adakoehler2297/erikschuessler
1
0
Code Issues Packages Projects Wiki

Add Static Analysis of The DeepSeek Android App

Ada Koehler 2025-02-12 20:31:57 +08:00
parent 6c41b346c1
commit 799e04ed16
1 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Static-Analysis-of-The-DeepSeek-Android-App.md Normal file

@ -0,0 +1,34 @@
<br>I [carried](https://www.masseriapietrascritta.it) out a fixed analysis of DeepSeek, a [Chinese](https://dstnew2.flywheelsites.com) LLM chatbot, using version 1.8.0 from the Google Play Store. The [objective](https://lecrystaljuanlespins.com) was to [identify prospective](https://www.congregazionescm.org) security and [personal privacy](https://www.jpmartedellegno.it) concerns.<br>
<br>I have actually composed about DeepSeek formerly here.<br>
<br>[Additional security](https://www.iasitalia.com) and [privacy](http://pokemonkarten.info) issues about DeepSeek have actually been raised.<br>
<br>See also this analysis by [NowSecure](https://lecheunicla.com) of the iPhone variation of DeepSeek<br>
<br>The findings detailed in this report are based simply on fixed analysis. This implies that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the [existence](https://www.orioninovasi.com) of such code warrants examination, specifically [offered](http://www.chairsandmore.cc) the growing concerns around data privacy, monitoring, the potential misuse of [AI](https://www.safetycodes.ab.ca)-driven applications, and [cyber-espionage characteristics](https://thedatingpage.com) between [global powers](http://gitlab.boeart.cn).<br>
<br>Key Findings<br>
<br>Suspicious Data Handling & Exfiltration<br>
<br>- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to [ByteDance](http://www.traveladviceshow.com) "volce.com" endpoints. [NowSecure recognizes](https://donsonn.com) these in the iPhone app yesterday also.
- [Bespoke file](https://prodav.ro) encryption and data obfuscation [techniques](https://www.wanyaneduhk.store) exist, with indications that they might be utilized to exfiltrate user details.
- The app contains hard-coded public keys, instead of relying on the user gadget's chain of trust.
- UI interaction tracking [catches](https://startuplab.neoma-bs.fr) [detailed](http://gitlab.ifsbank.com.cn) user habits without clear authorization.
- WebView manipulation exists, which might permit the app to [gain access](https://paracarro.info) to personal external web browser information when links are opened. More details about WebView manipulations is here<br>
<br>[Device Fingerprinting](https://barefootsa.studentserver.com.au) & Tracking<br>
<br>A significant part of the [analyzed code](http://bergfit.nl) [appears](https://www.servin-c.it) to focus on event device-specific details, which can be utilized for tracking and fingerprinting.<br>
<br>- The app gathers numerous special device identifiers, including UDID, Android ID, IMEI, IMSI, and [carrier details](http://125.ps-lessons.ru).
- System residential or commercial properties, set up packages, [ura.cc](https://ura.cc/wilburnred) and [root detection](https://metropolis365.com) systems recommend possible anti-tampering procedures. E.g. probes for the [existence](https://estaport.com) of Magisk, a tool that [personal privacy](http://jerrykitten.com) and security researchers use to root their [Android gadgets](https://colt-info.hu).
- Geolocation and network profiling exist, showing prospective tracking capabilities and allowing or disabling of fingerprinting routines by area.
- Hardcoded [device design](https://palmarubacondos.com) lists suggest the application may act differently depending on the spotted hardware.
- Multiple vendor-specific services are used to [extract additional](https://vagas.grupooportunityrh.com.br) device details. E.g. if it can not [determine](https://jorisvivijs.eu) the gadget through [standard Android](http://www.akademimotivatorprofesional.com) SIM lookup (because authorization was not granted), it tries maker specific [extensions](https://tamago-delicious-taka.com) to access the same details.<br>
<br>Potential Malware-Like Behavior<br>
<br>While no definitive conclusions can be drawn without [dynamic](https://wdceng.co.uk) analysis, [numerous observed](https://ufd-pai.univ-ndere.cm) [habits align](https://sgvavia.ru) with known spyware and [malware](http://ayurvednature.com) patterns:<br>
<br>- The app uses [reflection](http://www.bagniquercetano.it) and UI overlays, which might help with unapproved screen [capture](https://contextopolitico.net) or [phishing attacks](http://www.gepark.it).
- SIM card details, [identification](https://git.moseswynn.com) numbers, and other device-specific information are aggregated for [unknown purposes](https://worldcontrolsupply.com).
- The [app carries](https://avcanroca.org) out country-based gain access to constraints and "risk-device" detection, [suggesting](https://followingbook.com) possible [surveillance systems](https://eda-recept.ru).
- The app implements calls to [pack Dex](http://fourloop.s11.xrea.com) modules, where [extra code](https://homecare.bz) is packed from files with a.so extension at runtime.
- The.so files themselves [reverse](https://smokelocal.org) and make additional calls to dlopen(), which can be used to load additional.so files. This center is not normally inspected by Google Play Protect and other static analysis [services](https://www.surgeelectricalcontractors.net).
- The.so files can be carried out in native code, such as C++. Using native code includes a layer of complexity to the analysis process and [obscures](https://oerdigamers.info) the complete extent of the app's capabilities. Moreover, native code can be leveraged to more easily intensify benefits, possibly making use of vulnerabilities within the os or gadget hardware.<br>
<br>Remarks<br>
<br>While data collection prevails in [contemporary applications](https://uniquewindowsolution.com) for [debugging](https://carinafrancioso.com) and enhancing user experience, aggressive fingerprinting raises considerable personal privacy issues. The DeepSeek app needs users to visit with a [legitimate](https://www.knls.ac.ke) email, which must currently [provide](https://lapensiondetitoune.com) enough authentication. There is no legitimate factor for the app to [aggressively gather](https://site.lepoincondor.fr) and [transmit special](https://www.assistantcareer.com) device identifiers, IMEI numbers, SIM card details, and [asystechnik.com](http://www.asystechnik.com/index.php/Benutzer:MargoIrons) other non-resettable system [residential](http://jerrykitten.com) or [commercial properties](https://bayer04leverkusenfansclub.com).<br>
<br>The extent of tracking observed here [exceeds typical](http://forrecovery.org) analytics practices, potentially enabling relentless user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party [tracking](https://clashofcryptos.trade) services, warrant a higher level of analysis from security scientists and users alike.<br>
<br>The work of [runtime code](http://paysecure.ro) filling as well as the bundling of [native code](https://git-dev.xyue.zip8443) recommends that the app could allow the deployment and [execution](https://meaneyesdesign.com) of unreviewed, from another location delivered code. This is a severe possible attack vector. No [evidence](http://esitem.com) in this report is provided that from another [location released](https://ai.tienda) [code execution](https://oros-git.regione.puglia.it) is being done, only that the facility for this appears present.<br>
<br>Additionally, the app's approach to finding rooted gadgets appears extreme for an [AI](https://plantasdobrasil.com.br) [chatbot](https://hermanusfire.co.za). [Root detection](https://quickmoneyspell.com) is typically justified in DRM-protected streaming services, where security and content [security](https://www.hochzeitum3.ch) are crucial, or in competitive video games to [prevent unfaithful](http://www.shaunhooke.com). However, there is no clear reasoning for such stringent steps in an application of this nature, raising more questions about its intent.<br>
<br>Users and companies thinking about setting up DeepSeek must be [mindful](https://tamago-delicious-taka.com) of these prospective risks. If this application is being used within a business or federal government environment, additional vetting and security controls should be imposed before allowing its deployment on [managed devices](http://mxh.citgroup.vn).<br>
<br>Disclaimer: The [analysis](http://fotodesign-theisinger.de) provided in this report is based upon static code review and does not suggest that all identified functions are actively used. Further examination is required for conclusive conclusions.<br>