Add Static Analysis of The DeepSeek Android App

Abe Pulver 2025-02-10 12:48:46 +01:00
parent b37000e6cb
commit 2f6788a322

I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy issues.

I have written about DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, particularly given the growing concerns around data privacy, surveillance, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity monitoring. NowSecure identified the same endpoints in the iPhone app yesterday.
- Bespoke encryption and data obfuscation methods are present, with indications that they could be used to exfiltrate user data.
- The app contains hard-coded public keys rather than relying on the user device's chain of trust (key pinning), which also prevents a user-installed CA from inspecting the app's traffic.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulation are here.
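The hard-coded public keys are the finding an analyst most wants to correlate with live traffic. The following is an added example (not code from the report or from the DeepSeek app) of how to triage such a constant once it has been lifted out of decompiled code: sniff the base64 string literals, parse the ones that are a DER SubjectPublicKeyInfo with a minimal TLV reader, name the algorithm from its OID, and compute the OkHttp/HPKP-style `sha256/` pin so it can be matched against the server certificates seen in a later dynamic run. `DECOMPILED_JAVA` is a hypothetical jadx-style class and `SAMPLE_SPKI` is a constructed Ed25519 key (bytes 0x00 to 0x1f), not a real key; only the standard library is used.

```python
"""Identify and pin a hard-coded public key found in decompiled app code.

Added example, not part of the original report. SAMPLE_SPKI is a constructed
Ed25519 SubjectPublicKeyInfo (key bytes 0x00..0x1f, not a real key) and
DECOMPILED_JAVA is a hypothetical jadx-style class, not DeepSeek's code.
"""
import base64
import hashlib
import re

KNOWN_OIDS = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.3.101.112": "Ed25519",
}

# Constructed sample: SEQ { SEQ { OID 1.3.101.112 }, BIT STRING (0 unused bits, 32 key bytes) }
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

# Hypothetical decompiled class: one long base64 literal that is NOT a key, one that is.
DECOMPILED_JAVA = (
    "public final class NetConfig {\n"
    '    static final String API = "https://api.example.invalid";\n'
    '    static final String SESSION_SEED = "' + "A" * 48 + '";\n'
    '    static final String PINNED_KEY = "' + base64.b64encode(SAMPLE_SPKI).decode() + '";\n'
    "}\n"
)


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos). Supports long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_spki(der):
    """Return {'algorithm', 'oid', 'key_bytes'} for a DER SubjectPublicKeyInfo, else raise ValueError."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier has no OID")
    tag, bits, _ = read_tlv(body, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    dotted = decode_oid(oid)
    return {"algorithm": KNOWN_OIDS.get(dotted, "unknown"), "oid": dotted, "key_bytes": len(bits) - 1}


def spki_pin(der):
    """OkHttp CertificatePinner / HPKP pin format: 'sha256/' + base64(SHA-256 over the DER SPKI)."""
    return "sha256/" + base64.b64encode(hashlib.sha256(der).digest()).decode()


def find_pinned_keys(java_src):
    """Scan base64-looking string literals and keep only those that parse as an SPKI."""
    found = []
    for lit in re.findall(r'"([A-Za-z0-9+/]{40,}={0,2})"', java_src):
        try:
            der = base64.b64decode(lit, validate=True)  # binascii.Error is a ValueError
            info = parse_spki(der)
        except ValueError:
            continue                                    # not DER, or not an SPKI: skip
        found.append({"literal": lit[:12] + "...", "pin": spki_pin(der), **info})
    return found


if __name__ == "__main__":
    for k in find_pinned_keys(DECOMPILED_JAVA):
        print(k)
```

The pin is what you compare against `CertificatePinner` strings elsewhere in the app and against the leaf or intermediate SPKI of the servers actually contacted; a pinned key that matches no certificate the app ever receives over TLS is worth a closer look, since it may be used for the bespoke encryption layer instead.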
<br>[Device Fingerprinting](https://www.americanafoods.com) & Tracking<br>
<br>A [substantial portion](http://biuro-em.pl) of the [examined code](https://www.enbcs.kr) appears to concentrate on event device-specific details, which can be used for tracking and [fingerprinting](https://hausa.von.gov.ng).<br>
<br>- The app collects numerous special device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details.
- System properties, [installed](https://tsbaumpflege.de) plans, and root detection [systems](https://hvaltex.ru) suggest prospective [anti-tampering procedures](http://qrx.jp). E.g. probes for the presence of Magisk, a tool that personal privacy [advocates](https://www.propose.lk) and security scientists utilize to root their Android devices.
- Geolocation and network profiling exist, indicating possible [tracking abilities](https://nckayconsulting.co.za) and allowing or [disabling](https://appsmarina.com) of fingerprinting regimes by area.
[- Hardcoded](https://inteligency.com.br) [gadget model](https://git.amelab.org) lists suggest the application might act differently [depending](http://fsr-shop.de) upon the found hardware.
- Multiple vendor-specific [services](https://www.living1.de) are [utilized](https://olympiquedemarseillefansclub.com) to extract additional device details. E.g. if it can not [identify](https://sanantoniohailclaims.com) the device through standard Android SIM lookup (because approval was not granted), it tries manufacturer particular extensions to access the very same details.<br>
Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app makes calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves in turn make further calls to dlopen(), which can be used to load additional .so files. This facility is not typically inspected by Google Play Protect and other static analysis services.
- The .so files can be executed as native code, such as C++. The use of native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to escalate privileges more easily, potentially exploiting vulnerabilities within the operating system or device hardware.
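Most of the findings above (hard-coded endpoints, the identifier APIs, the su/Magisk probes, the vendor-property fallback when SIM permission is denied, overlay and WebView bridges, and the Dex/native loading calls) reduce to the same first pass over decompiled output: grep with intent. The scanner below is an added example, not the report's own tooling, of that pass over jadx-style Java. `SAMPLE_SOURCES` is constructed to resemble jadx output and its file names and hostnames are invented; the API calls, paths and class names it matches are real Android ones. It reports one hit per category per line (so a line probing two root artefacts counts once) and collects the hosts of hard-coded URLs separately, since those are what you hand to the network-capture step.

```python
"""Indicator scan over decompiled Android sources (jadx-style Java).

Added example, not the report's own tooling. SAMPLE_SOURCES is constructed to
look like jadx output; the hostnames and file names are invented, while the
API calls, paths and class names matched are real Android ones.
"""
import re
from collections import Counter

# One regex list per finding category from the report.
INDICATORS = {
    "device_identifier": [
        r"\bgetDeviceId\(", r"\bgetImei\(", r"\bgetSubscriberId\(",
        r"\bgetSimSerialNumber\(", r"\bgetSimOperator\(", r"Settings\.Secure\.ANDROID_ID",
    ],
    "root_detection": [
        r"/s(?:bin|ystem/(?:x)?bin)/su\b", r"/data/adb/(?:magisk|modules)",
        r"(?i)magisk", r"com\.topjohnwu",
    ],
    "dynamic_code_loading": [
        r"\b(?:Dex|InMemoryDex|Path)ClassLoader\b", r"System\.load(?:Library)?\(", r"\bdlopen\b",
    ],
    "ui_overlay": [r"TYPE_APPLICATION_OVERLAY|SYSTEM_ALERT_WINDOW"],
    "webview_bridge": [r"addJavascriptInterface\(", r"setJavaScriptEnabled\(true\)"],
    "vendor_property_access": [r"android\.os\.SystemProperties", r"\bro\.(?:serialno|product\.model)\b"],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in INDICATORS.items()}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")  # captures the host of a hard-coded URL

# Constructed decompiled sources: {file name: jadx-style Java text}
SAMPLE_SOURCES = {
    "DeviceInfo.java": (
        "String imei = tm.getDeviceId();\n"
        "String imsi = tm.getSubscriberId();\n"
        "String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);\n"
        "// fallback when READ_PHONE_STATE was denied: reflect into a vendor property\n"
        'Class<?> sp = Class.forName("android.os.SystemProperties");\n'
        'String serial = (String) sp.getMethod("get", String.class).invoke(null, "ro.serialno");\n'
    ),
    "RootCheck.java": (
        'if (new File("/sbin/su").exists() || new File("/data/adb/magisk").exists()) {\n'
        "    reportRiskDevice();\n"
        "}\n"
    ),
    "Loader.java": (
        "DexClassLoader dcl = new DexClassLoader(dexPath, odexDir, null, getClassLoader());\n"
        'System.load(new File(libDir, "libpayload.so").getAbsolutePath());\n'
    ),
    "Net.java": (
        'static final String API = "https://api.example.invalid/v1";\n'
        'static final String LOG = "https://log.tracker.example.invalid/collect";\n'
    ),
}


def scan(sources):
    """sources: {file name: decompiled text}. Returns (hits, hosts).

    hits:  list of (category, file, line_no, stripped_line), at most one per category per line
    hosts: sorted unique hostnames taken from hard-coded http(s) URLs
    """
    hits, hosts = [], set()
    for fname, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            hosts.update(URL_RE.findall(line))
            for cat, regs in COMPILED.items():
                if any(r.search(line) for r in regs):
                    hits.append((cat, fname, no, line.strip()))
    return hits, sorted(hosts)


def summarize(hits):
    """Count hits per category, e.g. {'device_identifier': 3, ...}."""
    return dict(Counter(cat for cat, *_ in hits))


if __name__ == "__main__":
    found, endpoints = scan(SAMPLE_SOURCES)
    for cat, fname, no, snippet in found:
        print(f"[{cat}] {fname}:{no}: {snippet}")
    print("hard-coded hosts:", endpoints)
    print("summary:", summarize(found))
```

Run it over the `sources/` tree that jadx writes and the summary tells you where to spend dynamic-analysis time; the same patterns apply to smali with minor edits (`invoke-virtual {...}, Landroid/telephony/TelephonyManager;->getDeviceId()` instead of `getDeviceId(`). Hits in `dynamic_code_loading` are the ones to follow into the bundled `.so` files, since a string scan of Java cannot see what native code passes to `dlopen()`.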
Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no legitimate reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading together with the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence is provided in this report that remotely delivered code is actually being executed, only that the facility for this appears to be present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and content protection are critical, or in competitive games to prevent cheating. However, there is no clear rationale for such stringent measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within a corporate or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.

Disclaimer: The analysis provided in this report is based on static code review and does not imply that all identified functions are actively used. Further investigation is required for definitive conclusions.