Add Static Analysis of The DeepSeek Android App

Adam Roussel 2025-02-12 19:32:33 +00:00
parent ebde8b6ea9
commit 66326c90ea
1 changed file with 34 additions and 0 deletions

@ -0,0 +1,34 @@
<br>I performed a fixed analysis of DeepSeek, [securityholes.science](https://securityholes.science/wiki/User:BeatrizSweatt81) a [Chinese LLM](http://www.snsgroupsa.co.za) chatbot, [utilizing](http://gaestebuch.asvbe.de) variation 1.8.0 from the Google Play Store. The [objective](https://atlasenhematologia.com) was to determine potential security and personal privacy issues.<br>
<br>I have actually [composed](https://quicklancer.bylancer.com) about DeepSeek previously here.<br>
<br>[Additional security](http://git.mutouyun.com3005) and personal [privacy issues](https://www.isar-personal.de) about [DeepSeek](https://blueskiathos.com) have been raised.<br>
<br>See likewise this [analysis](https://spektr-m.com.ua) by [NowSecure](https://leegrabelmagic.com) of the iPhone variation of DeepSeek<br>
<br>The [findings](http://blog.moniquecovet.eu) [detailed](https://magikos.sk) in this report are based simply on [fixed analysis](https://bocaiw.in.net). This means that while the code exists within the app, there is no [definitive proof](https://stalker-gsc.ucoz.ua) that all of it is carried out in practice. Nonetheless, the existence of such [code warrants](https://universallearningacademy.com) scrutiny, particularly offered the [growing concerns](https://scottsdaledentalarts.com) around [data personal](http://strikez.awardspace.info) privacy, security, the [prospective](https://innovativesupplycorp.com) misuse of [AI](https://www.og-allgemeinerhof.ch)[-driven](https://vipleseni.cz) applications, and cyber-espionage characteristics in between [global powers](http://versteckdichnicht.de).<br>
<br>Key Findings<br>
<br>Suspicious Data [Handling](http://415.is) & Exfiltration<br>
<br>[- Hardcoded](https://experimentalgentleman.com) URLs direct information to external servers, raising issues about user [activity](https://www.chinacurated.com) monitoring, such as to ByteDance "volce.com" [endpoints](http://shinjokaihatu.sakura.ne.jp). NowSecure determines these in the iPhone app the other day too.
[- Bespoke](https://harvest615keto.com) file [encryption](https://qflirt.net) and [data obfuscation](https://necvbreps.com) approaches exist, with signs that they could be used to [exfiltrate](https://gatbois.fr) user [details](http://www.divento.nl).
- The app contains [hard-coded public](https://englishfunclub.pl) secrets, rather than [relying](https://athleticbilbaofansclub.com) on the user [device's chain](http://katalog-strony24.pl) of trust.
- UI interaction [tracking records](https://graficmaster.com) detailed user [behavior](https://nailcottage.net) without clear [consent](http://forup.us).
[- WebView](http://bouwbedrijfleiderdorp.nl) [control](http://jinhon-info.com.tw3000) exists, which might permit the app to [gain access](http://140.82.32.174) to personal external [browser](http://hertfordshirewomenshealth.co.uk) information when links are opened. More details about WebView manipulations is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A significant [portion](https://hanhnguyenphotography.com) of the [analyzed code](https://www.getglam.co.za) to focus on event device-specific details, which can be [utilized](https://test.neorubin.com) for [tracking](https://www.gorkana.com) and [fingerprinting](http://kawajun.biz).<br>
<br>- The [app collects](https://www.martinfurniturestore.com) various [special device](https://rempla.net) identifiers, [including](https://www.ignitionadvertising.com) UDID, [Android](https://africachinareview.com) ID, IMEI, [wiki.vst.hs-furtwangen.de](https://wiki.vst.hs-furtwangen.de/wiki/User:Hermelinda4146) IMSI, and [provider details](https://thestylehitch.com).
- System [residential](https://madhavuniversity.edu.in) or [commercial](https://arghealthcare.info) properties, set up packages, and [root detection](https://www.la-ferme-du-pourpray.fr) [mechanisms](https://talento50zaragoza.com) suggest possible [anti-tampering measures](http://www.oksiding.co.kr). E.g. probes for the [presence](https://gitea.scalz.cloud) of Magisk, a tool that [privacy advocates](https://sigmaphiepsilonindianatech.dynamic.omegafi.com) and [security scientists](https://aljern.com) use to root their [Android devices](https://agriturismolavecchiastalla.it).
- [Geolocation](http://www.c-n-s.co.kr) and network profiling are present, [suggesting](https://athreebo.tv) potential tracking abilities and [enabling](https://healthcarestaff.org) or disabling of [fingerprinting routines](https://persiankittencat.com) by area.
- Hardcoded gadget [model lists](https://opennewsportal.com) suggest the [application](http://www.gaeulstudio.com) might behave differently [depending](http://prorental.sk) upon the found [hardware](https://luckiestgamblers.com).
[- Multiple](https://kremlin-diet.ru) [vendor-specific](https://maibachpoems.us) [services](https://lachasubledebasket.fr) are [utilized](http://tourismagency.ir) to draw out [extra gadget](http://8.138.26.2203000) [details](https://gitlab.vog.media). E.g. if it can not figure out the device through [standard Android](https://careers.mycareconcierge.com) SIM lookup (since [approval](http://xystence.com) was not granted), it attempts producer [specific](https://zenithgrs.com) [extensions](https://www.emip.mg) to access the very same details.<br>
<br>[Potential Malware-Like](https://anthonymartialclub.com) Behavior<br>
<br>While no [definitive conclusions](https://x-ternal.es) can be drawn without dynamic analysis, numerous observed [behaviors align](https://www.haccp1.com) with known [spyware](https://www.plivamed.net) and [malware](https://aufildesrealisations.ch) patterns:<br>
<br>- The app utilizes [reflection](https://www.dopeproduction.sk) and UI overlays, which might help with [unauthorized screen](https://lacos.uniriotec.br) [capture](http://osterhustimes.com) or phishing attacks.
- [SIM card](http://rendart-dev.pl) details, serial numbers, and other [device-specific](https://fromscratchbakehouse.com) information are [aggregated](https://vipleseni.cz) for [unknown purposes](https://e785s8hz.micpn.com).
- The [app executes](https://ayandahsaz.blogsky.com) [country-based](https://spektr-m.com.ua) [gain access](https://vemser.republicanos10.org.br) to [constraints](http://www.impresasusy.com) and "risk-device" detection, [suggesting](https://kaurvalues.com) possible [security mechanisms](https://gitlab.vog.media).
- The [app executes](https://www.fivetechblog.co.uk) calls to [load Dex](https://designconceptsbymarie.com) modules, where [additional code](https://www2.supsi.ch) is filled from files with a.so [extension](https://git.lunch.org.uk) at [runtime](https://cedricdaveine.fr).
- The.so files themselves turn around and make extra calls to dlopen(), which can be used to pack [additional](https://activitypub.software).so files. This facility is not usually [examined](https://espanology.com) by [Google Play](http://www.xn--he5bi2aboq18a.com) [Protect](https://git.dev-webdevep.ru) and other [static analysis](http://nar-anon.se) [services](http://nar-anon.se).
- The.so files can be [executed](http://sumatra.ranga.de) in native code, such as C++. Making use of native code adds a layer of complexity to the analysis procedure and [obscures](https://corerecruitingroup.com) the full extent of the [app's capabilities](https://espanology.com). Moreover, native code can be [leveraged](https://organicguide.ru) to more quickly [escalate](http://123.206.9.273000) privileges, [library.kemu.ac.ke](https://library.kemu.ac.ke/kemuwiki/index.php/User:JanellJ5898294) potentially [exploiting vulnerabilities](http://www.cloudmeeting.pl) within the [operating](https://bocaiw.in.net) system or [device hardware](https://nookipedia.com).<br>
<br>Remarks<br>
<br>While data collection [prevails](https://www.acasadibarbara.com) in [contemporary applications](https://woodsrunners.com) for [debugging](http://forup.us) and [enhancing](http://nar-anon.se) user experience, [aggressive fingerprinting](http://xn--80azqa9c.xn--p1ai) raises significant [privacy concerns](https://listhrive.com). The [DeepSeek](http://8.138.26.2203000) app needs users to log in with a valid email, which must already [provide](https://nailcottage.net) enough authentication. There is no [valid factor](http://xn--kchenmesser-kaufen-m6b.de) for the app to [aggressively gather](https://opalkratom.com) and [transmit](http://forum.infonzplus.net) [distinct device](http://online2021.journalism.co.za) identifiers, IMEI numbers, [SIM card](http://git.fmode.cn3000) details, and other [non-resettable](https://ironbacksoftware.com) system [properties](https://graficmaster.com).<br>
<br>The degree of [tracking observed](https://cctvm.co.kr) here exceeds normal analytics practices, possibly making it possible for [persistent](https://lenkagrundmanova.com) user [tracking](https://personal.spaces.one) and re-identification throughout [gadgets](https://cert-interpreting.com). These habits, [integrated](https://www.recruit-vet.co.uk) with obfuscation techniques and network interaction with [third-party tracking](https://dominoservicedogs.com) services, [necessitate](https://git.bubblesthebunny.com) a higher level of [analysis](https://bethelva.com) from [security scientists](https://verduurzaamlening.nl) and users alike.<br>
<br>The employment of [runtime code](https://www.uaehire.com) [packing](https://athleticbilbaofansclub.com) as well as the [bundling](http://13.209.39.13932421) of [native code](http://xystence.com) [suggests](https://one2train.net) that the app might enable the [implementation](https://www.dat-set.com) and [execution](https://www.gbelettronica.com) of unreviewed, [remotely delivered](http://ourmcevoyfamily.org) code. This is a serious [potential attack](https://vemser.republicanos10.org.br) vector. No proof in this [report exists](https://ruofei.vip) that from another [location deployed](http://pathologicaltyer.com) code [execution](https://frmbad.ma) is being done, just that the center for this [appears](https://git.tgrc.dev) present.<br>
<br>Additionally, the app's method to finding rooted devices [appears extreme](https://good-find.org) for an [AI](https://www.edwardholzel.nl) [chatbot](https://vieclam.tuoitrethaibinh.vn). Root detection is [typically warranted](https://inputmedia.com.br) in [DRM-protected](https://nofox.ru) [streaming](https://www.talentiinrete.it) services, where [security](http://www.paramountsolutions.com.sg) and content security are important, or [asteroidsathome.net](https://asteroidsathome.net/boinc/view_profile.php?userid=762676) in [competitive](https://maestradalimonte.com) computer game to [prevent unfaithful](https://walsallads.co.uk). However, there is no clear [reasoning](https://fysol.com.br) for such strict steps in an [application](http://xn--910b65k35c6th81c6xf12b0ng64j.com) of this nature, raising further [concerns](https://git.yharnam.xyz) about its intent.<br>
<br>Users and [companies thinking](https://leonarto.de) about setting up [DeepSeek](https://mangacr.com) ought to understand these [potential dangers](https://chosenflex.com). If this [application](https://akademiaedukacyjna.com.pl) is being used within a [business](http://www.staredit.net) or federal government environment, [extra vetting](http://xn--34-6kcxl3ab5k.xn--p1ai) and security controls ought to be [imposed](https://git.purplepanda.cc) before [allowing](https://rangtarang.ir) its [deployment](https://www.worlddiary.co) on [managed devices](https://www.studenten-fiets.nl).<br>
<br>Disclaimer: The [analysis](https://www.megastaragency.com) presented in this report is based upon static code [evaluation](https://czpr.me) and does not suggest that all discovered functions are [actively](https://necvbreps.com) [utilized](http://1.94.27.2333000). Further investigation is needed for [definitive conclusions](https://ksp-11april.org.rs).<br>
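Review bot: the added file is committed as spun, link-spammed copy rather than a clean report, which undermines every technical claim in it: nearly every noun phrase is wrapped in a markdown link to an unrelated domain (e.g. `[fixed analysis](https://bocaiw.in.net)`, `[Android devices](https://agriturismolavecchiastalla.it)`), each paragraph is wrapped in `<br>` tags instead of using blank lines and headings for "Key Findings", "Device Fingerprinting & Tracking", "Potential Malware-Like Behavior" and "Remarks", and the wording has been synonym-substituted ("fixed analysis" for static analysis, "variation 1.8.0" for version 1.8.0, "gadget" for device, "prevent unfaithful" for prevent cheating, "from another location deployed code" for remotely deployed code). Suggest recommitting the plain text with the original terminology and no external links. Two findings also need correcting before they can be relied on: "hard-coded public secrets, rather than relying on the user device's chain of trust" describes certificate pinning and should read "public keys", and the Dex-loading bullet says the extra code is loaded "from files with a.so extension", which conflates Dex modules with native `.so` libraries and should state which of the two the code actually loads. Finally, the hunk header `@ -0,0 +1,34 @@` is missing its leading `@`, so the diff will not apply as-is.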