# ChatOn

状态：active
Platform：android
Package：ai.chat.gpt.bot
Version：1.100.795-867
Opportunity：2026-06-10-chaton-ai

## 摘要

- 包类型：xapk，inner APK 数：3
- 引擎 / 框架：native
- SDK 线索：amplitude, appsflyer, firebase, revenuecat
- Endpoint candidates：76
- 结论口径：本报告只基于静态 ZIP / Manifest / 字符串证据；不代表真实运行路径已验证。

## 直接证据

- [high] Manifest package id is ai.chat.gpt.bot（source: `AndroidManifest.xml`，status: `verified`）
- [high] Manifest declares 21 permissions（source: `AndroidManifest.xml`，status: `verified`）
- [high] Engine/framework markers: native（source: `APK file inventory`，status: `verified`）
- [high] Static strings include 76 endpoint candidates（source: `Text/string scan`，status: `verified`）
- [high] Package contains 8 native libraries（source: `APK file inventory`，status: `verified`）

## 推断

- [medium] SDK markers suggest: amplitude, appsflyer, firebase, revenuecat（source: `Manifest, filenames, and text strings`，status: `inferred`）

## 权限和组件

### 权限

- `ai.chat.gpt.bot.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION`
- `android.permission.ACCESS_ADSERVICES_AD_ID`
- `android.permission.ACCESS_ADSERVICES_ATTRIBUTION`
- `android.permission.ACCESS_NETWORK_STATE`
- `android.permission.ACCESS_WIFI_STATE`
- `android.permission.FOREGROUND_SERVICE`
- `android.permission.FOREGROUND_SERVICE_DATA_SYNC`
- `android.permission.INTERNET`
- `android.permission.POST_NOTIFICATIONS`
- `android.permission.READ_EXTERNAL_STORAGE`
- `android.permission.RECEIVE_BOOT_COMPLETED`
- `android.permission.RECORD_AUDIO`
- `android.permission.USE_BIOMETRIC`
- `android.permission.USE_FINGERPRINT`
- `android.permission.WAKE_LOCK`
- `android.permission.WRITE_EXTERNAL_STORAGE`
- `com.android.vending.BILLING`
- `com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE`
- `com.google.android.gms.permission.AD_ID`
- `com.google.android.providers.gsf.permission.READ_GSERVICES`
- `com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA`

### 组件

- Activities：androidx.credentials.playservices.HiddenActivity, androidx.credentials.playservices.IdentityCredentialApiHiddenActivity, com.aiby.chat.MainActivity, com.android.billingclient.api.ProxyBillingActivity, com.android.billingclient.api.ProxyBillingActivityV2, com.google.android.gms.auth.api.signin.internal.SignInHubActivity, com.google.android.gms.common.api.GoogleApiActivity, com.google.android.play.core.common.PlayCoreDialogWrapperActivity, com.google.firebase.auth.internal.GenericIdpActivity, com.google.firebase.auth.internal.RecaptchaActivity
- Services：androidx.credentials.playservices.CredentialProviderMetadataHolder, androidx.room.MultiInstanceInvalidationService, androidx.work.impl.background.systemalarm.SystemAlarmService, androidx.work.impl.background.systemjob.SystemJobService, androidx.work.impl.foreground.SystemForegroundService, com.aiby.feature_chat.service.ChatForegroundService, com.aiby.feature_html_banners.service.DownloadHTMLsService, com.google.android.datatransport.runtime.backends.TransportBackendDiscovery, com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService, com.google.android.gms.auth.api.signin.RevocationBoundService, com.google.android.gms.measurement.AppMeasurementJobService, com.google.android.gms.measurement.AppMeasurementService, com.google.firebase.components.ComponentDiscoveryService, com.google.mlkit.common.internal.MlKitComponentDiscoveryService
- Receivers：androidx.profileinstaller.ProfileInstallReceiver, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver, androidx.work.impl.background.systemalarm.RescheduleReceiver, androidx.work.impl.diagnostics.DiagnosticsReceiver, androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver, com.aiby.feature_widgets.ChatOnAppWidgetProviderBig, com.aiby.feature_widgets.ChatOnAppWidgetProviderSmall, com.appsflyer.SingleInstallBroadcastReceiver, com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver, com.google.android.gms.measurement.AppMeasurementReceiver
- Providers：androidx.startup.InitializationProvider, com.aiby.lib_platform.providers.ChatFileProvider, com.google.firebase.provider.FirebaseInitProvider, com.google.mlkit.common.internal.MlKitInitProvider, org.jetbrains.compose.resources.AndroidContextProvider

## SDK / Endpoint

### SDK

- `amplitude`
- `appsflyer`
- `firebase`
- `revenuecat`

### Endpoint candidates

- http://www.apache.org/licenses/LICENSE-2.0
- https://msdn.microsoft.com/en-us/en-en/library/windows/desktop/dd317756(v=vs.85).aspx
- https://docs.oracle.com/javase/8/docs/technotes/guides/intl/encoding.doc.html
- http://www.apache.org/licenses/
- http://www.unicode.org/terms_of_use.html
- http://www.unicode.org/reports/tr44/
- http://www.unicode.org/reports/tr24/
- http://www.unicode.org/reports/tr24/#Assignment_Script_Values
- http://www.unicode.org/reports/tr24/#Assignment_ScriptX_Values
- http://sourceforge.net/adobe/aglfn/
- http://www.unicode.org/unicode/reports/tr9/
- http://www.gust.org.pl
- http://www.gust.org.pl/fonts/licenses/GUST-FONT-LICENSE.txt
- http://tug.org/fonts/licenses/GUST-FONT-LICENSE.txt
- http://www.latex-project.org/lppl.txt
- http://scripts.sil.org/OFL
- http://www.gust.org.pl/projects/e-foundry/latin-modern
- http://en.wikipedia.org/wiki/AMS_Euler
- http://www.tug.org/texlive/Contents/live/texmf-dist/doc/latex/bbold/bbold.pdf
- http://www.gust.org.pl/projects/e-foundry/tex-gyre/
- http://www.peter-wiegel.de/Leipzig.html
- http://www.gust.org.pl/projects/e-foundry/tex-gyre/heros
- http://www.gust.org.pl/projects/e-foundry/tex-gyre/cursor
- https://callback.io/close
- http://callquietly.io/url/open?path=%24%7BencodeURI%28a%29%7D%60%29%7D%29%7D%29%7Dfunction
- http://callback.io/sign_in
- https://fonts.googleapis.com/css2?family=Roboto+Slab%3Awght%40900&display=swap
- https://fonts.googleapis.com/css2?family=Roboto%3Aital%2Cwght%400%2C100..900%3B1%2C100..900&display=swap
- https://aiby.mobi/chat_android/support/
- https://amplitude.com/privacy
- https://console.anthropic.com/legal/privacy
- https://console.anthropic.com/legal/terms
- https://www.applovin.com/privacy/
- https://www.appsflyer.com/legal/services-privacy-policy/
- https://policies.google.com/privacy
- https://firebase.google.com/support/privacy?hl=en
- https://fireworks.ai/privacy-policy
- https://fireworks.ai/terms-of-service
- https://privacy.microsoft.com/en-us/privacystatement
- https://openai.com/privacy/

## Warnings

- apktool manifest decode skipped 2 split APK(s)
- binary AndroidManifest.xml decoded with apktool

## 下一步

- 真机/模拟器验证 onboarding、paywall、首个可感知价值和崩溃路径。
- 把 endpoint candidates 与 HAR / MITM / Frida 动态证据对齐，避免只凭静态字符串下结论。
- 多版本对比权限、SDK、endpoint、native libs 和资源路径变化。
- 订阅/广告 SDK 线索存在，后续需拆 paywall、free trial、退款和广告频率。