检测报告原文是这样的:
Base64 加密字符串风险
- 问题描述:发现 12 个 Base64 编码字符串,可能包含敏感信息(如 URL、密钥等)。
- 典型示例:
aHR0cHM6Ly9jci5kY2xvdWQubmV0LmNuLw==(解码为https://cr.dcloud.net.cn/)
em1rZ3psTWZrenF4fGFnZlpte2d9emttew==(复杂字符串,可能为加密资源路径) - 影响:若字符串包含敏感数据(如 API 密钥),可能被解密后滥用。
- 修复建议:对 Base64 字符串进行安全评估,敏感数据改用更安全的加密方式(如 AES)。
检测公司是使用了 AndroBugs Framework进行的扫描,以下是我用相同软件进行的扫描结果,所有的来源都是io.dcloud。大部分base64解码后得到的确为复杂字符串,无法明确用途
[Critical] <Hacker> Base64 String Encryption:
Found Base64 encoding "String(s)" (Total: 12). We cannot guarantee all of the Strings are Base64 encoding and also we will not
show you the decoded binary file:
https://cr.dcloud.net.cn/
->Original Encoding String: aHR0cHM6Ly9jci5kY2xvdWQubmV0LmNuLw==
->From class: Lio/dcloud/common/adapter/util/UEH$3;->run()V
zmkgzlMfkzqx|agfZm{g}zkm{
->Original Encoding String: em1rZ3psTWZrenF4fGFnZlpte2d9emttew==
->From class: Lio/dcloud/p/i0;->recordEncryptionResources(Ljava/lang/String; Lorg/json/JSONObject;)V
om|Mfkzqx|agfAfx}|[|zmie
->Original Encoding String: b218TWZrenF4fGFnZkFmeH18W3x6bWll
->From class: Lio/dcloud/p/i0;->getEncryptionInputStream(Ljava/lang/String;
Lio/dcloud/common/DHInterface/IApp;)Ljava/io/InputStream;
ifldmMfkzqx|agf ->Original Encoding String: YGlmbGRtTWZrenF4fGFnZg== ->From class: Lio/dcloud/p/i0;->handleEncryption(Landroid/content/Context; [B)Ljava/lang/String; iflzgalWal ->Original Encoding String: aWZsemdhbFdhbA== ->From class: Lio/dcloud/common/util/TelephonyUtil;->getAId(Landroid/content/Context;)Ljava/lang/String; jl-golvg-lnnlm-p-GO6a3d88fa-4ba0-479f-9422-e5aabe15897b67
->Original Encoding String: amwtZ2BvbHZnLWBsbm5sbS1gcC1HTyo2YTNkODhmYS00YmEwLTQ3OWYtOTQyMi1lNWFhYmUxNTg5N2I2Nw==
->From class: Lio/dcloud/p/i0;->b()Ljava/lang/String;
Z[I'MKJ'XCK[9Xillafo
->Original Encoding String: WltJJ01LSidYQ0tbOVhpbGxhZm8=
->From class: Lio/dcloud/p/s;->a([B Ljava/security/Key;)[B
yo~Kffe}_dc|oxykfKiioyyLxegLcfo_XFy6a3d88fa-4ba0-479f-9422-e5aabe15897b74
->Original Encoding String:
eW9+S2ZmZX1fZGN8b3h5a2ZLaWlveXlMeGVnTGNmb19YRnkqNmEzZDg4ZmEtNGJhMC00NzlmLTk0MjItZTVhYWJlMTU4OTdiNzQ=
->From class: Lio/dcloud/common/adapter/ui/webview/WebViewFactory;->setFileAccess(Ljava/lang/Object;
Lio/dcloud/common/DHInterface/IApp; Z)V
android.app.ActivityThread
->Original Encoding String: YW5kcm9pZC5hcHAuQWN0aXZpdHlUaHJlYWQ=
->From class: Lio/dcloud/common/util/PdrUtil;->closeAndroidPDialog()V
om|[}j{kzajmzAl
->Original Encoding String: b218W31qe2t6YWptekFs
->From class: Lio/dcloud/common/util/TelephonyUtil;->getAPSubId(Landroid/content/Context;)Ljava/lang/String;
->From class: Lio/dcloud/common/util/TelephonyUtil;->getPhoneInfo(I Landroid/content/Context;)Ljava/lang/Object;
{m|Bi~i[kzax|Mfijdml
->Original Encoding String: e218Qml+aVtremF4fE1maWpkbWw=
->From class: Lio/dcloud/common/adapter/ui/webview/WebViewFactory;->openJSEnabled(Ljava/lang/Object;
Lio/dcloud/common/DHInterface/IApp;)V
jl-golvg-efbwvqf-e-`EfbwvqfJnso*6a3d88fa-4ba0-479f-9422-e5aabe15897b67
->Original Encoding String:
amwtZ2BvbHZnLWVmYnd2cWYtYGUtYEVmYnd2cWZKbnNvKjZhM2Q4OGZhLTRiYTAtNDc5Zi05NDIyLWU1YWFiZTE1ODk3YjY3
->From class: Lio/dcloud/p/i0;->a()Ljava/lang/String;
1 个回复
DCloud_App_Array
Base64 加密的字符串不是敏感信息,部分敏感信息转换为base64之前已经做过加密处理。