Add 'Static Analysis of The DeepSeek Android App'
I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The objective was to identify potential security and privacy issues.
I have discussed DeepSeek previously here.
Additional security and privacy concerns about DeepSeek have been raised.
See also this analysis by NowSecure of the iPhone version of DeepSeek.
The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive proof that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, security, the potential misuse of AI-driven applications, and cyber-espionage dynamics between global powers.
Key Findings
Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, raising concerns about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure identified these in the iPhone app yesterday too.
- Custom encryption and data obfuscation methods exist, with indications that they may be used to exfiltrate user data.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking records detailed user behaviour without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView manipulation are here.
Device Fingerprinting & Tracking

A significant portion of the examined code appears to focus on gathering device-specific details, which can be used for tracking and fingerprinting.

- The app collects various unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier details.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures. E.g. it probes for the presence of Magisk, a tool that privacy advocates and security researchers use to root their Android devices.
- Geolocation and network profiling are present, indicating potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details. E.g. if it cannot identify the device through the standard Android SIM lookup (because permission was not granted), it attempts manufacturer-specific extensions to access the same details.
Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviors align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app makes calls to load Dex modules, where additional code is loaded at runtime from files with a .so extension.
- The .so files themselves, when reversed, make further calls to dlopen(), which can be used to load additional .so files. This facility is not normally inspected by Google Play Protect and other static analysis services.
- The .so files execute as native code, such as C++. Using native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the OS or device hardware.
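As an added example (not tooling from this report), the following Python script shows how a reviewer can triage decompiled output (the kind jadx or apktool produces) for the indicator categories listed in the findings above: device-identifier APIs, Magisk/root probes, runtime Dex and native library loading, WebView bridges, and SIM/country lookups. The decompiled fragments embedded in it are constructed samples, not code from the app.

```python
import re
from collections import defaultdict

# Category -> regexes over decompiled Java/smali text. The API names and paths are
# real Android identifiers; the grouping mirrors the report's finding categories.
INDICATORS = {
    "device_fingerprinting": [r"getDeviceId\(", r"getImei\(", r"getSubscriberId\(",
                              r"getSimOperator", r"ANDROID_ID", r"Build\.SERIAL"],
    "root_detection": [r"/sbin/\.magisk", r"com\.topjohnwu\.magisk",
                       r"/system/xbin/su", r"test-keys"],
    "dynamic_code_loading": [r"DexClassLoader", r"System\.load(Library)?\(", r"\bdlopen\b"],
    "webview_manipulation": [r"addJavascriptInterface", r"setJavaScriptEnabled\(true\)",
                             r"setAllowFileAccess"],
    "geo_network_profiling": [r"getSimCountryIso", r"getNetworkCountryIso",
                              r"getLastKnownLocation"],
}

# Constructed decompiled fragments standing in for jadx output; not from the real app.
SAMPLE_SOURCES = {
    "com/example/DeviceInfo.java": "String imei = tm.getImei(); String imsi = tm.getSubscriberId();\n"
                                   "String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);",
    "com/example/RootCheck.java": 'new File("/sbin/.magisk").exists(); '
                                  'pm.getPackageInfo("com.topjohnwu.magisk", 0);',
    "com/example/Loader.java": "new DexClassLoader(path, opt, null, parent); System.load(soPath);",
    "com/example/Chat.java": 'ws.setJavaScriptEnabled(true); wv.addJavascriptInterface(bridge, "app");',
    "com/example/Region.java": "String cc = tm.getSimCountryIso(); if (BLOCKED.contains(cc)) deny();",
    "com/example/Util.java": "return a + b;",
}


def scan(sources):
    """Return {category: {file: [matched text, ...]}}, listing only files with hits."""
    hits = defaultdict(lambda: defaultdict(list))
    for path, text in sources.items():
        for category, patterns in INDICATORS.items():
            for pattern in patterns:
                for match in re.finditer(pattern, text):
                    hits[category][path].append(match.group(0))
    return {category: dict(files) for category, files in hits.items()}


def summarize(sources):
    """Triage view: categories present, files per category, and whether identifier
    collection coexists with runtime code loading, the combination the report
    singles out and the cue to escalate from static to dynamic analysis."""
    found = scan(sources)
    return {
        "categories": sorted(found),
        "files": {c: sorted(found[c]) for c in found},
        "needs_dynamic_analysis": {"device_fingerprinting", "dynamic_code_loading"} <= set(found),
    }
```

Point `scan()` at a dict of path to file contents read from a real decompiled tree; a hit is a starting point for manual review, not proof that the code path runs, which is the same caveat the report itself makes.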
Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no legitimate reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviors, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading together with the bundling of native code suggests that the app may allow the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report exists that remotely deployed code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is often justified in DRM-protected streaming services, where security and content protection are critical, or in games to prevent cheating. However, there is no clear rationale for such stringent measures in an application of this nature, raising further questions about its intent.

Users and organizations considering installing DeepSeek should be aware of these potential risks. If this application is being used within a corporate or government environment, additional vetting and security controls should be implemented before allowing its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code review and does not imply that all detected functions are actively used. Further investigation is required for definitive conclusions.