1 Static Analysis of The DeepSeek Android App
otiliab491327 edited this page 2025-02-27 13:41:51 +02:00


I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using version 1.8.0 from the Google Play Store. The goal was to identify potential security and privacy concerns.

I have written about DeepSeek previously here.

Additional security and privacy concerns about DeepSeek have been raised.

See also this analysis by NowSecure of the iPhone version of DeepSeek.

The findings detailed in this report are based purely on static analysis. This means that while the code exists within the app, there is no definitive evidence that all of it is executed in practice. Nonetheless, the presence of such code warrants scrutiny, especially given the growing concerns around data privacy, surveillance, the potential abuse of AI-driven applications, and cyber-espionage dynamics between global powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct data to external servers, such as ByteDance "volce.com" endpoints, raising concerns about user activity tracking. NowSecure identified these in the iPhone app yesterday as well.
- Bespoke encryption and data obfuscation methods are present, with indications that they could be used to exfiltrate user data.
- The app contains hard-coded public keys, rather than relying on the user device's chain of trust.
- UI interaction tracking captures detailed user behaviour without clear consent.
- WebView manipulation is present, which could allow the app to access private external browser data when links are opened. More details about WebView controls are here.

Device Fingerprinting & Tracking

A significant portion of the analysed code appears to focus on gathering device-specific information, which can be used for tracking and fingerprinting.

- The app collects numerous unique device identifiers, including UDID, Android ID, IMEI, IMSI, and carrier information.
- System properties, installed packages, and root detection mechanisms suggest potential anti-tampering measures, e.g. probes for the presence of Magisk, a tool that enthusiasts and security researchers use to root their Android devices.
- Geolocation and network profiling are present, suggesting potential tracking capabilities and the enabling or disabling of fingerprinting routines by region.
- Hardcoded device model lists suggest the application may behave differently depending on the detected hardware.
- Multiple vendor-specific services are used to extract additional device details, e.g. if it cannot determine the device through the standard Android SIM lookup (because permission was not granted), it tries manufacturer-specific extensions to access the same information.

Potential Malware-Like Behavior

While no definitive conclusions can be drawn without dynamic analysis, several observed behaviours align with known spyware and malware patterns:

- The app uses reflection and UI overlays, which could facilitate unauthorised screen capture or phishing attacks.
- SIM card details, identification numbers, and other device-specific data are aggregated for unknown purposes.
- The app implements country-based access restrictions and "risk-device" detection, suggesting possible surveillance mechanisms.
- The app implements calls to load Dex modules, where additional code is loaded from files with a .so extension at runtime.
- The .so files themselves in turn make further calls to dlopen(), which can be used to load additional .so files. This facility is not typically checked by Google Play Protect and other static analysis services.
- The .so files can be implemented in native code, such as C++. Using native code adds a layer of complexity to the analysis process and obscures the full extent of the app's capabilities. Moreover, native code can be leveraged to more easily escalate privileges, potentially exploiting vulnerabilities within the operating system or device hardware.
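To make the fingerprinting and dynamic-code-loading findings above reproducible, here is an added triage script (not from the original report or the app) that greps decompiled Android sources for the indicator classes this report describes: identifier getters, Magisk/su probes, DexClassLoader/dlopen/System.load calls, volce.com endpoints, WebView controls and location APIs. The Android API names are real; the category names and the sample sources are constructed for illustration.

```python
import re

# Indicator regexes grouped by the finding categories used in this report.
# The Android API names are real; the category labels are this script's own.
INDICATORS = {
    "device_identifiers": [r"\bgetDeviceId\b", r"\bgetImei\b", r"\bgetSubscriberId\b",
                           r"\bgetSimSerialNumber\b", r"\bANDROID_ID\b"],
    "root_detection": [r"(?i)magisk", r"/system/(?:xbin|bin)/su\b"],
    "dynamic_code_loading": [r"\bDexClassLoader\b", r"\bdlopen\b",
                             r"\bSystem\.load(?:Library)?\("],
    "hardcoded_endpoints": [r"https?://[\w.-]*volce\.com[^\s\"']*"],
    "webview_controls": [r"\baddJavascriptInterface\b", r"setJavaScriptEnabled\(true\)"],
    "geolocation": [r"\bgetLastKnownLocation\b", r"\bACCESS_FINE_LOCATION\b"],
}

def scan_sources(sources):
    """Return {category: [(file, line_no, matched_text), ...]} for every hit.
    `sources` maps a file name to its decompiled text (Java, smali or strings output)."""
    hits = {cat: [] for cat in INDICATORS}
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for cat, patterns in INDICATORS.items():
                for pat in patterns:
                    for m in re.finditer(pat, line):
                        hits[cat].append((name, line_no, m.group(0)))
    return hits

def triage_summary(hits):
    """Collapse hits to {category: count}, dropping categories with no hits."""
    return {cat: len(found) for cat, found in hits.items() if found}

# Constructed sample of decompiled output; not taken from the real app.
SAMPLE_SOURCES = {
    "DeviceInfo.java": ("String id = tm.getDeviceId();\n"
                        "String imsi = tm.getSubscriberId();\n"
                        "String aid = Settings.Secure.getString(cr, Settings.Secure.ANDROID_ID);\n"),
    "RootCheck.java": "if (new File(\"/sbin/.magisk\").exists()) flag();\n",
    "Loader.java": ("ClassLoader cl = new DexClassLoader(soPath, optDir, null, parent);\n"
                    "System.loadLibrary(\"native_bridge\");\n"),
    "strings.txt": "https://placeholder.volce.com/collect\n",  # constructed URL
}

if __name__ == "__main__":
    for cat, found in scan_sources(SAMPLE_SOURCES).items():
        for name, line_no, matched in found:
            print(f"{cat:22} {name}:{line_no}  {matched}")
```

Point it at the output of a decompiler (e.g. a directory of `.java` or `.smali` files read into the `sources` dict) to get a first-pass map of where each finding category lives before reading the code by hand.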

Remarks

While data collection is common in modern applications for debugging and improving user experience, aggressive fingerprinting raises significant privacy concerns. The DeepSeek app requires users to log in with a valid email, which should already provide sufficient authentication. There is no legitimate reason for the app to aggressively collect and transmit unique device identifiers, IMEI numbers, SIM card details, and other non-resettable system properties.

The extent of tracking observed here exceeds typical analytics practices, potentially enabling persistent user tracking and re-identification across devices. These behaviours, combined with obfuscation techniques and network communication with third-party tracking services, warrant a higher level of scrutiny from security researchers and users alike.

The use of runtime code loading together with the bundling of native code suggests that the app could permit the deployment and execution of unreviewed, remotely delivered code. This is a serious potential attack vector. No evidence in this report exists that remotely deployed code execution is being done, only that the facility for this appears present.

Additionally, the app's approach to detecting rooted devices appears excessive for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and content protection are critical, or in competitive games to prevent cheating. However, there is no clear rationale for such strict measures in an application of this nature, raising further concerns about its intent.

Users and organisations considering installing DeepSeek should be aware of these potential risks. If this application is being used within an enterprise or government environment, additional vetting and security controls should be enforced before allowing its deployment on managed devices.

Disclaimer: The analysis presented in this report is based on static code review and does not imply that all identified functions are actively used. Further investigation is required for definitive conclusions.