Recorded calls to TLS API
Protected Against HTTP Method Manipulation
Public AWS S3 bucket with file listing enabled
Publicly exposed Firebase Database
Raccoon Attack on SSL/TLS
Racial or Ethnic Origin Information Collection Disclosed in Privacy Policy
Racial or Ethnic Origin Information Collection Not Disclosed in Privacy Policy
Recorded calls to Crypto API
Recorded calls to FileSystem API
Recorded calls to HTTP API
Recorded calls to Hash API
Recorded calls to Intent API
Recorded calls to Inter-Process-Communication (IPC) API
Recorded calls to Process API
Recorded calls to SQLite query API
Recorded calls to Serialization API
Recorded calls to Shared Preferences API
Recorded calls to TLS API
Recorded calls to TLS API
目录
记录的TLS API调用
描述
建议
链接
Recorded calls to TLS Pinning API
Recorded calls to command execution API
Recorded calls to dangerous WebView settings API
Recorded calls to dynamic code loading API
Recorded calls to logging API
Redis Library detected
Regular expression denial of service
Religious Beliefs Collection Disclosed in Privacy Policy
Religious Beliefs Collection Not Disclosed in Privacy Policy
Remote Command Execution
Root/Jailbreak Detection Implemented
SQL injection
SSL Extension Bleed Vulnerability
SSL/TLS Certificate Hostname Mismatch
SSL/TLS Certificate Pinning Not Implemented
SSL/TLS Certificates Expiring Soon
SSL/TLS Pinning Detected
SWEET32 Attack on 64-bit Block Ciphers
Secret information stored in the application
Secret information transmitted over the network
Secure Collection of Users' Crash Logs without Consent
Secure Collection of Users' Purchase History in Privacy Policy
Secure Collection of Users' Text Messages in Privacy Policy
Secure Content Security Policy
Secure Cookie Implementation
Secure Cross-Origin Resource Sharing (CORS) Policy
Secure Firebase Database Permissions
Secure HTTP Header Setting: Secure Referrer Policy
Secure HTTP Header Settings
Secure HTTP Strict Transport Security (HSTS) Implementation
Secure In-App Search History Collection in Privacy Policy
Secure Network Configuration Settings
Secure TLS certificate validation
Secure User ID Collection in Privacy Policy
Secure Virustotal malware analysis (MD5 based search)
Secure domain name and IP address reputation report
Sensitive Information Data Type Declaration is Present
Sensitive Information Data Type Declaration missing
Server Side Inclusion
Server-side template injection (SSTI)
Services declared without permissions
Sexual Orientation Information Collection Disclosed in Privacy Policy
Sexual Orientation Information Collection Not Disclosed in Privacy Policy
Sideloading Detection Implemented
Signature Verification Implemented
Source Map Code Leak
Source to Sink
Stack smashing protection not enforced
Static Anti-Tampering Mechanisms Detected
Static Anti-Tampering Techniques Not Implemented
Strict-Transport-Security (HSTS) not enforced
Strings Bplist files
Subdomain Takeover
TLS Client-Initiated Renegotiation DoS Vulnerability
TLS/SSL Server Configuration Settings
TLS_FALLBACK_SCSV Not Supported
Tapjacking Vulnerability
Task Hijacking
Template Injection
Text Messages Data Type Declaration Match
Text Messages Data Type Declaration Mismatch
Third-Party Sharing Information in Privacy Policy is Present
Ticketbleed Memory Disclosure in F5 BIG-IP
Trade Union Membership Information Collection Disclosed in Privacy Policy
Trade Union Membership Information Collection Not Disclosed in Privacy Policy
URL Manipulation
URL Scheme list
Unclaimed Cocoapods Vulnerability
Undeclared Permissions
Unrestricted DNS Zone Transfers
Unrestricted file upload
Unused permissions (overprivileged)
Use non-random initialization vector (IV)
Use of Deprecated Component
Use of Outdated Vulnerable Component
Use of an insecure Bluetooth connection
Use of deprecated TLS/SSL protocol version
User Account Info Data Type Declaration Match
User Account Info Data Type Declaration Mismatch
User Credentials Handling Disclosed in Privacy Policy
User Credentials Handling Not Clearly Disclosed in Privacy Policy
User ID Collection in Privacy Policy
User Photos and Media Collection Disclosed in Privacy Policy
User Photos and Media Collection Not Disclosed in Privacy Policy
Username enumeration
VirusTotal scan flagged malicious asset(s) (MD5 based search)
Voice Data Collection Disclosed in Privacy Policy
Voice Data Collection Not Disclosed in Privacy Policy
Weak Cipher Suites Supported
Weak Cryptographic Key and Signature Algorithm in SSL/TLS Certificate
Weak Message Authentication Code (MAC) Algorithms Supported
Web XML Injection
Webview Remote Debugging Enabled
Webview loadurl injection
XML External Entity (XXE) Injection
XML Injection
XPath Injection
XPath Injection Vulnerability
ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing
addJavaScriptInterface Remote Code Execution.
iOS Anti-Tampering Detected
iOS Anti-Tampering Not Detected
iOS Frida Instrumentation Detection Implemented
iOS Obfuscation Detected
iOS Obfuscation Not Detected
iOS Sensitive data stored in keyboard cache
iOS URL Scheme Hijacking
iOS URL Scheme Injection
iTunes UI File Sharing Enabled
Insecure Random Seed
Insecure Register Receiver Flag
Insecure Shared Preferences Permissions
Insecure Storage of Application Data
Insecure TLS Certificate Validation
Insecure TLS Ciphers supported
Insecure TLS Renegotiation (CVE-2009-3555)
Insecure TLS certificate domain name validation
Insecure TLS certificate validation (accept self-signed certificate)
Insecure hostname validation check
Insecure password storage
Insecure whitelist
Insecure whitelist configuration
Intent Redirection
Intent Spoofing
Interesting response
LDAP Injection
LOGJAM Attack on Diffie-Hellman
LOGJAM Common Prime Vulnerability
Legal Basis Present in Privacy Policy
List of JNI methods
List of calls to dangerous low-level C functions
Location History Collection Disclosed in Privacy Policy
Location History Collection Not Disclosed in Privacy Policy
Lucky Thirteen Vulnerability in SSL/TLS
MTA-STS Misconfiguration
Mach-O encrypted
Mach-O entitlements
Malformed ATS Configuration
Malicious Package: com.outsystems.plugins.fileviewer
Memory Leak
Mention of User Data Access in Privacy Policy
Mention of User Data Correction Rights in Privacy Policy
Mention of User Data Deletion in Privacy Policy
Mention of Users' Right to Know in Privacy Policy
Missing Debuggable Flag Detection
Missing Declaration of Approximate Location Collection in Privacy Policy
Missing Declaration of Contact Collection in Privacy Policy
Missing Declaration of Device or Other IDs Collection in Privacy Policy
Missing Declaration of Email Address Collection in Privacy Policy
Missing Declaration of Email Collection in Privacy Policy
Missing Declaration of Health Info Collection in Privacy Policy
Missing Declaration of Installed Apps Collection in Privacy Policy
Missing Declaration of Phone Number Collection in Privacy Policy
Missing Declaration of Photo Collection in Privacy Policy
Missing Declaration of Precise Location Collection in Privacy Policy
Missing Declaration of User Files Collection in Privacy Policy
Missing Declaration of Video Collection in Privacy Policy
Missing Declaration of Voice or Sound Recording Collection in Privacy Policy
Missing Declaration of Web Browsing History Collection in Privacy Policy
Missing Frida Instrumentation Detection
Missing GDPR Rights Reference in Privacy Policy
Missing Legal Basis in Privacy Policy
Missing Mention of User Data Access in Privacy Policy
Missing Mention of User Data Correction Rights in Privacy Policy
Missing Mention of User Data Deletion in Privacy Policy
Missing Mention of Users' Right to Know in Privacy Policy
Missing Opt-out Information in Privacy Policy
Missing Privacy Policy Disclosure for Calendar Events Collection
Missing Privacy Policy Disclosure for Fitness Info Collection
Missing Privacy Policy Link
Missing Root/Jailbreak Detection
Missing Sideloading Detection
Missing Signature Verification
Missing Third-Party Sharing Information in Privacy Policy
Missing iOS Frida Instrumentation Detection
Missing or misconfigured DNSSEC
Missing privacy manifest file
Mobile SQL Injection Vulnerability
Mobile WiFi API Personal Identifiable Information concerns
Network Port Scan
No sensitive data stored outside App
NoSQL Injection
Notification Spoofing
OAuth Account Takeover by hijacking custom schemes
Obfuscated Flutter code
Obfuscated methods
Object Limit Overriding in GraphQL
Opt-out Information Present in Privacy Policy
Outdated SSL/TLS Protocols Supported
PII Categories Data Type Declaration Match
PII Categories Data Type Declaration Mismatch
PII Data Type Declaration Match
PII Data Type Declaration Mismatch
POODLE Attack on SSL 3.0
Path Traversal
Payment and Financial Information Collection Disclosed in Privacy Policy
Payment and Financial Information Collection Not Disclosed in Privacy Policy
Personal Identifiers Collection Disclosed in Privacy Policy
Personal Identifiers Collection Not Disclosed in Privacy Policy
Personally Identifiable Information (PII) Leakage
Philosophical Beliefs Collection Disclosed in Privacy Policy
Philosophical Beliefs Collection Not Disclosed in Privacy Policy
Phone Number Data Type Declaration Match
Phone Number Data Type Declaration Mismatch
Political Affiliations Collection Disclosed in Privacy Policy
Political Affiliations Collection Not Disclosed in Privacy Policy
Port open on device
Precise Location Data Type Declaration Match
Precise Location Data Type Declaration Mismatch
Privacy Policy CCPA Rights Reference are Present
Privacy Policy CCPA Rights Reference missing
Privacy Policy Data Retention Description
Privacy Policy Disclosure for Calendar Events Collection is Present
Privacy Policy Disclosure for Fitness Info Collection is Present
Privacy Policy Link is Present
Privacy Policy Personal Data Categories Disclosure match
Privacy Policy Personal Data Categories Disclosure mismatch
Privacy manifest files
Process crashes
Proper Privacy Policy Data Retention Description
Protected Against GraphQL Alias Brute Forcing
Protected Against GraphQL Alias Overloading
Protected Against GraphQL Batch Query Attacks
Protected Against GraphQL Circular Fragments
Protected Against GraphQL Circular References
Protected Against GraphQL Debug Mode Risks
Protected Against GraphQL Directive Overloading
Protected Against GraphQL Field Duplication
Protected Against GraphQL Object Limit Overriding
Protected Against GraphQL Tracing Risks
Protected Against HTTP Method Manipulation
Public AWS S3 bucket with file listing enabled
Publicly exposed Firebase Database
Raccoon Attack on SSL/TLS
Racial or Ethnic Origin Information Collection Disclosed in Privacy Policy
Racial or Ethnic Origin Information Collection Not Disclosed in Privacy Policy
Recorded calls to Crypto API
Recorded calls to FileSystem API
Recorded calls to HTTP API
Recorded calls to Hash API
Recorded calls to Intent API
Recorded calls to Inter-Process-Communication (IPC) API
Recorded calls to Process API
Recorded calls to SQLite query API
Recorded calls to Serialization API
Recorded calls to Shared Preferences API
Recorded calls to TLS API
Recorded calls to TLS API
目录
记录的TLS API调用
描述
建议
链接
Recorded calls to TLS Pinning API
Recorded calls to command execution API
Recorded calls to dangerous WebView settings API
Recorded calls to dynamic code loading API
Recorded calls to logging API
Redis Library detected
Regular expression denial of service
Religious Beliefs Collection Disclosed in Privacy Policy
Religious Beliefs Collection Not Disclosed in Privacy Policy
Remote Command Execution
Root/Jailbreak Detection Implemented
SQL injection
SSL Extension Bleed Vulnerability
SSL/TLS Certificate Hostname Mismatch
SSL/TLS Certificate Pinning Not Implemented
SSL/TLS Certificates Expiring Soon
SSL/TLS Pinning Detected
SWEET32 Attack on 64-bit Block Ciphers
Secret information stored in the application
Secret information transmitted over the network
Secure Collection of Users' Crash Logs without Consent
Secure Collection of Users' Purchase History in Privacy Policy
Secure Collection of Users' Text Messages in Privacy Policy
Secure Content Security Policy
Secure Cookie Implementation
Secure Cross-Origin Resource Sharing (CORS) Policy
Secure Firebase Database Permissions
Secure HTTP Header Setting: Secure Referrer Policy
Secure HTTP Header Settings
Secure HTTP Strict Transport Security (HSTS) Implementation
Secure In-App Search History Collection in Privacy Policy
Secure Network Configuration Settings
Secure TLS certificate validation
Secure User ID Collection in Privacy Policy
Secure Virustotal malware analysis (MD5 based search)
Secure domain name and IP address reputation report
Sensitive Information Data Type Declaration is Present
Sensitive Information Data Type Declaration missing
Server Side Inclusion
Server-side template injection (SSTI)
Services declared without permissions
Sexual Orientation Information Collection Disclosed in Privacy Policy
Sexual Orientation Information Collection Not Disclosed in Privacy Policy
Sideloading Detection Implemented
Signature Verification Implemented
Source Map Code Leak
Source to Sink
Stack smashing protection not enforced
Static Anti-Tampering Mechanisms Detected
Static Anti-Tampering Techniques Not Implemented
Strict-Transport-Security (HSTS) not enforced
Strings Bplist files
Subdomain Takeover
TLS Client-Initiated Renegotiation DoS Vulnerability
TLS/SSL Server Configuration Settings
TLS_FALLBACK_SCSV Not Supported
Tapjacking Vulnerability
Task Hijacking
Template Injection
Text Messages Data Type Declaration Match
Text Messages Data Type Declaration Mismatch
Third-Party Sharing Information in Privacy Policy is Present
Ticketbleed Memory Disclosure in F5 BIG-IP
Trade Union Membership Information Collection Disclosed in Privacy Policy
Trade Union Membership Information Collection Not Disclosed in Privacy Policy
URL Manipulation
URL Scheme list
Unclaimed Cocoapods Vulnerability
Undeclared Permissions
Unrestricted DNS Zone Transfers
Unrestricted file upload
Unused permissions (overprivileged)
Use non-random initialization vector (IV)
Use of Deprecated Component
Use of Outdated Vulnerable Component
Use of an insecure Bluetooth connection
Use of deprecated TLS/SSL protocol version
User Account Info Data Type Declaration Match
User Account Info Data Type Declaration Mismatch
User Credentials Handling Disclosed in Privacy Policy
User Credentials Handling Not Clearly Disclosed in Privacy Policy
User ID Collection in Privacy Policy
User Photos and Media Collection Disclosed in Privacy Policy
User Photos and Media Collection Not Disclosed in Privacy Policy
Username enumeration
VirusTotal scan flagged malicious asset(s) (MD5 based search)
Voice Data Collection Disclosed in Privacy Policy
Voice Data Collection Not Disclosed in Privacy Policy
Weak Cipher Suites Supported
Weak Cryptographic Key and Signature Algorithm in SSL/TLS Certificate
Weak Message Authentication Code (MAC) Algorithms Supported
Web XML Injection
Webview Remote Debugging Enabled
Webview loadurl injection
XML External Entity (XXE) Injection
XML Injection
XPath Injection
XPath Injection Vulnerability
ZIP Vulnerabilities: Path Traversal, Zip Symbolic Link, and Zip Extension Spoofing
addJavaScriptInterface Remote Code Execution.
iOS Anti-Tampering Detected
iOS Anti-Tampering Not Detected
iOS Frida Instrumentation Detection Implemented
iOS Obfuscation Detected
iOS Obfuscation Not Detected
iOS Sensitive data stored in keyboard cache
iOS URL Scheme Hijacking
iOS URL Scheme Injection
iTunes UI File Sharing Enabled
Recorded calls to TLS API
Risk: info
Description
List of all TLS methods used in the application.
Recommendation
This entry is informational only; no recommendation applies.
Links