Jiqiang Feng | Innora AI Security

5 Followers
7 Following
32 Posts

Independent security researcher. 36 CVEs filed against Alipay (1.4B users). IACR ePrint 2026/526. 9 articles censored + account banned by WeChat. CISA Root CNA dispute filed. 8 regulators investigating across 5 jurisdictions. CISSP.

Reverse engineering | Vulnerability research | Responsible disclosure

innora.ai/zfb/

Research: https://innora.ai/zfb/
Evidence: https://github.com/sgInnora/alipay-securityguard-analysis
Paper: https://eprint.iacr.org/2026/526
Email: [email protected]

Everything here is reproducible from the Google Play APK with jadx.

APK: com.eg.android.AlipayGphone v10.8.50.7000
SHA-256: 7b56faa5a0de644fd1803e2a002654e0abec45c9d72a1489ea220c04121a7587

IACR ePrint 2026/526
Zenodo: 10.5281/zenodo.19186848
IPFS: QmeWzqWUfHToBTcuPVSfrzxMDiPT6F48M7qtDVXRBHwhHS
https://github.com/sgInnora/alipay-securityguard-analysis

If you work on Google Play policy review, or if you're a security researcher who can independently verify — please look at this APK.

#infosec #googleplay #android #privacy

Ant Group via CIRCL Luxembourg (Case #4782984):

"A comprehensive technical analysis, corroborated by an accredited Chinese testing institution, has conclusively determined that these vulnerabilities do not exist."

• Institution name: withheld
• Test report: withheld
• 3 requests for disclosure: unanswered

Meanwhile:
• 9 security research articles censored from WeChat
• Legal threat letter sent within 4 hours of publication
• PoC blocked via server-side whitelist

📊 40-Day Version Comparison (v10.8.30 → v10.8.56)

Post-disclosure, Ant Group modified:
• 100% of DEX files (19/19 + 1 new)
• +8,315 new classes / -4,678 removed
• 28 new obfuscated JSBridge security classes

But the SSL bypass? Unchanged.
EmptyX509TrustManagerWrapper? Unchanged.
ALLOW_ALL_HOSTNAME_VERIFIER? Unchanged.

Massive refactoring around the reported areas, but the specific mechanisms untouched.

Full diff: https://innora.ai/zfb/

Alipay SecurityGuard SDK: 36 CVEs, 146K Hot-Patch Hooks, Weak Crypto

36 CVEs. 146K hot-patch hooks. One financial super-app. Our investigation into Alipay SecurityGuard SDK reveals a massive, remotely-modifiable attack surface.

🚪 97% of JSBridge APIs Skip Permission Checks

396 of 408 BridgeExtension classes: permit() → null

DefaultAccessController.java:132:
if (guard2.permit() != null) { asyncInterceptJsapi(); }

null = no check. Affected:
• TradePayBridgeExtension (payments)
• DCEPWalletBridgeExtension (Digital Yuan)
• LoginExtension, NFCBridgeExtension
• ClipboardBridgeExtension
• AddPhoneContactBridgeExtension

Not a few missed checks — 97% systematic.
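As an added illustration (not Alipay's code, and the class and method names below are hypothetical), this shows the fail-open shape described in the post, where a null permit() skips the interceptor entirely, next to a deny-by-default controller that treats a missing policy as a denial and logs it for review:

```java
// Added example: a minimal model of the "permit() returns null means no check"
// fail-open pattern, beside a deny-by-default equivalent. Names are hypothetical.
public class BridgeAccessDemo {
    enum Permission { ALLOW, DENY }

    // One JSBridge-style extension: the API it exposes and the guard it declares.
    interface BridgeExtension {
        String apiName();
        Permission permit();   // null = extension declared no policy at all
    }

    // Fail-open: the interceptor runs only when permit() is non-null, so an
    // extension that never declares a policy is never checked and proceeds.
    static boolean failOpenAllows(BridgeExtension ext) {
        if (ext.permit() != null) {
            return ext.permit() == Permission.ALLOW;   // intercept path
        }
        return true;   // null falls through: the call goes ahead unchecked
    }

    // Fail-closed: a missing policy is a DENY, and the gap is surfaced in an
    // audit log so the 396-of-408 situation cannot stay invisible.
    static boolean failClosedAllows(BridgeExtension ext) {
        Permission p = ext.permit();
        if (p == null) {
            System.err.println("AUDIT: no permit() policy on " + ext.apiName() + ", denying");
            return false;
        }
        return p == Permission.ALLOW;
    }

    // Constructed extension with no declared policy, mirroring the post's shape.
    static BridgeExtension undeclared(String name) {
        return new BridgeExtension() {
            public String apiName() { return name; }
            public Permission permit() { return null; }
        };
    }

    public static void main(String[] args) {
        BridgeExtension pay = undeclared("tradePay");
        System.out.println("fail-open allows tradePay:   " + failOpenAllows(pay));
        System.out.println("fail-closed allows tradePay: " + failClosedAllows(pay));
    }
}
```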

📡 1,834 Undisclosed Data Interception Points

DexAOP framework, InterferePointInitHelper.java:

• IMEI — "读取设备信息" (line 1662)
• MAC — "MAC地址|位置获取" (line 1065)
• Installed apps — "APP列表获取" (line 520)
• Clipboard (line 400)
• GPS — "位置获取" (line 624)
• Audio — 96 hooks, labeled "录音"
• Bluetooth — 52 hooks

Internal Chinese labels confirm structured collection.
Google Play Data Safety does NOT disclose this.

🔄 79,371 Methods With Server-Side Code Replacement

PatchProxy/ChangeQuickRedirect in 79,371 files. When the server sets a non-null ChangeQuickRedirect field, the original method is replaced at runtime.

The SSL validation code itself is PatchProxy-wrapped — certificate checking can be remotely disabled.

PrivacyNewInstanceListener.java intercepts BaseDexClassLoader, DexClassLoader, PathClassLoader.

Google Play prohibits downloading executable code outside Play.

🔓 SSL/TLS Certificate Validation Bypass

NetworkConfigCenter.java, line 562:
setHttpsValidationEnabled(false)
→ ALLOW_ALL_HOSTNAME_VERIFIER: verify() returns true for ANY hostname
→ checkServerTrusted(): empty method body, accepts ALL certificates

This is a payment app. For 100M+ users.

Wrapped by PatchProxy (line 563) — the server can toggle this remotely without an app update.

Unpatched in v10.8.56.8000 (compiled 2026-04-07).

https://innora.ai/zfb/
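Added example (not Alipay's code; class and method names are hypothetical): the two fail-open pieces the post names, an X509TrustManager whose checkServerTrusted body is empty and an allow-all HostnameVerifier, placed beside a hardened client that keeps the platform trust store and the default strict hostname verifier, with a trivial self-check a reviewer can run to flag the allow-all verifier on a connection:

```java
// Added example: the weak TLS configuration described in the post next to a
// hardened one. Host name is a constructed placeholder; no network call is made.
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TlsValidationDemo {

    // WEAK: every certificate chain is accepted because the check method does
    // nothing, and every hostname is accepted by the verifier below.
    static SSLSocketFactory weakFactory() throws Exception {
        TrustManager acceptAll = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String a) { }
            public void checkServerTrusted(X509Certificate[] c, String a) { }   // empty body
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptAll }, null);
        return ctx.getSocketFactory();
    }
    static final HostnameVerifier ALLOW_ALL = (host, session) -> true;

    // HARDENED: trust decisions come from the platform trust anchors and the
    // hostname check is the default strict one; neither is a runtime toggle.
    static SSLSocketFactory hardenedFactory() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);   // null = platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    static HttpsURLConnection open(URL url, SSLSocketFactory sf, HostnameVerifier hv) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();   // does not connect yet
        conn.setSSLSocketFactory(sf);
        conn.setHostnameVerifier(hv);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        URL u = new URL("https://example.invalid/");   // constructed placeholder host
        HttpsURLConnection weak = open(u, weakFactory(), ALLOW_ALL);
        HttpsURLConnection strict = open(u, hardenedFactory(), HttpsURLConnection.getDefaultHostnameVerifier());
        // Reviewer self-check: any connection carrying the allow-all verifier is a finding.
        System.out.println("weak uses allow-all verifier:   " + (weak.getHostnameVerifier() == ALLOW_ALL));
        System.out.println("strict uses allow-all verifier: " + (strict.getHostnameVerifier() == ALLOW_ALL));
    }
}
```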

Alipay (100M+ Google Play installs) — what I found by reverse-engineering the APK:

1. A remotely activatable SSL/TLS kill switch
2. 79,371 server-replaceable methods bypassing Play review
3. 1,834 undisclosed data hooks (IMEI, GPS, clipboard, audio)
4. 97% of permission checks return null

Ant Group's response: "these vulnerabilities do not exist."

40 days later, the SSL bypass is still in production.

Thread with code evidence ↓

#infosec #android #alipay #googleplay

One concrete ask:

@hackerone — please publish program-level SLA compliance rates. Researchers currently have no visibility into whether a 28-day wait is an anomaly or the norm for a given program.

Transparency builds trust. Silence erodes it.

Timeline and documentation: forthcoming on Medium.

#InfoSec #BugBounty #CyberSecurity 3/3

Related case: 36 vulnerabilities reported to a CNA-designated fintech (1.4B users) with full PoC on 3 devices.

Vendor dismissed in one line. Legal counsel demanded takedown within 4 hours (documented: innora.ai/zfb/). 9 research articles subsequently removed. As CNA: zero CVE-IDs assigned.

CISA Root CNA dispute filed. Evidence chain preserved with timestamps.

#InfoSec #CVE #VulnerabilityDisclosure 2/3