Qark reports a PendingIntent security issue in the Java files zzaup, zzst, zze, MediaButtonReceiver, TaskStackBuilder

I am working on an existing application and have to test the code for security vulnerabilities with QARK (Quick Android Review Kit).

When I run this tool, it reports problems related to pending intents in these Java classes:
- myApp/classes_dex2jar/com/google/android/gms/internal/zzaup.java
- myApp/classes_dex2jar/com/google/android/gms/internal/zzst.java
- myApp/classes_dex2jar/com/google/android/gms/common/zze.java
- myApp/classes_dex2jar/android/support/v4/media/session/MediaButtonReceiver.java
- myApp/classes_dex2jar/android/support/v4/app/TaskStackBuilder.java

all with the same warning:

Implicit Intent: localIntent used to create instance of PendingIntent. A malicious application could potentially intercept, redirect and/or modify (in a limited manner) this Intent. Pending Intents retain the UID of your application and all related permissions, allowing another application to act as yours.
File: myApp/classes_dex2jar/[folder structure for each java class listed above].java
More details: https://www.securecoding.cert.org/confluence/display/android/DRD21-J.+Always+pass+explicit+intents+to+a+PendingIntent


I really don't know what to do. These classes are not in my code, and there is no PendingIntent either. (There is only one implicit intent that opens a simple link in the browser, nothing else!)

Any suggestions?
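The warning points at the CERT rule DRD21-J (always pass explicit intents to a PendingIntent). As an added illustration, not code from the question, from QARK or from the flagged libraries, here is the pattern QARK reports next to the form the rule asks for; ACTION_SYNC_DONE and SyncDoneReceiver are hypothetical names.

```java
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

// Added example (not code from the question, from QARK, or from the flagged libraries).
public final class PendingIntentExample {

    // Hypothetical action string. Any installed app can declare an intent filter for it.
    static final String ACTION_SYNC_DONE = "com.example.myapp.ACTION_SYNC_DONE";

    // Hypothetical receiver inside our own app.
    public static final class SyncDoneReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            // handle the completed sync here
        }
    }

    // The pattern QARK flags: no target component, so the system resolves the Intent
    // at send time, and whichever app matches the filter receives it with our UID
    // and permissions. A mutable PendingIntent also lets its holder fill in extras.
    static PendingIntent implicitPendingIntent(Context ctx) {
        Intent localIntent = new Intent(ACTION_SYNC_DONE);
        return PendingIntent.getBroadcast(ctx, 0, localIntent,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }

    // What DRD21-J asks for: the Intent names our own component, so only it can be
    // the recipient, and FLAG_IMMUTABLE (API 23+) stops the holder from changing it.
    static PendingIntent explicitPendingIntent(Context ctx) {
        Intent localIntent = new Intent(ACTION_SYNC_DONE)
                .setClass(ctx, SyncDoneReceiver.class);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getBroadcast(ctx, 0, localIntent, flags);
    }

    // Review or unit-test helper: an explicit Intent always carries a ComponentName.
    static boolean isExplicit(Intent intent) {
        return intent.getComponent() != null;
    }
}
```

The paths in the report sit under com.google.android.gms and android.support.v4, that is, dependency code bundled into the APK, which is why the pattern does not appear in the app's own sources.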

I am answering my own question so that it can help someone who needs it later.

Simply put, the report I was given was generated with an older version of QARK (as of early July 2018: version 1.2, while the current one is 4.0).

Searching the internet I found this issue (now closed), which says:

"The blog posts are old and use the release version of QARK. In the newer version (with more checks, faster execution, and less false positives) we have a simple report for now. [...]".


Good luck to everyone, and happy developing!