext Storage of Sensitive Information
M9: Reverse Engineering
Files:
 sg/bigo/sdk/network/w/x/f.java
sg/bigo/sdk/message/z/p.java
com/yy/iheima/sharepreference/MultiprocessSharedPreferences.java
sg/bigo/live/protocol/payment/VGiftInfo.java
com/yy/sdk/protocol/chatroom/TabInfo.java
sg/bigo/live/gift/VGiftInfoBean.java
sg/bigo/live/imchat/TimelineActivity.java
sg/bigo/config/y/x.java
sg/bigo/live/WebLoginActivity.java
sg/bigo/live/protocol/z.java
sg/bigo/live/protocol/e/v.java
sg/bigo/live/protocol/room/RoomLiveTagInfo.java
sg/bigo/sdk/blivestat/info/StaticsInfo.java
com/yy/sdk/z/x.java
sg/bigo/live/component/hq/view/dialog/GameOverDialog.java
sg/bigo/sdk/alert/z.java
sg/bigo/live/room/proto/ao.java
sg/bigo/sdk/blivestat/info/BaseStaticsInfo.java
sg/bigo/sdk/message/z/v.java
sg/bigo/sdk/blivestat/base/generalstat/LikeCommonStats.java
sg/bigo/live/room/sensear/z/z.java
com/yy/hiidostatis/inner/util/hdid/DeviceManagerV2.java
com/huawei/hms/support/api/push/PushReceiver.java
sg/bigo/live/aidl/RoomStruct.java
com/sensetime/sensear/SenseArMaterialService.java
com/appsflyer/v.java
sg/bigo/live/protocol/payment/VGiftInfoV3.java
sg/bigo/config/v/y.java
sg/bigo/live/room/data/a.java
sg/bigo/live/protocol/liveroomsticker/StickerInfo.java
sg/bigo/live/ranking/j.java
sg/bigo/live/room/controllers/hq/f.java
sg/bigo/live/aidl/RecursiceTab.java
com/ninegame/payment/sdk/SDKProtocolKeys.java
sg/bigo/sdk/blivestat/base/generalstat/BigoCommonStats.java
sg/bigo/live/list/GamePageActivity.java
sg/bigo/sdk/network/a/x/z/g.java
sg/bigo/live/user/UserInfoDetailActivity.java
sg/bigo/live/protocol/activities/a.java
sg/bigo/live/AbstractVideoShowActivity.java
com/yysdk/mobile/audio/YYSdkDataVolInfo.java
sg/bigo/sdk/blivestat/base/generalstat/HelloCommonStats.java
sg/bigo/live/advert/w.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/ninegame/apmsdk/log/info/RuntimeInfo.java
com/yy/iheima/util/u.java
com/xiaomi/push/z/x.java
com/ninegame/apmsdk/common/utils/StorageUtil.java
sg/bigo/live/imchat/fp.java
sg/bigo/live/share/ak.java
com/yy/iheima/util/ab.java
com/huawei/hms/update/a/f.java
sg/bigo/live/community/mediashare/utils/bk.java
sg/bigo/sdk/z/y.java
com/xiaomi/channel/commonutils/x/v.java
com/yy/iheima/util/au.java
com/yysdk/mobile/localplayer/LocalPlayerAudioPlayThread.java
sg/bigo/live/setting/profileAlbum/r.java
sg/bigo/live/setting/BigoProfileSettingActivity.java
sg/bigo/live/j/x.java
com/yy/hiidostatis/inner/util/hdid/DeviceManagerV2.java
com/yy/iheima/util/ExternalStorageUtil.java
sg/bigo/live/util/ab.java
sg/bigo/live/room/sensear/e.java
sg/bigo/threeparty/utils/z.java
sg/bigo/live/imchat/picture/AllPicBrowserActivity.java
sg/bigo/live/setting/profileAlbum/z.java
com/yy/hiidostatis/inner/util/z.java
sg/bigo/log/x.java
com/yysdk/mobile/mediasdk/YYMedia.java
com/yy/sdk/util/n.java
com/yysdk/mobile/audio/cap/AudioRecordThread.java
sg/bigo/live/advert/w.java
com/yysdk/mobile/audio/render/AudioPlayThread.java
com/huawei/hms/support/log/a/a.java
com/yy/iheima/bm.java
com/yy/iheima/util/aq.java
com/loc/cv.java
com/ninegame/apmsdk/log/LogConfig.java
sg/bigo/live/imchat/TimelineActivity.java
com/xiaomi/channel/commonutils/z/x.java
com/ninegame/apmsdk/log/info/BaseInfo.java
com/yy/hiidostatis/inner/util/hdid/DeviceManager.java
com/yy/iheima/login/SignupProfileActivity.java
com/xiaomi/push/z/z.java
com/ninegame/apmsdk/log/Logger.java
sg/bigo/svcapi/util/d.java
com/ninegame/apmsdk/log/LogContext.java
com/yy/hiidostatis/inner/util/hdid/b.java
com/loc/cj.java
sg/bigo/live/community/mediashare/utils/ap.java
com/ninegame/apmsdk/log/impl/FileAppender.java
com/yy/iheima/MyApplication.java
sg/bigo/live/a/z/l.java
com/yysdk/mobile/vpsdk/z.java
com/yy/hiidostatis/inner/util/y/b.java
sg/bigo/live/manager/w/b.java
com/yy/sdk/call/MediaSdkManager.java
com/yy/hiidostatis/inner/util/y/z.java
com/xiaomi/push/z/y.java
com/yy/hiidostatis/inner/util/hdid/z.java
com/sensetime/sensear/aa.java
com/loc/d.java
sg/bigo/live/interceptvideo/c.java
Low
CVSS:0
This App copies data to clipboard. Sensitive data should not be copied to clipboard as other applications can access it.
MASVS: MSTG-STORAGE-10
Files:
 sg/bigo/live/web/ab.java
sg/bigo/live/component/hq/view/dialog/LateDialog.java
sg/bigo/live/community/mediashare/bg.java
sg/bigo/live/component/hq/view/dialog/FailOutDialog.java
sg/bigo/live/component/hq/view/dialog/InviteFriendsDialog.java
sg/bigo/live/web/w.java
sg/bigo/live/share/an.java
sg/bigo/live/share/a.java
Medium
CVSS:8.8
Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.
MASVS: MSTG-PLATFORM-7
CWE-749 Exposed Dangerous Method or Function
M1: Improper Platform Usage
Files:
 sg/bigo/live/web/WebPageFragment.java
sg/bigo/live/ranking/RewardsWebFragment.java
sg/bigo/live/web/WebProcessActivity.java
sg/bigo/live/c/z.java
sg/bigo/live/micconnect/multi/dialog/CharmPrivilegeDialog.java
sg/bigo/live/room/activities/af.java
High
CVSS:5.9
SHA-1 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/y/z/x/w.java
sg/bigo/live/room/controllers/hq/e.java
com/xiaomi/channel/commonutils/android/d.java
com/xiaomi/channel/commonutils/a/w.java
com/appsflyer/p.java
com/yy/iheima/purchase/util/f.java
com/sensetime/sensear/x/x.java
com/loc/cs.java
com/xiaomi/channel/commonutils/a/y.java
High
CVSS:7.4
MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 com/ninegame/payment/sdk/utils/SecurityUtil.java
com/appsflyer/p.java
com/ninegame/apmsdk/common/utils/FileUtil.java
com/xiaomi/channel/commonutils/a/x.java
com/loc/cx.java
sg/bigo/common/u.java
com/vk/sdk/z/x.java
rcalc/v/w.java
sg/bigo/sdk/blivestat/base/w.java
sg/bigo/config/z/z.java
com/yy/hiidostatis/inner/util/z/w.java
com/xiaomi/channel/commonutils/a/w.java
com/yysdk/mobile/update/LibraryUpdater.java
com/ninegame/apmsdk/common/security/SecurityUtil.java
com/yy/hiidostatis/inner/util/z/b.java
sg/bigo/svcapi/util/d.java
com/yy/sdk/util/n.java
High
CVSS:7.4
Insecure WebView Implementation. WebView ignores SSL Certificate errors and accept any SSL Certificate. This application is vulnerable to MITM attacks
MASVS: MSTG-NETWORK-3
CWE-295 Improper Certificate Validation
M3: Insecure Communication
Files:
 sg/bigo/live/web/g.java
sg/bigo/threeparty/common/x.java
High
CVSS:5.5
App creates temp file. Sensitive information should never be written into a temp file.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/sensetime/sensear/y/y.java
com/yy/sdk/http/b.java
com/vk/sdk/api/photo/VKUploadImage.java
Pygal China: 1200 Germany: 800 Hong Kong: 800 Korea, Republic of: 100 Netherlands: 500 Russian Federation: 200 Singapore: 600 United States: 1500

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

US market.android.com 142.250.184.238
CN ip.taobao.com 203.119.169.89
CN data.hicloud.com 49.4.33.228
DE uc.bigo.tv 164.90.105.97
payment.9game.com
HK api.bigo.sg 169.136.79.64
HK www.baidu.com 103.235.46.39
CN log-ad-test.sensetime.com 175.102.178.133
DE hotroom.live.bigo.sg 164.90.105.128
hdcrash.hiido.com
DE query.hicloud.com 80.158.19.121
sdk.payment.9game.com
SG api.deep-ad.com 47.88.132.92
NL fs.calldev.bigo.sg 45.82.241.50
RU oauth.vk.com 87.240.129.181
NL snapshot.calldev.bigo.sg 45.82.241.50
US bigogithub.github.io 185.199.110.153
HK abroad.apilocate.amap.com 47.246.152.68
NL api.instagram.com 157.240.236.63
CN ylog.hiido.com 123.182.50.159
KR m.ahnlab.com 211.233.80.81
SG log.deep-ad.com 47.88.199.122
bigotest-mobile.bigo.tv
US cgicol.amap.com 198.11.146.6
US youtube.com 142.250.185.174
US www.instagram.com 185.60.216.174
US maps.googleapis.com 172.217.18.106
US www.googleapis.com 142.250.184.202
JP web-pay.line.me 203.104.137.133
DE esx.bigo.sg 128.1.78.67
SG crash.bigo.sg 169.136.181.5
CN config.hiido.com 121.11.220.194
SG protostats.bigo.sg 169.136.188.118
CN app.ad.sensetime.com 47.97.172.182
DE flag.bigo.sg 128.1.78.67
CN logs.amap.com 59.82.34.144
CN api-ad-test.sensetime.com 175.102.178.133
HK restapi.amap.com 47.246.109.112
CN api-ad.sensetime.com 120.55.16.65
US twitter.com 104.244.42.65
SG activity.bigo.tv 202.168.102.29
data.calldev.bigo.sg
DE www.bigo.tv 104.166.188.189
HK bggray-mobile.bigo.tv 169.136.79.32
NL fscalldev.bigolive.tv 45.82.241.50
schemas.android.com
NL instagram.com 157.240.229.174
CN weihuialert.yy.com 106.38.197.51
SG support0.bigo.sg 202.63.32.33
US play.google.com 142.250.74.206
US dl.dropboxusercontent.com 162.125.66.15
US www.jivesoftware.com 35.238.7.255
US www.bigo.sg 172.96.115.57
US xmlpull.org 74.50.62.60
HK apilocate.amap.com 47.246.152.69
US www.facebook.com 185.60.216.35
CN lbs.amap.com 59.82.29.232
HK bgtest-activity.bigo.tv 164.90.79.38
CN log-ad.sensetime.com 116.62.89.131
RU vk.com 87.240.137.158
ns.adobe.com
US bigolive-141810.firebaseio.com 35.201.97.85
HK svideo.bigo.sg 169.136.79.0
huidu-mobile.bigo.tv
DE resolver.msg.xiaomi.net 18.184.26.113
DE mobile.bigo.tv 164.90.105.97

URL analysis

Information computed with MobSF.

https://payment.9game.com/sdk/api.htm
http://sdk.payment.9game.com/sdk/logv3.htm
Defined in com/ninegame/payment/face/Prefs.java
https://payment.9game.com/sdk/api.htm
http://sdk.payment.9game.com/sdk/logv3.htm
Defined in com/ninegame/payment/face/Prefs.java
https://oauth.vk.com/blank.html
https://oauth.vk.com/authorize?client_id=%s&scope=%s&redirect_uri=%s&display=mobile&v=%s&response_type=token&revoke=%d
Defined in com/vk/sdk/dialogs/a.java
https://oauth.vk.com/blank.html
https://oauth.vk.com/authorize?client_id=%s&scope=%s&redirect_uri=%s&display=mobile&v=%s&response_type=token&revoke=%d
Defined in com/vk/sdk/dialogs/a.java
http://vk.com/images/camera_b.gif
http://vk.com/images/camera_a.gif
http://vk.com/images/camera_c.gif
Defined in com/vk/sdk/api/model/VKApiUser.java
http://vk.com/images/camera_b.gif
http://vk.com/images/camera_a.gif
http://vk.com/images/camera_c.gif
Defined in com/vk/sdk/api/model/VKApiUser.java
http://vk.com/images/camera_b.gif
http://vk.com/images/camera_a.gif
http://vk.com/images/camera_c.gif
Defined in com/vk/sdk/api/model/VKApiUser.java
http://vk.com/images/community_100.gif
http://vk.com/images/community_50.gif
Defined in com/vk/sdk/api/model/VKApiCommunity.java
http://vk.com/images/community_100.gif
http://vk.com/images/community_50.gif
Defined in com/vk/sdk/api/model/VKApiCommunity.java
http://vk.com/images/m_noalbum.png
http://vk.com/images/s_noalbum.png
http://vk.com/images/x_noalbum.png
Defined in com/vk/sdk/api/model/VKApiPhotoAlbum.java
http://vk.com/images/m_noalbum.png
http://vk.com/images/s_noalbum.png
http://vk.com/images/x_noalbum.png
Defined in com/vk/sdk/api/model/VKApiPhotoAlbum.java
http://vk.com/images/m_noalbum.png
http://vk.com/images/s_noalbum.png
http://vk.com/images/x_noalbum.png
Defined in com/vk/sdk/api/model/VKApiPhotoAlbum.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
https://api-ad.sensetime.com
https://api.deep-ad.com
https://api-ad-test.sensetime.com
https://log.deep-ad.com/sensear/logreport
https://log-ad-test.sensetime.com/sensear/logreport
https://log-ad.sensetime.com/sensear/logreport
Defined in com/sensetime/sensear/z/z.java
http://data.hicloud.com:8089/sdkv2
Defined in com/y/z/y/z/z.java
http://xmlpull.org/v1/doc/features.html#process-namespaces
Defined in com/xiaomi/x/w.java
http://resolver.msg.xiaomi.net/psc/?t=a
Defined in com/xiaomi/push/service/q.java
http://xmlpull.org/v1/doc/features.html#process-namespaces
Defined in com/xiaomi/smack/a.java
http://www.jivesoftware.com/xmlns/xmpp/properties
Defined in com/xiaomi/smack/packet/w.java
http://xmlpull.org/v1/doc/features.html#process-namespaces
Defined in com/xiaomi/smack/x/x.java
http://xmlpull.org/v1/doc/features.html#process-namespaces
Defined in com/xiaomi/smack/w/z.java
http://lbs.amap.com/api/android-location-sdk/abouterrorcode/查看错误码说明.
Defined in com/amap/api/location/AMapLocation.java