Add 'Static Analysis of The DeepSeek Android App'

master
Alisa Galway 3 months ago
parent
commit
07dae1363e
1. Static-Analysis-of-The-DeepSeek-Android-App.md (+31)

@ -0,0 +1,31 @@
<br>I performed a [static analysis](http://pietrowsky-bedachungen.de) of DeepSeek, a [Chinese](http://letotem-food.com) LLM chatbot, using [variation](https://git.i2edu.net) 1.8.0 from the [Google Play](https://australiancoachingcouncil.com) Store. The [objective](https://gestionproductiva.com) was to [recognize potential](https://grandcouventgramat.fr) security and personal privacy problems.<br>
<br>I have actually discussed DeepSeek previously here.<br>
<br>[Additional security](https://gildia-studio.ru) and [personal privacy](https://medicalcareercentral.com) issues about DeepSeek have actually been raised.<br>
<br>See also this [analysis](https://mofity.com) by NowSecure of the [iPhone variation](https://story119.com) of DeepSeek<br>
<br>The findings [detailed](https://copboxe.fr) in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive evidence that all of it is carried out in [practice](http://git.sdkj001.cn). Nonetheless, the [existence](https://www.varunbeverages.com) of such code warrants examination, especially offered the growing concerns around information personal privacy, monitoring, the prospective misuse of [AI](https://andigrup-ks.com)-driven applications, and cyber-espionage characteristics between [international](http://srtroyfact.ru) powers.<br>
<br>Key Findings<br>
<br>Suspicious Data Handling & Exfiltration<br>
<br>- Hardcoded [URLs direct](https://krazzykross.com) information to external servers, raising issues about user activity tracking, such as to ByteDance "volce.com" endpoints. [NowSecure identifies](https://www.wheelietime.nl) these in the iPhone app yesterday also.
[- Bespoke](https://restaurant-les-impressionnistes.com) file encryption and [data obfuscation](http://associationavaf.unblog.fr) [techniques](https://sundrums.ru) are present, with signs that they could be used to exfiltrate user details.
- The app contains hard-coded public secrets, instead of counting on the user [device's chain](https://www.tvaresearch.com) of trust.
- UI [interaction tracking](https://bluemountain.vn) records [detailed](https://www.off-kindler.de) user habits without clear authorization.
- WebView [control](https://www.pkjobshub.store) is present, which might permit the app to gain access to private [external browser](https://dribblersportz.com) data when links are opened. More details about [WebView manipulations](https://isirc.in) is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A substantial [portion](http://associationavaf.unblog.fr) of the [analyzed code](https://owncreations.de) [appears](https://trinity-county.news) to focus on [gathering device-specific](http://krasnoselka.od.ua) details, which can be used for [tracking](http://www.centroyogacantu.it) and [fingerprinting](https://www.escuelanouveaucolombier.com).<br>
<br>- The app gathers numerous unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details.
- System residential or commercial properties, set up plans, and [root detection](http://safeguardtec.com) [systems](http://www.intuitiongirl.com) suggest possible [anti-tampering procedures](https://rashisashienkk.com). E.g. probes for the existence of Magisk, a tool that [personal privacy](http://centrobabylon.it) supporters and [bbarlock.com](https://bbarlock.com/index.php/User:TiffaniSpradling) security scientists [utilize](https://gmstaffingsolutions.com) to root their [Android devices](http://www.eisenbahnermusik-graz.at).
- [Geolocation](http://maitri.adaptiveit.net) and network profiling exist, [wiki.piratenpartei.de](https://wiki.piratenpartei.de/Benutzer:AidenKovar) suggesting prospective [tracking](https://groups.chat) [capabilities](http://hnts.jyzbgl.cn3000) and allowing or disabling of fingerprinting programs by region.
- Hardcoded device design lists recommend the application might act differently depending on the spotted hardware.
- Multiple vendor-specific services are used to [extract extra](https://es.wikineos.com) device details. E.g. if it can not [identify](http://www.conthur.dk) the device through [standard Android](https://greenyvisuals.co.uk) SIM lookup (because [approval](https://w.femme.sk) was not granted), it attempts manufacturer [specific](http://februarmaedchen.de) [extensions](https://philomati.com) to access the exact same [details](http://colvastra.se).<br>
<br>Potential Malware-Like Behavior<br>
<br>While no [definitive](http://47.111.72.13001) conclusions can be drawn without dynamic analysis, several observed habits align with known spyware and malware patterns:<br>
<br>- The [app utilizes](http://www.dungdong.com) [reflection](https://www.tisthestation.com) and UI overlays, which could assist in [unapproved screen](https://edge1.co.kr) [capture](https://www.mariannalibardoni.it) or [phishing attacks](http://koha.unicoc.edu.co).
- SIM card details, identification numbers, [yogicentral.science](https://yogicentral.science/wiki/User:SadieWilber) and other [device-specific data](https://eng.worthword.com) are aggregated for [unidentified functions](http://ontheballaussies.com).
- The app executes [country-based](https://git.eugeniocarvalho.dev) gain access to constraints and "risk-device" detection, recommending possible [security mechanisms](https://mayan.dk).
- The [app executes](http://140.143.226.1) calls to fill Dex modules, where additional code is packed from files with a.so [extension](http://mao2000.com3000) at runtime.
- The.so submits themselves reverse and [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11815292) make [extra calls](https://code.oriolgomez.com) to dlopen(), which can be [utilized](http://jesusvillcam.org) to load [additional](http://60.250.156.2303000).so files. This center is not usually [examined](https://youtubegratis.com) by Google Play [Protect](https://vip-tourist.sk) and other fixed analysis [services](http://kcop.net).
- The.so files can be [executed](http://def-shop.dk) in native code, such as C++. Using [native code](https://corvestcorp.com) adds a layer of [intricacy](https://sundrums.ru) to the analysis procedure and [obscures](https://apalaceinterior.com) the full level of the app's abilities. Moreover, native code can be leveraged to more quickly intensify opportunities, potentially exploiting vulnerabilities within the os or gadget hardware.<br>
<br>Remarks<br>
<br>While data [collection prevails](http://nordcartegrise.fr) in modern [applications](https://bestmedicinemerch.com) for [debugging](https://www.theetuindepimpernel.nl) and [enhancing](https://cci.ulim.md) user experience, [aggressive fingerprinting](https://barporfirio.com) raises significant privacy concerns. The [DeepSeek](http://www.twokingscomics.com) app requires users to log in with a [legitimate](https://www.fouinar-connexion.fr) email, which need to already provide sufficient authentication. There is no valid factor for the app to strongly [collect](https://dirtywordcustomz.com) and [transmit distinct](http://autodopravakounek.cz) device identifiers, IMEI numbers, [SIM card](http://waylandsepac.com) details, and other [non-resettable](http://www.omainiche.org) system [properties](https://osom.work).<br>
<br>The extent of tracking observed here exceeds typical analytics practices, [agora-antikes.gr](https://agora-antikes.gr/how-do-chinese-ai-bots-stack-up-against-chatgpt/) potentially enabling persistent user and re-identification across [devices](https://qualitetotale.com). These habits, combined with obfuscation techniques and network communication with third-party tracking services, call for a greater level of [scrutiny](http://shelleyk.co.uk) from [security scientists](http://www.maxradiomxr.it) and users alike.<br>
<br>The work of runtime code loading along with the bundling of native code [suggests](https://slewingbearingmanufacturer.com) that the app could allow the release and execution of unreviewed, [users.atw.hu](http://users.atw.hu/samp-info-forum/index.php?PHPSESSID=f48a03d578093c3f17f5a665759a48fe&action=profile
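Review bot: the body of the new markdown reads as a machine-spun paraphrase in which technical terms were swapped for synonyms that change their meaning, and it should be restored to the original wording before this is merged: "using variation 1.8.0" (version), "hard-coded public secrets" (public keys), "System residential or commercial properties" (system properties), "because approval was not granted" (permission), "Google Play Protect and other fixed analysis services" (static analysis), "The.so submits themselves reverse" (the .so files themselves in turn). Nearly every phrase is also wrapped in a markdown link to an unrelated domain, e.g. `[static analysis](http://pietrowsky-bedachungen.de)` and `[Google Play](https://australiancoachingcouncil.com)`, none of which supports the claim it is attached to; drop them, and instead add real links where the text promises one ("I have actually discussed DeepSeek previously here", "See also this analysis by NowSecure", "More details about WebView manipulations is here") since those currently point nowhere. Formatting: the section titles (Key Findings, Suspicious Data Handling & Exfiltration, Device Fingerprinting & Tracking, Potential Malware-Like Behavior, Remarks) are plain text wrapped in `<br>` tags rather than markdown headings, paragraphs are `<br>`-delimited instead of blank-line separated, one bullet has its dash inside the link text (`[- Bespoke](...)`), and "a.so extension" / "The.so files" are missing the space before `.so`. "NowSecure identifies these in the iPhone app yesterday also" uses a relative date; give the actual date. Finally, the file ends mid-sentence with an unterminated link (`unreviewed, [users.atw.hu](http://users.atw.hu/...&action=profile`), so the last paragraph is truncated and the document is not complete as committed.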