sgInnora/alipay-securityguard-analysis
Complete reverse engineering of Alipay SecurityGuard SDK — 9 CVEs (MITRE #2005801), AVMP VM bypass, 396/408 (97%) unprotected JSBridge APIs
Topics: alipay, android-security, cve, mobile-security, payment-security, reverse-engineering, security-research, vulnerability-research
First Claude commit: Mar 16, 2026
Last Claude commit: 1mo ago
Discovered: Mar 18, 2026
Recent Claude Commits
hash     age      flag            message
41fa5c6  1mo ago  co_authored_by  fix: 3-round cross-verification corrections
23d92b4  1mo ago  co_authored_by  enhance: fix precision claims + add rebuttal section
5242251  1mo ago  co_authored_by  security: anonymize regulatory case numbers in article
a7e882e  1mo ago  co_authored_by  fix: remove last v1 fabrication from intro + fix conclusion
b580cb7  1mo ago  co_authored_by  fix: corrected WiFi RTT article v3 — zero factual errors verified
bea852a  1mo ago  co_authored_by  LOCAL: 111 findings — token in logcat, WebView JS injection, cookie via JSBridge, DeepLink hardcoded
9a179d9  1mo ago  co_authored_by  LOCAL: 165 findings — null IV, PatchProxy SSL kill-switch, cleartext login token, RSA PKCS1v1.5
7ccd76f  1mo ago  co_authored_by  feat: WiFi RTT indoor tracking analysis — code evidence + article
3c5cc34  1mo ago  co_authored_by  Add Batch-2 CVE form fill script — 3 new CVEs submitted 2026-03-20
aee1547  1mo ago  co_authored_by  LOCAL: 107 findings — payment HTTP endpoints(!), hardcoded IPs, WebView universal access, bio Math.random()
af07ff1  1mo ago  co_authored_by  Add: IACR ePrint publication — "Broken By Design" (2026/526)
a12eea5  1mo ago  co_authored_by  Add: Complete app blacklist — 1,063 apps with Chinese names and categories
7217b72  1mo ago  co_authored_by  Add: UT Mini SDK data pipeline analysis — telemetry endpoints, PII fields, irrefutable code evidence
9224e28  1mo ago  co_authored_by  GitHub publish prep: security audit + README update + fair use headers
b2b1ca8  1mo ago  co_authored_by  CVE-1 critical update sent: 396/408 (97%) JSBridge APIs unprotected
2456a07  1mo ago  co_authored_by  MASSIVE: 396/408 (97%) BridgeExtensions have permit()=null
f838215  1mo ago  co_authored_by  CVE-9 sent: opt-in verification design + insecure config transport (CVSS 8.6)
1f2a7db  1mo ago  co_authored_by  CRITICAL: SchemeNeedVerify is opt-in model, not boolean kill switch
920d68f  1mo ago  co_authored_by  CVE-1 supplement sent: 10 bypass paths in SchemeLauncher
0bad131  1mo ago  co_authored_by  BREAKTHROUGH: allowLaunch() fully decompiled via smali (704 lines)
da966ee  1mo ago  co_authored_by  CORRECTION: v8000/v9000 both built 2026-01-26, pre-disclosure
fa3c46e  1mo ago  co_authored_by  Deep analysis: DexAOP 976 method-level intercepts + FlowCustoms 4th bypass
731e1d4  1mo ago  co_authored_by  P2: libantuser auth (359 funcs, BlueShield crypto, 6 login modes)
79b1244  1mo ago  co_authored_by  GitHub-ready cleanup: remove copyright material, add GPLv3 + new README
63cf49a  1mo ago  co_authored_by  CVE-7/8 sent to MITRE #2005801 via mutt (10-round Opus+Gemini verified)
abc4c82  1mo ago  co_authored_by  Draft CVE-7 (EmptyX509 CWE-295) + CVE-8 (AVMP Replay CWE-294) for MITRE #2005801
b0a96b1  1mo ago  co_authored_by  Strategic plan v1: 4-LLM analysis (Opus+Gemini+Kimi+DeepSeek)
a22a522  1mo ago  co_authored_by  Add Sonnet 4.6 and Gemini 2.5 Pro verification reports
3b6b022  1mo ago  co_authored_by  3-LLM cross-verification: 21/23 TRUE, 2 SUSPECT, 0 FALSE
58ed801  1mo ago  co_authored_by  *** BREAKTHROUGH: AVMP SIGNATURE CAPTURED — 336 bytes via custom C gadget ***
1ae112c  1mo ago  co_authored_by  stnel Python bindings: discovered, configured, Java bridge limitation documented
4ccb86d  1mo ago  co_authored_by  AVMP VM created: doCommand(70201) returns VM ID, 70202 pending JS type fix
61c8770  1mo ago  co_authored_by  DEEP: Encryption working, simulator detection BYPASSED, x-sgext header captured
313f00a  1mo ago  co_authored_by  BREAKTHROUGH: Sign(10401) + Token(22302) commands captured dynamically
257d2d3  1mo ago  co_authored_by  Runtime: 174 SG classes enumerated, IRootDetect + ISimulatorDetect confirmed
89dbb38  1mo ago  co_authored_by  STEALTH HOOK SUCCESS: Router.doCommand hooked, APSE bypassed
31ccb8f  1mo ago  co_authored_by  xriver-core: 5 permission functions decompiled (3128 lines C pseudocode)
56e5a25  1mo ago  co_authored_by  Massive: 581 functions scanned, 55 interesting found, UVM bytecode interpreter identified
571df69  1mo ago  co_authored_by  Native analysis: 20 functions identified, ZIP unpacker found, command dispatch candidates
8d4be1e  1mo ago  co_authored_by  BREAKTHROUGH: String decryption algorithm fully reversed (3 XOR variants)
5d6081a  1mo ago  co_authored_by  Audio recording forensic report: 14 AOP points, 25+ recording files, 3-LLM verified
eade892  1mo ago  co_authored_by  Complete: Behavior monitoring system full teardown (22 events, 6 classes, 3 bypass)
e8ee883  1mo ago  co_authored_by  Native SO decompiled: sgmain 3034 functions, top 20 to C pseudocode (1MB/30K lines)
7a4091a  1mo ago  co_authored_by  Full verification: 19/19 claims verified against source code
ffc0af1  1mo ago  co_authored_by  3-LLM cross-verification: 3/5 CONFIRMED, 2 corrected, 1 hallucination caught
1a8b642  1mo ago  co_authored_by  CRITICAL: sgmain SO code NOT encrypted — full static analysis possible
798c384  1mo ago  co_authored_by  Complete: ALL 129 Java classes analyzed, zero unanalyzed remaining
b68a099  1mo ago  co_authored_by  Complete: SoftCert PKI, device fingerprint 29-item map, anti-tamper mechanisms
0059d50  1mo ago  co_authored_by  Deep analysis: bypass techniques, complete component mapping, behavior monitoring
13b8569  1mo ago  co_authored_by  Initial release: SecurityGuard SDK complete reverse engineering