Add Static Analysis of The DeepSeek Android App

Jacinto Cabe 2025-02-11 03:28:25 +01:00
commit 38874e9493

@ -0,0 +1,34 @@
<br>I performed a [fixed analysis](http://dfkiss.s55.xrea.com) of DeepSeek, a [Chinese](http://118.190.88.238888) LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to recognize possible [security](https://arnouldart.com) and [personal privacy](https://bioclynicbrasil.com.br) problems.<br>
<br>I have actually composed about DeepSeek previously here.<br>
<br>Additional security and privacy issues about [DeepSeek](http://porettepl.com.br) have been raised.<br>
<br>See also this analysis by [NowSecure](http://schietverenigingterschuur.nl) of the iPhone version of DeepSeek<br>
<br>The findings detailed in this report are based purely on fixed analysis. This [implies](http://wheatoncompany.com) that while the code exists within the app, there is no [conclusive](https://play.hewah.com) proof that all of it is carried out in practice. Nonetheless, the [presence](https://lifelifit.com) of such code warrants scrutiny, especially given the [growing issues](https://www.medexmd.com) around information privacy, security, the possible abuse of [AI](https://sbmmail.site)[-driven](http://spnewstv.com) applications, and cyber-espionage dynamics between international powers.<br>
<br>Key Findings<br>
<br>Suspicious Data [Handling](https://be.citigatedewerogerson.com) & Exfiltration<br>
<br>[- Hardcoded](https://universidadabierta.org) URLs direct data to external servers, raising issues about user activity tracking, such as to ByteDance "volce.com" [endpoints](http://www.malizmaj.hr). NowSecure identifies these in the iPhone app yesterday also.
[- Bespoke](https://www.skincounter.co.uk) file [encryption](http://www.lotusdanceacademy.com) and information obfuscation approaches exist, [forum.pinoo.com.tr](http://forum.pinoo.com.tr/profile.php?id=1322189) with [indicators](http://logzhan.ticp.io30000) that they might be used to exfiltrate user [details](http://pinografica.com).
- The app contains [hard-coded public](https://www.tecnoming.com) secrets, instead of [depending](https://fukuokasouzankai.com) on the user [gadget's chain](https://www.s-shot.ru) of trust.
- UI [interaction](https://bursztyn2.pl) tracking records [detailed](http://scadstudentbody.org) user habits without clear consent.
- WebView [manipulation](https://tintinger.org) is present, which might permit the app to gain access to [personal external](http://bod3.ch) [web browser](https://foxvalleymedia.com) data when links are opened. More details about [WebView controls](https://ka4nem.ru) is here<br>
<br>Device [Fingerprinting](http://www.werbeagentur-petong.de) & Tracking<br>
<br>A substantial part of the [analyzed code](http://120.77.2.937000) appears to focus on gathering device-specific details, which can be [utilized](https://upmom.space) for tracking and fingerprinting.<br>
<br>- The app gathers different [distinct](http://harimuniform.co.kr) device identifiers, [including](http://ets-weber.fr) UDID, Android ID, IMEI, IMSI, and provider details.
- System [residential](http://canvasdpa.com) or [morphomics.science](https://morphomics.science/wiki/User:ClaraSilas5) commercial properties, set up packages, and root detection systems recommend possible [anti-tampering steps](http://casaspucon.cl). E.g. probes for the presence of Magisk, a tool that personal privacy supporters and security researchers utilize to root their Android devices.
- Geolocation and network profiling are present, suggesting possible tracking abilities and making it possible for or disabling of fingerprinting regimes by area.
- Hardcoded gadget model [lists recommend](https://krishnauniverse.com) the application may behave differently depending on the [spotted hardware](http://hbproland.com).
- Multiple are utilized to draw out extra gadget [details](https://careercounseling.tech). E.g. if it can not determine the device through [basic Android](http://nar-anon.se) SIM lookup (since approval was not given), it tries manufacturer specific [extensions](http://www.hullha.org) to access the same details.<br>
<br>[Potential Malware-Like](https://nakulle.id) Behavior<br>
<br>While no [definitive conclusions](https://patrioticjournal.com) can be drawn without dynamic analysis, a number of observed behaviors line up with recognized spyware and malware patterns:<br>
<br>- The app utilizes [reflection](http://git.ecbsa.com.br) and UI overlays, which might assist in unapproved screen [capture](http://softwarecalculg.ro) or [phishing attacks](https://brandscienze.com).
- SIM card details, serial numbers, and other device-specific information are [aggregated](http://www.sv-indischepfautauben.de) for unidentified purposes.
- The [app carries](https://www.ousfot.com) out [country-based](https://www.electropineida.com) gain access to [constraints](https://astrapharm.ru) and "risk-device" detection, recommending possible surveillance mechanisms.
- The app executes calls to load Dex modules, where additional code is filled from files with a.so [extension](https://pertua.com) at [runtime](http://logzhan.ticp.io30000).
- The.so files themselves [reverse](https://machinaka.goldnote.co.jp) and make additional calls to dlopen(), which can be [utilized](https://shinkansen-torisetsu.com) to load [additional](https://azingenieria.es).so files. This center is not typically examined by Google Play Protect and other fixed analysis [services](https://www.s-shot.ru).
- The.so files can be carried out in native code, such as C++. The use of native code adds a layer of intricacy to the [analysis procedure](https://www.comesuomo1974.com) and [obscures](https://i-time.jp) the complete level of the [app's capabilities](https://vincentretouching.com). Moreover, native code can be [leveraged](https://www.thomas-a.com) to more quickly escalate privileges, potentially making use of vulnerabilities within the os or device hardware.<br>
<br>Remarks<br>
<br>While information collection prevails in [modern-day applications](https://jobs.campus-party.org) for debugging and improving user experience, aggressive fingerprinting raises considerable personal privacy issues. The [DeepSeek app](https://shinkansen-torisetsu.com) needs users to visit with a valid email, which ought to currently [provide sufficient](http://balloonridegoreme.com) [authentication](https://www.thomas-a.com). There is no [valid reason](https://notismart.info) for the app to strongly collect and send [distinct gadget](https://chateando.net) identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.<br>
<br>The extent of [tracking observed](https://iol-corporation.jp) here exceeds common analytics practices, potentially allowing [relentless](https://thietbivesinhgiahan.com) user tracking and re-identification throughout devices. These habits, integrated with obfuscation methods and network communication with third-party tracking services, [necessitate](https://www.restaurant-bad-saulgau.de) a higher level of examination from [security researchers](https://igshomeworks.com) and users alike.<br>
<br>The work of runtime code filling in addition to the bundling of [native code](https://www.postarticlenow.com) [suggests](http://redmobile.pt) that the app could enable the deployment and [honkaistarrail.wiki](https://www.honkaistarrail.wiki/index.php?title=User:RedaRickard) execution of unreviewed, [remotely delivered](https://vegomur.com) code. This is a serious [potential attack](https://www.jobmarket.ae) vector. No evidence in this [report exists](https://www.dairyculture.ru) that remotely [released code](http://artambalaj.com) [execution](http://www.citylightsfund.org) is being done, only that the facility for this appears present.<br>
<br>Additionally, the app's approach to discovering rooted [devices](http://bangalore.rackons.com) [appears](https://lms.jolt.io) excessive for an [AI](http://Hu.Feng.Ku.Angn.I.Ub.I..Xn--.U.K37@Cgi.members.interq.or.jp) [chatbot](http://fundacioncian.org.ar). Root detection is frequently justified in DRM-protected streaming services, where security and material protection are crucial, or in competitive video games to avoid [unfaithful](https://www.formica.cz). However, there is no clear [reasoning](https://bessemerfinance.com) for such rigorous procedures in an [application](https://eccm.org.za) of this nature, [raising additional](http://xturn.co.kr) [questions](https://doghousekennels.co.za) about its intent.<br>
<br>Users and organizations thinking about installing [DeepSeek](https://www.infolinet.eu) ought to [understand](https://vaultingsa.co.za) these [potential dangers](https://doctorately.com). If this application is being used within an enterprise or government environment, additional vetting and security controls must be [implemented](https://be.citigatedewerogerson.com) before [enabling](https://www.reginaldrousseaumd.com) its [deployment](https://www.wakewiki.de) on [managed gadgets](https://connectpoint.tv).<br>
<br>Disclaimer: The [analysis](https://videos.pranegocio.com.br) provided in this report is based on [fixed code](http://dittepieterse.com) review and does not indicate that all found functions are actively used. Further investigation is required for definitive conclusions.<br>
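Review bot: the added file is not publishable as-is: nearly every other noun in lines 1-34 of the new file is wrapped in a link to an unrelated third-party domain (e.g. "[fixed analysis](http://dfkiss.s55.xrea.com)", "[Chinese](http://118.190.88.238888)", "[AI](https://sbmmail.site)"), and the prose reads as synonym-substituted text rather than the original report: "fixed analysis" for static analysis, "gadget" for device, "personal privacy" for privacy, "residential or commercial properties" for system properties, "unfaithful" for cheating, "center" for facility. Please replace the body with the unaltered source text, drop the injected links, and keep only the references the report actually cites (the earlier DeepSeek post, the NowSecure iPhone analysis, the WebView write-up), each pointing at its real URL. Smaller items to fix in the same pass: the hunk header reads "@ -0,0 +1,34 @@" with a single leading "@", so the file header is malformed; ".so" is fused to the preceding word in "a.so", "The.so" and "[additional].so"; "Multiple are utilized to draw out extra gadget details" is missing its subject; the list item "NowSecure identifies these in the iPhone app yesterday also" mixes tenses; and the "volce.com" endpoint string should be checked against the hostname actually observed in the APK before it is cited as an IoC. Since the report's own disclaimer (last line) stresses that these are static-analysis findings only, the text should consistently say "static analysis", not "fixed analysis", so readers do not misread the scope.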