Critical vulnerabilities have been disclosed in the DeepSeek iOS app, raising concerns over privacy and national security risks.
The app, which has been the top iOS download since January 25, 2025, transmits sensitive user data unencrypted to servers controlled by ByteDance, the Chinese company behind TikTok.
Notably, this discovery has prompted swift bans from governments and organizations worldwide.
DeepSeek iOS App Sends Unencrypted Data
The NowSecure report highlights several alarming flaws in the DeepSeek iOS app:
- Unencrypted Data Transmission: Sensitive user and device data are sent over insecure channels, exposing them to interception and manipulation. This flaw is exacerbated by the app’s global disabling of iOS’s App Transport Security (ATS), a built-in protection designed to enforce encrypted communications.
- Weak Encryption Practices: The app employs outdated Triple DES (3DES) encryption with hardcoded keys and reused initialization vectors (IVs). These practices violate modern security standards, making encrypted data vulnerable to decryption by attackers.
- Insecure Data Storage: Critical information such as usernames, passwords, and encryption keys is stored insecurely on devices, increasing the risk of credential theft.
- Extensive Data Collection and Fingerprinting: The app collects detailed user and device data, including device names, operating systems, and network configurations. This data can be aggregated to de-anonymize users and facilitate tracking.
- Data Sent to China: User data is transmitted to ByteDance’s Volcengine servers, governed by Chinese laws that may compel disclosure to the government. This raises significant compliance and surveillance concerns for enterprises and governments using the app.
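The ATS opt-out called out above is a single Info.plist setting, and it can be checked before an app is allowed onto managed devices. The following audit script is an added example, not NowSecure's tooling or code from the app; the two plists are constructed samples, and audit_ats is a hypothetical helper that also flags per-domain exceptions, which go beyond the global switch the report describes.

```python
# Added example: audit an iOS Info.plist for App Transport Security (ATS)
# weakenings. The sample plists below are constructed, not taken from any app.
import plistlib

# Constructed sample: ATS disabled for the whole app (plaintext HTTP allowed
# to any host), the pattern the report describes.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Constructed sample: ATS left on, but one named domain is exempted.
# Narrower than the global switch, yet still worth flagging in review.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means ATS is intact."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # Global switches that permit unencrypted loads app-wide.
    for key in ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"global: {key} is true")
    # Per-domain exceptions: plaintext HTTP or a TLS floor below 1.2.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: insecure HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS {tls}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST)):
        print(name, audit_ats(blob) or ["ATS intact"])
```

Run it against the Info.plist extracted from an .ipa under review; any "global:" finding corresponds to the app-wide downgrade described in the report.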
During their analysis, researchers uncovered specific technical flaws:
- Unencrypted Network Requests: Requests to endpoints such as http://fp-it.fengkongcloud.com/v3/cloudconf send identifiable user data without encryption, making it susceptible to man-in-the-middle (MITM) attacks.
- Hardcoded Encryption Keys: Using tools like Frida and radare2, researchers identified hardcoded keys within the app’s codebase.
- Username, Password, and Encryption Keys Stored Insecurely: The device’s cache database contained sensitive information that researchers were able to recover. An attacker may recover and use this data under specific circumstances, most notably with physical access to an unlocked device.
Implications for Enterprises and Governments
The vulnerabilities identified in the DeepSeek iOS app pose serious risks:
- Data Exposure: Sensitive information such as intellectual property, strategic plans, and confidential communications could be intercepted or compromised.
- Surveillance Risks: Extensive fingerprinting capabilities increase the likelihood of surveillance through data aggregation.
- Regulatory Non-Compliance: Organizations operating under strict data protection laws face compliance challenges due to the app’s data storage in China.
Several countries have already taken action against DeepSeek. South Korea, Australia, Taiwan, and various U.S. government agencies have banned its use on official devices.
The U.S. military has also prohibited its installation to safeguard national security.
Recommended Actions
NowSecure strongly advises organizations to take immediate steps:
- Prohibit its use in managed and BYOD environments.
- Consider self-hosted or secure AI platforms like Microsoft-hosted versions of DeepSeek.
- Regularly assess third-party apps for emerging risks.
Organizations must conduct independent security assessments of all mobile apps deployed within their environments. The DeepSeek case underscores the importance of prioritizing cybersecurity in an increasingly interconnected digital landscape.