sgInnora/alipay-securityguard-analysis
Complete reverse engineering of Alipay SecurityGuard SDK — 9 CVEs (MITRE #2005801), AVMP VM bypass, 396/408 (97%) unprotected JSBridge APIs
Topics: alipay, android-security, cve, mobile-security, payment-security, reverse-engineering, security-research, vulnerability-research
First Claude commit: Mar 16, 2026
Last Claude commit: 2mo ago
Discovered: Mar 18, 2026
Recent Claude Commits
Hash     Age      Attribution     Message
41fa5c6  2mo ago  co_authored_by  fix: 3-round cross-verification corrections
23d92b4  2mo ago  co_authored_by  enhance: fix precision claims + add rebuttal section
5242251  2mo ago  co_authored_by  security: anonymize regulatory case numbers in article
a7e882e  2mo ago  co_authored_by  fix: remove last v1 fabrication from intro + fix conclusion
b580cb7  2mo ago  co_authored_by  fix: corrected WiFi RTT article v3 — zero factual errors verified
bea852a  2mo ago  co_authored_by  LOCAL: 111 findings — token in logcat, WebView JS injection, cookie via JSBridge, DeepLink hardcoded
9a179d9  2mo ago  co_authored_by  LOCAL: 165 findings — null IV, PatchProxy SSL kill-switch, cleartext login token, RSA PKCS1v1.5
7ccd76f  2mo ago  co_authored_by  feat: WiFi RTT indoor tracking analysis — code evidence + article
3c5cc34  2mo ago  co_authored_by  Add Batch-2 CVE form fill script — 3 new CVEs submitted 2026-03-20
aee1547  2mo ago  co_authored_by  LOCAL: 107 findings — payment HTTP endpoints(!), hardcoded IPs, WebView universal access, bio Math.random()
af07ff1  2mo ago  co_authored_by  Add: IACR ePrint publication — "Broken By Design" (2026/526)
a12eea5  2mo ago  co_authored_by  Add: Complete app blacklist — 1,063 apps with Chinese names and categories
7217b72  2mo ago  co_authored_by  Add: UT Mini SDK data pipeline analysis — telemetry endpoints, PII fields, irrefutable code evidence
9224e28  2mo ago  co_authored_by  GitHub publish prep: security audit + README update + fair use headers
b2b1ca8  2mo ago  co_authored_by  CVE-1 critical update sent: 396/408 (97%) JSBridge APIs unprotected
2456a07  2mo ago  co_authored_by  MASSIVE: 396/408 (97%) BridgeExtensions have permit()=null
f838215  2mo ago  co_authored_by  CVE-9 sent: opt-in verification design + insecure config transport (CVSS 8.6)
1f2a7db  2mo ago  co_authored_by  CRITICAL: SchemeNeedVerify is opt-in model, not boolean kill switch
920d68f  2mo ago  co_authored_by  CVE-1 supplement sent: 10 bypass paths in SchemeLauncher
0bad131  2mo ago  co_authored_by  BREAKTHROUGH: allowLaunch() fully decompiled via smali (704 lines)
da966ee  2mo ago  co_authored_by  CORRECTION: v8000/v9000 both built 2026-01-26, pre-disclosure
fa3c46e  2mo ago  co_authored_by  Deep analysis: DexAOP 976 method-level intercepts + FlowCustoms 4th bypass
731e1d4  2mo ago  co_authored_by  P2: libantuser auth (359 funcs, BlueShield crypto, 6 login modes)
79b1244  2mo ago  co_authored_by  GitHub-ready cleanup: remove copyright material, add GPLv3 + new README
63cf49a  2mo ago  co_authored_by  CVE-7/8 sent to MITRE #2005801 via mutt (10-round Opus+Gemini verified)
abc4c82  2mo ago  co_authored_by  Draft CVE-7 (EmptyX509 CWE-295) + CVE-8 (AVMP Replay CWE-294) for MITRE #2005801
b0a96b1  2mo ago  co_authored_by  Strategic plan v1: 4-LLM analysis (Opus+Gemini+Kimi+DeepSeek)
a22a522  2mo ago  co_authored_by  Add Sonnet 4.6 and Gemini 2.5 Pro verification reports
3b6b022  2mo ago  co_authored_by  3-LLM cross-verification: 21/23 TRUE, 2 SUSPECT, 0 FALSE
58ed801  2mo ago  co_authored_by  *** BREAKTHROUGH: AVMP SIGNATURE CAPTURED — 336 bytes via custom C gadget ***
1ae112c  2mo ago  co_authored_by  stnel Python bindings: discovered, configured, Java bridge limitation documented
4ccb86d  2mo ago  co_authored_by  AVMP VM created: doCommand(70201) returns VM ID, 70202 pending JS type fix
61c8770  2mo ago  co_authored_by  DEEP: Encryption working, simulator detection BYPASSED, x-sgext header captured
313f00a  2mo ago  co_authored_by  BREAKTHROUGH: Sign(10401) + Token(22302) commands captured dynamically
257d2d3  2mo ago  co_authored_by  Runtime: 174 SG classes enumerated, IRootDetect + ISimulatorDetect confirmed
89dbb38  2mo ago  co_authored_by  STEALTH HOOK SUCCESS: Router.doCommand hooked, APSE bypassed
31ccb8f  3mo ago  co_authored_by  xriver-core: 5 permission functions decompiled (3128 lines C pseudocode)
56e5a25  3mo ago  co_authored_by  Massive: 581 functions scanned, 55 interesting found, UVM bytecode interpreter identified
571df69  3mo ago  co_authored_by  Native analysis: 20 functions identified, ZIP unpacker found, command dispatch candidates
8d4be1e  3mo ago  co_authored_by  BREAKTHROUGH: String decryption algorithm fully reversed (3 XOR variants)
5d6081a  3mo ago  co_authored_by  Audio recording forensic report: 14 AOP points, 25+ recording files, 3-LLM verified
eade892  3mo ago  co_authored_by  Complete: Behavior monitoring system full teardown (22 events, 6 classes, 3 bypass)
e8ee883  3mo ago  co_authored_by  Native SO decompiled: sgmain 3034 functions, top 20 to C pseudocode (1MB/30K lines)
7a4091a  3mo ago  co_authored_by  Full verification: 19/19 claims verified against source code
ffc0af1  3mo ago  co_authored_by  3-LLM cross-verification: 3/5 CONFIRMED, 2 corrected, 1 hallucination caught
1a8b642  3mo ago  co_authored_by  CRITICAL: sgmain SO code NOT encrypted — full static analysis possible
798c384  3mo ago  co_authored_by  Complete: ALL 129 Java classes analyzed, zero unanalyzed remaining
b68a099  3mo ago  co_authored_by  Complete: SoftCert PKI, device fingerprint 29-item map, anti-tamper mechanisms
0059d50  3mo ago  co_authored_by  Deep analysis: bypass techniques, complete component mapping, behavior monitoring
13b8569  3mo ago  co_authored_by  Initial release: SecurityGuard SDK complete reverse engineering