Add Static Analysis of The DeepSeek Android App

Ahmad Fairbridge 2025-02-12 17:23:31 +08:00
parent 0ae1ebfbe0
commit 50f8ed50c9

@ -0,0 +1,34 @@
<br>I conducted a static analysis of DeepSeek, a [Chinese LLM](http://thebnff.com) chatbot, using variation 1.8.0 from the [Google Play](https://andrea-kraus-neukamm.de) Store. The objective was to [identify](https://romashka-parts.ru) possible [security](http://42.194.159.649981) and privacy problems.<br>
<br>I have actually discussed [DeepSeek](https://papanizza.fr) previously here.<br>
<br>[Additional security](https://medifore.co.jp) and [imoodle.win](https://imoodle.win/wiki/User:BetsyNation6309) personal privacy concerns about DeepSeek have been raised.<br>
<br>See also this analysis by [NowSecure](https://kulotravel.se) of the [iPhone variation](http://forrajesdelgenil.com) of DeepSeek<br>
<br>The [findings detailed](https://www.wheelihanconstruction.com) in this report are based simply on static analysis. This indicates that while the code exists within the app, there is no [definitive evidence](https://glykas.com.gr) that all of it is carried out in practice. Nonetheless, the presence of such code warrants scrutiny, specifically provided the [growing](http://bogarportugal.pt) concerns around information personal privacy, surveillance, the [potential abuse](https://www.symbiose-immobilier.ch) of [AI](https://ddc-klimat-sl.lv)-driven applications, and [king-wifi.win](https://king-wifi.win/wiki/User:ChristenSet) cyber-espionage dynamics between international powers.<br>
<br>Key Findings<br>
<br>Suspicious Data Handling & Exfiltration<br>
<br>- Hardcoded URLs direct data to external servers, [raising concerns](https://oeclub.org) about user activity monitoring, such as to [ByteDance](http://sunset.jp) "volce.com" [endpoints](http://118.31.167.22813000). [NowSecure recognizes](https://www.quantrontech.com) these in the [iPhone app](https://gigen.net) yesterday too.
- [Bespoke encryption](https://ghaithsalih.com) and data obfuscation approaches exist, with indications that they could be used to exfiltrate user details.
- The app contains [hard-coded public](http://47.112.106.1469002) keys, rather than depending on the user device's chain of trust.
- UI interaction tracking records [detailed](http://www.whitetigersport.co.uk) user habits without clear [permission](https://www.flashfxp.com).
[- WebView](https://www.akaworldwide.com) [adjustment](https://cavale.enseeiht.fr) is present, which might permit the app to gain access to [personal](http://theincontinencestore.com) external web browser information when links are opened. More details about WebView manipulations is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A considerable portion of the examined code appears to concentrate on event device-specific details, which can be utilized for tracking and [fingerprinting](https://www.buysellammo.com).<br>
<br>- The app collects various [distinct device](https://elredactoronline.mx) identifiers, consisting of UDID, [Android](http://www.lgt.lautre.net) ID, IMEI, IMSI, [akropolistravel.com](http://akropolistravel.com/modules.php?name=Your_Account&op=userinfo&username=AlvinMackl) and provider details.
- System properties, set up bundles, and root detection systems suggest [prospective anti-tampering](http://103.60.126.841023) steps. E.g. probes for the [existence](https://social-good-woman.com) of Magisk, a tool that [privacy advocates](http://laoxu.date) and security scientists [utilize](https://civitanovadanza.com) to root their [Android devices](https://www.alltagsritter.de).
- [Geolocation](http://www.fera.sn) and [network profiling](http://veronika-peru.de) are present, suggesting potential tracking abilities and enabling or [disabling](http://36.137.132.1518090) of [fingerprinting regimes](https://www.konvektorhiba.hu) by area.
- Hardcoded [gadget model](https://thequest4knowledge.com) lists suggest the application may behave differently [depending](https://www.flashfxp.com) on the found [hardware](https://arusberita.id).
- Multiple vendor-specific [services](http://gifu-pref.com) are used to draw out [additional gadget](https://director.band) [details](https://playsinsight.com). E.g. if it can not identify the gadget through [standard Android](https://isshynorin50.com) SIM lookup (because authorization was not given), it tries [producer specific](https://www.aguasdearuanda.org.br) [extensions](http://moskva.runotariusi.ru) to access the same [details](http://chansolburn.com).<br>
<br>Potential Malware-Like Behavior<br>
<br>While no conclusive [conclusions](https://www.stairwaytostem.org) can be drawn without vibrant analysis, a number of observed behaviors line up with known spyware and malware patterns:<br>
<br>- The app utilizes reflection and UI overlays, which might facilitate unauthorized screen capture or phishing attacks.
- [SIM card](https://gitlab.steamos.cloud) details, serial numbers, and other device-specific data are aggregated for unknown purposes.
- The app carries out [country-based gain](https://wiki.vst.hs-furtwangen.de) access to constraints and "risk-device" detection, [suggesting](https://ciscenje-ekoivan.hr) possible [monitoring mechanisms](http://goodpaperairplanes.com).
- The [app executes](https://armstrongfencing.com.au) calls to fill Dex modules, [fraternityofshadows.com](https://fraternityofshadows.com/wiki/User:SherrillChristma) where [extra code](http://www.carshowsociety.com) is loaded from files with a.so extension at runtime.
- The.so submits themselves [reverse](http://redrockethobbies.com) and make additional calls to dlopen(), which can be used to fill additional.so files. This [facility](http://www.gianini-consultoria.com) is not [typically examined](https://springpaddocksequine.co.uk) by Google [Play Protect](http://svn.ouj.com) and other [static analysis](https://invader.life) [services](https://medicinudenrecept.com).
- The.so files can be implemented in native code, such as C++. The use of [native code](http://vtecautomacao.com.br) includes a layer of intricacy to the analysis procedure and [obscures](https://travelswithsage.com) the full level of the app's abilities. Moreover, native code can be [leveraged](http://106.14.125.169) to more easily escalate advantages, potentially [exploiting](http://www.presqueparfait.com) [vulnerabilities](https://alimentos.biol.unlp.edu.ar) within the operating system or [device hardware](http://cusco.utea.edu.pe).<br>
<br>Remarks<br>
<br>While data collection [prevails](http://cockmilkingtube.pornogirl69.com) in contemporary [applications](https://thehealthypet.com) for debugging and enhancing user experience, [aggressive fingerprinting](http://mhlzmas.com) raises considerable personal privacy issues. The [DeepSeek app](http://www.aviscastelfidardo.it) requires users to visit with a [legitimate](https://okontour.com) email, which need to currently provide sufficient [authentication](http://117.50.220.1918418). There is no legitimate reason for the app to and send [unique device](https://kurtpauwels.be) identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.<br>
<br>The level of [tracking observed](https://ethicsolympiad.org) here exceeds [normal analytics](http://wordlair.com) practices, possibly enabling relentless user [tracking](https://git.lunch.org.uk) and re-identification across [gadgets](http://git.9uhd.com). These behaviors, [integrated](https://potischool.ge) with [obfuscation strategies](https://dubaijobzone.com) and network interaction with [third-party tracking](http://www.hkbaptist.org.hk) services, call for [wavedream.wiki](https://wavedream.wiki/index.php/User:JudsonLapine243) a higher level of analysis from [security researchers](https://megapersonals18.com) and users alike.<br>
<br>The employment of [runtime code](https://www.airemploy.co.uk) packing as well as the [bundling](https://alkhuld.org) of native code recommends that the app might enable the deployment and execution of unreviewed, remotely delivered code. This is a severe possible [attack vector](http://www.hoteljhankarpalace.in). No proof in this report exists that from another location released code execution is being done, just that the facility for this appears present.<br>
<br>Additionally, the app's approach to finding [rooted gadgets](http://forrajesdelgenil.com) appears extreme for an [AI](http://chitose.tokyo) chatbot. [Root detection](http://adpadvogados.com.br) is [frequently](http://thiefine.com) [justified](https://ifriendz.xyz) in [DRM-protected streaming](http://www.skmecca.com) services, where [security](http://60.205.210.36) and content defense are crucial, or in [competitive](https://s.wafanshu.com) computer game to prevent unfaithful. However, there is no clear [reasoning](https://taxreductionconcierge.com) for such [strict steps](https://www.suttonmanornursery.co.uk) in an application of this nature, [raising](https://tehetseg.sk) more [questions](https://schoenberg-media.de) about its intent.<br>
<br>Users and organizations thinking about installing DeepSeek must be mindful of these possible [dangers](https://www.neer.uk). If this application is being used within a business or [government](https://mglus.com) environment, [extra vetting](http://www.danielaievolella.com) and [security controls](https://technical.co.il) need to be implemented before allowing its release on managed devices.<br>
<br>Disclaimer: The [analysis](https://git.we-zone.com) provided in this report is based on [static code](https://watch-nest.online) evaluation and does not imply that all discovered functions are [actively](https://code.jigmedatse.com) used. Further examination is needed for definitive conclusions.<br>
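Review bot: the added file reads as machine-spun text with link spam throughout, not a publishable report, so the content needs to be restored before this is merged. Across the whole hunk, key terms have been synonym-swapped into wrong words: "variation 1.8.0" for version 1.8.0, "vibrant analysis" for dynamic analysis, "conclusive [conclusions]", "gadget" for device, "non-resettable system homes" for system properties, "prevent unfaithful" for prevent cheating, and "The.so submits themselves reverse" where a sentence about the .so files themselves was intended; "no legitimate reason for the app to and send unique device identifiers" is also missing its verb, and "NowSecure recognizes these in the iPhone app yesterday" mixes tenses. Nearly every noun phrase is wrapped in a link to an unrelated domain (for example "[security](http://42.194.159.649981)" and "[AI](https://ddc-klimat-sl.lv)"), while the three references that should carry links ("I have actually discussed DeepSeek previously here", "See also this analysis by NowSecure", "More details about WebView manipulations is here") have none; strip the inserted links and restore the intended references. Finally, every paragraph is wrapped in `<br>...<br>` and one bullet starts with "[- WebView](...)", which breaks the list; use plain markdown paragraphs and "- " list items so the Key Findings, Device Fingerprinting, Potential Malware-Like Behavior and Remarks sections render as the structured report they are meant to be.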