DeepSeek iOS App Poses Severe Security and Privacy Risks
A recent investigation has uncovered alarming security flaws in the DeepSeek iOS app, an AI chatbot that has quickly gained popularity. Researchers at NowSecure found that the app transmits sensitive data over unencrypted channels, leaving it open to interception by anyone on the network path. Even more concerning, this data is sent to servers controlled by ByteDance, the Chinese parent company of TikTok.
How DeepSeek Bypasses Apple’s Security Protocols
Apple’s App Transport Security (ATS) is designed to enforce encrypted (HTTPS) connections from iOS apps to the network. However, DeepSeek has globally disabled ATS, exposing user data to potential interception. This means that any attacker monitoring network traffic could read user details in cleartext, putting both individuals and organizations at risk.
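The global ATS opt-out described above is a single setting in an app's Info.plist. As an added example (not code from NowSecure or the DeepSeek app), the following Python audit reads an Info.plist and flags the ATS weaknesses a reviewer would look for: the global NSAllowsArbitraryLoads switch, per-domain cleartext exceptions, and exceptions that permit TLS below 1.2. The two plists it checks are constructed for illustration; the bundle identifiers and domain in them are placeholders.

```python
import plistlib

# Real ATS keys from Apple's Info.plist documentation.
ATS_KEY = "NSAppTransportSecurity"
ARBITRARY = "NSAllowsArbitraryLoads"
EXCEPTIONS = "NSExceptionDomains"
INSECURE_HTTP = "NSExceptionAllowsInsecureHTTPLoads"
MIN_TLS = "NSExceptionMinimumTLSVersion"

# Constructed sample: ATS switched off for every host (the pattern reported for DeepSeek).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

# Constructed sample: ATS left on, one domain pinned to TLS 1.2 or better.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict><key>api.example.com</key>
      <dict><key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string></dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes: bytes) -> list:
    """Return human-readable findings for ATS weaknesses in an Info.plist (empty list = clean)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get(ATS_KEY, {})  # No ATS dict at all means Apple's defaults apply (HTTPS only).
    findings = []
    if ats.get(ARBITRARY, False):
        findings.append("ATS disabled globally: NSAllowsArbitraryLoads=true (cleartext HTTP allowed to every host)")
    for domain, cfg in ats.get(EXCEPTIONS, {}).items():
        if cfg.get(INSECURE_HTTP, False):
            findings.append(f"cleartext HTTP allowed to {domain}")
        tls = cfg.get(MIN_TLS)
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"weak minimum TLS version {tls} for {domain}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(blob) or ["no ATS weaknesses found"])
```

The same function can be pointed at the Info.plist extracted from any .ipa to confirm whether an app opts out of ATS before it is approved for corporate devices.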
What Data Is at Risk?
During the app’s initial registration process, the following unencrypted information is transmitted:
- Organization ID
- SDK version used to develop the app
- User’s OS version
- Language preference
Although some data is encrypted using Transport Layer Security (TLS), security experts warn that once decrypted on ByteDance-controlled servers, it could be cross-referenced with other user data to track individuals and their queries.
Use of Deprecated Encryption Methods
In addition to disabling ATS, the DeepSeek app employs an outdated encryption scheme known as 3DES (Triple Data Encryption Standard). The National Institute of Standards and Technology (NIST) deprecated 3DES in 2016 due to vulnerabilities that allow hackers to break encryption and decrypt data.
Even more troubling is that DeepSeek has hardcoded symmetric encryption keys into the app itself, meaning every iOS user shares the same keys. This practice is a major security failure and leaves users exposed to potential cyberattacks.
DeepSeek’s Data Storage in China Raises Red Flags
DeepSeek’s privacy policy explicitly states that all collected data is stored on servers in China. Furthermore, the policy notes that DeepSeek may share user data with:
- Law enforcement agencies
- Public authorities
- Copyright holders
- Other third parties, as deemed necessary
This raises concerns that the Chinese government could access user data, which is particularly alarming for organizations handling sensitive or confidential information.
Experts Warn Against Using DeepSeek
Security researchers and cybersecurity firms have strongly advised against using the DeepSeek app due to its glaring vulnerabilities.
Andrew Hoog, co-founder of NowSecure, stated:
“There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company’s data and identity at risk.”
Similarly, Thomas Reed, an iOS security expert at Huntress, warned:
“There’s no good reason for disabling ATS in this day and age. Even if they secured communications, I wouldn’t trust any sensitive data going to a server that China’s government could access.”
U.S. Lawmakers Call for Immediate Ban
In response to the security concerns, U.S. lawmakers have proposed banning DeepSeek from all government devices, citing national security threats. If the proposed legislation passes, the app could be prohibited within 60 days.
What Should Users Do?
If you have installed the DeepSeek app on your device, cybersecurity experts recommend the following actions:
- Uninstall the app immediately to prevent further data exposure.
- Avoid using the Android version, as it is reportedly even less secure than the iOS version.
- Use only reputable AI chatbots from companies that follow strict security protocols.
- Monitor for security updates from Apple and cybersecurity researchers regarding DeepSeek and similar apps.
Final Thoughts
The DeepSeek iOS app has demonstrated a blatant disregard for user security by disabling Apple’s encryption safeguards, employing outdated encryption methods, and storing data on Chinese servers. Given the potential risks of data leaks and government surveillance, users and organizations should immediately remove the app and avoid using its services.
For continued updates on cybersecurity threats, stay informed and follow trusted sources in the security industry.