Add Static Analysis of The DeepSeek Android App

Faustino Langlois 2025-02-10 23:32:53 +01:00
commit 3b82881f3b

@ -0,0 +1,34 @@
I conducted a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to recognize prospective security and privacy problems.

I have actually blogged about DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no conclusive proof that all of it is executed in practice. Nonetheless, the existence of such code warrants scrutiny, particularly given the growing concerns around data privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure identified these in the iPhone app yesterday as well.
- Bespoke encryption and data obfuscation methods are present, with indications that they could be used to exfiltrate user data.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behavior without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulation are here.

Device Fingerprinting & Tracking

A significant portion of the analyzed code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.

- The app gathers various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures, e.g. probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating possible tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details, e.g. if it cannot determine the device through the standard Android SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same details.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, serial numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app executes calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves in turn make additional calls to dlopen(), which can be used to load further .so files. This facility is not typically inspected by Google Play Protect and other static analysis services.
- The .so files can be executed as native code, such as C++. Using native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
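To make the indicator classes above reproducible on other apps, here is an added example of a small static triage script; it is not part of the original report and not the author's tooling. It assumes the APK has already been unpacked into smali (as apktool produces) and that `strings` has been run over any bundled `.so` files; the smali snippet, class names, endpoint host and file names in it are constructed for the example and are not taken from DeepSeek. It flags the four classes of evidence the report discusses: hardcoded endpoints, non-resettable identifier APIs, root/Magisk probes, and runtime Dex/native loading.

```python
"""Static triage of decompiled Android artifacts (added example, not the
report's own tooling).  All sample input below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed smali in the shape apktool emits; hypothetical class, host
# and path names, NOT taken from the DeepSeek app.
SAMPLE_SMALI = """\
.class public Lcom/example/telemetry/DeviceInfo;
.method public getIds()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-static {v1, v2}, Landroid/provider/Settings$Secure;->getString(Landroid/content/ContentResolver;Ljava/lang/String;)Ljava/lang/String;
    const-string v3, "android_id"
    const-string v4, "https://telemetry.example-tracker.invalid/collect"
    const-string v5, "/sbin/magisk"
.end method
.method public loadPlugin()V
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-static {v1}, Ljava/lang/System;->loadLibrary(Ljava/lang/String;)V
.end method
"""

# Constructed output of `strings` over a hypothetical bundled native library.
SAMPLE_NATIVE_STRINGS = """\
dlopen
libplugin_loader.so
/data/data/com.example/files/stage2.so
"""

# Indicator patterns, matched per line, case-insensitively.
INDICATORS = {
    "identifier_collection": [
        r"TelephonyManager;->getDeviceId",         # IMEI
        r"TelephonyManager;->getSubscriberId",     # IMSI
        r"TelephonyManager;->getSimSerialNumber",  # SIM serial
        r'const-string [vp]\d+, "android_id"',     # Settings.Secure.ANDROID_ID key
        r"Build;->SERIAL",                         # hardware serial
    ],
    "root_detection": [
        r"magisk",
        r"/system/x?bin/su\b",
        r"Superuser\.apk",
    ],
    "dynamic_code_loading": [
        r"Ldalvik/system/(InMemory)?DexClassLoader",  # Dex loaded at runtime
        r"System;->load(Library)?\(",                 # native library loading
        r"\bdlopen\b",                                # native-side loader call
    ],
}
URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def scan_text(text, source):
    """Return {category: [(source, line_no, evidence)]} for one artifact."""
    hits = defaultdict(list)
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, patterns in INDICATORS.items():
            if any(re.search(p, line, re.IGNORECASE) for p in patterns):
                hits[category].append((source, line_no, line.strip()))
        for url in URL_RE.findall(line):
            hits["hardcoded_url"].append((source, line_no, url))
    return hits


def merge_hits(*hit_maps):
    """Combine per-artifact results into one app-wide view."""
    merged = defaultdict(list)
    for hit_map in hit_maps:
        for category, entries in hit_map.items():
            merged[category].extend(entries)
    return merged


def hardcoded_hosts(hits):
    """Distinct hosts behind hardcoded URLs, for allow/deny-list review."""
    return sorted({urlparse(u).hostname for _, _, u in hits.get("hardcoded_url", [])})


def review_flags(hits):
    """Phrase each finding as a follow-up question: static presence is not
    proof of execution, so every flag points at what dynamic analysis must confirm."""
    flags = []
    if "identifier_collection" in hits and "hardcoded_url" in hits:
        flags.append("non-resettable identifiers collected alongside hardcoded endpoints: "
                     "confirm at runtime what is transmitted to " + ", ".join(hardcoded_hosts(hits)))
    if "dynamic_code_loading" in hits:
        flags.append("runtime Dex/native loading present: static review cannot see everything the app can run")
    if "root_detection" in hits:
        flags.append("root/Magisk probes present: check whether they gate behaviour or serve anti-analysis")
    return flags


if __name__ == "__main__":
    app_hits = merge_hits(scan_text(SAMPLE_SMALI, "DeviceInfo.smali"),
                          scan_text(SAMPLE_NATIVE_STRINGS, "libplugin_loader.so"))
    for category, entries in sorted(app_hits.items()):
        print(f"[{category}] {len(entries)} hit(s)")
        for source, line_no, evidence in entries:
            print(f"    {source}:{line_no}: {evidence}")
    for flag in review_flags(app_hits):
        print("FOLLOW-UP:", flag)
```

Each hit is only evidence that the code exists; as the report stresses, whether it runs and what it sends requires dynamic analysis, which is why `review_flags` produces follow-up questions rather than verdicts. Over a real unpacked app the same functions would be called on every `.smali` file and every `strings` dump, with the per-file results merged by `merge_hits`.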
Remarks

While data collection is common in modern applications for debugging and improving user experience, this raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no legitimate reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading as well as the bundling of native code suggests that the app could allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report exists that remotely deployed code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often warranted in DRM-protected streaming services, where security and content protection are critical, or in competitive games to prevent cheating. However, there is no clear rationale for such stringent measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is needed for definitive conclusions.