Static Analysis of The DeepSeek Android App
I carried out a static analysis of DeepSeek, a Chinese LLM chatbot, using variation 1.8.0 from the Google Play Store. The objective was to recognize prospective security and privacy issues.
I have actually blogged about DeepSeek previously here.
Additional security and personal privacy issues about DeepSeek have actually been raised.
See likewise this analysis by NowSecure of the iPhone version of DeepSeek
The findings detailed in this report are based simply on static analysis. This implies that while the code exists within the app, there is no conclusive evidence that all of it is carried out in practice. Nonetheless, the presence of such code warrants analysis, especially provided the growing concerns around information privacy, security, the prospective abuse of AI-driven applications, and cyber-espionage characteristics in between international powers.
Key Findings
Suspicious Data Handling & Exfiltration
- Hardcoded URLs direct data to external servers, raising issues about user activity monitoring, such as to ByteDance "volce.com" endpoints. NowSecure recognizes these in the iPhone app yesterday as well.
- Bespoke encryption and data obfuscation techniques exist, with indicators that they might be utilized to exfiltrate user details.
- The app contains hard-coded public secrets, rather than depending on the user device's chain of trust.
- UI interaction tracking records detailed user behavior without clear authorization.
-
WebView control is present, which might permit the app to gain access to private external internet browser information when links are opened. More details about WebView adjustments is here
Device Fingerprinting & Tracking
A considerable portion of the examined code appears to focus on event device-specific details, oke.zone which can be utilized for tracking and fingerprinting.
- The app gathers numerous distinct device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and provider details. - System residential or commercial properties, set up plans, and root detection mechanisms suggest prospective anti-tampering measures. E.g. probes for the presence of Magisk, a tool that personal privacy supporters and security researchers use to root their Android gadgets.
- Geolocation and network profiling exist, suggesting prospective tracking abilities and allowing or disabling of fingerprinting programs by region.
- Hardcoded gadget design lists recommend the application may behave differently depending on the identified hardware.
- Multiple vendor-specific services are utilized to draw out extra device details. E.g. if it can not identify the device through standard Android SIM lookup (due to the fact that authorization was not approved), it tries maker particular extensions to access the exact same details.
Potential Malware-Like Behavior
While no conclusive conclusions can be drawn without dynamic analysis, numerous observed behaviors line up with recognized spyware and malware patterns:
- The app uses reflection and photorum.eclat-mauve.fr UI overlays, townshipmarket.co.za which could facilitate unapproved screen capture or phishing attacks. - SIM card details, serial numbers, and other device-specific information are aggregated for unidentified purposes.
- The app implements country-based gain access to constraints and "risk-device" detection, recommending possible surveillance systems.
- The app carries out calls to pack Dex modules, where extra code is loaded from files with a.so extension at runtime.
- The.so submits themselves turn around and make extra calls to dlopen(), which can be used to load additional.so files. This center is not normally inspected by Google Play Protect and other fixed analysis services.
- The.so files can be carried out in native code, such as C++. Making use of native code includes a layer of complexity to the analysis process and obscures the full degree of the app's capabilities. Moreover, native code can be leveraged to more easily intensify privileges, potentially exploiting vulnerabilities within the os or device hardware.
Remarks
While information collection prevails in contemporary applications for debugging and enhancing user experience, aggressive fingerprinting raises considerable privacy concerns. The DeepSeek app requires users to log in with a valid email, which need to currently offer sufficient authentication. There is no legitimate factor for the app to aggressively collect and send special device identifiers, IMEI numbers, SIM card details, and other non-resettable system homes.
The degree of tracking observed here exceeds common analytics practices, possibly making it possible for persistent user tracking and re-identification throughout gadgets. These habits, combined with obfuscation techniques and network communication with third-party tracking services, require a higher level of analysis from security scientists and wiki.asexuality.org users alike.
The work of runtime code loading along with the of native code recommends that the app might enable the deployment and execution of unreviewed, remotely delivered code. This is a major possible attack vector. No evidence in this report is provided that remotely deployed code execution is being done, just that the facility for this appears present.
Additionally, the app's technique to discovering rooted devices appears extreme for an AI chatbot. Root detection is frequently warranted in DRM-protected streaming services, where security and content defense are crucial, or in competitive computer game to avoid unfaithful. However, there is no clear reasoning for such rigorous procedures in an application of this nature, raising further questions about its intent.
Users and companies thinking about setting up DeepSeek should be conscious of these potential threats. If this application is being used within a business or government environment, extra vetting and security controls should be implemented before enabling its release on handled gadgets.
Disclaimer: swwwwiki.coresv.net The analysis provided in this report is based upon static code evaluation and does not imply that all spotted functions are actively used. Further investigation is required for conclusive conclusions.