diff --git a/disclosure-timeline.html b/disclosure-timeline.html
new file mode 100644
index 0000000..749ecb4
--- /dev/null
+++ b/disclosure-timeline.html
@@ -0,0 +1,737 @@
+
+
+
+
+
+
+
+
+
+
+ 内容标识 / Content Notice:
+ 本页面内容基于可核实的客观事实记录,所有时间节点均有文件或公开记录作为来源。部分文本整理使用了 AI 辅助。
+ This page documents verifiable, objective events only. All timestamps are sourced from contemporaneous records or public archives. Text editing assisted by AI.
+
+
+
+
+
+
+
+
+
+
Q1 – Q2 2024
+
启动对 SecurityGuard v2 SDK 的初步分析
+
Initial discovery and analysis of SecurityGuard v2 SDK
+
+ 通过公开渠道获取的支付宝 APK(Android 版本),对内嵌的 SecurityGuard v2 SDK 进行初步静态分析,识别关键组件与架构模式。
+ Began static analysis of SecurityGuard v2 SDK embedded in publicly available Alipay APK builds. Identified key components and architectural patterns.
+ Analysis
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Q3 – Q4 2025
+
深入分析加密实现、原生代码与隐私机制
+
Deep analysis of cryptographic implementations, native code, and privacy mechanisms
+
+ 系统性分析 SDK 的密码学实现、热修复机制(PatchProxy / AVMP)、网络通信层及数据收集行为。研究范围扩展至原生 .so 库与 JNI 层。
+ Systematic analysis of cryptographic implementations, hot-patch mechanisms (PatchProxy / AVMP), network communication layers, and data collection behaviors. Scope extended to native .so libraries and JNI layer.
+ Deep Dive
+
+
+
+
+
+
+
+
+
+
+
+
+
+
Feb 25, 2026
+
通过 AntSRC 向厂商提交漏洞报告
+
Vulnerability report submitted to vendor via AntSRC
+
+ 通过蚂蚁集团官方安全漏洞响应渠道(AntSRC / security@antgroup.com)提交详细技术报告,启动负责任披露流程。
+ Detailed technical report submitted via Ant Group's official security vulnerability response channel (AntSRC / security@antgroup.com), initiating the responsible disclosure process.
+ Vendor Contact
+
+
+
+
+
+
+
Mar 10, 2026
+
厂商回复:认定为"正常功能"
+
Vendor responds: classified as "normal function"
+
+ 蚂蚁集团通过 AntSRC 渠道回复,将报告中涉及的技术行为定性为"正常功能",未提出修复计划。
+ Ant Group replied via AntSRC, classifying the reported technical behaviors as "normal function" with no remediation plan indicated.
+ Vendor Response
+
+
+
+
+
+
+
Mar 12, 2026
+
向 MITRE 提交首批 CVE 报告(Ticket #2005801,9 份 CVE)
+
First MITRE CVE submission — Ticket #2005801, 9 CVE reports
+
+ 鉴于厂商回复不认可,依据 MITRE CVE 提交流程,正式向 MITRE 提交首批 CVE 报告,覆盖密码学、热修复与隐私等多个技术领域。
+ Following the vendor's non-acknowledgment, formally submitted the first batch of CVE reports to MITRE covering cryptography, hot-patch, and privacy domains.
+ CVE Submission
+
+
+
+
+
+
+
Mar 12 – Mar 22, 2026
+
8 篇技术分析文章在微信公众号发布
+
8 technical analysis articles published on WeChat Official Account
+
+ 以中文撰写并发布 8 篇系列技术分析文章("The Nora Chronicles"),涵盖 PatchProxy 机制、加密降级、隐私分析、DeepLink 攻击面等专题。
+ Published 8 technical analysis articles in Chinese ("The Nora Chronicles") covering PatchProxy, encryption downgrade, privacy analysis, DeepLink attack surface, and related topics.
+ Published
+
+
+
+
+
+
+
Mar 17, 2026
+
GitHub 代码库公开发布
+
GitHub repository published
+
+ 正式公开 GitHub 证据仓库,包含技术报告、反编译代码片段(jadx)、脚本及 Docker 验证环境说明。
+ Publicly released GitHub evidence repository containing technical reports, decompiled code excerpts (jadx), scripts, and Docker verification environment documentation.
+ Published
+ github.com/sgInnora/alipay-securityguard-analysis
+
+
+
+
+
+
+
Mar 19, 2026
+
IACR ePrint 论文发布(编号 2026/526)
+
IACR ePrint paper published — 2026/526
+
+ 在国际密码学研究协会(IACR)ePrint 服务器发布预印本研究论文,题目:"Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK"。注:ePrint 为预印本服务,不属于同行评审出版物。
+ Published preprint research paper on the IACR ePrint server: "Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK." Note: ePrint is a preprint service, not a peer-reviewed publication.
+ Academic Record
+ eprint.iacr.org/2026/526
+
+
+
+
+
+
+
Mar 19, 2026
+
Packet Storm Security 收录(编号 #217089)
+
Packet Storm Security publication — #217089
+
+ 安全漏洞信息聚合平台 Packet Storm Security 收录本研究,进一步扩大技术社区的可见度。
+ Research indexed by Packet Storm Security, a widely referenced security advisory aggregation platform.
+ Published
+ packetstormsecurity.com/files/217089
+
+
+
+
+
+
+
Mar 19 – Mar 23, 2026
+
后续 MITRE CVE 提交(Batch 1–4,累计 36 份 CVE,11 个工单)
+
Additional MITRE submissions — Batches 1–4, total 36 CVE reports across 11 tickets
+
+ 在初始提交基础上,分四批次陆续向 MITRE 提交补充 CVE 报告,覆盖认证机制、JSBridge 授权、Wi-Fi 追踪、弱随机数等新发现领域。
+ Submitted four additional batches of CVE reports to MITRE covering authentication mechanisms, JSBridge authorization, Wi-Fi tracking, weak random number generation, and other newly documented areas.
+ 36 CVE Reports
+ 11 Tickets
+
+
+
+
+
+
+
Mar 22, 2026
+
8 篇微信文章因厂商投诉被移除
+
8 WeChat articles removed following vendor complaint
+
+ 微信平台依据蚂蚁集团经代理律师事务所提出的投诉,将前期发布的 8 篇技术分析文章下架。各文章已同步存档于 innora.ai/zfb/ 永久保存。
+ WeChat platform removed the 8 previously published technical analysis articles following a complaint filed by Ant Group through a proxy law firm. All articles are permanently archived at innora.ai/zfb/.
+ Platform Removal
+
+
+
+
+
+
+
Mar 22, 2026
+
创建 Mastodon 账号(infosec.exchange/@Innora)
+
Mastodon account created — infosec.exchange/@Innora
+
+ 在去中心化社交平台 Mastodon 的 infosec.exchange 实例创建账号,建立独立于平台审查的技术社区沟通渠道。
+ Created account on infosec.exchange Mastodon instance to establish a communication channel independent of centralized platform moderation.
+ Platform
+
+
+
+
+
+
+
Mar 23, 2026
+
Zenodo 永久学术存档(DOI: 10.5281/zenodo.19186848)
+
Zenodo permanent academic archive — DOI: 10.5281/zenodo.19186848
+
+ 在欧洲核子研究中心(CERN)运营的 Zenodo 平台完成研究材料的永久学术存档,获得不可删除的 DOI,确保数字内容长期可访问性。
+ Completed permanent academic archival of research materials on Zenodo (operated by CERN), obtaining a non-revocable DOI ensuring long-term digital accessibility.
+ Permanent Archive
+ doi.org/10.5281/zenodo.19186848
+
+
+
+
+
+
+
Mar 23, 2026
+
Docker 验证环境发布(37/37 测试通过)
+
Docker verification environment published — 37/37 tests pass
+
+ 发布完整的 Docker 化验证环境,使第三方研究人员可独立复现全部 37 项技术发现,所有测试 100% 通过。验证脚本与 Dockerfile 均已包含在 GitHub 仓库中。
+ Published complete Dockerized verification environment enabling independent third-party reproduction of all 37 technical findings with 100% test pass rate. Verification scripts and Dockerfile included in GitHub repository.
+ Reproducible
+ 37 / 37 Tests Pass
+
+
+
+
+
+
+
Mar 13 – Mar 25, 2026
+
已向 9+ 国家/地区的监管机构通报
+
Regulatory authorities in 9+ countries/regions briefed
+
+ 依据各机构的管辖范围,向多个国家和地区的监管机构提交技术简报,涵盖金融监管、数据保护、网络安全应急响应等职能类型。
+ Technical briefings submitted to regulatory authorities across multiple jurisdictions based on their respective mandates, covering financial regulation, data protection, and cybersecurity incident response functions.
+ Regulatory
+ 9+ Jurisdictions
+
+
+
+
+
+
+
+
+
关键资源 / Key Resources
+
+
+
+
+
+
+
+
+
+
+
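Review bot: the timeline entries are not in chronological order: the "Mar 13 – Mar 25, 2026" regulatory briefing entry sits after the two "Mar 23, 2026" entries (Zenodo archive, Docker verification environment), and the earlier entries are otherwise date-sorted, so a reader skimming the page will miss that regulator contact began the day after the first MITRE submission. Either move the block to follow the "Mar 12, 2026" CVE entry or split it into a start entry and an end entry so the sort order holds. Two numbering points in the same region also need tightening: the "Mar 12, 2026" entry calls Ticket #2005801 the "First MITRE CVE submission" with 9 reports, while the "Mar 19 – Mar 23, 2026" entry labels the follow-ups "Batches 1–4 ... total 36 CVE reports across 11 tickets", which leaves it unclear whether 36 includes the initial 9 and whether the initial ticket counts as batch 0 or batch 1; state the cumulative total explicitly (e.g. "36 CVE reports in total, including the initial 9") and number the batches consistently. Likewise the Docker entry reports "37/37 tests" for "all 37 technical findings" while the CVE count is 36; if one finding maps to no CVE, say so, otherwise the mismatch reads as an error. Finally, the "关键资源 / Key Resources" heading at the end of the hunk is followed only by empty lines, so the section ships with no links; either populate it (the GitHub, ePrint, Packet Storm, Zenodo and innora.ai/zfb/ URLs already appear in the entries above) or drop the heading until there is content.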