GitLab

I performed a static analysis of DeepSeek, a Chinese LLM chatbot, utilizing version 1.8.0 from the Google Play Store. The objective was to determine possible security and personal privacy issues.

I have actually discussed DeepSeek formerly here.

Additional security and privacy issues about DeepSeek have been raised.

See likewise this analysis by NowSecure of the iPhone variation of DeepSeek

The findings detailed in this report are based simply on static analysis. This suggests that while the code exists within the app, yewiki.org there is no conclusive evidence that all of it is performed in practice. Nonetheless, the presence of such code warrants scrutiny, particularly offered the growing issues around information personal privacy, security, the potential abuse of AI-driven applications, and cyber-espionage dynamics in between worldwide powers.

Key Findings

Suspicious Data Handling & Exfiltration

- Hardcoded URLs direct information to external servers, raising issues about user activity tracking, such as to ByteDance "volce.com" endpoints. NowSecure determines these in the iPhone app yesterday as well.

• Bespoke file encryption and data obfuscation approaches are present, pipewiki.org with indications that they could be used to exfiltrate user details.
• The app contains hard-coded public keys, instead of depending on the user gadget's chain of trust.
• UI interaction tracking captures detailed user behavior trademarketclassifieds.com without clear approval. - WebView control is present, which could permit for accc.rcec.sinica.edu.tw the app to gain access to personal external browser information when links are opened. More details about WebView adjustments is here
  
  Device Fingerprinting & Tracking
  
  A substantial part of the evaluated code appears to focus on event device-specific details, which can be utilized for tracking and fingerprinting.
  
  - The app gathers numerous unique device identifiers, consisting of UDID, Android ID, IMEI, IMSI, and carrier details.
• System homes, installed packages, and root detection mechanisms recommend prospective anti-tampering procedures. E.g. probes for the presence of Magisk, a tool that privacy supporters and security researchers use to root their Android devices.
• Geolocation and network profiling exist, suggesting potential tracking abilities and making it possible for or disabling of fingerprinting routines by area.
• Hardcoded device design lists recommend the application might behave in a different way depending on the identified hardware.
• Multiple vendor-specific services are utilized to draw out extra device details. E.g. if it can not identify the gadget through basic Android SIM lookup (due to the fact that approval was not given), it tries maker specific extensions to access the exact same details.
  
  Potential Malware-Like Behavior
  
  While no definitive conclusions can be drawn without dynamic analysis, numerous observed behaviors line up with known spyware and malware patterns:
  
  - The app uses reflection and UI overlays, which could facilitate unauthorized screen capture or phishing attacks.
• SIM card details, serial numbers, and other device-specific information are aggregated for unidentified purposes.
• The app executes country-based gain access to constraints and "risk-device" detection, suggesting possible security mechanisms.
• The app executes calls to pack Dex modules, where extra code is filled from files with a.so extension at runtime.
• The.so submits themselves reverse and make extra calls to dlopen(), which can be utilized to load additional.so files. This center is not normally checked by Google Play Protect and other fixed analysis services.
• The.so files can be carried out in native code, such as C++. Making use of native code adds a layer of intricacy to the analysis process and obscures the full level of the app's abilities. Moreover, native code can be leveraged to more easily intensify privileges, archmageriseswiki.com possibly making use of vulnerabilities within the system or device hardware.
  
  Remarks
  
  While information collection prevails in modern applications for debugging and enhancing user experience, aggressive fingerprinting raises considerable privacy issues. The DeepSeek app requires users to log in with a valid email, which need to currently provide sufficient authentication. There is no valid reason for the app to aggressively gather and transfer distinct device identifiers, IMEI numbers, SIM card details, and other non-resettable system residential or commercial properties.
  
  The level of tracking observed here surpasses normal analytics practices, potentially enabling relentless user tracking and re-identification throughout gadgets. These habits, combined with obfuscation strategies and network communication with third-party tracking services, necessitate a higher level of analysis from security scientists and users alike.
  
  The employment of runtime code loading along with the bundling of native code recommends that the app could permit the release and execution of unreviewed, remotely delivered code. This is a major prospective attack vector. No proof in this report is presented that remotely released code execution is being done, yewiki.org only that the facility for this appears present.
  
  Additionally, the app's method to finding rooted gadgets appears extreme for an AI chatbot. Root detection is typically justified in DRM-protected streaming services, where security and material protection are important, or in competitive computer game to avoid unfaithful. However, there is no clear reasoning for such strict steps in an application of this nature, raising additional concerns about its intent.
  
  Users and organizations thinking about setting up DeepSeek ought to understand these possible threats. If this application is being utilized within an enterprise or government environment, extra vetting and security controls need to be imposed before permitting its deployment on managed devices.
  
  Disclaimer: The analysis presented in this report is based on fixed code evaluation and does not imply that all spotted functions are actively utilized. Further examination is required for conclusive conclusions.