# Hevy

Status: active
Platform: android
Package: com.hevy
Version: 3.0.15
Opportunity: 2026-06-10-hevy

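## Summary

- Package type: xapk, inner APK count: 20
- Engine / framework: hermes, react_native
- SDK markers: branch, facebook, firebase, hermes, onesignal, react_native
- Endpoint candidates: 1
- Scope of conclusions: this report is based only on static ZIP / Manifest / string evidence; it does not mean that real runtime paths have been verified.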

## Direct evidence

- [high] Manifest package id is com.hevy (source: `AndroidManifest.xml`, status: `verified`)
- [high] Manifest declares 34 permissions (source: `AndroidManifest.xml`, status: `verified`)
- [high] Engine/framework markers: hermes, react_native (source: `APK file inventory`, status: `verified`)
- [high] Static strings include 1 endpoint candidate (source: `Text/string scan`, status: `verified`)
- [high] Package contains 30 native libraries (source: `APK file inventory`, status: `verified`)

## Inferences

- [medium] SDK markers suggest: branch, facebook, firebase, hermes, onesignal, react_native (source: `Manifest, filenames, and text strings`, status: `inferred`)

## Permissions and components

### Permissions

- `android.permission.ACCESS_ADSERVICES_AD_ID`
- `android.permission.ACCESS_ADSERVICES_ATTRIBUTION`
- `android.permission.ACCESS_ADSERVICES_CUSTOM_AUDIENCE`
- `android.permission.ACCESS_ADSERVICES_TOPICS`
- `android.permission.ACCESS_NETWORK_STATE`
- `android.permission.ACCESS_WIFI_STATE`
- `android.permission.CAMERA`
- `android.permission.DOWNLOAD_WITHOUT_NOTIFICATION`
- `android.permission.FOREGROUND_SERVICE`
- `android.permission.FOREGROUND_SERVICE_SPECIAL_USE`
- `android.permission.INTERNET`
- `android.permission.POST_NOTIFICATIONS`
- `android.permission.READ_CONTACTS`
- `android.permission.READ_EXTERNAL_STORAGE`
- `android.permission.RECEIVE_BOOT_COMPLETED`
- `android.permission.SCHEDULE_EXACT_ALARM`
- `android.permission.USE_BIOMETRIC`
- `android.permission.USE_FINGERPRINT`
- `android.permission.VIBRATE`
- `android.permission.WAKE_LOCK`
- `android.permission.WRITE_EXTERNAL_STORAGE`
- `android.permission.health.READ_BODY_FAT`
- `android.permission.health.READ_WEIGHT`
- `android.permission.health.WRITE_BODY_FAT`
- `android.permission.health.WRITE_EXERCISE`
- `android.permission.health.WRITE_HEART_RATE`
- `android.permission.health.WRITE_TOTAL_CALORIES_BURNED`
- `android.permission.health.WRITE_WEIGHT`
- `com.android.vending.BILLING`
- `com.google.android.c2dm.permission.RECEIVE`
- `com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE`
- `com.google.android.gms.permission.ACTIVITY_RECOGNITION`
- `com.google.android.gms.permission.AD_ID`
- `com.hevy.DYNAMIC_RECEIVER_NOT_EXPORTED_PERMISSION`

### Components

- Activities: androidx.glance.appwidget.action.ActionTrampolineActivity, androidx.glance.appwidget.action.InvisibleActionTrampolineActivity, com.android.billingclient.api.ProxyBillingActivity, com.android.billingclient.api.ProxyBillingActivityV2, com.bytedance.sdk.open.tiktok.ui.TikTokWebAuthorizeActivity, com.facebook.CustomTabActivity, com.facebook.CustomTabMainActivity, com.facebook.FacebookActivity, com.google.android.gms.auth.api.signin.internal.SignInHubActivity, com.google.android.gms.common.api.GoogleApiActivity, com.google.android.play.core.common.PlayCoreDialogWrapperActivity, com.hevy.MainActivity, com.hevy.ViewPermissionUsageActivity, com.hevy.healthconnect.PermissionsRationaleActivity, com.hevy.widgets.chart.ChartWidgetConfigurationActivity, com.hevy.widgets.dayroutine.DayRoutineWidgetConfigurationActivity, com.hevy.widgets.lastroutines.LastRoutinesWidgetConfigurationActivity, com.hevy.widgets.quickaccess.QuickAccessWidgetConfigurationActivity, com.hevy.widgets.weeklystats.WeeklyStatsWidgetConfigurationActivity, com.revenuecat.purchases.amazon.purchasing.ProxyAmazonBillingActivity, ly.img.android.pesdk.ui.activity.CameraPreviewActivity, ly.img.android.pesdk.ui.activity.EditorActivity, ly.img.android.pesdk.ui.activity.PhotoEditorActivity, ly.img.android.pesdk.ui.activity.VideoEditorActivity, ly.img.react_native.pesdk.RNPhotoEditorSDKActivity, ly.img.react_native.vesdk.RNVideoEditorSDKActivity
- Services: androidx.camera.core.impl.MetadataHolderService, androidx.core.widget.RemoteViewsCompatService, androidx.glance.appwidget.GlanceRemoteViewsService, androidx.health.platform.client.impl.sdkservice.HealthDataSdkService, androidx.room.MultiInstanceInvalidationService, androidx.work.impl.background.systemalarm.SystemAlarmService, androidx.work.impl.background.systemjob.SystemJobService, androidx.work.impl.foreground.SystemForegroundService, com.google.android.datatransport.runtime.backends.TransportBackendDiscovery, com.google.android.datatransport.runtime.scheduling.jobscheduling.JobInfoSchedulerService, com.google.android.gms.auth.api.signin.RevocationBoundService, com.google.firebase.components.ComponentDiscoveryService, com.google.firebase.messaging.FirebaseMessagingService, com.google.mlkit.common.internal.MlKitComponentDiscoveryService, com.hevy.notifications.HevyFirebaseMessagingService, com.hevy.services.TimerNotificationService, com.hevy.services.WearListenerService
- Receivers: androidx.glance.appwidget.MyPackageReplacedReceiver, androidx.glance.appwidget.UnmanagedSessionReceiver, androidx.glance.appwidget.action.ActionCallbackBroadcastReceiver, androidx.profileinstaller.ProfileInstallReceiver, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryChargingProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$BatteryNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$NetworkStateProxy, androidx.work.impl.background.systemalarm.ConstraintProxy$StorageNotLowProxy, androidx.work.impl.background.systemalarm.ConstraintProxyUpdateReceiver, androidx.work.impl.background.systemalarm.RescheduleReceiver, androidx.work.impl.diagnostics.DiagnosticsReceiver, androidx.work.impl.utils.ForceStopRunnable$BroadcastReceiver, com.adjust.sdk.AdjustReferrerReceiver, com.amazon.device.iap.ResponseReceiver, com.facebook.AuthenticationTokenManager$CurrentAuthenticationTokenChangedBroadcastReceiver, com.facebook.CurrentAccessTokenExpirationBroadcastReceiver, com.google.android.datatransport.runtime.scheduling.jobscheduling.AlarmManagerSchedulerBroadcastReceiver, com.google.firebase.iid.FirebaseInstanceIdReceiver, com.hevy.NotificationActionReceiver, com.hevy.TimerExpiredReceiver, com.hevy.notifications.HevyFirebaseMessagingReceiver, com.hevy.widgets.calendar.CalendarWidgetReceiver, com.hevy.widgets.calendarstats.CalendarStatsWidgetReceiver, com.hevy.widgets.chart.ChartWidgetReceiver, com.hevy.widgets.dayroutine.DayRoutineWidgetReceiver, com.hevy.widgets.lastroutines.LastRoutinesWidgetReceiver, com.hevy.widgets.lastworkouts.LastWorkoutsWidgetReceiver, com.hevy.widgets.quickaccess.QuickAccessWidgetReceiver, com.hevy.widgets.rest.RestWidgetReceiver, com.hevy.widgets.streak.StreakWidgetReceiver, com.hevy.widgets.weeklystats.WeeklyStatsWidgetReceiver
- Providers: androidx.startup.InitializationProvider, cl.json.RNShareFileProvider, com.ReactNativeBlobUtil.Utils.FileProvider, com.adjust.sdk.SystemLifecycleContentProvider, com.facebook.FacebookContentProvider, com.facebook.internal.FacebookInitProvider, com.google.firebase.provider.FirebaseInitProvider, com.google.mlkit.common.internal.MlKitInitProvider, com.hevy.ShareStoriesFileProvider, com.imagepicker.ImagePickerProvider, com.reactnativecommunity.webview.RNCWebViewFileProvider, io.sentry.android.core.SentryInitProvider, io.sentry.android.core.SentryPerformanceProvider, ly.img.android.IMGLYAutoInit

## SDK / Endpoint

### SDK

- `branch`
- `facebook`
- `firebase`
- `hermes`
- `onesignal`
- `react_native`

### Endpoint candidates

- http://www.apache.org/licenses/

## Warnings

- apktool manifest decode skipped 19 split APK(s)
- binary AndroidManifest.xml decoded with apktool

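## Next steps

- Verify onboarding, paywall, first perceptible value, and crash paths on a real device / emulator.
- Align endpoint candidates with dynamic evidence from HAR / MITM / Frida, to avoid drawing conclusions from static strings alone.
- Compare changes in permissions, SDKs, endpoints, native libs, and resource paths across versions.
- The contacts permission is present; follow-up should focus on verifying the permission rationale, backup, revocation, and confirmation before deletion.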
