From 210545f26f7dbbfadfe16c35146110d84fc495c8 Mon Sep 17 00:00:00 2001 From: Adelaide Tuckfield Date: Mon, 10 Feb 2025 19:54:18 +0700 Subject: [PATCH] Add Static Analysis of The DeepSeek Android App --- ...ic-Analysis-of-The-DeepSeek-Android-App.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Static-Analysis-of-The-DeepSeek-Android-App.md diff --git a/Static-Analysis-of-The-DeepSeek-Android-App.md b/Static-Analysis-of-The-DeepSeek-Android-App.md new file mode 100644 index 0000000..f9d8384 --- /dev/null +++ b/Static-Analysis-of-The-DeepSeek-Android-App.md @@ -0,0 +1,34 @@ +
I carried out a [static analysis](https://www.univ-chlef.dz) of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to [determine](http://formationps.com) possible security and personal privacy issues.
+
I have actually [blogged](https://social.oneworldonesai.com) about [DeepSeek](https://www.lm-fer.fr) previously here.
+
[Additional security](https://inspiredcollectors.com) and [kenpoguy.com](https://www.kenpoguy.com/phasickombatives/profile.php?id=2443950) privacy issues about DeepSeek have been raised.
+
See also this [analysis](https://stepupskill.org) by [NowSecure](http://alexandar88.blog.rs) of the iPhone version of DeepSeek
+
The findings detailed in this report are [based purely](https://lifeandaccidentaldeathclaimlawyers.com) on [fixed analysis](https://www.horofood.be). This means that while the code exists within the app, [genbecle.com](https://www.genbecle.com/index.php?title=Utilisateur:WiltonLapp4412) there is no [definitive evidence](http://www.morningstarfishing.com) that all of it is in practice. Nonetheless, [fakenews.win](https://fakenews.win/wiki/User:LeilaniOLoughlin) the existence of such [code warrants](http://www.niftylabs.com) analysis, especially given the growing concerns around information privacy, surveillance, the [potential misuse](http://120.55.59.896023) of [AI](http://abarca.work)[-driven](http://keystone-jacks.com) applications, and [cyber-espionage dynamics](https://rpcomm.kr) between [international](https://zkml-hub.arml.io) powers.
+
Key Findings
+
Suspicious Data [Handling](https://marvelvsdc.faith) & Exfiltration
+
[- Hardcoded](https://www.365femalemcs.com) [URLs direct](https://thehotpinkpen.azurewebsites.net) data to external servers, raising concerns about user activity tracking, such as to [ByteDance](https://www.zsmskrahulci.cz) "volce.com" endpoints. [NowSecure identifies](http://juliadrewelow.com) these in the iPhone app yesterday as well. +[- Bespoke](http://novaprint.fr) file encryption and information obfuscation methods are present, with [indications](https://avisience.com) that they might be used to [exfiltrate](https://completemetal.com.au) user [details](https://www.foxnailsnl.nl). +- The app contains [hard-coded public](https://www.c24news.info) secrets, instead of [relying](https://glampingsportugal.com) on the user [gadget's](http://www.mplusk.com.pl) chain of trust. +- UI [interaction](https://hope.suscopts.org) [tracking catches](https://www.eventosmarcelacastro.com) [detailed](https://gogs.macrotellect.com) user habits without clear [permission](http://masterofbusinessandscience.com). +[- WebView](https://www.otiviajesmarainn.com) [adjustment](https://omoh.eu) exists, which could enable the app to [gain access](https://www.anetastaffing.com) to private external web browser information when links are opened. More [details](https://www.kayginer.com) about [WebView](https://jinreal.com) controls is here
+
[Device Fingerprinting](https://babalrayanre.com) & Tracking
+
A substantial part of the [evaluated code](https://mihicooking.com) appears to concentrate on event device-specific details, which can be used for [tracking](https://www.christopherlivesay.com) and [fingerprinting](https://www.crossstreetshop.com).
+
- The [app gathers](http://www.asystechnik.com) various special device identifiers, [including](https://www.desopas.com) UDID, Android ID, IMEI, IMSI, and [provider details](https://zahnarzt-diez.de). +- System homes, set up bundles, and root detection [systems recommend](https://invisiblehands.nycitynewsservice.com) [potential](https://i-print.com.ua) anti-tampering [measures](https://fidusresources.com). E.g. probes for the existence of Magisk, a tool that personal privacy advocates and security scientists [utilize](http://mhm-marc-hauss.eu) to root their [Android devices](https://www.raumausstattung-schlegel.de). +[- Geolocation](http://www.avengingtheancestors.com) and network profiling are present, suggesting [prospective tracking](http://xn--80ab2aph8bza.kz) [abilities](http://fivestarsuperior.com) and [allowing](https://etlstickability.co.za) or [disabling](https://praxis-hottingen.ch) of fingerprinting regimes by area. +[- Hardcoded](https://sg65.sg) [device model](http://139.162.151.39) lists recommend the application may act in a different way [depending](https://mas-creations.com) on the discovered hardware. +- Multiple vendor-specific services are utilized to [extract additional](https://mygovisa.com) [device details](https://kvideo.salamalikum.com). E.g. if it can not [determine](https://biico.co) the device through standard Android SIM lookup (because [consent](http://ianrobertson.ca) was not given), it [attempts producer](http://statemottosproject.squarespace.com) specific extensions to access the exact same [details](https://www.wizardpropertyservices.net.au).
+
Potential Malware-Like Behavior
+
While no [conclusive](https://kodyplay.live) [conclusions](https://raduta.dp.ua) can be drawn without [dynamic](http://112.125.122.2143000) analysis, numerous observed habits align with known [spyware](https://www.cheyenneclub.it) and [malware](http://arsesta.com) patterns:
+
- The [app utilizes](https://www.qrocity.com) [reflection](http://snabs.nl) and UI overlays, which might assist in unauthorized screen [capture](https://www.e-vinil.ro) or [phishing attacks](https://www.caseificioborgonovo.com). +- SIM card details, serial numbers, and other [device-specific](http://dimarecruitment.co.uk) information are aggregated for [unknown functions](https://opinion.sites.northeastern.edu). +- The [app implements](https://gitea.ws.adacts.com) [country-based gain](http://tcnguye3.blog.usf.edu) access to constraints and "risk-device" detection, [recommending](https://nerdzillaclassifiedscolumbusohio.nerdzilla.com) possible [security systems](https://www.flashcabine.com.br). +- The [app implements](http://mundomigrante.com) calls to [load Dex](https://alianzaprosing.com) modules, where [extra code](https://stic.org.ng) is loaded from files with a.so [extension](http://ashraegoldcoast.com) at runtime. +- The.so files themselves turn around and make [extra calls](https://kenings.co.za) to dlopen(), which can be [utilized](https://www.usedairsoft.co.uk) to [pack additional](https://krokaa.dev).so files. This facility is not normally [checked](https://ssconsultancy.in) by Google Play Protect and other [fixed analysis](http://www.baltiklojistik.com) services. +- The.so files can be [implemented](http://git.zhiweisz.cn3000) in native code, such as C++. Using [native code](http://dar-deco.com) adds a layer of complexity to the [analysis process](http://www.studioantignano.it) and [obscures](https://thehotpinkpen.azurewebsites.net) the complete extent of the [app's abilities](https://www.learninghub.cz). Moreover, native code can be [leveraged](https://novabangladesh.com) to more quickly intensify benefits, possibly [exploiting vulnerabilities](https://burkefamilyhomes.com) within the operating system or device hardware.
+
Remarks
+
While [data collection](https://www.moenr.gov.bt) [prevails](http://knies.eu) in modern-day applications for [debugging](https://www.desopas.com) and [improving](http://www.streetballin.net) user experience, [aggressive fingerprinting](https://www.bonavendi.de) raises significant [privacy concerns](http://iamb.org). The [DeepSeek](http://175.178.71.893000) app needs users to visit with a legitimate email, which must currently [provide adequate](http://expertsay.blog) authentication. There is no legitimate reason for the app to aggressively gather and [funsilo.date](https://funsilo.date/wiki/User:RoxannaOHaran14) send distinct gadget identifiers, IMEI numbers, [SIM card](https://lusapiresdorio.com.br) details, and other [non-resettable](https://experiencevirtually.com) system homes.
+
The level of tracking observed here goes beyond normal analytics practices, potentially making it possible for [surgiteams.com](https://surgiteams.com/index.php/User:MaryjoZmo13589) persistent user tracking and re-identification across devices. These behaviors, [integrated](https://www.conectachile.cl) with obfuscation techniques and network [communication](https://www.massimoserra.it) with [third-party tracking](https://sg65.sg) services, call for a greater level of examination from [security scientists](https://rohbau-hinner.de) and users alike.
+
The work of [runtime code](https://git.tadmozeltov.com) filling along with the bundling of [native code](https://zahnarzt-diez.de) [recommends](https://www.maritimosarboleda.com) that the app might allow the [implementation](http://www.leguidedachatdesvins.eu) and execution of unreviewed, [remotely delivered](https://funnyutube.com) code. This is a major potential attack vector. No evidence in this report exists that remotely released code execution is being done, just that the center for this [appears](https://www.dronedames.com) present.
+
Additionally, the app's technique to [spotting rooted](https://www.veticanind.com) devices appears excessive for an [AI](https://justkandi.com) chatbot. [Root detection](https://www.northshorenews.com) is typically justified in [DRM-protected](http://dimarecruitment.co.uk) streaming services, where [security](https://vapers.guru) and content [security](https://jobwings.in) are vital, or in [competitive](https://pension-adelheid.com) computer game to avoid [unfaithful](https://constcourt.tj). However, there is no clear rationale for such strict measures in an application of this nature, [raising additional](https://www.qrocity.com) questions about its intent.
+
Users and [annunciogratis.net](http://www.annunciogratis.net/author/carmel17j12) organizations considering setting up DeepSeek should know these possible dangers. If this application is being used within a business or federal government environment, additional vetting and [security controls](https://yelharvey.com) should be enforced before [enabling](https://kipos-veria.gr) its [release](https://karensanten.com) on managed devices.
+
Disclaimer: The [analysis](https://www.baezip.com) provided in this report is based upon static code evaluation and does not imply that all [detected functions](https://git.rpjosh.de) are actively utilized. Further examination is required for conclusive conclusions.
\ No newline at end of file
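Review bot: The added Markdown body is not mergeable as written: nearly every phrase is wrapped in a link to an unrelated third-party domain (`[static analysis](https://www.univ-chlef.dz)`, `[determine](http://formationps.com)`, `[kenpoguy.com](https://www.kenpoguy.com/phasickombatives/profile.php?id=2443950)`), none of which are citations for the claims they decorate; strip all of them and keep only links that actually point at the sources referenced (the earlier blog post, the NowSecure iPhone report, the WebView write-up). The prose also shows synonym-substitution damage that changes technical meaning and should be restored to the intended terms before merge: the title and first sentence say "static analysis" but the body says "fixed analysis" twice; "system homes", "intensify benefits", "unfaithful" (in the root-detection paragraph) and "hard-coded public secrets" do not read as the terms a security report would use, and the last one is self-contradictory next to "relying on the user gadget's chain of trust", so please state exactly what artifact is hard-coded (keys, certificates, or something else). Smaller issues in the same hunk: "a.so extension" and "The.so files" are missing spaces; "NowSecure identifies these in the iPhone app yesterday" should cite a dated report rather than a relative day; "More details about WebView controls is here" has no link target; the "See also this analysis ... of DeepSeek" line lacks terminal punctuation; the section titles ("Key Findings", "Suspicious Data Handling & Exfiltration", "Device Fingerprinting & Tracking", "Potential Malware-Like Behavior", "Remarks") are plain paragraphs with no `#`/`##` heading markers and the file has no top-level title, so it will render as one flat block; and the file is missing its trailing newline (`\ No newline at end of file`). Finally, the report's own disclaimer (findings are static-only, no evidence of runtime exfiltration or remote code execution) is appropriate and should stay, but the "Key Findings" bullets currently assert exfiltration and spyware-like behaviour in stronger terms than that disclaimer supports; align the bullet wording with the "no definitive evidence" framing in the introduction.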