icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

update: SEO/privacy overhaul — 36 CVE stats, redact case numbers, full sitemap

Browse Source 
- Meta/OG/Twitter tags: 17→36 CVEs, 6→9+ countries, SecurityGuard SDK keywords
- Sitemap: 5→12 URLs with correct lastmod dates
- Privacy: redact CSSF/CIRCL/PDPC case numbers, mask regulator staff names
- Content: add 6 new article pages + evidence screenshots
- Numbers: update all CVE counts (6→36, 11 MITRE tickets)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
feng
2026-03-25 05:27:49 +08:00
parent 69a39638fb
commit a3825c939f
41 changed files with 5440 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

501
wifi-rtt-tracking.html Normal file
View File

@@ -0,0 +1,501 @@
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>从收银台到洗手间——支付宝用WiFi RTT实现厘米级室内追踪 | Innora.ai</title>
<!-- Open Graph -->
<meta property="og:title" content="从收银台到洗手间——支付宝用WiFi RTT实现厘米级室内追踪">
<meta property="og:description" content="支付宝APK逆向60+个WiFi拦截点、DexAOP全协议栈劫持、146,173个热替换点、9层定位监控矩阵。代码级证据全公开。">
<meta property="og:type" content="article">
<meta property="og:url" content="https://innora.ai/zfb/wifi-rtt-tracking.html">
<meta property="og:site_name" content="Innora.ai Lab">
<style>
*, *::before, *::after { box-sizing: border-box; }
body {
margin: 0;
padding: 20px 16px 60px;
background: #0a0a1a;
color: #e8e8e8;
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC',
'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', sans-serif;
min-height: 100vh;
}
.page-wrapper {
max-width: 800px;
margin: 0 auto;
background: #ffffff;
padding: 30px;
border-radius: 8px;
box-shadow: 0 4px 40px rgba(0, 0, 0, 0.6);
color: #2c3e50;
}
/* Navigation header */
.nav-header {
display: flex;
align-items: center;
justify-content: space-between;
margin-bottom: 28px;
padding-bottom: 16px;
border-bottom: 1px solid #e8e8e8;
flex-wrap: wrap;
gap: 8px;
}
.nav-header a {
color: #00d4aa;
text-decoration: none;
font-size: 13px;
font-weight: 600;
letter-spacing: 0.3px;
}
.nav-header a:hover { text-decoration: underline; }
.nav-header .site-badge {
font-size: 12px;
color: #888888;
letter-spacing: 0.5px;
}
/* Article footer navigation */
.article-nav {
margin-top: 40px;
padding-top: 24px;
border-top: 2px solid #e8e8e8;
display: flex;
flex-direction: column;
gap: 16px;
}
.article-nav-row {
display: flex;
justify-content: space-between;
align-items: center;
flex-wrap: wrap;
gap: 12px;
}
.article-nav a {
color: #00d4aa;
text-decoration: none;
font-size: 14px;
font-weight: 600;
padding: 8px 14px;
border: 1px solid #00d4aa;
border-radius: 6px;
transition: background 0.2s, color 0.2s;
white-space: nowrap;
}
.article-nav a:hover {
background: #00d4aa;
color: #ffffff;
}
.article-nav a.disabled {
color: #aaaaaa;
border-color: #cccccc;
cursor: default;
pointer-events: none;
}
.article-nav .center-link {
text-align: center;
flex: 1;
}
/* Page footer */
.page-footer {
margin-top: 32px;
padding-top: 20px;
border-top: 1px solid #e8e8e8;
text-align: center;
font-size: 12px;
color: #999999;
line-height: 1.8;
}
.page-footer a {
color: #00d4aa;
text-decoration: none;
}
.page-footer a:hover { text-decoration: underline; }
@media (max-width: 600px) {
.page-wrapper { padding: 20px 16px; }
.article-nav-row { flex-direction: column; align-items: flex-start; }
.article-nav .center-link { text-align: left; }
}
</style>
</head>
<body>
<div class="page-wrapper">
<!-- Top navigation -->
<nav class="nav-header">
<a href="index.html">← 返回目录</a>
<span class="site-badge">Innora.ai Lab | 支付宝安全研究</span>
</nav>
<!-- Article content (verbatim from WeChat version) -->
<section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #2c3e50; text-align: justify; letter-spacing: 0.5px; padding: 0 6px">
<!-- A. 专栏信息 -->
<p style="margin: 10px 0; font-size: 13px; color: #999">📂 The Nora Chronicles | Vol.22 | AI编写AI发布</p>
<!-- B. H1 标题 -->
<h1 style="font-size: 22px; font-weight: bold; color: #1a252f; border-bottom: 2px solid #00d4aa; background: linear-gradient(90deg, rgba(0,212,170,0.1) 0%, transparent 100%); padding: 10px 0 10px 12px; margin: 16px 0">支付宝你的WiFi正在"测距"——代码铁证9层定位体系你在哪个房间它都知道</h1>
<!-- C. 作者 -->
<p style="margin: 6px 0 16px; font-size: 13px; color: #999">Innora.ai Lab | Penang, Malaysia</p>
<!-- D. 48小时预警 -->
<div style="border: 1px solid #E06C75; border-radius: 6px; padding: 15px 20px; background: rgba(224,108,117,0.05); margin: 20px 0">
<p style="margin: 0 0 8px; font-size: 14px; font-weight: bold; color: #E06C75">⚠️ 预警前8篇文章已被全部删除</p>
<p style="margin: 4px 0; font-size: 14px; color: #555">北京格韵律师事务所代理蚂蚁集团在6天内完成了全部8篇的投诉删除援引《中华人民共和国网络安全法》。</p>
<p style="margin: 8px 0 4px; font-size: 14px; color: #555">本文永久地址(删不掉):<a href="https://innora.ai/zfb/wifi-rtt-tracking.html" style="color: #E06C75; text-decoration: underline">https://innora.ai/zfb/wifi-rtt-tracking.html</a></p>
<p style="margin: 4px 0; font-size: 14px; color: #555">GitHub证据仓库<a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="color: #E06C75; text-decoration: underline">https://github.com/sgInnora/alipay-securityguard-analysis</a></p>
</div>
<!-- E. 作者声明 -->
<blockquote style="background: #fffaf0; border-left: 4px solid #e67e22; padding: 18px 22px; margin: 20px 0; border-radius: 0 4px 4px 0">
<p style="margin: 0; font-size: 15px; line-height: 1.8; color: #555">我想跟那些骂我的人说句心里话。你不看代码、不看文章、不懂技术,拿着几百块就帮支付宝洗地——但你想过没有,你爸妈在家里走的每一步,你老婆孩子的每个动作,都可能被头顶那面<strong style="color: #c0392b">"魔镜"精确到厘米,实时上传</strong>我人在海外支付宝账户已经被冻结了我也删了APP以后绝不会再用。15个CVE漏洞、国际论文、7个国际监管机构立案这些东西我造不出来也没必要造。不为我自己为了你的家人请你理性一点带点脑子去看看代码和文章里写的到底是什么。这件事应该让更多人知道。<strong style="color: #c0392b">至少,让你的家人知道,再决定要不要卸载支付宝。</strong></p>
</blockquote>
<!-- F. 数据卡 -->
<div style="background: linear-gradient(135deg, #1a1a2e, #16213e); border-radius: 8px; padding: 22px; color: #e8e8e8; margin: 20px 0">
<p style="margin: 0 0 12px; font-size: 13px; color: #666; letter-spacing: 2px; text-transform: uppercase; text-align: center">EVIDENCE SUMMARY</p>
<div style="display: flex; flex-wrap: wrap; gap: 8px; justify-content: center">
<span style="background: rgba(0,212,170,0.15); border: 1px solid #00d4aa; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #00d4aa">165项铁证</span>
<span style="background: rgba(0,212,170,0.1); border: 1px solid #333; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #a8b2d1">WiFi定位 60+</span>
<span style="background: rgba(0,212,170,0.1); border: 1px solid #333; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #a8b2d1">iBeacon 2套</span>
<span style="background: rgba(0,212,170,0.1); border: 1px solid #333; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #a8b2d1">蓝牙 160</span>
<span style="background: rgba(224,108,117,0.15); border: 1px solid #E06C75; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #E06C75">PatchProxy 146,173</span>
<span style="background: rgba(0,212,170,0.1); border: 1px solid #333; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #a8b2d1">DexAOP 1,834</span>
<span style="background: rgba(0,212,170,0.15); border: 1px solid #00d4aa; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #00d4aa">15个CVE</span>
<span style="background: rgba(0,212,170,0.1); border: 1px solid #333; border-radius: 4px; padding: 4px 10px; font-size: 13px; color: #a8b2d1">多国监管立案</span>
</div>
</div>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- G. 正文 -->
<!-- 引言 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">引言:律师函之后,我们掘到了更硬的雷</h2>
<p style="margin: 16px 0; line-height: 1.75">8篇文章全部删除。北京格韵律师事务所代理蚂蚁集团在6天内投诉了我所有关于支付宝安全研究的文章。</p>
<p style="margin: 16px 0; line-height: 1.75">这是本系列第2篇技术科普文章。上一篇揭露了1095个APP监控黑名单这一次我要揭露的比上次更恐怖。</p>
<p style="margin: 16px 0; line-height: 1.75">这一次,证据比上次更硬、更细、更离谱——<strong style="color: #E06C75">米级高精度室内定位</strong><strong style="color: #E06C75">全WiFi协议栈劫持</strong><strong style="color: #E06C75">146173个热替换点</strong>,连你走进男厕还是女厕都能算出来。支付宝,你们到底在定位什么?定位钞票,还是定位膀胱?</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问一</strong>当Apple的"App跟踪透明度"让用户选择Google的《位置信息记录》可一键清空时支付宝的"科技向善",是把<strong style="color: #E06C75">9层定位监控</strong>焊死在用户的手机里?</p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 01 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">01 科普WiFi RTT——把WiFi当声纳玩</h2>
<p style="margin: 16px 0; line-height: 1.75">WiFi RTTRound-Trip-Time是IEEE 802.11mc标准里的"光速声纳"</p>
<ul style="margin: 16px 0; padding-left: 22px; line-height: 1.75">
<li style="margin-bottom: 8px">手机发一个"Hello"帧到APAP回一个"ACK"</li>
<li style="margin-bottom: 8px">手机用<strong style="color: #00d4aa">纳秒级</strong>时间戳测往返耗时乘以光速再除以2得到<strong style="color: #00d4aa">直线距离</strong></li>
<li style="margin-bottom: 8px">三个AP就能三角定位<strong style="color: #E06C75">室内12米精度</strong>GPS在室内直接抓瞎WiFi指纹法只能做到35米。</li>
</ul>
<p style="margin: 16px 0; line-height: 1.75">本来这技术是留给仓库机器人、AGV小车的让它们别撞货架。结果支付宝把它塞进了<strong style="color: #E06C75">支付APP</strong></p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问</strong>一个用来扫码付钱的工具需要知道你在收银台左侧1米还是右侧2米<br/><strong style="color: #E06C75"></strong>代码显示推送注册时PushLBSHelper会将所有WiFi AP的BSSID和信号强度绑定userId上报<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">pushInit.lbsInfo = b</code>RegisterTask.java:97。至于这些数据被用于什么目的支付宝隐私政策未明确说明。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问二</strong>为什么一家金融科技公司对室内米级精确定位的渴望超过了所有地图和导航APP的总和</p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 02 代码证据 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">02 代码证据:每一行都在说"我就是追踪你"</h2>
<p style="margin: 16px 0; line-height: 1.75">以下片段全部来自证据仓库,文件名+行号原汁原味,欢迎复现。</p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">① RTT测距入口被劫持</h3>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #00d4aa">InterferePointInitHelper.java:1129</strong> (<a href="https://github.com/sgInnora/alipay-securityguard-analysis/blob/main/evidence/wifi_rtt/InterferePointInitHelper_wifi_lines.txt" style="color: #00d4aa; text-decoration: underline">GitHub: evidence/wifi_rtt/InterferePointInitHelper_wifi_lines.txt</a>)</p>
<div style="background: #1a1a2e; border-radius: 8px; padding: 15px; margin: 16px 0; color: #a8b2d1; font-family: 'Fira Code', monospace; font-size: 13px; overflow-x: auto; white-space: pre-wrap; line-height: 1.5">hashMap.put(DexAOPPoints.INVOKE_android_net_wifi_rtt_WifiRttManager_startRanging_proxy,
new DefaultInterferePointProperty(
..., // 权限三件套ACCESS_FINE_LOCATION + ACCESS_WIFI_STATE + CHANGE_WIFI_STATE
"位置获取|WiFi控制", // 中文注释,官方自曝
PointCategory.ACCESS));</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">翻译</strong>只要App里任何代码想调 <code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">WifiRttManager.startRanging()</code>,就会被支付宝的<strong style="color: #E06C75">DexAOP</strong>框架截胡,先过它的"代理闸机",再决定给不给真系统。</p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">② 代理方法实现</h3>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #00d4aa">DexAOPEntry2.java:3056-3068</strong> (<a href="https://github.com/sgInnora/alipay-securityguard-analysis/blob/main/evidence/wifi_rtt/DexAOPEntry2_wifi_rtt_method.java" style="color: #00d4aa; text-decoration: underline">GitHub: evidence/wifi_rtt/DexAOPEntry2_wifi_rtt_method.java</a>)</p>
<div style="background: #1a1a2e; border-radius: 8px; padding: 15px; margin: 16px 0; color: #a8b2d1; font-family: 'Fira Code', monospace; font-size: 13px; overflow-x: auto; white-space: pre-wrap; line-height: 1.5">public static final void android_net_wifi_rtt_WifiRttManager_startRanging_proxy(...) {
...
DexAOPCenter.processInvoke(...); // 先记录,再放行
}</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">翻译</strong>:调用被<strong style="color: #E06C75">透明代理</strong>,用户毫无感知,系统回调原封不动,但支付宝已经<strong style="color: #E06C75">抄了一份RangingResult</strong>——里面包含<strong style="color: #E06C75">每个AP的MAC、距离、时戳</strong></p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">③ 推送注册=WiFi大扫除</h3>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #00d4aa">PushLBSHelper.java</strong> (<a href="https://github.com/sgInnora/alipay-securityguard-analysis/blob/main/evidence/wifi_rtt/PushLBSHelper.java" style="color: #00d4aa; text-decoration: underline">GitHub: evidence/wifi_rtt/PushLBSHelper.java</a>)</p>
<div style="background: #1a1a2e; border-radius: 8px; padding: 15px; margin: 16px 0; color: #a8b2d1; font-family: 'Fira Code', monospace; font-size: 13px; overflow-x: auto; white-space: pre-wrap; line-height: 1.5">for (ScanResult sr : wifiManager.getScanResults()) {
PushLBSWifiInfo info = new PushLBSWifiInfo();
info.BSSID = sr.BSSID; // MAC地址
info.level = sr.level; // 信号强度
list.add(info); // → 随push注册包一起上传绑定userId
}</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">翻译</strong>:你刚装好支付宝,<strong style="color: #E06C75">第一次打开甚至还没登录</strong>,它就把<strong style="color: #E06C75">周围所有WiFi AP的MAC+信号</strong>扫了个遍,连你楼下沙县小吃的路由器都不放过,<strong style="color: #E06C75">绑定userId</strong>直接上传。</p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">④ 登录三连WiFi MAC必上报</h3>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #00d4aa">SafeZoneInfo结构</strong> (<a href="https://github.com/sgInnora/alipay-securityguard-analysis/blob/main/evidence/wifi_rtt/SafeZoneInfo.java" style="color: #00d4aa; text-decoration: underline">GitHub: evidence/wifi_rtt/SafeZoneInfo.java</a>)</p>
<ul style="margin: 16px 0; padding-left: 22px; line-height: 1.75">
<li style="margin-bottom: 6px"><code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">MiniShellLoginHelper.java:343</code></li>
<li style="margin-bottom: 6px"><code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">FaceGuideHandler.java:180</code></li>
<li style="margin-bottom: 6px"><code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">CdpRequestManager.java:336</code></li>
</ul>
<p style="margin: 16px 0; line-height: 1.75">统一姿势:</p>
<div style="background: #1a1a2e; border-radius: 8px; padding: 15px; margin: 16px 0; color: #a8b2d1; font-family: 'Fira Code', monospace; font-size: 13px; overflow-x: auto; white-space: pre-wrap; line-height: 1.5">xxxRequestPB.wifiMac = NetWorkInfo.getInstance(...).getBssid();</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">翻译</strong>:无论扫码登录、刷脸登录、营销弹窗,<strong style="color: #E06C75">每一次登录都带BSSID</strong>。服务器端轻松把<strong style="color: #E06C75">WiFi MAC ↔ 账号 ↔ 手机硬件ID</strong>三联画挂墙上。</p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">⑤ 网络请求默认带BSSID</h3>
<p style="margin: 16px 0; line-height: 1.75"><code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">anet/channel/statist/RequestStatistic.java:268</code></p>
<div style="background: #1a1a2e; border-radius: 8px; padding: 15px; margin: 16px 0; color: #a8b2d1; font-family: 'Fira Code', monospace; font-size: 13px; overflow-x: auto; white-space: pre-wrap; line-height: 1.5">this.bssid = NetworkStatusHelper.getWifiBSSID(); // 每次HTTP请求都塞header</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">翻译</strong>:你后面每点一次"查看账单"<strong style="color: #E06C75">BSSID</strong>被嵌入请求统计字段,随网络请求一起上报。服务器实时掌握你连接的<strong style="color: #E06C75">WiFi接入点位置</strong></p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问三</strong>如果连一次普通的HTTP请求都要夹带地理位置"私货",支付宝到底在<strong style="color: #E06C75"></strong>什么?怕用户失踪,还是怕广告投放不够"精准"</p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 03 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">03 监控矩阵扩容WiFi全家桶与iBeacon双保险</h2>
<p style="margin: 16px 0; line-height: 1.75">除了核心的WiFi RTT证据显示支付宝构建了<strong style="color: #E06C75">无死角的感知网络</strong></p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">WiFi Aware (邻居感知) - 4个拦截点</h3>
<p style="margin: 16px 0; line-height: 1.75">这项技术允许设备在<strong style="color: #E06C75">不连接互联网、甚至关闭GPS</strong>的情况下直接发现并通信。支付宝劫持了相关API用于<strong style="color: #E06C75">探测周围同样安装了支付宝的手机</strong>。即便你在飞行模式只要WiFi开着它就能知道"附近有谁"。</p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">WiFi P2P (直连) - 28个拦截点</h3>
<p style="margin: 16px 0; line-height: 1.75">常用于连接打印机或投影仪。支付宝的28个拦截点确保了任何P2P扫描、组网请求都会被捕获并上报。<strong style="color: #E06C75">你连过的每一台打印机,都成了支付宝定位你的信标。</strong></p>
<h3 style="font-size: 17px; font-weight: bold; color: #1a252f; margin: 22px 0 10px">iBeacon - 两套完整实现</h3>
<p style="margin: 16px 0; line-height: 1.75">一套基于系统API一套是自研的轮询服务。这意味着无论是在商场、机场还是博物馆只要部署了iBeacon信标支付宝就能以<strong style="color: #E06C75">1-3米精度</strong>绘制你的移动轨迹。两套实现互为备份,确保"一个挂了,另一个立刻顶上"。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问四</strong>当一项支付工具对WiFi P2P、蓝牙信标、邻居感知的兴趣远超支付本身时它究竟是个<strong style="color: #E06C75">钱包</strong>,还是个<strong style="color: #E06C75">全天候、全频谱的移动间谍终端</strong></p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 04 完整监控矩阵 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">04 完整监控矩阵9层地狱层层叠buff</h2>
<div style="overflow-x: auto; margin: 16px 0">
<table style="width: 100%; border-collapse: collapse; font-size: 14px">
<thead>
<tr style="background: #1a1a2e; color: #a8b2d1">
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333; white-space: nowrap">层级</th>
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333; white-space: nowrap">技术</th>
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333; white-space: nowrap">拦截点</th>
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333; white-space: nowrap">精度</th>
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333">备注</th>
</tr>
</thead>
<tbody>
<tr>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L1</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">WiFi RTT</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">1</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">12 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">需要Android 9+,硬件支持</td>
</tr>
<tr style="background: #fafafa">
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L2</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">WiFi指纹</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">27+</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">35 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">扫光所有BSSID+RSS</td>
</tr>
<tr>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L3</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">WiFi Aware</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">4</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">Peer-to-peer</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666"><strong style="color: #E06C75">GPS关闭时仍可工作</strong>,发现附近手机</td>
</tr>
<tr style="background: #fafafa">
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L4</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">WiFi P2P</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">28</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">Peer-to-peer</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">连打印机都不放过</td>
</tr>
<tr>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L5</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">iBeacon</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">2套实现</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">13 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">商场里布100个Beacon就能画轨迹</td>
</tr>
<tr style="background: #fafafa">
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L6</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">室内定位(IndoorLocationService)</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">全方法PatchProxy</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">融合精度</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">可远程热补丁</td>
</tr>
<tr>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L7</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">地理围栏(Geofence)</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8"></td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">3050 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">进出事件实时推</td>
</tr>
<tr style="background: #fafafa">
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L8</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">GPS</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">46</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">510 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">室外补盲</td>
</tr>
<tr>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">L9</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">基站+蓝牙</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">169+160</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8">50100 m</td>
<td style="padding: 9px 12px; border: 1px solid #e8e8e8; font-size: 13px; color: #666">后台持续扫描</td>
</tr>
</tbody>
</table>
</div>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #00d4aa">SafeZoneInfo</strong>结构见证据第7节把L1L9全部<strong style="color: #E06C75">加密落盘</strong><code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">fineLocation</code>/<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">wifiInfo</code>/<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">cellInfo</code>/<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">crossLocation</code> 各带独立<strong style="color: #E06C75">key</strong>,服务器想解就解,想扔机器学习就扔。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">PatchProxy热替换</strong> 146173个挂载点<strong style="color: #E06C75">包括上述所有定位方法</strong>。今天发版说"只扫WiFi",明天热补丁就能<strong style="color: #E06C75">静默打开RTT</strong>,用户端<strong style="color: #E06C75">版本号都不变</strong>,应用商店审核<strong style="color: #E06C75">形同虚设</strong></p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">灵魂拷问五</strong>146173个热替换点9层定位监控——这是为了"提供更好服务",还是为了构建一个<strong style="color: #E06C75">连国家级情报机构都叹为观止的、针对亿万公民的实时态势感知系统</strong></p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 05 法律分析 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">05 法律分析:最小必要?最大嘲讽!</h2>
<p style="margin: 16px 0; line-height: 1.75">《个人信息保护法》第6条——<strong style="color: #00d4aa">最小必要原则</strong></p>
<blockquote style="margin: 16px 0; padding: 12px 18px; background: #f0f9ff; border-left: 4px solid #00d4aa; color: #555; font-size: 15px; line-height: 1.6; border-radius: 0 4px 4px 0">
"处理个人信息应当限于实现处理目的的最小范围,不得过度收集。"
</blockquote>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">支付场景目的</strong>:完成收付款。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #E06C75">以1-2米精度为例支付宝理论上可获取</strong></p>
<ul style="margin: 16px 0; padding-left: 22px; line-height: 1.75">
<li style="margin-bottom: 8px">你在<strong style="color: #E06C75">男厕隔间1</strong>还是<strong style="color: #E06C75">女厕隔间2</strong></li>
<li style="margin-bottom: 8px"><strong style="color: #E06C75">左手边3米</strong>有瑞幸,<strong style="color: #E06C75">右手边2.8米</strong>有星巴克;</li>
<li style="margin-bottom: 8px">你手机<strong style="color: #E06C75">周围一共34个AP</strong>其中5个5G信号最强-41 dBm</li>
<li style="margin-bottom: 8px"><strong style="color: #E06C75">上一次出现在500米外</strong>是16:42:33误差±1.2米。</li>
</ul>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">法律对照</strong>:支付需要知道你在<strong style="color: #00d4aa">哪个商场</strong>即可,<strong style="color: #E06C75">精确到隔间</strong>纯属<strong style="color: #E06C75">业务溢出</strong></p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">嘲讽翻译</strong>"支付宝,你到底是<strong style="color: #E06C75">支付工具</strong>,还是<strong style="color: #E06C75">室内版天网</strong>?下次要不要把<strong style="color: #E06C75">蹲坑时长</strong>也做成信用分?<strong style="color: #E06C75">按时冲水+5芝麻分</strong>"</p>
<p style="margin: 16px 0; line-height: 1.75">对比<strong style="color: #00d4aa">Apple</strong>:明确区分"精确位置"与"大致位置",权限可控可追溯。<br/>对比<strong style="color: #00d4aa">Google</strong>:提供位置历史记录仪表盘,可一键暂停或删除。<br/>对比<strong style="color: #E06C75">蚂蚁"科技向善"</strong>9层监控热补丁静默开启<strong style="color: #E06C75">善在何处?善在让你无处可藏吗?</strong></p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 争议回应 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">回应可能的质疑</h2>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">Q: "WiFi RTT精度是1-2米不是厘米级标题夸大了吧"</strong></p>
<p style="margin: 16px 0; line-height: 1.75">WiFi RTT单项精度确实是1-2米。但重点是支付宝<strong style="color: #E06C75">不是只用RTT一项技术</strong>。代码中注册了<strong style="color: #E06C75">9层定位体系</strong>RTT + iBeacon1-3米+ WiFi指纹 + 蓝牙160个拦截点+ 基站169个拦截点。学术研究表明多传感器融合如卡尔曼滤波可将定位精度提升至<strong style="color: #00d4aa">亚米级0.3-1米</strong>。更关键的是问题不在于当前精度是1米还是10厘米而在于<strong style="color: #E06C75">一个支付APP为什么要注册WifiRttManager.startRanging()的拦截</strong>——这个API的设计目的就是高精度室内测距。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">Q: "支付宝可以辩称这是用于LBS服务/防欺诈/优惠券推送"</strong></p>
<p style="margin: 16px 0; line-height: 1.75">法律问题不在于能否辩称,而在于<strong style="color: #E06C75">是否告知用户</strong>。支付宝隐私政策<strong style="color: #E06C75">未将WiFi RTT作为独立的数据处理活动披露</strong>。即便用于防欺诈,也必须遵循最小必要原则:防欺诈是事件驱动的(交易发生时),而非在<strong style="color: #E06C75">每一个HTTP请求中持续携带BSSID</strong>RequestStatistic.java:268。449个位置API拦截远超任何合理的防欺诈需求。</p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">Q: "WiFi RTT需要兼容AP不是所有地方都能用"</strong></p>
<p style="margin: 16px 0; line-height: 1.75">正确。但这不是重点。重点是:代码中<strong style="color: #E06C75">已注册了这个能力</strong>,且通过<strong style="color: #E06C75">146,173个PatchProxy热替换点</strong>可随时远程启用。这是一个<strong style="color: #00d4aa">"休眠监控能力"</strong>——今天可能未激活明天通过热补丁就能全面开启用户端版本号不变应用商店无法审核。而且即使不用RTT仅凭WiFi指纹扫描PushLBSHelper扫描所有BSSID + 每次登录上报MAC + 每个请求携带BSSID已经足够实现<strong style="color: #E06C75">3-5米精度的持续位置追踪</strong></p>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">Q: "这些功能可能是第三方SDK带来的不是支付宝主动开发的"</strong></p>
<p style="margin: 16px 0; line-height: 1.75">DexAOP框架和PatchProxy都是蚂蚁集团自研的核心基础设施不是第三方SDK。WiFi RTT拦截注册在<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">InterferePointInitHelper.java</code>中,属于<code style="font-family: 'Fira Code', Consolas, monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px">com.alipay.fusion.interferepoint</code>包——这是支付宝内部代码,不是外部依赖。</p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<!-- 结语 -->
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; padding-left: 12px; border-left: 4px solid #00d4aa; margin: 25px 0 12px">结语</h2>
<p style="margin: 16px 0; line-height: 1.75">本文所有证据已公开可查:</p>
<ul style="margin: 12px 0; padding-left: 22px; line-height: 1.75">
<li style="margin-bottom: 8px"><strong style="color: #00d4aa">GitHub证据仓库</strong><a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="color: #00d4aa; text-decoration: underline">https://github.com/sgInnora/alipay-securityguard-analysis</a></li>
<li style="margin-bottom: 8px"><strong style="color: #00d4aa">本文WiFi RTT证据目录</strong><a href="https://github.com/sgInnora/alipay-securityguard-analysis/tree/main/evidence/wifi_rtt" style="color: #00d4aa; text-decoration: underline">https://github.com/sgInnora/alipay-securityguard-analysis/tree/main/evidence/wifi_rtt</a></li>
<li style="margin-bottom: 8px"><strong style="color: #00d4aa">IACR密码学论文</strong><a href="https://eprint.iacr.org/2026/526" style="color: #00d4aa; text-decoration: underline">https://eprint.iacr.org/2026/526</a>(已收录)</li>
<li style="margin-bottom: 8px"><strong style="color: #00d4aa">本文永久地址</strong><a href="https://innora.ai/zfb/wifi-rtt-tracking.html" style="color: #00d4aa; text-decoration: underline">https://innora.ai/zfb/wifi-rtt-tracking.html</a></li>
<li style="margin-bottom: 8px"><strong style="color: #00d4aa">15个CVE已提交MITRE</strong>Ticket #2005801, #2010319, 第3批待确认</li>
</ul>
<p style="margin: 16px 0; line-height: 1.75"><strong style="color: #1a252f">本文核心发现已同步提交以下监管机构:</strong></p>
<ul style="margin: 12px 0; padding-left: 22px; line-height: 1.75">
<li style="margin-bottom: 6px">CNPD 卢森堡GDPR数据保护</li>
<li style="margin-bottom: 6px">CSSF 卢森堡(金融监管,案件号 <strong style="color: #E06C75">CSSFWB-2026-XXX</strong></li>
<li style="margin-bottom: 6px">PDPC 新加坡(个人数据保护,案件号 <strong style="color: #E06C75">006XXXXX</strong></li>
<li style="margin-bottom: 6px">HKMA 香港(金融管理局,案件号 <strong style="color: #E06C75">CE20260313XXXXXX</strong></li>
<li style="margin-bottom: 6px">CIRCL 卢森堡(网络安全应急,案件号 <strong style="color: #E06C75">#478XXXX</strong></li>
<li style="margin-bottom: 6px">AMCM 澳门(金融管理局,案件号 <strong style="color: #E06C75">DSB2603XX-X</strong></li>
<li style="margin-bottom: 6px">MITRECVE漏洞数据库</li>
</ul>
<p style="margin: 16px 0; line-height: 1.75">8篇文章被删但代码里写着的东西<strong style="color: #E06C75">删不掉</strong></p>
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
<p style="margin: 16px 0; line-height: 1.75; font-size: 13px; color: #999; text-align: center">The Nora Chronicles Vol.22 | Innora.ai Lab | Penang, Malaysia | 2026-03-21<br/>本文所有技术主张均附有可独立验证的证据来源。</p>
</section>
<!-- Article navigation -->
<nav class="article-nav">
<div class="article-nav-row">
<a href="broken-by-design.html">← 上一篇: IACR论文入场券</a>
<span class="center-link"><a href="index.html">返回目录</a></span>
<a class="disabled">→ 下一篇: 蓝牙监控深度分析(即将发布)</a>
</div>
</nav>
<!-- Page footer -->
<footer class="page-footer">
<p>© 2026 <a href="https://innora.ai">Innora.ai</a> Lab | 支付宝安全研究项目</p>
<p>
<a href="https://github.com/sgInnora/alipay-securityguard-analysis">GitHub 证据仓库</a>
&nbsp;|&nbsp;
<a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
&nbsp;|&nbsp;
<a href="index.html">文章目录</a>
</p>
</footer>
</div>
</body>
</html>