Add Static Analysis of The DeepSeek Android App

Abigail Waugh 2025-02-10 21:00:43 +07:00
parent 2ef15321cd
commit 7fc59eb196

@ -0,0 +1,34 @@
<br>I conducted a static analysis of DeepSeek, [wiki.myamens.com](http://wiki.myamens.com/index.php/User:GlindaRountree) a [Chinese LLM](https://digitalworldtoken.com) chatbot, using variation 1.8.0 from the [Google Play](https://www.cfbwz.com) Store. The goal was to recognize prospective security and personal privacy issues.<br>
<br>I've [composed](https://inmessage.site) about DeepSeek previously here.<br>
<br>[Additional security](https://crossdark.net) and [personal privacy](https://diergeneeskundigcentrum-alphen.nl) issues about DeepSeek have actually been raised.<br>
<br>See also this analysis by [NowSecure](https://uysvisserproductions.co.za) of the iPhone version of DeepSeek<br>
<br>The [findings detailed](http://www.aethier.co.uk) in this report are based purely on [fixed analysis](http://kanuu.com). This means that while the code exists within the app, there is no conclusive evidence that all of it is carried out in [practice](http://trarding-tanijoe.com). Nonetheless, the existence of such [code warrants](http://cheerinenglish.com) analysis, particularly offered the growing concerns around information personal privacy, security, the possible abuse of [AI](http://trilogyrecovery.org)-driven applications, and cyber-espionage characteristics in between [worldwide](https://git.defcon-nn.ru) powers.<br>
<br>Key Findings<br>
<br>Suspicious Data Handling & Exfiltration<br>
<br>- Hardcoded URLs direct data to external servers, [raising issues](https://try.gogs.io) about user activity tracking, such as to [ByteDance](https://store-wordpress.volarenglobo.com.mx) "volce.com" [endpoints](https://astillerofma.com.ar). NowSecure recognizes these in the iPhone app yesterday too.
- Bespoke file encryption and data obfuscation methods are present, with signs that they might be used to exfiltrate user [details](https://theallanebusinessplace.com).
- The app contains [hard-coded public](https://connectzapp.com) secrets, instead of [counting](https://www.firsttrade-eg.com) on the user [gadget's](http://bhnrecruiter.com) chain of trust.
- UI interaction tracking catches detailed user behavior [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11815292) without clear [approval](https://solarioribeirao.com.br).
- WebView [adjustment](https://mediahatemsalem.com) exists, which might allow for the app to gain access to [private external](https://www.incrementare.com.mx) browser data when links are opened. More [details](https://lesprivatib.com) about WebView adjustments is here<br>
<br>Device [Fingerprinting](http://www.sincano.com) & Tracking<br>
<br>A considerable part of the examined code appears to concentrate on event device-specific details, which can be used for tracking and [fingerprinting](https://houseimmo.com).<br>
<br>- The app gathers various special gadget identifiers, including UDID, [nerdgaming.science](https://nerdgaming.science/wiki/User:RhondaM754927044) Android ID, IMEI, IMSI, and provider details.
- System residential or commercial properties, [installed](http://www.arcimboldo.fr) packages, and root detection mechanisms recommend possible anti-tampering steps. E.g. probes for the [existence](http://aas-technologies.eu) of Magisk, a tool that privacy supporters and security [scientists utilize](https://www.sallandsevoetbaldagen.nl) to root their Android gadgets.
- Geolocation and network profiling are present, suggesting prospective tracking capabilities and [allowing](https://www.avvocatodanielealiprandi.it) or disabling of fingerprinting routines by area.
[- Hardcoded](http://social-lca.org) gadget design lists suggest the application might act in a different way depending upon the discovered hardware.
- Multiple vendor-specific [services](https://hrc.cetracgh.org) are used to draw out [extra gadget](https://www.postmarkten.nl) details. E.g. if it can not identify the gadget through standard Android [SIM lookup](https://www.vddrenovation.be) (due to the fact that [permission](https://www.washoku-worldchallenge.maff.go.jp) was not granted), it attempts maker specific extensions to access the exact same [details](https://grade1d.smaportal.ae).<br>
<br>[Potential Malware-Like](http://m-contents.net) Behavior<br>
<br>While no definitive conclusions can be drawn without dynamic analysis, a number of observed habits line up with known spyware and [malware](http://macway.commander1.com) patterns:<br>
<br>- The app uses reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
- SIM card details, serial numbers, and other device-specific data are [aggregated](https://35.237.164.2) for [unknown purposes](https://jkcollegeadvising.com).
- The app executes [country-based gain](https://vishwakarmacommunity.org) access to constraints and "risk-device" detection, recommending possible [surveillance systems](https://warszawskidomaukcyjny.pl).
- The app carries out calls to pack Dex modules, where [extra code](https://krokaa.dev) is packed from files with a.so extension at [runtime](https://roses.shoutwiki.com).
- The.so files themselves turn around and make extra calls to dlopen(), which can be used to load [additional](https://www.embavenez.ru).so files. This facility is not usually examined by [Google Play](http://elevagedelalyre.fr) Protect and other [static analysis](https://verismart.io) [services](https://www.ib-wocheslander.de).
- The.so files can be [carried](https://woodfieldbusinesscentre.com) out in native code, such as C++. Making use of native code includes a layer of [complexity](http://johnnyhamilton.co) to the analysis procedure and obscures the complete level of the app's abilities. Moreover, [pattern-wiki.win](https://pattern-wiki.win/wiki/User:EvelyneRamsey91) native code can be [leveraged](http://remarkablepeople.de) to more easily escalate advantages, potentially exploiting vulnerabilities within the operating system or .<br>
<br>Remarks<br>
<br>While information collection prevails in contemporary applications for debugging and [improving](https://www.startanewme.com) user experience, [aggressive fingerprinting](https://www.hedgeconnection.com) raises significant personal privacy issues. The [DeepSeek app](http://danna-nagornyh.ru) needs users to visit with a [legitimate](https://www.excellencecommunication.fr) email, which should already offer adequate [authentication](https://git.defcon-nn.ru). There is no legitimate factor for the app to strongly [collect](http://centrechretienamos.com) and [transfer distinct](https://stadt-amstetten.at) gadget identifiers, IMEI numbers, SIM card details, and other [non-resettable](https://www.imolireality.sk) system properties.<br>
<br>The degree of tracking observed here [surpasses](http://camcab.co.uk) [typical](https://gitlab.surrey.ac.uk) [analytics](http://midlandtrophies.myinny.red) practices, potentially allowing relentless user tracking and [re-identification](https://w.femme.sk) across [devices](http://ww.noimai.com). These behaviors, [integrated](http://sung119.com) with obfuscation methods and network communication with [third-party](http://www.fazendamontebello.com.br) tracking services, require a higher level of analysis from security researchers and users alike.<br>
<br>The employment of runtime code loading along with the bundling of native code recommends that the app might enable the deployment and execution of unreviewed, from another [location](http://dbrondos.mx) provided code. This is a severe possible [attack vector](https://www.lakarjobbisverige.se). No proof in this report is provided that from another location deployed code execution is being done, just that the facility for [higgledy-piggledy.xyz](https://higgledy-piggledy.xyz/index.php/User:Kenny57356) this appears present.<br>
<br>Additionally, the app's method to finding rooted devices [appears excessive](https://www.elitemidlife.com) for an [AI](https://bestremotejobs.net) [chatbot](https://nieruchomoscipresto.pl). Root detection is often warranted in DRM-protected streaming services, where security and material defense are vital, or in competitive video games to avoid unfaithful. However, there is no clear reasoning for such stringent steps in an application of this nature, [raising additional](http://ookusu.jp) [questions](https://startupjobs.istanbul) about its intent.<br>
<br>Users and organizations thinking about setting up DeepSeek must know these [prospective risks](https://myahmaids.com). If this application is being utilized within an enterprise or government environment, [additional vetting](https://video.emcd.ro) and [sitiosecuador.com](https://www.sitiosecuador.com/author/benitomeban/) security controls should be implemented before enabling its deployment on [managed devices](https://tmihi.com).<br>
<br>Disclaimer: The [analysis](http://saya.secret.jp) provided in this report is based on static code evaluation and does not indicate that all identified functions are actively utilized. Further [investigation](http://nok-nok.nl) is required for definitive conclusions.<br>
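Review bot: The added report is not mergeable as written because its wording has been synonym-substituted in ways that change technical meaning: the opening paragraph says "variation 1.8.0" and "fixed analysis" where the heading and the closing disclaimer both say "static analysis" of a version, "System residential or commercial properties" under Device Fingerprinting is a garbled "system properties", "in competitive video games to avoid unfaithful" has lost the word "cheating", and "from another location provided code" / "from another location deployed code execution" in the Remarks stand in for "remotely delivered" / "remotely deployed". Suggest restoring plain wording, e.g. `I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store.` Second, almost every sentence carries a markdown link whose anchor is an ordinary word and whose target is an unrelated domain, e.g. `[Google Play](https://www.cfbwz.com)`, `[AI](http://trilogyrecovery.org)`, `[aggregated](https://35.237.164.2)`; these read as injected link spam rather than citations and should be dropped, while the references the text actually promises have no link at all ("I've composed about DeepSeek previously here", "See also this analysis by NowSecure of the iPhone version", "More details about WebView adjustments is here"). Third, the last bullet under Potential Malware-Like Behavior ends "exploiting vulnerabilities within the operating system or ." with its final term missing, and three bullets write "a.so extension" / "The.so files" with the space before ".so" lost, so the source text should be re-pasted rather than patched by hand. Finally, the file wraps every paragraph in `<br>` tags and leaves section titles (Key Findings, Device Fingerprinting & Tracking, Potential Malware-Like Behavior, Remarks) as bare lines; in a markdown file these should be headings with blank-line paragraph breaks.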