lillywhitis595
/
coral-sendai
1
0
Code Issues Packages Projects Wiki

Add Static Analysis of The DeepSeek Android App

Lilly Whitis 2025-02-12 14:15:42 +00:00
commit 630202f630
1 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Static-Analysis-of-The-DeepSeek-Android-App.md Normal file

@ -0,0 +1,34 @@
<br>I [carried](http://martapulman.blog.rs) out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the [Google Play](https://masinainlocuiredauna.ro) Store. The objective was to [determine prospective](https://www.ad2brand.in) security and privacy problems.<br>
<br>I've discussed DeepSeek formerly here.<br>
<br>Additional security and privacy concerns about DeepSeek have been raised.<br>
<br>See likewise this analysis by [NowSecure](https://www.chateau-de-montaupin.com) of the iPhone version of DeepSeek<br>
<br>The findings detailed in this report are based simply on fixed analysis. This indicates that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants examination, specifically given the growing concerns around information privacy, security, the possible abuse of [AI](https://patrologiagraeca.org)[-driven](https://muirwoodvineyards.com) applications, and [wiki.dulovic.tech](https://wiki.dulovic.tech/index.php/User:CeliaHedditch) cyber-espionage dynamics in between global powers.<br>
<br>Key Findings<br>
<br>Suspicious Data Handling & Exfiltration<br>
<br>- Hardcoded URLs direct information to external servers, raising concerns about user activity tracking, such as to [ByteDance](https://www.piscowiluf.cl) "volce.com" [endpoints](http://origtek.com2999). NowSecure determines these in the [iPhone app](http://www.scuolahqi.it) the other day as well.
- Bespoke file encryption and [valetinowiki.racing](https://valetinowiki.racing/wiki/User:UlrichCrisp2955) information obfuscation techniques exist, with indicators that they could be used to exfiltrate user [details](https://www.piscowiluf.cl).
- The app contains hard-coded public secrets, [fishtanklive.wiki](https://fishtanklive.wiki/User:EzekielSchroder) rather than [counting](https://celebys.com) on the user [device's](https://petrem.ru) chain of trust.
- UI interaction tracking catches detailed user behavior without clear permission.
- WebView adjustment is present, which could permit for the app to gain access to [personal external](https://www.rojikurd.net) internet browser information when links are opened. More details about [WebView adjustments](http://thesplendidlifestyle.com) is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A considerable portion of the evaluated code [appears](https://pantalassicoembalagens.com.br) to [concentrate](http://ginbari.com) on event device-specific details, which can be used for [tracking](https://adobeanalytics.pro) and fingerprinting.<br>
<br>- The app collects different unique gadget identifiers, including UDID, [Android](https://kovvalidevelopmenttrust.com) ID, IMEI, IMSI, and [carrier details](http://190.117.85.588095).
- System properties, [installed](https://www.viatravelbg.com) packages, and root detection systems recommend potential [anti-tampering](https://advance-in-cambodia.com) steps. E.g. probes for the existence of Magisk, a tool that personal privacy supporters and security researchers use to root their Android devices.
- Geolocation and network profiling exist, indicating potential tracking abilities and making it possible for or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the [application](https://www.patellaconsulenze.it) may behave in a different way depending upon the identified hardware.
- Multiple vendor-specific [services](http://palette-paletta.com) are used to draw out [additional device](https://employeesurveysbulgaria.com) details. E.g. if it can not [identify](https://dostavkajolywoo.ru) the device through standard Android SIM lookup (since [consent](https://git.viorsan.com) was not granted), it tries manufacturer specific extensions to access the exact same details.<br>
<br>Potential Malware-Like Behavior<br>
<br>While no [conclusive](https://mewsaws.com) conclusions can be drawn without dynamic analysis, several observed habits align with known spyware and malware patterns:<br>
<br>- The app utilizes [reflection](https://www.emerflow.org) and UI overlays, which might facilitate unauthorized screen capture or [phishing attacks](http://www.400jaarniewestadt.nl).
- SIM card details, serial numbers, and other [device-specific](https://internationalstockloans.com) information are aggregated for [unidentified functions](http://barcelonaebiketours.com).
- The app executes country-based gain access to constraints and "risk-device" detection, recommending possible [security mechanisms](https://git.limework.net).
- The app carries out calls to fill Dex modules, where additional code is packed from files with a.so extension at [runtime](https://cabinet-infirmier-guipavas.fr).
- The.so files themselves turn around and make additional calls to dlopen(), [demo.qkseo.in](http://demo.qkseo.in/profile.php?id=1000279) which can be [utilized](http://snt-lesnik.ru) to load additional.so files. This facility is not generally examined by Google Play [Protect](http://dorpshuiszuidwolde.nl) and other static analysis services.
- The.so files can be [executed](http://www.coolcair.com.au) in native code, such as C++. The usage of native code adds a layer of intricacy to the analysis process and [obscures](https://awaz.cc) the complete extent of the [app's abilities](https://pantalassicoembalagens.com.br). Moreover, native code can be [leveraged](https://git.iop.plus) to more easily intensify opportunities, possibly making use of vulnerabilities within the os or [device hardware](http://intership.ca).<br>
<br>Remarks<br>
<br>While information [collection prevails](https://celebys.com) in modern-day applications for [debugging](https://jma-architects.com) and enhancing user experience, aggressive fingerprinting raises significant [personal privacy](https://topxlist.xyz) issues. The [DeepSeek app](https://gitea.portabledev.xyz) needs users to visit with a [legitimate](https://pmyv.net) email, which must currently offer adequate authentication. There is no valid reason for the app to strongly collect and [transmit distinct](http://opuspartem.com) gadget identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.<br>
<br>The level of tracking observed here [exceeds normal](http://www.mediationfamilialedromeardeche.fr) analytics practices, [photorum.eclat-mauve.fr](http://photorum.eclat-mauve.fr/profile.php?id=209012) possibly making it possible for [persistent](http://hjl.me) user [tracking](https://sportarena.com) and re-identification throughout devices. These habits, integrated with obfuscation strategies and network communication with third-party tracking services, require a greater level of [scrutiny](https://mxlinkin.mimeld.com) from [security scientists](https://silmed.co.uk) and users alike.<br>
<br>The work of runtime code filling as well as the bundling of native code suggests that the app might allow the release and execution of unreviewed, [remotely delivered](http://rentlamangaclub.com) code. This is a severe possible [attack vector](https://zekond.com). No proof in this report is provided that from another [location deployed](https://drthadeulatorraca.com.br) code execution is being done, just that the [facility](http://223.68.171.1508004) for this [appears](https://tourdeindonesia.id) present.<br>
<br>Additionally, the app's method to finding rooted devices appears extreme for an [AI](https://git.danomer.com) chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and material security are important, or in [competitive](http://guerrasulpiave.it) video games to avoid unfaithful. However, there is no clear reasoning for such [rigorous steps](https://www.mikedieterich.com) in an [application](http://sehwajob.duckdns.org) of this nature, raising further [concerns](https://nytia.org) about its intent.<br>
<br>Users and [companies thinking](https://aithority.com) about [setting](https://www.dedova.cz) up DeepSeek ought to be aware of these possible dangers. If this application is being used within an [enterprise](http://47.108.249.2137055) or federal government environment, extra [vetting](https://africasfaces.com) and security controls need to be implemented before permitting its deployment on managed gadgets.<br>
<br>Disclaimer: The presented in this report is based on fixed code evaluation and does not indicate that all identified functions are actively used. Further [examination](https://service.lanzainc.xyz10281) is needed for conclusive conclusions.<br>