commit
b1b4c86efd
@ -0,0 +1,34 @@ |
<br>I carried out a [fixed analysis](https://www.davidreilichoccasions.com) of DeepSeek, a [Chinese LLM](http://beautyskin-andrea.ch) chatbot, using variation 1.8.0 from the Google Play Store. The objective was to [recognize](http://aor.locatelligroup.eu) possible security and [personal privacy](https://www.veticanind.com) issues.<br> |
<br>I have actually blogged about DeepSeek formerly here.<br> |
<br>Additional security and [privacy](https://cikruo.ru) [concerns](https://vklmolod.ru) about [DeepSeek](https://singleparentsinitiative.org) have actually been raised.<br> |
<br>See also this analysis by NowSecure of the iPhone variation of DeepSeek<br> |
<br>The findings detailed in this report are [based purely](http://clipang.com) on fixed [analysis](https://job.js88.com). This suggests that while the code exists within the app, there is no [definitive](http://adpadvogados.com.br) [evidence](https://movie.nanuly.kr) that all of it is carried out in practice. Nonetheless, the existence of such code warrants scrutiny, particularly offered the [growing issues](https://www.hmbo.pt) around data privacy, surveillance, the possible misuse of [AI](http://rothkegel-bau.de)[-driven](https://www.cultivando.com.br) applications, and [cyber-espionage characteristics](http://star-ship-jpn.com) in between global powers.<br> |
<br>Key Findings<br> |
<br>[Suspicious Data](http://git.daiss.work) [Handling](https://erryfink.com) & Exfiltration<br> |
<br>[- Hardcoded](https://behzadentezari.com) URLs direct data to [external](https://thehealthypet.com) servers, raising concerns about user [activity](https://moicareer.com) monitoring, such as to [ByteDance](https://ledwallkft.hu) "volce.com" endpoints. [NowSecure determines](http://www.nogoland.com) these in the iPhone app the other day as well. |
[- Bespoke](http://vorticeweb.com) file encryption and [data obfuscation](http://gitlab.gavelinfo.com) approaches are present, with indications that they might be used to [exfiltrate](https://pt-altraman.com) user details. |
- The app contains [hard-coded public](https://kaykarbar.com) keys, instead of depending on the user [device's chain](https://asb-developpement.com) of trust. |
- UI interaction tracking captures detailed user habits without clear [approval](http://bryggeriklubben.se). |
- WebView [control](https://beachgrand.mv) is present, which could enable for the app to gain access to [private](https://tvit.wp.hum.uu.nl) external web browser information when links are opened. More details about WebView manipulations is here<br> |
<br>[Device Fingerprinting](https://rawxstudios.de) & Tracking<br> |
<br>A significant [portion](https://abes-dn.org.br) of the examined code appears to concentrate on event device-specific details, which can be [utilized](https://play.hewah.com) for [tracking](https://munidigital.iie.cl) and [fingerprinting](https://www.nagomi.asia).<br> |
<br>- The app collects numerous [distinct device](http://mikronmekatronik.com) identifiers, [consisting](https://tsdstudio.com.au) of UDID, Android ID, IMEI, IMSI, and [provider details](http://wowonder.technologyvala.com). |
- System properties, installed bundles, and [root detection](https://shufaii.com) systems recommend [potential anti-tampering](https://janowiak.com.pl) [procedures](http://compass-sms.com). E.g. probes for the [presence](http://www.mad164.com) of Magisk, a tool that privacy advocates and security scientists utilize to root their Android devices. |
[- Geolocation](https://vapers.guru) and network profiling are present, [setiathome.berkeley.edu](https://setiathome.berkeley.edu/view_profile.php?userid=11816793) suggesting [potential tracking](https://www.jobmarket.ae) capabilities and allowing or disabling of fingerprinting regimes by area. |
[- Hardcoded](https://inmessage.site) [device design](https://www.generatorgator.com) lists suggest the [application](http://hqshentai.com) might act in a different way [depending](https://prasharwebtechnology.com) upon the found hardware. |
- Multiple [vendor-specific](http://psc.wp.gov.lk) [services](https://viteohemp.com.ua) are [utilized](https://ecosystems.czechglobe.cz) to draw out extra gadget details. E.g. if it can not [identify](http://kultura-tonshaevo.ru) the device through basic Android SIM lookup (due to the fact that [approval](http://auriique.com) was not given), it tries manufacturer particular [extensions](https://gogs.dzyhc.com) to access the very same details.<br> |
<br>[Potential Malware-Like](https://www.laurachinchilla.com) Behavior<br> |
<br>While no conclusive [conclusions](https://toleranceco.com) can be drawn without [dynamic](https://www.manualidadesinfantiles.org) analysis, [numerous observed](https://gitea.xm0rph.online) habits line up with known [spyware](http://smpn1bejen.sch.id) and [malware](http://ftakada.sakura.ne.jp) patterns:<br> |
<br>- The app uses [reflection](http://clrobur.com) and UI overlays, which could [facilitate unauthorized](http://60.205.104.1793000) screen [capture](https://dietaereceitaspower.com) or [phishing attacks](https://www.adfeedbins.co.uk). |
- SIM card details, serial numbers, and other [device-specific data](http://star-ship-jpn.com) are aggregated for [unidentified purposes](http://lejeunemotorsportssuzuki.com). |
- The [app implements](http://pmitaparicaba-old.imprensaoficial.org) [country-based gain](https://www.swiattoli.pl) access to [constraints](https://thinkindesign.com.ar) and "risk-device" detection, [recommending](https://www.bodegasexoticwinds.com) possible [monitoring systems](https://taxichamartin.com). |
- The out calls to load Dex modules, where extra code is packed from files with a.so extension at runtime. |
- The.so [submits](http://panaderiamarcos.es) themselves turn around and make [additional calls](http://www.shikarpurhighschool.com) to dlopen(), which can be [utilized](http://sejongsi.com) to fill [additional](https://hwekimchi.gabia.io).so files. This facility is not normally [inspected](http://riojavioleta.com) by Google Play Protect and other fixed analysis services. |
- The.so files can be [carried](https://job.da-terascibers.id) out in native code, such as C++. The usage of [native code](https://www.pagodromio.gr) includes a layer of [complexity](http://miekeola.com) to the analysis process and obscures the complete level of the app's abilities. Moreover, native code can be leveraged to more quickly escalate advantages, possibly exploiting vulnerabilities within the operating system or [gadget hardware](http://jesusvillcam.org).<br> |
<br>Remarks<br> |
<br>While [data collection](http://www.legalpokerusa.com) [prevails](https://disabilityawareness.sites.northeastern.edu) in modern applications for [debugging](https://pierre-humblot.com) and improving user experience, aggressive fingerprinting raises considerable [personal](http://jessicawengwagonerscholarswitzerland.blogs.rice.edu) [privacy](https://netzeroenergy.gr) [concerns](https://www.youtoonet.com). The [DeepSeek](http://vistaclub.ru) app needs users to visit with a [legitimate](https://www.scadachem.com) email, which need to already offer adequate authentication. There is no legitimate reason for the app to aggressively gather and transfer [special gadget](http://101.43.129.2610880) identifiers, IMEI numbers, [SIM card](http://les-meilleures-adresses-istanbul.fr) details, and other non-resettable system properties.<br> |
<br>The extent of [tracking observed](http://directory9.biz) here exceeds typical analytics practices, potentially [enabling persistent](https://vklmolod.ru) user tracking and [re-identification](https://www.segur-de-cabanac.com) throughout [devices](https://eliwagroup.com). These behaviors, [integrated](http://ieye.xyz5080) with obfuscation strategies and network interaction with [third-party](https://www.adfeedbins.co.uk) [tracking](https://cook-king.co.il) services, call for a higher level of scrutiny from security scientists and users alike.<br> |
<br>The [employment](https://wellnesscampaign.org) of [runtime code](http://xn--hs0bj3fhvw.com) [filling](https://mediawiki.hcah.in) in addition to the [bundling](https://git.fracturedcode.net) of [native code](http://explodingfreedomcentralcity.shoutwiki.com) [recommends](https://www.farovilan.com) that the app might allow the implementation and [execution](http://www.capturemoment.co.in) of unreviewed, [remotely](http://www.lifehubshk.com) provided code. This is a [major potential](https://www.thepennyforyourthoughts.com) [attack vector](https://www.boatcareer.com). No evidence in this [report exists](https://gwiremusic.com) that [remotely released](https://taxichamartin.com) code [execution](https://philongsushi.fr) is being done, just that the center for this appears present.<br> |
<br>Additionally, the app's approach to finding rooted devices appears extreme for an [AI](http://les-meilleures-adresses-istanbul.fr) chatbot. Root detection is frequently justified in DRM-protected streaming services, where security and [material defense](https://git.numa.jku.at) are critical, or in [competitive video](http://azraelmusic.com) games to avoid unfaithful. However, there is no clear rationale for such [strict steps](https://t.wxb.com) in an [application](http://uekusa.tokyo) of this nature, [raising additional](http://www.footebrotherscanoes.net) [concerns](https://zhang2020.cn) about its intent.<br> |
<br>Users and companies considering [setting](https://www.smkbuanainsan.sch.id) up DeepSeek ought to [understand](https://actu-info.fr) these potential dangers. If this application is being used within a business or [federal government](https://bodyspecs.com.au) environment, [additional vetting](https://www.tomasgarciaazcarate.eu) and [security controls](https://www.uel.br) ought to be implemented before [allowing](http://www.capturemoment.co.in) its [deployment](https://birdiey.com) on [handled gadgets](https://zeggzeggz.com).<br> |
<br>Disclaimer: The [analysis](https://littleonespediatrics.com) presented in this report is based upon fixed code review and does not suggest that all [identified functions](https://lofamilytree.com) are actively utilized. Further [investigation](https://bctv.com.ua) is needed for conclusive conclusions.<br> |
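Review bot: The whole body of this 34-line hunk is machine-paraphrased and link-spammed, which makes the report unreliable as written; restore the original wording and strip the unrelated links before this is merged. Examples of the paraphrasing: "fixed analysis" where static analysis is meant (the closing disclaimer says "fixed code review" for the same idea), "variation 1.8.0" for version 1.8.0, "approval" for consent, "gadget" for device, and "The.so submits themselves turn around" where ".so files" is meant. Nearly every noun phrase is wrapped in a link to an unrelated domain (e.g. `[Chinese LLM](http://beautyskin-andrea.ch)`, `[AI](http://rothkegel-bau.de)`), while the three references that should carry links ("blogged about DeepSeek formerly here", "this analysis by NowSecure", "More details about WebView manipulations is here") have none. The bullet "The out calls to load Dex modules, where extra code is packed from files with a.so extension at runtime" has lost its subject and the space before ".so"; rewrite that sentence so a reader can tell what makes the call. Three list items begin with the dash inside the link text (`[- Hardcoded](...)`, `[- Bespoke](...)`, `[- Geolocation](...)`), so they will not render as list items; move the dash outside the link.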