
Just days after several vulnerabilities were found in the DeepSeek iOS app, another research team has discovered similar privacy and security issues in the company’s Android app.
Both DeepSeek’s Android and iOS apps have grown in popularity after the Chinese startup released its reasoning model, R1. However, the company’s practice of sending user data to China prompted several national and local governments, including the state of New York, to ban the app on governmental devices.
Research by the US-based Security Scorecard claims that while DeepSeek’s Android app doesn’t exhibit overtly malicious behavior, its poor security practices and aggressive data collection create risks that organizations can’t afford to overlook.
Among the most notable concerns are hardcoded keys and weak cryptography, vulnerabilities to SQL injection attacks, and sending data to China.
Researchers note that DeepSeek’s Android app deploys anti-debugging mechanisms designed to obstruct security analysis, which is unusual for a company that claims transparency.
API keys and passwords are stored in plaintext
A number of risks posed by DeepSeek’s app are detailed in the company’s privacy policy, which states that the app collects “text or audio input, prompt, uploaded files, feedback, and chat history.”
It also gathers detailed technical data such as device model, operating system, IP address, and, notably, “keystroke patterns or rhythms.” Security Scorecard notes that the collection of keystroke dynamics is particularly intrusive, as it can be used to infer user behavior and identity.
The company also analyzed the app and identified issues based on the Common Weakness Enumeration (CWE) list. High-risk weaknesses include using outdated DES encryption, hardcoded keys, SQL injection risks, and improper file permissions.

After performing an analysis of extracted sensitive data, the researchers found instances of API keys, passwords, and authentication tokens stored in plaintext within the application files, increasing the risk of unauthorized access and account takeover.

Security Scorecard also highlights that analysis of the application’s Smali code revealed multiple anti-debugging techniques.
“The application invokes android.os.Debug.isDebuggerConnected() and android.os.Debug.waitForDebugger() to detect active debugging sessions. Additionally, system properties are queried using System.getProperty("ro.debuggable") and System.getProperty("ro.secure") to determine if the application is running in a debug-enabled environment,” the researchers say in a blog post entry.
If debugging is detected, the application force closes itself to prevent analysis.
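As an added example (not code from Security Scorecard's report or from the DeepSeek app), the following Python script scans decompiled Smali for the patterns the findings above describe: the Debug.isDebuggerConnected()/waitForDebugger() calls, the ro.debuggable and ro.secure property probes, a DES cipher transformation, and string constants that look like hardcoded secrets. The Smali fragment it runs over is constructed for illustration, and the rule set is a starting point for a triage pass, not a complete audit.

```python
import re

# Constructed Smali fragment (not taken from the DeepSeek app) that contains the
# patterns the report describes: Debug.isDebuggerConnected/waitForDebugger calls,
# a ro.debuggable probe, a DES cipher transformation and hardcoded secrets.
SAMPLE_SMALI = """\
.method private static checkDebug()Z
    invoke-static {}, Landroid/os/Debug;->isDebuggerConnected()Z
    invoke-static {}, Landroid/os/Debug;->waitForDebugger()V
    const-string v1, "ro.debuggable"
    invoke-static {v1}, Ljava/lang/System;->getProperty(Ljava/lang/String;)Ljava/lang/String;
    return v0
.end method

.method private static encrypt([B)[B
    const-string v0, "DES/ECB/PKCS5Padding"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    const-string v2, "hardcoded-des-key"
    const-string v3, "api_key=EXAMPLE_PLACEHOLDER_KEY_1234567890"
    return-object v1
.end method
"""

# (finding name, regex over one Smali line); registers are v<n>/p<n> and string
# literals appear as const-string operands, so the rules key on those forms.
RULES = [
    ("anti-debugging", re.compile(r"Landroid/os/Debug;->(isDebuggerConnected|waitForDebugger)\(")),
    ("debug-environment probe", re.compile(r'const-string [vp]\d+, "ro\.(debuggable|secure)"')),
    ("weak cipher (DES)", re.compile(r'const-string [vp]\d+, "DES(/|")')),
    ("possible hardcoded secret",
     re.compile(r'const-string [vp]\d+, "[^"]*(key|secret|token|passw)[^"]*"', re.I)),
]

def scan_smali(text):
    """Return (line_no, finding, stripped line) for every rule that fires on a line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((no, name, line.strip()))
    return hits

def summarize(hits):
    """Count findings per category, the figure a triage report leads with."""
    counts = {}
    for _, name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts
```

Running scan_smali over a real decompiled tree (one call per .smali file) gives line-level locations to review by hand; the secret rule in particular needs manual confirmation because it keys on naming, not on the value.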
User data sent to China
The report also examines the risks of the company’s data being sent and stored in China.
“The extracted codebase's analysis reveals multiple direct references to ByteDance-owned libraries, services, and telemetry frameworks, including ApmInsight, SlardarConfigManager, and WebViewMonitorHelper,” Security Scorecard says.
According to the company, user behavior and device metadata are likely sent to ByteDance servers, which raises compliance issues with GDPR, CCPA, and national security laws due to data transmission to ByteDance-controlled endpoints.
A company called NowSecure released similar findings last week. It also highlighted that the iOS app uses weak, hardcoded encryption keys and transmits unencrypted data to China.
Many countries are issuing warnings and banning DeepSeek. This week, the state of New York banned the app from being used on governmental devices.
Last week, South Korea's defense ministry blocked access to DeepSeek on ministry computers used for military purposes. Australia has recently banned the app on government devices, while Italy and Taiwan banned government departments from using it.