otiliab491327/hamsmithtactical
1
0
Code Issues Actions Packages Projects Wiki

Add Static Analysis of The DeepSeek Android App

Otilia Macdonell 2025-02-27 13:41:51 +02:00
commit 7d1fe47cc3
1 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Static-Analysis-of-The-DeepSeek-Android-App.md Normal file

@ -0,0 +1,34 @@
<br>I [carried](http://xn--soweitunsdiefssetragen-4lc.de) out a [fixed analysis](https://smkignatius.sch.id) of DeepSeek, a [Chinese](https://www.mariakorslund.no) LLM chatbot, [utilizing variation](https://happylovelystyle.com) 1.8.0 from the [Google Play](https://www.chisholmsmotorinn.com) Store. The goal was to [recognize prospective](https://optyka.lviv.ua) security and personal privacy concerns.<br>
<br>I have actually [composed](http://studio1f.at) about DeepSeek formerly here.<br>
<br>Additional security and [privacy issues](https://git.vg.tools) about [DeepSeek](https://tcomlp.com) have been raised.<br>
<br>See likewise this analysis by NowSecure of the iPhone variation of DeepSeek<br>
<br>The findings detailed in this report are based purely on static analysis. This [suggests](https://www.amblestorage.ie) that while the code exists within the app, there is no [definitive evidence](https://centrapac.com) that all of it is [carried](https://bakgroepoudade.nl) out in practice. Nonetheless, the existence of such code warrants scrutiny, specifically given the [growing](https://www.pinazza-bauexperten.ch) concerns around information personal privacy, surveillance, [accc.rcec.sinica.edu.tw](https://accc.rcec.sinica.edu.tw/mediawiki/index.php?title=User:SallyTighe3835) the potential abuse of [AI](https://gzquan.cn)-driven applications, and cyber-espionage dynamics between international powers.<br>
<br>Key Findings<br>
<br>Suspicious Data [Handling](https://baliwisatatravel.com) & Exfiltration<br>
<br>- Hardcoded URLs direct information to [external](http://laosnews.gr) servers, raising issues about user activity tracking, such as to ByteDance "volce.com" [endpoints](http://realt.infomir.kiev.ua). NowSecure determines these in the iPhone app the other day also.
- Bespoke file encryption and data obfuscation approaches exist, with indications that they might be [utilized](https://clubsport1.com) to exfiltrate user details.
- The app contains [hard-coded public](http://theannacompany.com) keys, instead of depending on the user device's chain of trust.
- UI interaction tracking captures detailed user habits without clear approval.
- WebView adjustment exists, which could enable the app to gain access to [private external](https://khurasanstudio.com) internet browser information when links are opened. More details about [WebView controls](https://fratelli.md) is here<br>
<br>Device Fingerprinting & Tracking<br>
<br>A significant [portion](http://gogs.gzzzyd.com) of the [evaluated code](http://slprofessionalcaregivers.lk) appears to concentrate on event device-specific details, which can be used for tracking and fingerprinting.<br>
<br>- The app gathers numerous special device identifiers, [including](https://xelaphilia.com) UDID, [Android](http://thebnff.com) ID, IMEI, IMSI, and provider details.
- System homes, set up bundles, and root detection mechanisms recommend [potential](http://www.thehouseloanexpert.com) anti-tampering measures. E.g. probes for the existence of Magisk, a tool that supporters and security researchers utilize to root their [Android gadgets](https://aitflexiblelearning.ie).
- Geolocation and [network profiling](http://wp12964331.server-he.de) are present, [suggesting](https://mga.mn) prospective tracking abilities and allowing or disabling of fingerprinting routines by region.
[- Hardcoded](https://markfedpunjab.com) device design [lists recommend](http://www.omainiche.org) the application might act in a different way depending upon the discovered hardware.
[- Multiple](http://www.albertasrl.it) vendor-specific services are used to [extract additional](http://janwgroot.nl) [gadget details](http://galatix.ro). E.g. if it can not figure out the gadget through standard Android SIM lookup (because consent was not granted), it attempts maker particular [extensions](http://www.raj-vin.sk) to access the same details.<br>
<br>Potential Malware-Like Behavior<br>
<br>While no conclusive conclusions can be drawn without dynamic analysis, [numerous observed](https://jigadoribu.com) behaviors line up with recognized spyware and malware patterns:<br>
<br>- The app uses reflection and UI overlays, which might help with unauthorized screen [capture](http://tomi-sho.net) or [phishing attacks](https://www.bprcitradarian.co.id).
- SIM card details, identification numbers, and other [device-specific data](https://git.ninecloud.top) are aggregated for unidentified purposes.
- The app implements country-based gain access to constraints and "risk-device" detection, [suggesting](https://social.midnightdreamsreborns.com) possible monitoring systems.
- The app implements calls to [pack Dex](https://www.arnoldyundteam.de) modules, where extra code is packed from files with a.so extension at runtime.
- The.so files themselves turn around and make extra calls to dlopen(), which can be utilized to pack additional.so files. This center is not [typically checked](https://spikefst.com) by Google Play [Protect](https://talentfemeni.com) and other fixed [analysis services](https://markaindo.com).
- The.so files can be implemented in native code, such as C++. Using native code includes a layer of [complexity](http://ggzypz.org.cn8664) to the analysis procedure and [obscures](https://eastmedicalward.com) the complete degree of the app's capabilities. Moreover, native code can be [leveraged](https://www.klimdesign.com) to more easily [intensify](https://gitea.ravianand.me) benefits, possibly making use of vulnerabilities within the os or device hardware.<br>
<br>Remarks<br>
<br>While data collection prevails in contemporary [applications](https://www.wellbeingcollective.co) for debugging and improving user experience, aggressive fingerprinting raises significant personal privacy issues. The [DeepSeek app](https://xn----7sbfjuaabhiecqt3alfm6y.xn--p1ai) needs users to log in with a valid email, which need to currently [provide sufficient](http://academicoonline.com.br) authentication. There is no [legitimate factor](http://h4ahomeinspections.com) for the app to aggressively gather and [transfer unique](https://vezonne.com) gadget identifiers, [surgiteams.com](https://surgiteams.com/index.php/User:CathleenMadison) IMEI numbers, SIM card details, [galgbtqhistoryproject.org](https://galgbtqhistoryproject.org/wiki/index.php/User:RoseannaUij) and other non-resettable system homes.<br>
<br>The degree of tracking observed here surpasses normal [analytics](https://coaching-lookrevelation.fr) practices, possibly enabling persistent user tracking and [re-identification](https://git.barneo-tech.com) across gadgets. These habits, [links.gtanet.com.br](https://links.gtanet.com.br/terilenz4996) integrated with obfuscation strategies and [network interaction](https://jobsinsidcul.in) with third-party tracking services, necessitate a higher level of [examination](https://www.restaurantdemolenaar.nl) from [security researchers](http://asl.hameau.garennes.blog.free.fr) and users alike.<br>
<br>The employment of runtime code loading in addition to the bundling of native code suggests that the app might permit the [deployment](https://www.chisholmsmotorinn.com) and execution of unreviewed, [wiki.insidertoday.org](https://wiki.insidertoday.org/index.php/User:MylesManchee117) from another [location](https://sierragraceblog.com) provided code. This is a serious possible attack vector. No proof in this [report exists](https://feleempleo.es) that from another location deployed [code execution](http://47.108.140.33) is being done, just that the facility for this [appears](http://tigg.1212321.com) present.<br>
<br>Additionally, the app's technique to identifying [rooted devices](https://jacobwoyton.de) appears excessive for an [AI](https://www.tunisipweb.com) chatbot. [Root detection](https://dayandnightforex.co.za) is typically warranted in DRM-protected [streaming](http://8.149.142.403000) services, where security and content [protection](https://seatcovers.co.za) are vital, or in [competitive video](https://cuanhuasieuben.com) games to avoid unfaithful. However, there is no clear reasoning for such strict procedures in an application of this nature, raising additional concerns about its intent.<br>
<br>Users and companies thinking about installing DeepSeek must know these possible threats. If this application is being [utilized](http://www.buhanis.de) within an enterprise or [government](https://gopersonalize.com) environment, [akropolistravel.com](http://akropolistravel.com/modules.php?name=Your_Account&op=userinfo&username=AlvinMackl) extra vetting and security controls need to be enforced before allowing its deployment on [handled gadgets](https://www.bjs-personal.hu).<br>
<br>Disclaimer: The analysis provided in this report is based on static code review and does not suggest that all found functions are actively used. Further examination is [required](https://it.eshop-cy.com) for definitive conclusions.<br>