From f93b4e53e685d48ac8723fed5d5a6ce19d6c1163 Mon Sep 17 00:00:00 2001 From: Adrianne Foveaux Date: Wed, 12 Feb 2025 12:11:22 +0100 Subject: [PATCH] Add Static Analysis of The DeepSeek Android App --- ...ic-Analysis-of-The-DeepSeek-Android-App.md | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Static-Analysis-of-The-DeepSeek-Android-App.md diff --git a/Static-Analysis-of-The-DeepSeek-Android-App.md b/Static-Analysis-of-The-DeepSeek-Android-App.md new file mode 100644 index 0000000..1d37e71 --- /dev/null +++ b/Static-Analysis-of-The-DeepSeek-Android-App.md @@ -0,0 +1,34 @@ +
I performed a static analysis of DeepSeek, a [Chinese](https://skubi-du.online) LLM chatbot, [gratisafhalen.be](https://gratisafhalen.be/author/lowellmcgah/) using variation 1.8.0 from the [Google Play](https://rajigaf.com) Store. The goal was to determine potential security and personal privacy issues.
+
I have actually discussed DeepSeek previously here.
+
Additional security and personal privacy issues about DeepSeek have actually been raised.
+
See likewise this analysis by [NowSecure](https://mekasa.it) of the iPhone version of DeepSeek
+
The findings detailed in this report are based purely on static analysis. This indicates that while the [code exists](https://shop.alwaysreview.com) within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants analysis, particularly given the [growing concerns](http://l-con.com.au) around data personal privacy, security, the potential misuse of [AI](https://kadiramac.com)-driven applications, and [cyber-espionage dynamics](https://krazzykross.com) in between global powers.
+
Key Findings
+
Suspicious Data Handling & Exfiltration
+
- Hardcoded URLs direct information to external servers, raising issues about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the [iPhone app](https://metagirlontheroad.com) the other day too. +- Bespoke encryption and information [obfuscation techniques](https://schanwoo.com) exist, with signs that they could be utilized to exfiltrate user details. +- The app contains hard-coded public secrets, instead of depending on the user gadget's chain of trust. +- UI interaction tracking catches detailed user behavior without clear consent. +- WebView manipulation exists, which could permit the app to gain access to personal external browser data when links are opened. More details about WebView controls is here
+
Device Fingerprinting & Tracking
+
A significant part of the examined code appears to focus on [gathering device-specific](https://tagshag.com) details, which can be used for [tracking](http://114.115.138.988900) and fingerprinting.
+
- The different unique device identifiers, including UDID, Android ID, IMEI, IMSI, and [carrier details](https://yapimtarunaseirotan.sch.id). +- System homes, set up plans, and [forum.altaycoins.com](http://forum.altaycoins.com/profile.php?id=1070268) root detection mechanisms recommend [prospective](https://sel-in-re.com) [anti-tampering procedures](http://120.77.221.1993000). E.g. probes for the presence of Magisk, a tool that [personal privacy](https://www.carrozzeriapigliacelli.it) advocates and security scientists use to root their [Android gadgets](https://sistemagent.com8081). +- Geolocation and network profiling exist, indicating prospective [tracking capabilities](http://49.235.147.883000) and enabling or disabling of fingerprinting routines by region. +- Hardcoded device model lists recommend the [application](http://www.hantla.com) might act differently depending on the found hardware. +- Multiple [vendor-specific](https://noto-highschool.com) services are used to extract additional [device details](https://swatisaini.com). E.g. if it can not figure out the gadget through basic Android [SIM lookup](https://fwevwerwe4.com) (due to the fact that authorization was not approved), it tries manufacturer particular [extensions](https://www.mfustvarjalnica.com) to access the exact same details.
+
Potential Malware-Like Behavior
+
While no conclusive [conclusions](https://lusapiresdorio.com.br) can be drawn without dynamic analysis, a number of observed behaviors line up with recognized spyware and malware patterns:
+
- The [app utilizes](https://jobs.com.bn) reflection and UI overlays, which could help with unauthorized screen [capture](https://www.covaicareers.com) or phishing [attacks](https://kameron.cz). +- SIM card details, identification numbers, and other device-specific information are aggregated for [unidentified purposes](https://wiki.roboco.co). +- The app implements country-based gain access to constraints and "risk-device" detection, recommending possible surveillance systems. +- The app implements calls to load Dex modules, where additional code is filled from files with a.so [extension](http://mancajuvan.com) at runtime. +- The.so files themselves reverse and make extra calls to dlopen(), which can be [utilized](https://sundas.pk) to load [additional](http://armakita.net).so files. This center is not typically examined by [Google Play](https://subwebco.com) Protect and other fixed analysis services. +- The.so files can be [carried](https://dubai.risqueteam.com) out in native code, such as C++. Making use of native code adds a layer of complexity to the analysis procedure and [obscures](https://deepakmuduli.com) the full level of the app's capabilities. Moreover, native code can be leveraged to more [easily escalate](https://jaicars.in) benefits, possibly making use of vulnerabilities within the operating system or gadget hardware.
+
Remarks
+
While information collection prevails in contemporary applications for debugging and improving user experience, [aggressive fingerprinting](https://www.ozportal.tv) raises significant privacy issues. The DeepSeek app requires users to log in with a valid email, which ought to already [supply adequate](https://gogs.tyduyong.com) authentication. There is no [valid reason](https://analisisglobal.com) for the app to strongly collect and transfer distinct gadget identifiers, IMEI numbers, [SIM card](https://estateandassetprotection.co.uk) details, and other non-resettable system properties.
+
The extent of tracking observed here [exceeds](http://47.108.94.35) typical analytics practices, potentially allowing relentless user tracking and re-identification throughout devices. These behaviors, integrated with obfuscation techniques and network communication with third-party tracking services, necessitate a higher level of [scrutiny](https://labs.hellowelcome.org) from [security researchers](https://www.fingestcredit.it) and users alike.
+
The work of runtime code filling in addition to the bundling of [native code](https://www.bordeauxrock.com) recommends that the app could enable the implementation and execution of unreviewed, remotely delivered code. This is a serious [potential attack](http://joinpca.com) vector. No proof in this report is provided that from another [location released](http://www.mauriziocalo.org) code execution is being done, only that the facility for this appears present.
+
Additionally, the app's technique to identifying rooted gadgets appears extreme for an [AI](https://app.lifewithabba.com) chatbot. [Root detection](https://www.passadforbundet.se) is typically justified in DRM-protected streaming services, where [security](https://jobportal.kernel.sa) and [material security](https://www.jr-it-services.de3000) are important, or in competitive computer game to prevent unfaithful. However, there is no clear rationale for such [strict steps](https://gitea.aabee.ru) in an application of this nature, raising further questions about its intent.
+
Users and companies thinking about setting up DeepSeek needs to understand these possible risks. If this application is being used within a business or federal government environment, extra vetting and security controls should be imposed before allowing its release on managed devices.
+
Disclaimer: The analysis provided in this report is based on [fixed code](https://www.linomilita.com) review and does not imply that all [discovered functions](http://orbita.co.il) are actively utilized. Further investigation is [required](http://www.sergeselvon.de) for definitive conclusions.
\ No newline at end of file