icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
61b85c22efd57a7ccaed92c887afe6cec3eb564e
alipay-deeplink-research/evidence/server_side_blocking_evidence.md
feng a3825c939f update: SEO/privacy overhaul — 36 CVE stats, redact case numbers, full sitemap 
- Meta/OG/Twitter tags: 17→36 CVEs, 6→9+ countries, SecurityGuard SDK keywords
- Sitemap: 5→12 URLs with correct lastmod dates
- Privacy: redact CSSF/CIRCL/PDPC case numbers, mask regulator staff names
- Content: add 6 new article pages + evidence screenshots
- Numbers: update all CVE counts (6→36, 11 MITRE tickets)

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:28:06 +08:00

14 KiB
Raw Blame History

Server-Side Real-Time Blocking Evidence

Evidence that Alipay employs server-controlled, hot-updatable security mechanisms to dynamically block PoC payloads — proving the vulnerability was real and countermeasures were deployed post-CVE-report.

APK: com.eg.android.AlipayGphone v10.8.30.8000 Analysis: jadx decompiled source code Date: 2026-03-16 MITRE Ticket: #2005801

1. Server-Side RPC Permission Checking

1.1 NewJsAPIPermissionExtension.java

File: com/alipay/mobile/nebulax/integration/mpaas/extensions/NewJsAPIPermissionExtension.java

When a WebView page attempts to call any JSAPI (e.g., tradePay, getLocation, setTitle), the permission system sends the loaded URL to Alipay's server for real-time verification:

// Line 337: Server selects which RPC endpoint to use
String str = (z2 && newJsAPIPermissionExtension.f190512f)
    ? "alipay.hfiveappconfig.appContainerHighLevelCheck"   // High-security APIs
    : "alipay.mappconfig.appContainerCheck";                // Standard APIs

// Line 340: RPC call sends URL + context to server
newJsAPIPermissionExtension.f190508a.sendSimpleRpc(
    str,                                    // RPC method name
    this.f190525d.toJSONString(),           // Request payload (URL, appId, etc.)
    "", true, new JSONObject(), null, false, null,
    new H5SimpleRpcListener(...) { ... }    // Callback processes server response
);

1.2 Server Response Processing via FlowCustoms

File: NewJsAPIPermissionExtension.java line 412

// Server response is processed through FlowCustoms (流量安检) system
newJsAPIPermissionExtension2.b.handleRPCResponse(
    page, str4, str3,
    new FlowCustomsRpcHandleCallback(loadResultFuture, page) {
        // Multiple @Override methods handle: allow, block, alert, redirect
    }
);

Key implication: The server can return allow, block, or alert for ANY URL + JSAPI combination. This means Alipay can add blocking rules for specific URLs (like innora.ai/zfb/poc/*) without updating the APK.

1.3 NewRedirectUrlPermissionExtension.java

File: com/alipay/mobile/nebulax/integration/mpaas/extensions/NewRedirectUrlPermissionExtension.java

The same server-side RPC check applies to URL redirects:

// Line 261: Same RPC pattern for redirect URL checking
String str = (z && newRedirectUrlPermissionExtension.f190545f)
    ? "alipay.hfiveappconfig.appContainerHighLevelCheck"
    : "alipay.mappconfig.appContainerCheck";

// Line 263: Sends redirect URL to server for approval
newRedirectUrlPermissionExtension.f190541a.sendSimpleRpc(str, ...);

2. FlowCustoms (流量安检) URL Verification

2.1 OuterSchemeVerify.java

File: com/alipay/mobile/flowcustoms/jumpin/OuterSchemeVerify.java

External scheme URLs (like alipays://) are verified through a multi-layer system:

import com.alipay.mobile.flowcustoms.engine.rule.FCRuleController;    // Rule engine
import com.alipay.mobile.flowcustoms.rpc.util.FCRpcUtil;              // Server RPC
import com.alipay.mobile.flowcustoms.startapp.BlackProductSafeGuardUtil; // Blacklist

public class OuterSchemeVerify {
    private FCRuleController ruleController;  // Server-synced rules
    // ...
    // Sends bundle_id + target_appid to server for verification
    hashMap.put("bundle_id", OuterSchemeVerify.access$100(this.this$0));
    hashMap.put("target_appid", OuterSchemeVerify.access$200(this.this$0));
}

Architecture: FCRuleController downloads rule sets from Alipay's server. FCRpcUtil sends real-time verification requests. BlackProductSafeGuardUtil maintains a blacklist of dangerous URLs/patterns.

3. Edge Content Security (Local + Server-Controlled)

3.1 EdgeContentDetector.java

File: com/alipay/edge/contentsecurity/EdgeContentDetector.java

Local content scanning with server-controlled master switch:

// Line 276: Server can enable/disable ALL content detection remotely
if ("0".equals(GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_DETECT_COVERAGE_ON))) {
    // Detection disabled — server controls this switch
    return;
}

5 detector types (all server-configurable):

  • EdgeTextDetector — scans page text content
  • EdgePictureDetector — scans images
  • EdgeScanDetector — QR/barcode scanning context
  • EdgeLinkDetector — URL/link analysis
  • EdgeCardDetector — financial card detection

3.2 Server-Controlled Parameters

// Bloom filter configuration from server
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_BLOOM_FILTER_CONFIG)

// Text detection max length — server-configurable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_TEXT_MAX_LENGTH)  // default 10240

// Content monitoring rate — server-adjustable
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_MONITOR_RATE_SWITCH)

// Character format detection — server toggle
GlobalConfig.getGlobalSwitch(Keys.EDGE_CONTENT_CHARSET_FORMAT_SWITCH_ON)

Key implication: Even if APK v10.8.30.8000 was installed before our CVE report, the server can remotely update detection rules, Bloom filter configs, and monitoring rates to block our specific PoC patterns.

4. Hot Patch Framework (Instant Remote Code Update)

4.1 RealTimeReceiver.java

File: com/alipay/android/phone/mobilecommon/dynamicrelease/hotpatch/RealTimeReceiver.java

// Line 34: Listens for server-pushed config changes
public static final String ACTION_CONFIG_CHANGED = "com.alipay.mobile.client.CONFIG_CHANGE";

// Line 102: On CONFIG_CHANGE broadcast → sync new hotpatch config from server
if ("com.alipay.mobile.client.CONFIG_CHANGE".equals(action)) {
    syncHotpatchConfig();  // Downloads new patches from server
}

// Lines 110-113: Patches triggered on app state transitions
triggerPatch(new AppLogScopedLogger("IR.UserLeaveHint"), USER_LEAVEHINT);  // Background
triggerPatch(new AppLogScopedLogger("IR.ToForeground"), TO_FOREGROUND);    // Foreground

4.2 syncHotpatchConfig()

File: RealTimeReceiver.java line 118

public static void syncHotpatchConfig() {
    // Fetches latest hotpatch configuration from Alipay server
    // Downloads delta patches for changed methods
    // Applies via AInstantRunManager
}

4.3 PatchProxy — Universal Method Interception

Every security-relevant method contains PatchProxy.proxy() calls that allow instant hot-patching:

// Example from LegacyShouldLoadUrlExtension.java (URL loading security)
public static ChangeQuickRedirect f80061;  // Patch slot

ChangeQuickRedirect changeQuickRedirect = f80061;
if (changeQuickRedirect == null ||
    (proxy = PatchProxy.proxy(changeQuickRedirect, "0")) == null) {
    // Original code executes
} else {
    // HOT-PATCHED code executes instead
    return proxy.result;
}

PatchProxy presence confirmed in:

  • NewJsAPIPermissionExtension.java — JSAPI permission checks
  • LegacyShouldLoadUrlExtension.java — URL loading decisions
  • EdgeContentDetector.java — Content security scanning
  • OuterSchemeVerify.java — External scheme verification
  • BundleCheckValve.java — Bundle/dynamic release control
  • StrategyFactory.java — Strategy pattern routing
  • ALL dynamicrelease framework classes

Key implication: Alipay can modify the behavior of ANY security-checking method without releasing a new APK. A server-pushed ChangeQuickRedirect object replaces the original method logic entirely.

5. Behavioral Evidence: CVE-3 Timeline

5.1 First Test — Success (tradePay triggered)

Time Action Result File Size
~15:40 Load payload_cve3_obf.html via DeepLink Page rendered (275KB), tradePay triggered 275KB
~15:43 tradePay callback received "交易订单处理失败" error shown 172KB

Screenshot evidence:

  • cve3_obf_page_rendered.png (275KB) — page content visible
  • cve3_tradepay_triggered.png (172KB) — tradePay error dialog
  • cve3_proof_20260316_155434.png (172KB) — timestamped proof

5.2 Retest — Blocked (all subsequent attempts)

Time Action Result File Size
~15:54+ Reload same URL White screen ~31KB
+retry Force-stop + re-trigger White screen ~31KB
+retry Different obfuscation variant White screen ~31KB
+retry Clean test (ZERO sensitive keywords) White screen ~31KB

Screenshot evidence:

  • cve3_blocked_on_retest.png (31KB) — white screen on same URL

5.3 Analysis

The file size differential (275KB rendered vs 31KB blocked) proves:

  1. First request: Server allowed → full page content loaded
  2. Subsequent requests: Server blocked → WebView receives empty/error response
  3. This is NOT local content filtering (the clean test with zero JSAPI keywords was also blocked)
  4. This IS URL-level server-side blocking — the domain/URL was flagged after initial PoC execution

5.4 Clean Test Anomaly (CVE-6 evidence)

payload_test_clean.html contains:

  • ZERO JSAPI call keywords (no tradePay, setTitle, showToast, getLocation)
  • Only checks typeof window.AlipayJSBridge
  • Pure HTML with no bridge interaction

Result: Also shows white screen (~31KB)

This proves URL-level blocking: The server blocks based on the source URL/domain (innora.ai/zfb/poc/), not based on page content analysis. The URL was added to a server-side blocklist after our initial CVE-3 PoC triggered successfully.

6. Synthesis: What This Means for MITRE

6.1 The Vulnerability Was Real

CVE-3 (tradePay) was successfully triggered from an external page loaded via DeepLink. The payment UI appeared with "交易订单处理失败" — proving the JSAPI was callable without domain restriction. This is documented with timestamped screenshots.

6.2 Server-Side Countermeasures Were Deployed

After our initial PoC success, the server-side security systems responded:

  1. NewJsAPIPermissionExtension sent our URL to alipay.mappconfig.appContainerCheck
  2. Server flagged our domain (innora.ai) or specific URL patterns
  3. FlowCustomsRpcHandleCallback returned "block" for subsequent requests
  4. URL-level blocking applied (even clean pages from same domain were blocked)

6.3 Hot Updates Enable Silent Patching

The PatchProxy + RealTimeReceiver framework means:

  • No APK update needed — patches are pushed server-side
  • Instant deploymentCONFIG_CHANGE broadcast triggers sync
  • Method-level granularity — any security check can be replaced
  • Even APK v10.8.30.8000 (old version) receives new rules

6.4 Implications for CVE Assessment

  1. The "one-time success then blocked" pattern is evidence of the vulnerability existing, not evidence of it being non-exploitable
  2. Server-side blocking is a reactive countermeasure, not an inherent security control
  3. An attacker using a fresh domain/URL would succeed until that domain is also flagged
  4. The vulnerability exists in the architectural design (no client-side domain whitelist for sensitive JSAPIs), not in the server-side detection rules

6.5 Code Architecture Summary

External DeepLink (alipays://platformapi/startapp?appId=20000067&url=...)
    │
    ├── OuterSchemeVerify ──── FCRuleController (server rules)
    │       │                   FCRpcUtil (server RPC)
    │       │                   BlackProductSafeGuardUtil (blocklist)
    │       │
    │       └── PatchProxy → [hot-patchable]
    │
    ├── WebView loads external URL
    │       │
    │       ├── NewJsAPIPermissionExtension ── sendSimpleRpc() → Server
    │       │       │                           appContainerCheck /
    │       │       │                           appContainerHighLevelCheck
    │       │       │
    │       │       └── FlowCustomsRpcHandleCallback
    │       │               ├── onAllow()   → JSAPI call proceeds
    │       │               ├── onBlock()   → Page blocked (white screen)
    │       │               └── onAlert()   → Warning shown
    │       │
    │       ├── EdgeContentDetector (local, server-controlled switch)
    │       │       ├── EdgeTextDetector
    │       │       ├── EdgeLinkDetector
    │       │       └── EDGE_CONTENT_DETECT_COVERAGE_ON (server toggle)
    │       │
    │       └── PatchProxy → [ALL methods hot-patchable]
    │
    └── RealTimeReceiver
            ├── CONFIG_CHANGE → syncHotpatchConfig()
            ├── TO_FOREGROUND → triggerPatch()
            └── USER_LEAVEHINT → triggerPatch()

7. Files Referenced

File Location Evidence For
NewJsAPIPermissionExtension.java nebulax/integration/mpaas/extensions/ Server-side RPC permission checking
NewRedirectUrlPermissionExtension.java nebulax/integration/mpaas/extensions/ Server-side redirect URL checking
LegacyShouldLoadUrlExtension.java nebulax/integration/mpaas/extensions/ PatchProxy in URL loading
FlowCustomsRpcHandleCallback.java nebulax/integration/base/security/h5jsapi/ Allow/block/alert response handling
OuterSchemeVerify.java flowcustoms/jumpin/ External scheme verification
FCRuleController.java flowcustoms/engine/rule/ Server-synced rule engine
FCRpcUtil.java flowcustoms/rpc/util/ FlowCustoms server RPC
BlackProductSafeGuardUtil.java flowcustoms/startapp/ URL/product blacklist
EdgeContentDetector.java edge/contentsecurity/ Local content scanning
EdgeBloomFilter.java edge/contentsecurity/model/bloom/ Bloom filter for content sampling
RealTimeReceiver.java dynamicrelease/hotpatch/ Hot patch config sync
BundleCheckValve.java dynamicrelease/ Dynamic release control

All code extracted from jadx decompilation of Alipay_10.8.30.8000_APKPure.apk.

Reference in New Issue View Git Blame Copy Permalink