mirror of
https://github.com/sgInnora/alipay-deeplink-research
synced 2026-06-27 05:34:17 +08:00
0f298946f4
Rounds 1-10: Per-page SEO (title/desc/schema optimization) Rounds 11-20: Content quality + cross-linking audit Rounds 21-30: Structural fixes (remove duplicate footers) Rounds 31-40: OG image + Twitter cards on all 7 sub-pages Rounds 41-50: Final verification (81/81 checks passed) Co-Authored-By: Claude <noreply@anthropic.com>
367 lines
34 KiB
HTML
367 lines
34 KiB
HTML
<!DOCTYPE html>
|
||
<html lang="zh-CN">
|
||
<head>
|
||
<meta charset="UTF-8">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
<title>支付宝需要监控你的截屏、蓝牙和通话吗?— Innora AI Security Research</title>
|
||
<meta name="description" content="对支付宝APK 208个API拦截点、22个行为监控和97%无保护接口的完整逆向工程分析">
|
||
<meta property="og:title" content="支付宝需要监控你的截屏、蓝牙和通话吗?">
|
||
<meta property="og:description" content="208个API拦截、22个行为监控、97%内部接口无权限保护 — 代码级证据">
|
||
<meta property="og:url" content="https://innora.ai/zfb/privacy-analysis.html">
|
||
<style>body{margin:0;padding:20px;background:#fff;}</style>
|
||
|
||
<link rel="canonical" href="https://innora.ai/zfb/privacy-analysis.html" />
|
||
|
||
<link rel="alternate" hreflang="zh" href="https://innora.ai/zfb/privacy-analysis.html" />
|
||
<link rel="alternate" hreflang="en" href="https://innora.ai/zfb/privacy-analysis.html" />
|
||
<link rel="alternate" hreflang="x-default" href="https://innora.ai/zfb/privacy-analysis.html" />
|
||
|
||
<script type="application/ld+json">
|
||
{
|
||
"@context": "https://schema.org",
|
||
"@type": "TechArticle",
|
||
"headline": "支付宝需要监控你的截屏、蓝牙和通话吗?— Innora AI Security Research",
|
||
"datePublished": "2026-03-18T00:00:00+08:00",
|
||
"dateModified": "2026-03-25T00:00:00+08:00",
|
||
"author": {
|
||
"@type": "Person",
|
||
"name": "Jiqiang Feng"
|
||
},
|
||
"publisher": {
|
||
"@type": "Organization",
|
||
"name": "Innora AI Security Research",
|
||
"url": "https://innora.ai"
|
||
},
|
||
"description": "Alipay privacy analysis: 208 API interception categories, 22 hidden monitoring events, 29-point device fingerprinting. Full reverse engineering of surveillance capabilities.",
|
||
"mainEntityOfPage": {
|
||
"@type": "WebPage",
|
||
"@id": "https://innora.ai/zfb/privacy-analysis.html"
|
||
}
|
||
}
|
||
</script>
|
||
<meta property="og:image" content="https://innora.ai/zfb/og-image.png">
|
||
<meta property="og:image:width" content="1200">
|
||
<meta property="og:image:height" content="630">
|
||
<meta name="twitter:card" content="summary_large_image">
|
||
<meta name="twitter:image" content="https://innora.ai/zfb/og-image.png">
|
||
</head>
|
||
<body style="padding-top:76px;">
|
||
<!-- Innora Global Nav — bilingual -->
|
||
<style>
|
||
.innora-nav-wrap{position:fixed;top:0;left:0;width:100%;z-index:9999;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans SC",sans-serif}
|
||
.innora-nav{display:flex;justify-content:space-between;align-items:center;padding:0 20px;height:46px;background:rgba(18,18,26,.92);backdrop-filter:blur(10px);-webkit-backdrop-filter:blur(10px);border-bottom:1px solid rgba(255,255,255,.08)}
|
||
.innora-nav a.brand{color:#e0e0e8;text-decoration:none;font-weight:600;font-size:.95rem}
|
||
.innora-nav-links{display:flex;list-style:none;margin:0;padding:0;gap:12px;flex-wrap:wrap}
|
||
.innora-nav-links a{color:#9898a8;text-decoration:none;font-size:.8rem;transition:color .2s}
|
||
.innora-nav-links a:hover,.innora-nav-links a.active{color:#4488ff}
|
||
.innora-badge{display:flex;justify-content:center;align-items:center;gap:8px;height:26px;background:#000;font-size:.7rem;font-family:'SF Mono','Fira Code',monospace;border-bottom:1px solid rgba(255,255,255,.06)}
|
||
.innora-badge a{color:#44cc88;text-decoration:none}.innora-badge a:hover{text-decoration:underline}
|
||
.innora-badge span{color:#666}
|
||
.innora-hmb{display:none;cursor:pointer;background:none;border:none;padding:4px}
|
||
.innora-hmb i{display:block;width:20px;height:2px;margin:4px 0;background:#e0e0e8;transition:.3s}
|
||
@media(max-width:900px){
|
||
.innora-nav-links{display:none;position:absolute;top:46px;left:0;width:100%;flex-direction:column;background:rgba(18,18,26,.97);padding:8px 0;gap:0}
|
||
.innora-nav-links.open{display:flex}
|
||
.innora-nav-links li{text-align:center;padding:8px}
|
||
.innora-hmb{display:block}
|
||
}
|
||
</style>
|
||
<header class="innora-nav-wrap">
|
||
<nav class="innora-nav">
|
||
<a class="brand" href="/zfb/"><span class="zh">Innora AI — 支付宝安全研究</span><span class="en">Innora AI — Alipay Research</span></a>
|
||
<ul class="innora-nav-links" id="inav">
|
||
<li><a href="/zfb/"><span class="zh">首页</span><span class="en">Main</span></a></li>
|
||
<li><a href="/zfb/article_censorship.html"><span class="zh">审查记录</span><span class="en">Censorship</span></a></li>
|
||
<li><a href="/zfb/patchproxy-146k.html"><span class="zh">热修复146K</span><span class="en">PatchProxy</span></a></li>
|
||
<li><a href="/zfb/wifi-rtt-tracking.html"><span class="zh">WiFi定位追踪</span><span class="en">WiFi RTT</span></a></li>
|
||
<li><a href="/zfb/transport-encryption.html"><span class="zh">传输加密</span><span class="en">Encryption</span></a></li>
|
||
<li><a href="/zfb/privacy-analysis.html"><span class="zh">隐私分析</span><span class="en">Privacy</span></a></li>
|
||
<li><a href="/zfb/regulatory-complaint.html"><span class="zh">监管投诉</span><span class="en">Regulatory</span></a></li>
|
||
<li><a href="/zfb/rebuttal.html"><span class="zh">法律回应</span><span class="en">Rebuttal</span></a></li>
|
||
</ul>
|
||
<button class="innora-hmb" onclick="document.getElementById('inav').classList.toggle('open')"><i></i><i></i><i></i></button>
|
||
</nav>
|
||
<div class="innora-badge">
|
||
<span><span class="zh">验证:</span><span class="en">Verify:</span></span>
|
||
<a href="https://github.com/sgInnora/alipay-securityguard-analysis">Docker 37/37</a>
|
||
<span>|</span>
|
||
<a href="https://zenodo.org/records/19186848">Zenodo DOI</a>
|
||
<span>|</span>
|
||
<a href="https://eprint.iacr.org/2026/526">IACR 2026/526</a>
|
||
<span>|</span>
|
||
<a href="https://packetstormsecurity.com/files/217089/">Packet Storm</a>
|
||
</div>
|
||
</header>
|
||
<!-- /Innora Global Nav -->
|
||
<div style="text-align:center;padding:4px 0;background:rgba(10,10,15,.95);font-size:.7rem;color:#666;border-bottom:1px solid rgba(255,255,255,.04)"><span class="zh">最后更新: 2026-03-25</span><span class="en">Last updated: 2026-03-25</span></div>
|
||
|
||
|
||
|
||
<!-- Alipay Privacy Analysis | WeChat Public | 2026-03-17 --><section style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', 'PingFang SC', 'Hiragino Sans GB', 'Microsoft YaHei', 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 15px; line-height: 1.75; color: #2c3e50; text-align: justify; letter-spacing: 0.5px; padding: 0 6px"><h1 style="font-size: 22px; font-weight: bold; color: #1a252f; margin: 30px 0 15px; border-bottom: 2px solid #00d4aa; padding-bottom: 10px; line-height: 1.4; background: linear-gradient(90deg, rgba(0,212,170,0.1) 0%, transparent 100%); padding: 10px 0 10px 12px">支付宝需要监控你的截屏、蓝牙和通话吗?一次完整的逆向工程分析</h1>
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">对支付宝APK (v10.8.30) 208个API拦截点、22个行为监控和97%无保护接口的代码级分析</h2>
|
||
|
||
<blockquote style="margin: 20px 0; padding: 15px 20px; background: #f0f9ff; border-left: 4px solid #00d4aa; color: #666666; font-size: 15px; line-height: 1.6; border-radius: 0 4px 4px 0">
|
||
<p style="margin: 10px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">声明</strong>:本文基于对公开APK文件的静态反编译分析(工具:jadx、radare2、Ghidra),所有结论均有代码路径引用,可独立验证。研究已提交国际CVE数据库(9个漏洞,编号待分配),并被Packet Storm Security收录(Advisory #217089)。</p>
|
||
</blockquote>
|
||
|
||
<p style="margin: 20px 0; line-height: 1.75; text-indent: 0; font-size: 15px; font-weight: bold; color: #E06C75; border: 1px solid #E06C75; border-radius: 6px; padding: 15px 20px; background: rgba(224,108,117,0.05)">本文永久地址:https://innora.ai/zfb/privacy-analysis.html<br/>如果本文在任何平台被删除,请访问上述地址阅读完整版。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">当你打开支付宝扫码付款时,你可能不会想到:在你看不到的地方,支付宝正在监控你的截屏行为、剪贴板内容、蓝牙连接、通话状态,甚至你每一次切换页面的精确时间戳。</p>
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">这不是猜测。这是对支付宝APK文件进行完整逆向工程后,<strong style="font-weight: bold; color: #E06C75">从代码中直接提取的事实</strong>。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">依据《个人信息保护法》第六条:"处理个人信息应当具有明确、合理的目的,并应当与处理目的直接相关,采取对个人权益影响最小的方式。"我们以此为分析框架,逐项审视支付宝的数据采集行为。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">01 208个API拦截点:你的手机被"透视"了</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">支付宝内部存在一个名为<strong style="font-weight: bold; color: #00d4aa">DexAOP</strong>的字节码级拦截框架(代码路径:<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">com.alipay.dexaop</code>,1606个Java文件)。它在编译阶段将拦截代码注入到Android系统API调用链中——<strong style="font-weight: bold; color: #E06C75">976个代理类 + 180个回调桩 = 覆盖208个API类别</strong>。</p>
|
||
|
||
<div style="background: #f7f9fc; border-radius: 8px; padding: 20px; margin: 25px 0; border: 1px solid #e8e8e8">
|
||
<p style="margin: 8px 0; line-height: 1.8; text-indent: 0; font-weight: bold; color: #1a252f; font-size: 16px">DexAOP 拦截清单</p>
|
||
<table style="width: 100%; border-collapse: collapse; margin: 12px 0; font-size: 14px">
|
||
<thead>
|
||
<tr style="background: #1a1a2e; color: #a8b2d1">
|
||
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333">类别</th>
|
||
<th style="padding: 10px 12px; text-align: center; border: 1px solid #333">API数</th>
|
||
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333">你可能不知道的事</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">蓝牙</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">17</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">知道你连了什么蓝牙设备、什么时候连的</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">电话</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">17</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">通话状态、SIM卡信息、IMEI</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">通讯录</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">12</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">可读取你的完整通讯录</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">录音</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">9</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">拦截所有麦克风访问的完整链路</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">摄像头</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">5</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">Camera + Camera2 全部API + 预览帧</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="color: #E06C75">剪贴板</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">4</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">你复制的每一段文字</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">网络/WiFi/GPS/NFC等</td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">144</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">覆盖网络、存储、传感器、加密等</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"><strong style="font-weight: bold; color: #00d4aa">合计</strong></td>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8; font-weight: bold; color: #E06C75">208</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8"></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">一个支付APP为什么要拦截<strong style="font-weight: bold; color: #E06C75">摄像头预览帧</strong>?扫码只需要最终识别结果。为什么要拦截<strong style="font-weight: bold; color: #E06C75">铃声管理器</strong>?为什么要监控Java层所有的<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">Cipher</code>、<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">Signature</code>和<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">MAC</code>加密操作?</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">02 22个行为监控事件:3秒启动,10条一批上报</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">代码中还有一个独立的<strong style="font-weight: bold; color: #00d4aa">行为监控系统</strong>(路径:<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">com.taobao.wireless.security.adapter.datacollection</code>),APP启动后<strong style="font-weight: bold; color: #E06C75">3秒延迟激活</strong>,每积攒10条事件批量上报服务器。</p>
|
||
|
||
<div style="background: #f7f9fc; border-radius: 8px; padding: 20px; margin: 25px 0; border: 1px solid #e8e8e8">
|
||
<p style="margin: 8px 0; line-height: 1.8; text-indent: 0; font-weight: bold; color: #1a252f; font-size: 16px">22个监控事件</p>
|
||
<table style="width: 100%; border-collapse: collapse; margin: 12px 0; font-size: 14px">
|
||
<thead>
|
||
<tr style="background: #1a1a2e; color: #a8b2d1">
|
||
<th style="padding: 10px 12px; text-align: center; border: 1px solid #333">编号</th>
|
||
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333">监控内容</th>
|
||
<th style="padding: 10px 12px; text-align: left; border: 1px solid #333">意味着什么</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">0-1</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">屏幕亮/灭</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">知道你什么时候看手机</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">2-3</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">APP前/后台切换</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">知道你什么时候离开支付宝</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">6</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">截屏检测</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75">知道你截了支付页面的屏</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">7</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">录屏检测</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75">知道你是否在录屏</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">8-10</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">蓝牙开关/连接/断开</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">追踪你的蓝牙外设</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">11</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">通话状态</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75">知道你什么时候接/打电话</td>
|
||
</tr>
|
||
<tr>
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">13</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75; font-weight: bold">剪贴板变化</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8; color: #E06C75">你复制的内容被记录</td>
|
||
</tr>
|
||
<tr style="background: #f0f0f0">
|
||
<td style="padding: 10px 12px; text-align: center; border: 1px solid #e8e8e8">15-21</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">Activity生命周期 x7</td>
|
||
<td style="padding: 10px 12px; border: 1px solid #e8e8e8">精确到每个页面的创建/暂停/销毁</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">代码中还存在一个<strong style="font-weight: bold; color: #E06C75">远程开关</strong>(OrangeConfig,key: <code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">132</code>)。默认值<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">"0"</code>,但服务器可以随时设为<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">"1"</code>来激活全部22个监控——<strong style="font-weight: bold; color: #E06C75">即使当前没开,服务器一个指令就能全部打开</strong>。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">当你截屏保存一个转账记录——也许是为了留证据——支付宝会立即知道。问一个直接的问题:<strong style="font-weight: bold; color: #00d4aa">监控用户的截屏行为,合理的业务场景是什么?</strong></p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">03 29项设备指纹:卸载重装也逃不掉</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">代码中的<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">DeviceInfoCapturerFull</code>类包含29项<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">switch</code>语句,收集:IMEI、OAID、WiFi MAC地址、MediaDrm ID、SIM序列号、音频路由、屏幕分辨率、已安装应用签名……这29项数据组合生成一个叫<strong style="font-weight: bold; color: #E06C75">UMID</strong>的跨安装持久化设备ID。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">"跨安装持久化"意味着:<strong style="font-weight: bold; color: #E06C75">你卸载支付宝重装,它依然能识别出这是同一部手机</strong>。该ID存储在系统KeyStore中,不会被常规清理删除。数据定期上传服务器。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">《个人信息保护法》第六条要求"最小必要"。<strong style="font-weight: bold; color: #00d4aa">29项设备信息 + 跨安装追踪 + 定期上传 = "最小必要"吗?</strong></p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">04 97%的内部接口没有权限保护</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">这可能是最令人震惊的发现。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">支付宝使用Ariver框架管理408个JSBridge接口——小程序和H5页面通过这些接口调用原生功能。我们扫描了全部<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">BridgeExtension</code>类的<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">permit()</code>方法:</p>
|
||
|
||
<div style="background: #282c34; border-radius: 6px;"><pre style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 13px; background: #282c34; color: #abb2bf; padding: 16px; border-radius: 6px; overflow-x: auto; white-space: pre-wrap; word-wrap: break-word; line-height: 1.6; margin: 20px 0"><code><span style="color: #98C379">有权限检查的接口: 12个 (2.9%)</span>
|
||
<span style="color: #E06C75">没有权限检查的接口: 396个 (97.1%)</span>
|
||
|
||
<span style="color: #7F848E">// DefaultAccessController.java:132</span>
|
||
<span style="color: #E5C07B">if</span> (guard2 != <span style="color: #D19A66">null</span> && guard2.<span style="color: #56B6C2">permit()</span> != <span style="color: #D19A66">null</span>) {
|
||
z = <span style="color: #E5C07B">this</span>.asyncInterceptJsapi(guard2.<span style="color: #56B6C2">permit()</span>, accessor);
|
||
}
|
||
<span style="color: #7F848E">// permit()返回null → 跳过ALL权限检查</span></code></pre></div>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">无保护的高危接口包括:<strong style="font-weight: bold; color: #E06C75">6个支付类</strong>(含数字人民币钱包DCEPWalletBridgeExtension)、<strong style="font-weight: bold; color: #E06C75">5个认证类</strong>、<strong style="font-weight: bold; color: #E06C75">3个NFC类</strong>、<strong style="font-weight: bold; color: #E06C75">6个文件操作类</strong>、<strong style="font-weight: bold; color: #E06C75">6个硬件类</strong>(摄像头、剪贴板、拨打电话)。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">396个无保护接口意味着:<strong style="font-weight: bold; color: #E06C75">一旦攻击者找到入口,几乎可以调用支付宝的任何功能——包括支付、定位和通讯录</strong>。而入口确实存在(详见我们提交的9个CVE漏洞)。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">05 服务器可以远程修改你手机上的代码</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">每个安全关键方法中都有一个<code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 14px; background: #e8f5e9; color: #2e7d32; padding: 2px 6px; border-radius: 4px; margin: 0 2px">ChangeQuickRedirect</code>字段——<strong style="font-weight: bold; color: #00d4aa">PatchProxy</strong>热修复框架。它允许蚂蚁集团的服务器在<strong style="font-weight: bold; color: #E06C75">不经过应用商店审核、不需要用户同意</strong>的情况下,远程修改支付宝在你手机上的运行行为。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">被覆盖的方法包括:TLS证书验证(可远程关闭HTTPS安全检查)、权限检查、签名验证、支付校验。通俗理解:<strong style="font-weight: bold; color: #E06C75">你手机上支付宝的代码不是固定的——蚂蚁集团的服务器随时可以改</strong>。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">06 "说什么就推荐什么"的技术解释</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">很多用户反映:和朋友聊天提到某商品,打开淘宝就看到推荐。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">我们的结论:有能力,但没有发现后台偷录证据。</strong></p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">代码中存在完整录音基础设施(25+个文件、4种编码器、14个麦克风拦截点),但我们<strong style="font-weight: bold">没有找到后台静默录音的触发机制</strong>——没有隐藏的后台Service,没有独立的音频上传通道。这一结论经过了3个独立LLM的交叉验证。</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">更合理的技术解释:<strong style="font-weight: bold; color: #00d4aa">同一WiFi路由器</strong>→ 路由器MAC被共享 → 家庭级画像(家人搜了你也看到);<strong style="font-weight: bold; color: #00d4aa">跨APP设备指纹</strong>→ UMID/OAID在阿里系APP间共享;以及<strong style="font-weight: bold; color: #00d4aa">确认偏差</strong>——你只记住了"准"的那几次。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">07 厂商回应与后续</h2>
|
||
|
||
<blockquote style="margin: 20px 0; padding: 15px 20px; background: #1a1a2e; border-left: 4px solid #E06C75; color: #a8b2d1; font-size: 15px; line-height: 1.6; border-radius: 0 4px 4px 0">
|
||
<p style="margin: 10px 0; line-height: 1.75; text-indent: 0"><strong style="color: #E06C75">厂商回复原文</strong>:上述功能均属"<strong style="color: #E06C75">正常功能</strong>"。</p>
|
||
</blockquote>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">时间线:</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-07 — 向蚂蚁集团报告17个安全漏洞</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-10 — 蚂蚁集团回复"正常功能"</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-11 — 公开披露。<strong style="color: #E06C75">4小时后</strong>,北京格韵律师事务所发出删除投诉</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-15 — 微信公众号4篇文章<strong style="color: #E06C75">全部被删除</strong>,无任何事前通知</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-15 — 服务器端开始拦截PoC验证请求</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0">2026-03-17 — 9个漏洞提交国际CVE数据库,38个国家和地区机构已回应</p>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0">研究成果已被<strong style="font-weight: bold; color: #00d4aa">Packet Storm Security</strong>收录(Advisory #217089)。香港金管局、卢森堡CSSF、新加坡PDPC、英国FCA等机构已确认收到并启动处理。</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<h2 style="font-size: 20px; font-weight: bold; color: #1a252f; margin: 25px 0 12px; padding-left: 12px; border-left: 4px solid #00d4aa; line-height: 1.4">我们的问题</h2>
|
||
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">1. 必要性</strong>:208个API拦截、22个行为监控、29项设备指纹——这些都符合"最小必要"原则吗?</p>
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">2. 知情权</strong>:隐私政策中是否逐项列明了截屏监控、剪贴板监控、通话状态监控?</p>
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">3. 安全性</strong>:97%的内部接口没有权限保护,这符合安全开发最佳实践吗?</p>
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">4. 远程控制</strong>:服务器可以远程修改安全验证逻辑——用户是否应有知情权?</p>
|
||
<p style="margin: 16px 0; line-height: 1.75; text-indent: 0"><strong style="font-weight: bold; color: #00d4aa">5. 全生态</strong>:这个安全SDK被阿里系多款APP共享——10亿+用户是否意识到这一点?</p>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<blockquote style="margin: 20px 0; padding: 15px 20px; background: #f0f9ff; border-left: 4px solid #00d4aa; color: #666666; font-size: 14px; line-height: 1.6; border-radius: 0 4px 4px 0">
|
||
<p style="margin: 8px 0; line-height: 1.75; text-indent: 0"><strong style="color: #00d4aa">如何自行验证</strong>:下载APK (APKPure, v10.8.30.8000) → <code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 13px; background: #e8f5e9; color: #2e7d32; padding: 2px 4px; border-radius: 3px">jadx -d output Alipay.apk</code> → 搜索 <code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 13px; background: #e8f5e9; color: #2e7d32; padding: 2px 4px; border-radius: 3px">com.alipay.dexaop</code> 和 <code style="font-family: 'Fira Code', Consolas, Monaco, 'Courier New', monospace; font-size: 13px; background: #e8f5e9; color: #2e7d32; padding: 2px 4px; border-radius: 3px">permit()</code></p>
|
||
</blockquote>
|
||
|
||
<hr style="border: none; border-top: 1px solid #e8e8e8; margin: 30px 0"/>
|
||
|
||
<div style="background: #f7f9fc; border-radius: 8px; padding: 20px; margin: 30px 0; border: 1px solid #e8e8e8">
|
||
<p style="margin: 8px 0; font-weight: bold; color: #1a252f; font-size: 16px">关于作者</p>
|
||
<p style="margin: 8px 0; line-height: 1.75"><strong style="font-weight: bold">Jiqiang Feng</strong></p>
|
||
<p style="margin: 8px 0; line-height: 1.75"><strong style="font-weight: bold; color: #00d4aa">Innora AI Security Research</strong></p>
|
||
<p style="margin: 8px 0; line-height: 1.75">联系:feng@innora.ai</p>
|
||
<p style="margin: 8px 0; line-height: 1.75">完整报告:<a style="color: #1890ff">https://innora.ai/zfb/</a></p>
|
||
<p style="margin: 8px 0; line-height: 1.75">代码与工具:<a style="color: #1890ff">https://github.com/sgInnora/alipay-securityguard-analysis</a></p>
|
||
</div>
|
||
|
||
<div style="background: linear-gradient(135deg, #f0fff9, #e6fff7); border-radius: 8px; padding: 20px; margin: 30px 0; border: 1px solid #91d5c8">
|
||
<p style="margin: 8px 0; font-weight: bold; color: #1a252f; font-size: 16px">如果你在意自己的数据权利</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; color: #2c3e50">请将本文转发给关心数字安全的朋友。</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; color: #2c3e50">进入手机 <strong style="color: #00d4aa">设置 → 隐私 → 应用权限</strong>,检查并撤销非必要权限。</p>
|
||
<p style="margin: 8px 0; line-height: 1.75; color: #2c3e50">关注公众号 <strong style="color: #00d4aa">AI-security-innora</strong>,获取后续研究进展。</p>
|
||
</div>
|
||
|
||
<section style="font-size: 14px; color: #888888; border-top: 1px solid #e8e8e8; padding-top: 15px; margin-top: 40px">
|
||
<p style="margin: 6px 0; font-size: 13px; color: #999">本文基于v10.8.30.8000版本静态分析。厂商可能已通过服务器端热修复修改了部分行为,但客户端代码中的架构和能力仍然存在。</p>
|
||
<p style="margin: 10px 0; font-size: 13px; color: #666; font-weight: bold">本文永久地址:https://innora.ai/zfb/privacy-analysis.html</p>
|
||
<p style="margin: 6px 0; font-size: 13px; color: #666">如果本文在任何平台被删除,请访问上述地址。这也是为什么我们需要一个不受单一平台审查的互联网。</p>
|
||
</section>
|
||
|
||
</section>
|
||
<footer style="text-align:center;padding:20px 16px;margin-top:40px;border-top:1px solid rgba(255,255,255,.08);color:#666;font-size:.85rem;background:rgba(10,10,15,.95)">
|
||
<p style="margin:4px 0"><span class="zh">© 2026 Innora AI 安全研究</span><span class="en">© 2026 Innora AI Security Research</span></p>
|
||
<p style="margin:4px 0;font-size:.75rem">
|
||
<a href="/zfb/" style="color:#4488ff"><span class="zh">首页</span><span class="en">Home</span></a> ·
|
||
<a href="https://github.com/sgInnora/alipay-securityguard-analysis" style="color:#4488ff">GitHub</a> ·
|
||
<a href="https://zenodo.org/records/19186848" style="color:#4488ff">Zenodo</a> ·
|
||
<a href="https://eprint.iacr.org/2026/526" style="color:#4488ff">IACR</a> ·
|
||
<a href="https://packetstormsecurity.com/files/217089/" style="color:#4488ff">Packet Storm</a>
|
||
</p>
|
||
</footer>
|
||
<script>document.addEventListener('DOMContentLoaded',function(){var p=location.pathname;document.querySelectorAll('.innora-nav-links a').forEach(function(a){if(p.endsWith(a.getAttribute('href').replace('/zfb/',''))||((p.endsWith('/zfb/')||p.endsWith('/zfb'))&&a.getAttribute('href')=='/zfb/'))a.style.color='#4488ff';a.style.fontWeight='bold'});var b=document.getElementById('btt');if(b)window.addEventListener('scroll',function(){b.style.display=window.scrollY>400?'block':'none'})});</script>
|
||
<a id="btt" href="#" style="position:fixed;bottom:20px;right:20px;display:none;width:36px;height:36px;background:rgba(68,136,255,.85);color:#fff;text-align:center;line-height:36px;font-size:20px;border-radius:50%;text-decoration:none;z-index:9998" title="Top">↑</a>
|
||
</body></html>
|