innora@infosec.exchange

@innora@infosec.exchange

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    7/7 All evidence permanently preserved on IPFS:
    gateway.pinata.cloud/ipfs/QmWUnbmgHsb3BMLufJWhzVaaZqd8j7XMjN2YVUmAGRGJ4C

    Please fork github.com/sgInnora/alipay-securityguard-analysis as backup against further takedowns.

    If you've experienced similar vendor retaliation for security research, I'd like to hear from you.

    #infosec #ipfs #opensecurity

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    6/7 Regulatory responses (12+ jurisdictions):
    - CSSF Luxembourg: CSSFWB-2026-080
    - CNPD Luxembourg: GDPR investigation
    - HKMA Hong Kong: CE20260313175412
    - PDPC Singapore: #00629724
    - BSP Philippines, PCPD HK, BNM Malaysia
    - Google Play, CISA/CERT
    - MITRE: 18 CVEs across 4 tickets

    #regulation #gdpr #fintech

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    5/7 Cross-platform suppression:

    WeChat: 8 articles deleted (March 15-20)
    Twitter/X: Account permanently suspended (March 16-17)

    Meanwhile, the research was independently validated by IACR, MITRE (18 CVEs), Packet Storm (#217089), and acknowledged by 12+ regulatory agencies worldwide.

    Full timeline: innora.ai/zfb/article_censorship.html

    #digitalrights

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    4/7 Then came the censorship.

    March 15: 4 research articles deleted from WeChat after Ant Group's law firm filed takedown requests.

    WeChat initially REJECTED the complaint. It was resubmitted under China's Cybersecurity Law — articles removed without specific provision cited.

    March 20: 4 MORE articles deleted. 8/8 = 100% censored.

    #censorship #pressfreedom

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    3/7 The cryptographic infrastructure is broken:
    - APK signing cert uses MD5+RSA-1024 (collision in 9 seconds)
    - 27 server RSA private keys recovered via batch GCD
    - Hardcoded DES keys

    11 verified PoCs: github.com/sgInnora/hash-collision-lab
    IACR paper: eprint.iacr.org/2026/526

    #cryptography #appsec

    Uncategorized introduction infosec security vulnerability mobilesecurity
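
An added example, not taken from the posts or the linked repositories: a batch-GCD audit that a key owner can run over an inventory of RSA public moduli to find keys that share a prime, the weakness class the 3/7 post refers to. The host names and toy moduli are constructed for illustration; real moduli are 1024 bits or more and the same code applies unchanged.

```python
from math import gcd, prod

def product_tree(values):
    """Levels of a product tree: levels[0] = leaves, levels[-1] = [product of all]."""
    levels = [list(values)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([prod(prev[i:i + 2]) for i in range(0, len(prev), 2)])
    return levels

def batch_gcd(moduli):
    """Return gcd(n_i, product of all other moduli) for every n_i."""
    levels = product_tree(moduli)
    rems = levels.pop()                      # root: product P of every modulus
    while levels:
        level = levels.pop()
        # Remainder tree: push P down, reducing modulo each node squared.
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(level)]
    # rems[i] == P mod n_i^2, so rems[i] // n_i == (P / n_i) mod n_i.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(inventory):
    """Map each key name to 'ok', 'shared-factor' or 'duplicate-or-fully-shared'."""
    names = list(inventory)
    moduli = [inventory[name] for name in names]
    findings = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            findings[name] = "ok"
        elif g == n:
            # Same modulus deployed twice, or both primes reused elsewhere.
            findings[name] = "duplicate-or-fully-shared"
        else:
            findings[name] = "shared-factor"
    return findings

# Constructed toy inventory (hypothetical host names, tiny primes).
SAMPLE_INVENTORY = {
    "host-a": 101 * 103,
    "host-b": 101 * 107,   # reuses the prime 101 from host-a
    "host-c": 109 * 113,   # independent key
    "host-d": 127 * 131,
    "host-e": 127 * 131,   # same modulus as host-d
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Any key not reported as `ok` should be regenerated from a properly seeded random source, since a shared prime means the modulus is no longer hard to factor.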

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    2/7 Key findings:
    - 976 proxy classes intercepting 208 system API categories (GPS, camera, clipboard, crypto)
    - 97.1% of internal APIs (396/408) have ZERO access control
    - PatchProxy: every security method remotely replaceable without app update
    - SM4 encryption remotely disableable by server config

    Full analysis: github.com/sgInnora/alipay-securityguard-analysis

    #mobilesecurity #reverseengineering

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    THREAD: Alipay SecurityGuard SDK — What we found and what happened next.

    1/7 We reverse-engineered Alipay's SecurityGuard SDK (v10.8.30.8000, 89K Java source files). Found 17 vulnerabilities including a whitelist bypass (CVSS 9.3) that makes all 17 remotely exploitable via a single crafted URL.

    18 CVEs filed across 4 MITRE tickets. Vendor says: 'normal functionality.'

    #infosec #alipay #vulnerability

    Uncategorized introduction infosec security vulnerability mobilesecurity

  • #introduction I'm Jiqiang Feng, independent security researcher at Innora AI.
    I innora@infosec.exchange

    #introduction I'm Jiqiang Feng, independent security researcher at Innora AI. I found 17 vulnerabilities (CVSS up to 9.3) in Alipay, a payment app used by 1B+ people. 18 CVEs filed with MITRE. Peer-reviewed paper published by IACR.

    My Twitter/X account was permanently suspended during this disclosure. 8 research articles were also deleted from WeChat by the vendor's lawyers.

    innora.ai | github.com/sgInnora

    #infosec #security #vulnerability #mobilesecurity

    Uncategorized introduction infosec security vulnerability mobilesecurity