# Calm 状态:active Platform:android Package:com.calm.android Version:6.97 Opportunity:2026-06-10-calm ## 摘要 - 包类型:xapk,inner APK 数:3 - 引擎 / 框架:native - SDK 线索:amplitude, appsflyer, firebase, revenuecat - Endpoint candidates:80 - 结论口径:本报告只基于静态 ZIP / Manifest / 字符串证据;不代表真实运行路径已验证。 ## 直接证据 - [high] Manifest package id is com.calm.android(source: `AndroidManifest.xml`,status: `verified`) - [high] Manifest declares 30 permissions(source: `AndroidManifest.xml`,status: `verified`) - [high] Engine/framework markers: native(source: `APK file inventory`,status: `verified`) - [high] Static strings include 80 endpoint candidates(source: `Text/string scan`,status: `verified`) - [high] Package contains 5 native libraries(source: `APK file inventory`,status: `verified`) ## 推断 - [medium] SDK markers suggest: amplitude, appsflyer, firebase, revenuecat(source: `Manifest, filenames, and text strings`,status: `inferred`) ## 权限和组件 ### 权限 - `android.permission.ACCESS_ADSERVICES_AD_ID` - `android.permission.ACCESS_ADSERVICES_ATTRIBUTION` - `android.permission.ACCESS_NETWORK_STATE` - `android.permission.ACCESS_NOTIFICATION_POLICY` - `android.permission.ACCESS_WIFI_STATE` - `android.permission.BLUETOOTH` - `android.permission.BROADCAST_CLOSE_SYSTEM_DIALOGS` - `android.permission.FOREGROUND_SERVICE` - `android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK` - `android.permission.INTERNET` - `android.permission.POST_NOTIFICATIONS` - `android.permission.READ_CONTACTS` - `android.permission.READ_EXTERNAL_STORAGE` - `android.permission.RECEIVE_BOOT_COMPLETED` - `android.permission.SCHEDULE_EXACT_ALARM` - `android.permission.USE_BIOMETRIC` - `android.permission.USE_FINGERPRINT` - `android.permission.VIBRATE` - `android.permission.WAKE_LOCK` - `android.permission.WRITE_EXTERNAL_STORAGE` - `android.permission.health.WRITE_EXERCISE` - `android.permission.health.WRITE_MINDFULNESS` - `com.android.vending.BILLING` - `com.android.vending.CHECK_LICENSE` - `com.calm.android.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION` - `com.google.android.c2dm.permission.RECEIVE` - `com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE` - `com.google.android.gms.permission.AD_ID` - `com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA` - `com.samsung.android.mapsagent.permission.READ_APP_INFO` ### 组件 - Activities:androidx.activity.ComponentActivity, androidx.compose.ui.tooling.PreviewActivity, androidx.credentials.playservices.HiddenActivity, com.android.billingclient.api.ProxyBillingActivity, com.android.billingclient.api.ProxyBillingActivityV2, com.auth0.android.provider.AuthenticationActivity, com.auth0.android.provider.RedirectActivity, com.calm.android.ViewPermissionUsageActivity, com.calm.android.debug.DebugActivity, com.calm.android.feat.healthconnect.activity.HealthConnectPermissionsRationaleActivity, com.calm.android.ui.home.MainActivity, com.calm.android.ui.intro.OnboardingActivity, com.calm.android.ui.login.LoginActivity, com.calm.android.ui.misc.ModalActivity, com.calm.android.ui.mood.MoodActivity, com.calm.android.ui.onboarding.familyplan.FamilyPlanOnboardingActivity, com.calm.android.ui.player.VideoPlayerActivity, com.calm.android.ui.player.overlays.SessionPlayerOverlayActivity, com.calm.android.ui.profile.ManualSessionActivity, com.calm.android.ui.profile.WebSubscriptionActivity, com.calm.android.ui.reminders.RemindersActivity, com.calm.android.ui.scenes.ScenesActivity, com.calm.android.ui.splash.SplashActivity, com.calm.android.ui.webview.WebviewActivity, com.facebook.CustomTabActivity, com.facebook.CustomTabMainActivity, com.facebook.FacebookActivity, com.google.android.gms.auth.api.signin.internal.SignInHubActivity, com.google.android.gms.common.api.GoogleApiActivity, com.google.android.play.core.common.PlayCoreDialogWrapperActivity, com.iterable.iterableapi.IterableTrampolineActivity, com.jakewharton.processphoenix.PhoenixActivity, com.perimeterx.msdk.internal.enforcers.BlockActivity, com.perimeterx.msdk.internal.enforcers.CaptchaActivity, com.stripe.android.customersheet.CustomerSheetActivity, com.stripe.android.googlepaylauncher.GooglePayLauncherActivity, com.stripe.android.googlepaylauncher.GooglePayPaymentMethodLauncherActivity, com.stripe.android.link.LinkActivity, com.stripe.android.link.LinkForegroundActivity, com.stripe.android.link.LinkRedirectHandlerActivity, com.stripe.android.payments.StripeBrowserLauncherActivity, com.stripe.android.payments.StripeBrowserProxyReturnActivity, com.stripe.android.payments.bankaccount.ui.CollectBankAccountActivity, com.stripe.android.payments.core.authentication.threeds2.Stripe3ds2TransactionActivity, com.stripe.android.payments.paymentlauncher.PaymentLauncherConfirmationActivity, com.stripe.android.paymentsheet.ExternalPaymentMethodProxyActivity, com.stripe.android.paymentsheet.PaymentOptionsActivity, com.stripe.android.paymentsheet.PaymentSheetActivity, com.stripe.android.paymentsheet.addresselement.AddressElementActivity, com.stripe.android.paymentsheet.paymentdatacollection.bacs.BacsMandateConfirmationActivity, com.stripe.android.paymentsheet.paymentdatacollection.cvcrecollection.CvcRecollectionActivity, com.stripe.android.paymentsheet.paymentdatacollection.polling.PollingActivity, com.stripe.android.paymentsheet.ui.SepaMandateActivity, com.stripe.android.stripe3ds2.views.ChallengeActivity, com.stripe.android.ui.core.cardscan.CardScanActivity, com.stripe.android.view.PaymentAuthWebViewActivity, com.stripe.android.view.PaymentRelayActivity - Services:androidx.credentials.playservices.CredentialProviderMetadataHolder, androidx.health.platform.client.impl.sdkservice.HealthDataSdkService, androidx.room.MultiInstanceInvalidationService, androidx.work.impl.background.systemalarm.SystemAlarmService, androidx.work.impl.background.systemjob.SystemJobService, androidx.work.impl.foreground.SystemForegroundService, com.calm.android.services.AudioService, com.calm.android.services.WearListenerService, com.calm.android.util.CalmFirebaseService, com.calm.android.widgets.DailyCalmWidget$UpdaterService, com.calm.android.widgets.DailyCalmWidgetUpdateJob, com.calm.android.widgets.RecommendedSleepStoryWidget$UpdaterService, com.calm.android.widgets.SleepStoryWidgetUpdateJob, com.google.android.datatransport.runtime.backends.TransportBackendDiscovery, com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService, com.google.android.gms.auth.api.signin.RevocationBoundService, com.google.android.gms.cast.framework.ReconnectionService, com.google.android.gms.measurement.AppMeasurementJobService, com.google.android.gms.measurement.AppMeasurementService, com.google.firebase.components.ComponentDiscoveryService, com.google.firebase.messaging.FirebaseMessagingService, com.iterable.iterableapi.IterableFirebaseMessagingService, com.jakewharton.processphoenix.PhoenixService - Receivers:androidx.profileinstaller.ProfileInstallReceiver, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver, androidx.work.impl.background.systemalarm.RescheduleReceiver, androidx.work.impl.diagnostics.DiagnosticsReceiver, androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver, com.appsflyer.SingleInstallBroadcastReceiver, com.calm.android.util.BootCompletedReceiver, com.calm.android.util.ShareBroadcastReceiver, com.calm.android.util.UpgradeReceiver, com.calm.android.util.reminders.RemindersAlarmReceiver, com.calm.android.util.reminders.trial.TrialReminderAlarmReceiver, com.calm.android.widgets.DailyCalmWidget, com.calm.android.widgets.RecommendedSleepStoryWidget, com.facebook.AuthenticationTokenManager$CurrentAuthenticationTokenChangedBroadcastReceiver, com.facebook.CurrentAccessTokenExpirationBroadcastReceiver, com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver, com.google.android.gms.cast.framework.media.MediaIntentReceiver, com.google.android.gms.measurement.AppMeasurementReceiver, com.google.firebase.iid.FirebaseInstanceIdReceiver, com.iterable.iterableapi.IterablePushActionReceiver - Providers:androidx.core.content.FileProvider, androidx.startup.InitializationProvider, com.datadog.android.rum.DdRumContentProvider, com.facebook.internal.FacebookInitProvider, com.google.firebase.provider.FirebaseInitProvider, com.squareup.picasso.PicassoProvider ## SDK / Endpoint ### SDK - `amplitude` - `appsflyer` - `firebase` - `revenuecat` ### Endpoint candidates - http://www.apache.org/licenses/ - https://assets.calm.com/b9038c8088eeaecf73ad1041deaa33df.jpeg - https://assets.calm.com/a830a974a976c5d12287bd3f882b7087.jpeg - https://assets.calm.com/e7f113b62c6ed74f3c71a634f9e126c3.oga - https://assets-videos.calm.com/hls/fc953e0da669bf35ec732bb43fe618a7/hls-fc953e0da669bf35ec732bb43fe618a7.m3u8 - https://assets-videos.calm.com/hls/fc953e0da669bf35ec732bb43fe618a7/fc953e0da669bf35ec732bb43fe618a7.mp4 - https://assets.calm.com/ea6c314c39e8f8cf0f4570940f4425d4.jpeg - https://assets.calm.com/6b6fe2ad865c042ab9fb40e4770b8cab.oga - https://assets-videos.calm.com/hls/242532719766acf3bc5a207acdf4433b/hls.m3u8 - https://assets-videos.calm.com/hls/242532719766acf3bc5a207acdf4433b/242532719766acf3bc5a207acdf4433b.mp4 - https://assets.calm.com/8b578d79c0d7c8d64295a68fade93ad4.jpeg - https://assets.calm.com/59f8560ceb17bc98bc64c2eb407572da.oga - https://assets.calm.com/ec430076eb0ac1b7d31d0770246eb1d1.mp4 - https://assets.calm.com/24ed1d7cbb2e851c23ba62a84efb59ee.jpeg - https://assets.calm.com/cb653fa17a049676e92e56edbfdc0709.oga - https://assets.calm.com/fea14a3cf74fe19bdaf09150bde4a66e.mp4 - https://assets.calm.com/7a9c94baa00d9f12af1e889a191b1f18.jpeg - https://assets.calm.com/233bfefed5545e6702fc499d18ce65fd.oga - https://assets.calm.com/4b3796aa0f8910e8931a57b98ad7a637.mp4 - https://assets.calm.com/a9fded8a7e6d0d2156a3305f1288ee94.jpeg - https://assets.calm.com/7d7633212b688364715c11104df909f8.oga - https://assets.calm.com/2678a058d47b4dbda7d940399595ae20.mp4 - https://assets.calm.com/17d3fcab159cb1d9a783eff722127877.jpeg - https://assets.calm.com/4803f425a66065359fac56ecf53d034c.oga - https://assets.calm.com/401efc763dd4d038d7ed56f7490b4860.mp4 - https://assets.calm.com/21ae2030efa4173823b771035e980320.jpeg - https://assets.calm.com/5f6e2307d927779104939ce4625e7607.oga - https://assets.calm.com/e243d4fa58b322425d75ed51e436a37d.mp4 - https://assets.calm.com/5fbdf532b7167f8ce18db5352b8ce0d5.jpeg - https://assets.calm.com/132eeefda701166cbf93d2505294fc23.oga - https://assets.calm.com/02468a3ae77a0cd4b8104fda6b0164e8.mp4 - https://assets.calm.com/d995cc99bdd9c0d2e5c3280b25fe9a79.jpeg - https://assets.calm.com/fe9c6bfa9d24b44102a050d96c2bae60.oga - https://assets.calm.com/2498f45646c88f9f75f7d82df91eaec0.mp4 - https://assets.calm.com/bd70683ace698e815bccc1c34d2cdce9.jpeg - https://assets.calm.com/8baf5f4df601030753631386b6642579.oga - https://assets.calm.com/37289cd9608459d504e741f4aeed5064.mp4 - https://assets.calm.com/75ea50a5470f3fca483d3e1f4596dbb5.jpeg - https://assets.calm.com/db646cdd01564536aad2508e34777f4a.oga - https://assets.calm.com/78cf24ca014688aef7f54b68127ce443.mp4 ## Warnings - apktool manifest decode skipped 2 split APK(s) - binary AndroidManifest.xml decoded with apktool ## 下一步 - 真机/模拟器验证 onboarding、paywall、首个可感知价值和崩溃路径。 - 把 endpoint candidates 与 HAR / MITM / Frida 动态证据对齐,避免只凭静态字符串下结论。 - 多版本对比权限、SDK、endpoint、native libs 和资源路径变化。 - 联系人权限存在,后续需重点验证权限解释、备份、撤销和删除前确认。 - 订阅/广告 SDK 线索存在,后续需拆 paywall、free trial、退款和广告频率。