DeepSeek Sending Unprotected Sensitive User Data To TikTok’s Parent ByteDance

by CybrGPT

There are growing concerns about the security of the DeepSeek iOS app, as it may be transmitting unprotected user data to ByteDance, the parent company of TikTok.

According to US-based mobile security company NowSecure, which conducted a comprehensive security and privacy assessment of the DeepSeek iOS mobile app on physical iOS devices, the app uses unencrypted data transmission, weak and hardcoded encryption keys, insecure data storage, extensive data collection and fingerprinting, and sends unencrypted data to China.

The first and foremost issue highlighted by NowSecure is that the DeepSeek iOS app sends some mobile app registration and device data over the internet without encryption, making it vulnerable to interception and manipulation.

For instance, an attacker with a privileged position on the network path (the classic man-in-the-middle scenario) could intercept and modify the data, compromising the app’s integrity and data security.

Although Apple provides built-in platform protections that keep developers from introducing this flaw, according to NowSecure that protection was disabled globally for the DeepSeek iOS app.

“When a user first launches the DeepSeek iOS app, it communicates with the DeepSeek’s backend infrastructure to configure the application, register the device and establish a device profile mechanism. Even when the network is configured to actively attack the mobile app (via a MITM attack), the app still executes these steps which enables both passive and active attacks against the data,” the company wrote in a blog post published on Thursday.

Modern apps use encryption to safeguard the confidentiality and integrity of user data, but that protection only holds when the encryption is implemented properly.

However, the app relies on an insecure symmetric encryption algorithm (3DES), reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
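The following Python script is an added illustration of the failure mode that a reused initialization vector creates under CBC mode; it is not code from NowSecure's report or from the DeepSeek app, and it does not reimplement 3DES. Instead it uses a small HMAC-based Feistel permutation with the same 64-bit block size as 3DES as a stand-in, so the property shown (identical plaintext prefixes produce identical ciphertext prefixes whenever the key and IV are both fixed) is a property of the mode, not of the toy cipher. The key, IV and the two registration records are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 8  # 64-bit blocks, the same block size as 3DES

# Anti-pattern from the report: a key and IV baked into the app. Constructed values.
HARDCODED_KEY = b"hardcoded-demo-key-do-not-ship"
HARDCODED_IV = b"\x00" * BLOCK


def fresh_key() -> bytes:
    """Key generated at runtime and held in the platform keystore, never in source."""
    return os.urandom(32)


def fresh_iv() -> bytes:
    """CBC needs an unpredictable IV for every message, never a constant."""
    return os.urandom(BLOCK)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to the 32-bit half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel permutation on one 64-bit block (a stand-in, not 3DES)."""
    l, r = block[:4], block[4:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    l, r = block[:4], block[4:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Textbook CBC: each plaintext block is XORed with the previous ciphertext block."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def leaked_prefix_blocks(key: bytes, iv1: bytes, iv2: bytes, m1: bytes, m2: bytes) -> int:
    """How many leading ciphertext blocks of m1 and m2 are identical.

    With the same key and IV, a passive observer learns exactly how long the
    shared plaintext prefix is without decrypting anything. With distinct IVs the
    first inputs differ, and because the block cipher is a permutation every
    ciphertext block then differs as well.
    """
    c1 = cbc_encrypt(key, iv1, m1)
    c2 = cbc_encrypt(key, iv2, m2)
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample payloads: two device-registration records sharing a 16-byte prefix.
M1 = b"deviceid=0001234 lang=en"
M2 = b"deviceid=0001234 lang=fr"

if __name__ == "__main__":
    same = leaked_prefix_blocks(HARDCODED_KEY, HARDCODED_IV, HARDCODED_IV, M1, M2)
    fresh = leaked_prefix_blocks(HARDCODED_KEY, fresh_iv(), fresh_iv(), M1, M2)
    print(f"fixed key + fixed IV : {same} leading blocks identical (prefix leaked)")
    print(f"fixed key + fresh IVs: {fresh} leading blocks identical")
```

The leak here is the mildest consequence of IV reuse; the same design also lets an active attacker on an unencrypted channel splice or replay blocks, which is why current guidance is an AEAD mode (AES-GCM or ChaCha20-Poly1305) with a per-message nonce and a key that lives in the device keystore rather than in the binary.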

Additionally, the DeepSeek iOS app insecurely stores usernames, passwords, and encryption keys, increasing the risk of credential theft. The app also collects user and device data that can be used for tracking and de-anonymization.

Moreover, the app collects tens of data points, including organization ID, device OS version, and the language selected in the configuration. NowSecure notes that user data is sent to servers operated by Volcengine, a cloud service platform released by ByteDance in 2021.

Since ByteDance is governed by Chinese laws, it may be compelled to share the data it collects with the Chinese government, raising major surveillance and compliance concerns for enterprises and governments utilizing the app.

“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet,” NowSecure added.
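As an added check for the ATS finding described above (written for this page, not taken from NowSecure's report or from the DeepSeek app), the script below parses an iOS Info.plist with the standard-library plistlib module and reports every App Transport Security setting that permits cleartext or weakened TLS. The two plists it inspects are constructed samples that stand in for a globally-disabled configuration and a hardened one; the bundle identifier and domain in them are placeholders.

```python
import plistlib

# Constructed sample: ATS switched off for the whole app via NSAllowsArbitraryLoads,
# the configuration the report describes. Not DeepSeek's actual Info.plist.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Constructed hardened variant: ATS stays on; the only exception is scoped to one
# placeholder domain and still requires TLS 1.2 and forward secrecy.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>api.example.com</key>
            <dict>
                <key>NSIncludesSubdomains</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.2</string>
                <key>NSExceptionRequiresForwardSecrecy</key>
                <true/>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample with no NSAppTransportSecurity dictionary at all: ATS defaults fully on.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return one finding per ATS setting that allows cleartext traffic or weak TLS."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})  # missing dict means ATS is fully enforced
    findings: list[str] = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every connection")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"{key}=true: ATS relaxed for web or media loads")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: cleartext HTTP permitted")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS version lowered to {tls}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST), ("default", DEFAULT_PLIST)):
        print(name, "->", audit_ats(blob) or ["no ATS weaknesses"])
```

The Info.plist can be pulled from any decrypted .ipa (it sits at Payload/<App>.app/Info.plist), so this check fits naturally into an app-vetting or MDM onboarding pipeline; a global NSAllowsArbitraryLoads finding is the static signal that corresponds to the cleartext traffic NowSecure observed on the wire.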

NowSecure suggests that users promptly remove DeepSeek from their iPhones to protect their security and privacy.

It also recommends enterprises and agencies immediately remove the DeepSeek mobile iOS app from their managed and BYOD environments, consider alternative AI (artificial intelligence) platforms that prioritize mobile security and data protection, and continuously monitor mobile applications for emerging risks.


© 2025 cybrgpt.com – All rights reserved.