a***@qq.com
  • Published: 2024-11-25 17:36
  • Updated: 2024-11-25 17:36

[Help] After a vulnerability scan with MobSF v3.6.9 Beta, a few vulnerabilities cannot be resolved. Please help.

Category: ASK Community

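Hello experts!
I recently developed an Android app with uniapp, and the vulnerability scan at release time turned up some problems. After looking up related material and consulting the community documentation, some of the vulnerabilities were handled well, but a few problems remain unresolved, even after trying several hardening approaches. I would be very grateful if an expert could step in and offer some guidance. Brief information is below; see the attachment for details.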

  1. Vulnerability 1
    TITLE: Application vulnerable to Janus Vulnerability
    SEVERITY: warning
    DESCRIPTION: Application is signed with v1 signature scheme, making it vulnerable to Janus vulnerability on Android 5.0-8.0, if signed only with v1 signature scheme. Applications running on Android 5.0-7.0 signed with v1, and v2/v3 scheme is also vulnerable.
  2. Vulnerability 2
    TITLE: Clear text traffic is Enabled For App [android:usesCleartextTraffic=true]
    SEVERITY: high
    DESCRIPTION: The app intends to use cleartext network traffic, such as cleartext HTTP, FTP stacks, DownloadManager, and MediaPlayer. The default value for apps that target API level 27 or lower is "true". Apps that target API level 28 or higher default to "false". The key reason for avoiding cleartext traffic is the lack of confidentiality, authenticity, and protections against tampering; a network attacker can eavesdrop on transmitted data and also modify it without being detected.
2024-11-25 17:36 Assignee: DCloud_Android_ST
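For the first finding, it helps to confirm which signature schemes the built APK actually carries before and after each re-signing attempt. The following is an added example, not part of the original post and not MobSF or DCloud code: it detects v1 (JAR) signature files and the v2/v3 entries of the APK Signing Block, then maps the result to the two cases in the scanner description. The function names and the in-memory sample APK are constructed for illustration; it assumes no ZIP64 and no archive comment, and it checks presence only, not signature validity.

```python
import io, struct, zipfile

MAGIC = b"APK Sig Block 42"                      # trailer of the APK Signing Block
SCHEME_IDS = {0x7109871A: "v2", 0xF05368C0: "v3"}

def signature_schemes(apk: bytes) -> set:
    """Return which of v1 (JAR), v2, v3 signatures are present in the APK bytes."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        # v1 = JAR signing: a signature block file under META-INF/
        if any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
               for n in z.namelist()):
            found.add("v1")
    eocd = apk.rfind(b"PK\x05\x06")              # end-of-central-directory record
    cd = struct.unpack_from("<I", apk, eocd + 16)[0]   # central directory offset
    if cd < 32 or apk[cd - 16:cd] != MAGIC:
        return found                              # no signing block before the directory
    size = struct.unpack_from("<Q", apk, cd - 24)[0]
    pos, end = cd - size, cd - 24                 # region holding the ID-value pairs
    while 0 <= pos and pos + 12 <= end:
        length, pair_id = struct.unpack_from("<QI", apk, pos)
        if pair_id in SCHEME_IDS:
            found.add(SCHEME_IDS[pair_id])
        pos += 8 + length                         # uint64 length prefix + pair body
    return found

def janus_case(schemes: set) -> str:
    """Map the schemes to the two cases named in the scanner description."""
    if "v1" not in schemes:
        return "no v1 signature"
    return "v1 with v2/v3" if schemes & {"v2", "v3"} else "v1 only"

def build_sample(v1: bool, ids=()) -> bytes:
    """Constructed test APK: a tiny ZIP, optionally with a fake signing block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed")
        if v1:
            z.writestr("META-INF/CERT.RSA", b"constructed")
    raw = buf.getvalue()
    if not ids:
        return raw
    eocd = raw.rfind(b"PK\x05\x06")
    cd = struct.unpack_from("<I", raw, eocd + 16)[0]
    pairs = b"".join(struct.pack("<QI", 8, i) + b"\0" * 4 for i in ids)
    size = len(pairs) + 24
    block = struct.pack("<Q", size) + pairs + struct.pack("<Q", size) + MAGIC
    fixed = raw[:eocd + 16] + struct.pack("<I", cd + len(block)) + raw[eocd + 20:]
    return fixed[:cd] + block + fixed[cd:]
```
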