Content Notice:
This page documents verifiable, objective events only. All timestamps are sourced from contemporaneous records or public archives. Text editing was assisted by AI.
Q1 – Q2 2024
Initial discovery and analysis of SecurityGuard v2 SDK
Began static analysis of the SecurityGuard v2 SDK embedded in publicly available Alipay APK builds (Android). Identified key components and architectural patterns.
Analysis
Q3 – Q4 2025
Deep analysis of cryptographic implementations, native code, and privacy mechanisms
Systematic analysis of the SDK's cryptographic implementations, hot-patch mechanisms (PatchProxy / AVMP), network communication layers, and data collection behaviors. Scope extended to native .so libraries and the JNI layer.
Deep Dive
Feb 25, 2026
Vulnerability report submitted to vendor via AntSRC
Detailed technical report submitted via Ant Group's official security vulnerability response channel (AntSRC / [email protected]), initiating the responsible disclosure process.
Vendor Contact
Mar 10, 2026
Vendor responds: classified as "normal function"
Ant Group replied via AntSRC, classifying the reported technical behaviors as "normal function" with no remediation plan indicated.
Vendor Response
Mar 12, 2026
First MITRE CVE submission (Ticket #2005801, 9 CVE reports)
Following the vendor's non-acknowledgment, formally submitted the first batch of CVE reports to MITRE under the MITRE CVE submission process, covering cryptography, hot-patch, and privacy domains.
CVE Submission
Mar 12 – Mar 22, 2026
8 technical analysis articles published on WeChat Official Account
Published a series of 8 technical analysis articles in Chinese ("The Nora Chronicles") covering PatchProxy, encryption downgrade, privacy analysis, DeepLink attack surface, and related topics.
Published
Mar 17, 2026
GitHub repository published
Publicly released the GitHub evidence repository containing technical reports, decompiled code excerpts (jadx), scripts, and Docker verification environment documentation.
Published
github.com/sgInnora/alipay-securityguard-analysis
Mar 19, 2026
IACR ePrint paper published (2026/526)
Published a preprint research paper on the IACR ePrint server: "Broken by Design: A Static Analysis of Alipay's SecurityGuard SDK." Note: ePrint is a preprint service, not a peer-reviewed publication.
Academic Record
eprint.iacr.org/2026/526
Mar 19, 2026
Packet Storm Security publication (#217089)
Research indexed by Packet Storm Security, a widely referenced security advisory aggregation platform, further increasing its visibility in the technical community.
Published
packetstormsecurity.com/files/217089
Mar 19 – Mar 23, 2026
Additional MITRE submissions (Batches 1–4, total 36 CVE reports across 11 tickets)
Building on the initial submission, submitted four additional batches of CVE reports to MITRE covering authentication mechanisms, JSBridge authorization, Wi-Fi tracking, weak random number generation, and other newly documented areas.
36 CVE Reports
11 Tickets
Mar 22, 2026
8 WeChat articles removed following vendor complaint
The WeChat platform removed the 8 previously published technical analysis articles following a complaint filed by Ant Group through a proxy law firm. All articles are permanently archived at innora.ai/zfb/.
Platform Removal
Mar 22, 2026
Mastodon account created (infosec.exchange/@Innora)
Created an account on the infosec.exchange Mastodon instance to establish a technical community communication channel independent of centralized platform moderation.
Platform
Mar 23, 2026
Zenodo permanent academic archive (DOI: 10.5281/zenodo.19186848)
Completed permanent academic archival of research materials on Zenodo (operated by CERN), obtaining a non-revocable DOI ensuring long-term digital accessibility.
Permanent Archive
doi.org/10.5281/zenodo.19186848
Mar 23, 2026
Docker verification environment published (37/37 tests pass)
Published a complete Dockerized verification environment enabling independent third-party reproduction of all 37 technical findings with a 100% test pass rate. Verification scripts and the Dockerfile are included in the GitHub repository.
Reproducible
37 / 37 Tests Pass
Mar 13 – Mar 25, 2026
Regulatory authorities in 9+ countries/regions briefed
Technical briefings submitted to regulatory authorities across multiple countries and regions based on their respective mandates, covering financial regulation, data protection, and cybersecurity incident response functions.
Regulatory
9+ Jurisdictions