Detecting hardcoded encryption keys in applications like DeepSeek involves a combination of manual inspection and automated tools. Here's a detailed approach to identify such vulnerabilities:
Manual Inspection
1. Code Review: Developers should regularly review their codebase for any hardcoded values, especially during debugging phases. This includes inspecting code comments and documentation for sensitive information that might have been left in the codebase.
2. Peer Reviews: Implementing peer reviews can help catch hardcoded secrets early in the development cycle. This process involves having other developers inspect the code for potential security risks.
Automated Detection
1. Static Code Analysis Tools: Utilize tools like Black Duck's Rapid Scan Static, which can analyze source code for embedded secrets and sensitive information. These tools can automatically detect hardcoded secrets across various file types and formats.
2. Binary Analysis Tools: Tools such as Black Duck Binary Analysis (BDBA) can scan final shipping products or container contents to find secrets in binaries and archives. This is particularly useful for detecting hardcoded keys in compiled applications.
3. Open-Source Tools: Leverage tools like Frida for dynamic instrumentation and analysis of app functions at runtime. Frida can be used to hook into crypto functions and verify if encryption keys are hardcoded.
4. Secret Scanners: Use tools like TruffleHog to scan codebases for hardcoded secrets. These tools are designed to identify patterns that match common secret types, such as API keys or encryption keys.
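The static and secret-scanning tools above all rest on the same basic idea: find string literals assigned to key-like names whose length and randomness match a real key rather than a placeholder. The following scanner is an added illustration of that idea, not code from TruffleHog, Black Duck, or any other tool named here; the source snippet it scans is constructed for the example and does not come from DeepSeek or any real project. It combines three checks a practitioner would expect: a hex literal whose decoded length is a 3DES or AES key size, a high-entropy printable literal of key length, and repeated-character constants such as an all-zero IV, while suppressing obvious sentinels like REPLACE_ME.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample source (hypothetical file; not from DeepSeek or any real app).
SAMPLE_SOURCE = """\
// Constructed example file: crypto_helper.swift
let aesKey = "0123456789abcdef0123456789abcdef"   // 32 hex chars -> 16-byte AES key
let desKey = "k7Gh2pLqZx9Vb4Rt"                   // 16 printable chars, 3DES-sized
let iv = "0000000000000000"                       // all-zero constant IV
let apiEndpoint = "https://example.invalid/v1/chat"
let keyFromEnv = ProcessInfo.processInfo.environment["APP_KEY"]
let token = "REPLACE_ME"
"""

# Identifier names that suggest cryptographic or credential material.
KEY_NAME = re.compile(r'(?i)(key|secret|\biv\b|token|password|passwd)')
# Any run of declaration tokens, then `name = "literal"` (Swift, Java, JS, Python, Go ...).
ASSIGNMENT = re.compile(
    r'''^\s*(?:[\w.<>\[\]]+\s+)*(?P<name>\w+)\s*=\s*[bBrRuU]?(?P<q>["'])(?P<value>[^"']*)(?P=q)'''
)
HEX = re.compile(r'^[0-9a-fA-F]+$')
# Obvious sentinels that are not real secrets.
PLACEHOLDER = re.compile(r'(?i)(replace|change|todo|xxx|example|placeholder|your_)')
# Raw key sizes in bytes: DES/3DES (8, 16, 24) and AES-128/192/256 (16, 24, 32).
KEY_BYTE_LENGTHS = {8, 16, 24, 32}


@dataclass
class Finding:
    line_no: int
    name: str
    value: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 4.0 for a 16-char string of distinct characters."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(name: str, value: str):
    """Return a reason string if `value` assigned to `name` looks like embedded key material."""
    if not KEY_NAME.search(name) or not value:
        return None
    if PLACEHOLDER.search(value):
        return None  # sentinel such as REPLACE_ME, not a live secret
    if len(set(value)) == 1 and len(value) in KEY_BYTE_LENGTHS:
        return "repeated-character constant of key/IV length"  # e.g. all-zero IV
    if HEX.match(value) and len(value) % 2 == 0 and len(value) // 2 in KEY_BYTE_LENGTHS:
        return f"hex literal encoding {len(value) // 2} bytes"
    if len(value) in KEY_BYTE_LENGTHS and shannon_entropy(value) >= 3.0:
        return f"high-entropy {len(value)}-char literal"
    return None


def scan_source(text: str):
    """Scan source text line by line and return the suspicious literal assignments."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        reason = classify(m.group("name"), m.group("value"))
        if reason:
            findings.append(Finding(line_no, m.group("name"), m.group("value"), reason))
    return findings


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.name} = {f.value!r} ({f.reason})")
```

Run as a script it reports the AES key literal, the 3DES-sized random-looking string, and the all-zero IV, while leaving the URL, the environment lookup, and the REPLACE_ME sentinel alone. The entropy threshold and the name pattern are the tuning knobs: lowering the threshold catches more keys at the cost of more false positives on ordinary configuration strings, which is the same trade-off the commercial tools expose.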
Specific Techniques for DeepSeek
Given the specific vulnerabilities identified in DeepSeek, such as the use of insecure symmetric encryption algorithms (3DES) and hardcoded keys, the following techniques can be applied:
- Reverse Engineering: Use tools like radare2 to reverse-engineer the app and identify encryption parameters, including hardcoded keys and initialization vectors.
- Dynamic Analysis: Employ Frida to hook into the app's encryption functions and verify the presence of hardcoded keys. This involves tracing CCCrypt calls to determine what data is being encrypted and decrypted.
By combining these methods, developers and security researchers can effectively detect hardcoded encryption keys in applications like DeepSeek, ensuring better security practices and protecting user data.