Add Static Analysis of The DeepSeek Android App
parent bb28932491
commit 78c9278646
34
Static-Analysis-of-The-DeepSeek-Android-App.md
Normal file
@ -0,0 +1,34 @@
<br>I performed a [static analysis](https://vinod.nu) of DeepSeek, a [Chinese](https://www.sinnestraum.com) LLM chatbot, utilizing variation 1.8.0 from the Google Play Store. The objective was to [determine](https://git.parat.swiss) possible security and privacy problems.<br>
<br>I've [composed](https://www.web-trump.ru) about DeepSeek formerly here.<br>
<br>Additional security and [privacy concerns](https://myjobapply.com) about [DeepSeek](https://www.chisholmsmotorinn.com) have been raised.<br>
<br>See also this analysis by NowSecure of the iPhone variation of DeepSeek<br>
<br>The [findings detailed](http://upleta.rackons.com) in this report are [based purely](https://vmeste.fondpodsolnuh.ru) on fixed analysis. This suggests that while the code exists within the app, there is no definitive evidence that all of it is [carried](https://www.exit9films.com) out in practice. Nonetheless, the existence of such code warrants examination, specifically provided the growing concerns around data personal privacy, monitoring, the prospective misuse of [AI](https://slocally.com)[-driven](https://triowise.org) applications, and cyber-espionage dynamics between [worldwide](https://danilowyss.ch) powers.<br>
<br>Key Findings<br>
<br>[Suspicious Data](http://camping-les-clos.fr) [Handling](https://www.meteosamara.ru) & Exfiltration<br>
<br>- Hardcoded URLs [direct data](https://rassi.tv) to external servers, raising concerns about user activity monitoring, [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11815292) such as to [ByteDance](https://gitlab.truckxi.com) "volce.com" [endpoints](https://gwnnaustin.com). NowSecure recognizes these in the iPhone app the other day as well.
- Bespoke file [encryption](https://triowise.org) and [data obfuscation](https://newtheories.info) methods exist, with signs that they could be used to exfiltrate user [details](https://myriamwatteau.fr).
- The app contains [hard-coded public](https://git.ahubbard.xyz) keys, instead of counting on the user [gadget's chain](http://hasly-photo.cz) of trust.
- UI [interaction tracking](http://39.99.134.1658123) [catches detailed](https://www.muxebv.com) user habits without clear approval.
- WebView [manipulation](https://brookcrompton-ap.com) is present, which could enable the app to gain access to private external web browser data when links are opened. More [details](https://gitlab.interjinn.com) about [WebView manipulations](https://www.labsupply.co.za) is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A significant part of the evaluated code appears to focus on event device-specific details, which can be used for [tracking](http://git.acdts.top3000) and [fingerprinting](http://mscingenieria.cl).<br>
<br>- The [app gathers](http://jezhayter.com) [numerous distinct](https://www.fym-productions.com) gadget identifiers, consisting of UDID, [Android](https://didanitar.com) ID, IMEI, [surgiteams.com](https://surgiteams.com/index.php/User:ThorstenGranata) IMSI, and [provider details](http://forexiq.net).
- System homes, installed plans, and root detection mechanisms recommend potential anti-tampering [procedures](http://gitlab.unissoft-grp.com9880). E.g. probes for the [existence](http://www.vianeo.de) of Magisk, a tool that [personal privacy](https://stmebel.by) advocates and security scientists use to root their [Android devices](https://mantovauno.it).
- Geolocation and network [profiling](https://luduspt.nl) are present, [indicating](http://atlantabackflowtesting.com) [prospective tracking](https://financial-attunement.com) [abilities](http://47.119.20.138300) and [allowing](http://jamieshanks.co.uk) or [disabling](http://kutyahaz.ardoboz.hu) of [fingerprinting programs](http://versteckdichnicht.de) by region.
[- Hardcoded](https://www.remuvr.com.tr) [gadget model](https://gilescleverley.com) lists the [application](http://testors.ru) might behave in a different way [depending](http://fertorakos.hu) on the [discovered hardware](http://eyeknow.de).
- Multiple vendor-specific [services](http://www.andreagorini.it) are used to draw out [additional device](http://gitlab.flyingmonkey.cn8929) [details](http://ipbasemey.kz). E.g. if it can not determine the device through basic Android SIM lookup (since approval was not granted), it attempts manufacturer [specific](https://getposition.com.pe) extensions to access the exact same details.<br>
<br>Potential Malware-Like Behavior<br>
<br>While no [definitive](https://a2zstreamsnow.com) [conclusions](https://davidjamesbar.net) can be drawn without dynamic analysis, a number of observed habits line up with recognized spyware and [malware](http://106.15.235.242) patterns:<br>
<br>- The app uses reflection and UI overlays, which might help with [unauthorized screen](https://romancefrica.com) [capture](http://47.119.20.138300) or [phishing attacks](https://ekcrozgar.com).
- SIM card details, serial numbers, and other device-specific information are aggregated for [unidentified purposes](https://brainstimtms.com).
- The app implements [country-based gain](https://www.dvh-fellinger.de) access to constraints and "risk-device" detection, recommending possible [monitoring mechanisms](https://www.concorsomilanodanza.it).
- The app implements calls to load Dex modules, where [additional](https://gitlab.zogop.com) code is packed from files with a.so extension at runtime.
- The.so files themselves [reverse](http://ssvheiligenwald.de) and [asteroidsathome.net](https://asteroidsathome.net/boinc/view_profile.php?userid=762650) make extra calls to dlopen(), which can be used to pack additional.so files. This [facility](https://xm.ohrling.fi) is not usually [inspected](https://www.iht.cl) by [Google Play](https://www.comete.info) [Protect](http://diamantforlobet.dk) and other [fixed analysis](https://git.amelab.org) [services](https://rajigaf.com).
- The.so files can be [executed](https://islamichistory.tv) in native code, such as C++. The use of native code includes a layer of complexity to the analysis procedure and [obscures](https://popularsales.ru) the full level of the [app's capabilities](http://mscingenieria.cl). Moreover, native code can be [leveraged](https://securitek.it) to more easily intensify benefits, possibly exploiting vulnerabilities within the operating system or device hardware.<br>
<br>Remarks<br>
<br>While information [collection prevails](https://hisheartandhome.org) in modern applications for [debugging](https://gamingjobs360.com) and improving user experience, [aggressive fingerprinting](https://lesdelicesdelavie.com) raises significant personal privacy issues. The DeepSeek app needs users to visit with a [legitimate](https://creativehaircenter.com) email, which should already [offer sufficient](https://git.poggerer.xyz) [authentication](http://www.cerveceradelcentro.com). There is no [legitimate reason](https://hetchocoladehuys.nl) for the app to strongly collect and send [special gadget](https://www.informatiqueiro.com.br) identifiers, IMEI numbers, [SIM card](http://www.recipromania.com) details, and other non-resettable system homes.<br>
<br>The level of tracking observed here goes beyond typical analytics practices, potentially [allowing consistent](https://desmethenkokcomputers.nl) user tracking and [re-identification](http://rejobbing.com) across [devices](https://careers.indianschoolsoman.com). These habits, [valetinowiki.racing](https://valetinowiki.racing/wiki/User:EllaHaase272580) combined with [obfuscation methods](https://dadasradyosu.com) and [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11818798) network communication with third-party [tracking](https://www.khaosokholidayresorts.com) services, [require](http://mindcraftwellness.com) a higher level of examination from security scientists and users alike.<br>
<br>The [employment](http://cumminsclan.com) of runtime code packing in addition to the bundling of [native code](https://mixup.wiki) [recommends](http://enfoques.pe) that the app could permit the [deployment](https://tvoyarybalka.ru) and [execution](https://bo24h.com) of unreviewed, remotely provided code. This is a serious possible attack vector. No proof in this report exists that remotely released code [execution](https://stridenetworks.co.uk) is being done, just that the center for this [appears](http://pos.posday.net) present.<br>
<br>Additionally, the [app's technique](http://highlight.mn) to detecting rooted devices [appears excessive](https://topbeststuff.com) for an [AI](http://encontra2.net) chatbot. [Root detection](http://img.trvcdn.net) is often justified in [DRM-protected streaming](https://www.pisula.sk) services, where security and [material protection](https://clced.org) are crucial, or in competitive computer game to [prevent unfaithful](http://rtcsupport.org). However, there is no clear [reasoning](https://groenrechts.info) for such rigorous steps in an [application](https://the-storage-inn.com) of this nature, raising more questions about its intent.<br>
<br>Users and companies considering setting up DeepSeek must [understand](https://scf.sharjahcements.com) these potential risks. If this [application](https://www.informatiqueiro.com.br) is being [utilized](http://encontra2.net) within an [enterprise](https://www.satinestone.com) or [government](https://git.goolink.org) environment, extra vetting and security controls must be imposed before enabling its deployment on [managed gadgets](http://textove.net).<br>
<br>Disclaimer: The [analysis](https://www.fym-productions.com) presented in this report is based upon static code evaluation and does not suggest that all found [functions](https://feitiemp.cn) are actively used. Further investigation is required for definitive conclusions.<br>
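Review bot: The added Markdown is not usable as a report in its current form because the body text has been synonym-spun, which corrupts the technical vocabulary throughout the file, and nearly every phrase carries a bracketed link to an unrelated domain (for example `[static analysis](https://vinod.nu)`, `[encryption](https://triowise.org)`, `[Google Play](https://www.comete.info)`) that reads as link spam rather than a citation. Please restore the plain terms the spinning replaced, at minimum "fixed analysis" to "static analysis", "system homes" to "system properties", "gadget" to "device", "habits" to "behaviors", and "intensify benefits" (in the last bullet of the malware-like behavior list) to "escalate privileges", and strip every inline link that does not point at an actual source. Two smaller items in the same lines: the three references to "here" (the earlier DeepSeek write-up, the NowSecure analysis of the iPhone app, and the WebView manipulation details) have no link target and should either get a URL or be dropped, and the file-extension references are missing a space ("a.so extension" and "The.so files" should read "a .so extension" and "The .so files").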