Privacy and security flaws found in DeepSeek iOS mobile app


DeepSeek’s iOS app uses unencrypted data transmission, weak and hardcoded encryption keys, and sends unencrypted data to China, a report claims.

Several countries have recently banned DeepSeek’s software due to security concerns and its ties with China.

A new report by US-based mobile security company NowSecure adds to these concerns, detailing security issues related to DeepSeek’s iOS app, which last week became the most downloaded app on the App Store.


NowSecure says it analyzed the iOS app by running and inspecting it on real iOS devices and uncovered confirmed security vulnerabilities and privacy issues.

The company claims that the issues pose risks to governments and businesses, including exposure of sensitive data, surveillance, and regulatory problems, and recommends deleting the app from devices belonging to governmental institutions and businesses.

Unencrypted data

The first major issue highlighted by the report is that the DeepSeek iOS app sends some mobile app registration and device data over the internet without encryption, exposing data to attacks and monitoring.

For example, an attacker with privileged access to the network could intercept and modify the data, impacting the integrity of the app and data.

While Apple has built-in platform protections that prevent developers from introducing this flaw, NowSecure notes that the protection was disabled globally for the DeepSeek iOS app.

“When a user first launches the DeepSeek iOS app, it communicates with DeepSeek’s backend infrastructure to configure the application, register the device, and establish a device profile mechanism. Even when the network is configured to actively attack the mobile app, it still executes these steps which enables both passive and active attacks against the data,” the report reads.

The app also uses the outdated Triple DES cipher, reuses initialization vectors, and hardcodes encryption keys, violating security best practices.


Insecure data storage

The report claims that the DeepSeek iOS app insecurely stores user names, passwords, and encryption keys, which could let an attacker who gains physical access to the device recover that data.

The company says it recovered sensitive data in a cached database on the device.

“This cached data occurs when developers use the NSURLRequest API to communicate with remote endpoints. The API will, by default, cache HTTP responses in a Cache.db file unless caching is explicitly disabled,” the report states.
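As an added illustration of the mitigation the report alludes to (this is not code from the NowSecure report or from the DeepSeek app), the following Swift client configures URLSession so that sensitive responses never reach the on-disk URLCache; the endpoint URL is a placeholder.

```swift
import Foundation

// Added example: a URLSession client that keeps sensitive responses out of the
// persistent URLCache (the Cache.db file described in the report).
final class NoCacheClient: NSObject, URLSessionDataDelegate {
    private var buffers: [Int: Data] = [:]
    private var handlers: [Int: (Data?, Error?) -> Void] = [:]

    private lazy var session: URLSession = {
        // An ephemeral configuration keeps no cache, cookies or credentials on disk.
        let config = URLSessionConfiguration.ephemeral
        config.urlCache = nil                                   // no cache object at all
        config.requestCachePolicy = .reloadIgnoringLocalCacheData
        // Deliver callbacks on the main queue so the bookkeeping dictionaries are only
        // touched from one thread (call fetchSensitive from the main thread as well).
        return URLSession(configuration: config, delegate: self, delegateQueue: .main)
    }()

    func fetchSensitive(_ url: URL, completion: @escaping (Data?, Error?) -> Void) {
        var request = URLRequest(url: url)
        request.cachePolicy = .reloadIgnoringLocalCacheData    // per-request policy, too
        let task = session.dataTask(with: request)
        handlers[task.taskIdentifier] = completion
        task.resume()
    }

    // Defence in depth: even if a cache were configured, returning nil here tells
    // URLSession not to store this response.
    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask,
                    willCacheResponse proposedResponse: CachedURLResponse,
                    completionHandler: @escaping (CachedURLResponse?) -> Void) {
        completionHandler(nil)
    }

    func urlSession(_ session: URLSession, dataTask: URLSessionDataTask, didReceive data: Data) {
        buffers[dataTask.taskIdentifier, default: Data()].append(data)
    }

    func urlSession(_ session: URLSession, task: URLSessionTask, didCompleteWithError error: Error?) {
        let id = task.taskIdentifier
        handlers.removeValue(forKey: id)?(buffers.removeValue(forKey: id), error)
    }
}

// For an app that already shipped with default caching: purge whatever the shared
// cache persisted before the fix, so old responses are not left behind in Cache.db.
func purgeSharedURLCache() {
    URLCache.shared.removeAllCachedResponses()
}
```

Call `purgeSharedURLCache()` once at launch of the first build that ships the fix, then route every request carrying credentials or account data through `NoCacheClient.fetchSensitive` (placeholder endpoint, e.g. `URL(string: "https://api.example.invalid/account")!`).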

The app also collects tens of data points, including organization ID and device OS version. While many apps follow the same practices, NowSecure highlights that the DeepSeek data is sent to servers controlled by TikTok owner ByteDance. This raises concerns over government access and compliance risks.

Many countries are issuing warnings and banning DeepSeek, while a Republican senator proposed fines stretching up to millions of dollars for using Chinese AI software in the US.

South Korea's defense ministry has blocked access to DeepSeek on ministry computers used for military purposes. Australia has recently banned use of the app on government devices, saying that it posed an “unacceptable risk.”

Authorities in Ireland and France have started their own investigations into DeepSeek, which stores user data on servers in China.

Australia's decision to ban DeepSeek follows similar action in Italy, while Taiwan also banned government departments from using the app earlier this week.
