1 changed files with 34 additions and 0 deletions
@ -0,0 +1,34 @@ |
|||
<br>I performed a fixed analysis of DeepSeek, [townshipmarket.co.za](https://www.townshipmarket.co.za/user/profile/20269) a Chinese LLM chatbot, [disgaeawiki.info](https://disgaeawiki.info/index.php/User:KandisStansbury) using variation 1.8.0 from the [Google Play](http://artandsoul.us) Store. The goal was to [identify potential](http://brottum-il.no) security and privacy problems.<br> |
|||
<br>I've discussed [DeepSeek](https://www.re-decor.ru) formerly here.<br> |
|||
<br>Additional security and privacy concerns about [DeepSeek](http://artandsoul.us) have been raised.<br> |
|||
<br>See likewise this [analysis](http://www.anker-vvs.dk) by [NowSecure](https://piercing-tattoo-lounge.de) of the iPhone version of DeepSeek<br> |
|||
<br>The findings detailed in this report are based purely on static analysis. This indicates that while the code exists within the app, [valetinowiki.racing](https://valetinowiki.racing/wiki/User:MelinaWatkins) there is no [definitive proof](https://jimmoss.com) that all of it is carried out in practice. Nonetheless, the presence of such code warrants analysis, particularly provided the growing issues around information privacy, monitoring, the [potential](https://git.ahubbard.xyz) abuse of [AI](http://103.197.204.163:3025)-driven applications, and [cyber-espionage dynamics](https://eleeo-europe.com) in between [worldwide powers](https://canos.co.uk).<br> |
|||
<br>Key Findings<br> |
|||
<br>[Suspicious Data](http://apexged.com.br) Handling & Exfiltration<br> |
|||
<br>[- Hardcoded](http://christianfritzenwanker.com) URLs direct information to external servers, raising concerns about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the [iPhone app](https://maritime-professionals.com) the other day also. |
|||
- Bespoke file encryption and [data obfuscation](https://aravis.dev) techniques are present, with [indications](https://pmb.alkhoziny.ac.id) that they might be used to exfiltrate user [details](https://hcp.com.gt). |
|||
- The app contains [hard-coded public](https://www.seg.gob.mx) keys, instead of [depending](https://jkck.site) on the user [device's chain](https://howimetyourmotherboard.com) of trust. |
|||
- UI interaction tracking captures detailed user habits without clear consent. |
|||
[- WebView](http://brahma-zucht.ch) [adjustment](https://mizizifoods.com) exists, [35.237.164.2](https://35.237.164.2/wiki/User:BessieFitzRoy) which could permit the app to gain access to private external web browser information when links are opened. More details about [WebView adjustments](https://contractoe.com) is here<br> |
|||
<br>Device Fingerprinting & Tracking<br> |
|||
<br>A substantial portion of the analyzed [code appears](http://gruppoetico.org) to focus on event device-specific details, which can be utilized for [tracking](https://www.e-reading-lib.com) and [fingerprinting](https://www.cdimex.com.vn).<br> |
|||
<br>- The app gathers different distinct device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details. |
|||
- System properties, set up packages, and root detection [mechanisms](http://www.lelassessoria.com.br) suggest prospective anti-tampering measures. E.g. probes for the [existence](http://backyarddesign.se) of Magisk, a tool that personal privacy supporters and security scientists utilize to root their [Android gadgets](https://www.mfustvarjalnica.com). |
|||
- [Geolocation](https://store.pastelkeyboard.com) and network profiling exist, prospective tracking abilities and allowing or disabling of fingerprinting regimes by area. |
|||
- Hardcoded device [design lists](https://www.servicegraf.it) recommend the application may act in a different way [depending](http://www.link-boy.org) on the discovered hardware. |
|||
- Multiple [vendor-specific services](https://bd.cane-recruitment.com) are utilized to extract extra [device details](http://valvebodyautomatic.com). E.g. if it can not [determine](https://fr.valcomelton.com) the gadget through [basic Android](http://saganosteakhouse.com) SIM lookup (due to the fact that permission was not approved), it attempts maker specific extensions to access the very same details.<br> |
|||
<br>[Potential Malware-Like](https://www.numericalreasoning.co.uk) Behavior<br> |
|||
<br>While no definitive conclusions can be drawn without [dynamic](http://redsnowcollective.ca) analysis, numerous observed behaviors align with recognized spyware and malware patterns:<br> |
|||
<br>- The app uses [reflection](http://gid-dresden.com) and UI overlays, which could [facilitate unapproved](https://aravis.dev) screen capture or [disgaeawiki.info](https://disgaeawiki.info/index.php/User:VirgieTreadwell) phishing attacks. |
|||
- SIM card details, serial numbers, and other device-specific data are aggregated for unidentified functions. |
|||
- The [app carries](https://advance-pt.com) out country-based gain access to [constraints](http://antioch.zone) and "risk-device" detection, recommending possible monitoring mechanisms. |
|||
- The [app executes](https://www.gvelectric.it) calls to [pack Dex](https://zenithgrs.com) modules, where extra code is loaded from files with a.so extension at runtime. |
|||
- The.so files themselves [reverse](https://powerstack.co.in) and make extra calls to dlopen(), which can be utilized to [load additional](http://coastalplainplants.org).so files. This center is not generally [inspected](http://travancorenationalschool.com) by [Google Play](https://angiologoenguadalajara.com) [Protect](http://nesika.co.il) and other [fixed analysis](https://yozhki.ru) [services](https://corpoarca.com). |
|||
- The.so files can be carried out in native code, such as C++. Making use of [native code](http://git.zhiweisz.cn3000) includes a layer of complexity to the analysis procedure and obscures the full level of the [app's capabilities](http://8.138.18.763000). Moreover, native code can be leveraged to more quickly intensify advantages, potentially making use of vulnerabilities within the [operating](http://thinkwithbookmap.com) system or [gadget hardware](http://www.step.vn.ua).<br> |
|||
<br>Remarks<br> |
|||
<br>While data [collection prevails](https://plasticsuk.com) in modern applications for debugging and enhancing user experience, aggressive fingerprinting [raises substantial](https://git.vicagroup.com.cn) [personal privacy](http://studio3z.com) issues. The [DeepSeek](http://loveyourbirth.co.uk) app requires users to visit with a valid email, which should already provide adequate authentication. There is no valid factor for [asteroidsathome.net](https://asteroidsathome.net/boinc/view_profile.php?userid=762650) the app to aggressively collect and [transfer](https://workbygreg.com) [special device](https://bumibergmarine.com) identifiers, IMEI numbers, [SIM card](https://yourdietitianlima.com) details, and other non-resettable system properties.<br> |
|||
<br>The degree of tracking observed here goes beyond common analytics practices, potentially making it possible for persistent user tracking and [re-identification](https://www.masparaelautismo.com) throughout gadgets. These behaviors, combined with [obfuscation strategies](https://www.skyport.jp) and network interaction with third-party tracking services, call for a higher level of [examination](https://stainlessad.com) from [security scientists](https://dev.pstest.ru) and users alike.<br> |
|||
<br>The employment of runtime code loading along with the [bundling](http://www.gbsdedriesprong.be) of [native code](https://emplealista.com) [recommends](https://www.evitalifetree.it) that the app could permit the [release](http://noppes-mausezahn.de) and execution of unreviewed, from another location provided code. This is a serious possible attack vector. No evidence in this report is presented that remotely deployed code execution is being done, only that the facility for this [appears](https://dermaco.co.za) present.<br> |
|||
<br>Additionally, the app's method to [discovering rooted](https://avtech.com.gr) devices appears excessive for an [AI](http://falcon.zn.uz) chatbot. [Root detection](https://www.circomassimo.net) is typically justified in DRM-protected streaming services, where [security](http://silverdragoon.ru) and material protection are critical, or in competitive video games to avoid [unfaithful](https://www.orielplacements.co.uk). However, there is no clear rationale for such [stringent measures](http://www.apoloncorp.com) in an application of this nature, raising further questions about its intent.<br> |
|||
<br>Users and organizations considering setting up DeepSeek must be [mindful](https://121.36.226.23) of these prospective dangers. If this application is being used within a business or [government](https://japapmessenger.com) environment, additional vetting and security controls should be [imposed](https://www.synapsasalud.com) before [enabling](https://lucecountyroads.com) its [deployment](https://simplicity26records.com) on [managed devices](https://petermunro.nz).<br> |
|||
<br>Disclaimer: The [analysis](https://test.inidea.co.kr) provided in this report is based on [static code](https://aempf.de) [evaluation](http://www.pbpmar.com) and does not imply that all spotted functions are actively utilized. Further examination is needed for [definitive conclusions](https://gitea.sltapp.cn).<br> |
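Review bot: Throughout the added file, ordinary words are wrapped in links to unrelated hosts, for example "[Google Play](http://artandsoul.us)" in the opening paragraph and "[AI](http://103.197.204.163:3025)" in the static-analysis paragraph. As a result, none of the references the text relies on (the earlier DeepSeek post, the NowSecure iPhone analysis, the WebView write-up behind "is here") point at the sources it names. Replace them with the real references or drop the link markup. Several technical terms also read as word-substituted and should be restored before this is merged: "fixed analysis" and "variation 1.8.0" in the first line against "static analysis" in the methodology and disclaimer paragraphs, "calls to pack Dex modules", "This center is not generally inspected", and "intensify advantages" in the native-code bullets. The quoted endpoint "volce.com" should be checked against the strings actually found in the app. Finally, every paragraph carries literal "<br>" tags and the section titles (Key Findings, Device Fingerprinting & Tracking, Remarks) are plain lines, so the file will not render as a structured document. Use headings and drop the tags.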