
DeepSeek iOS App has Severe Security Flaws
The DeepSeek app has gained rapid popularity among iPhone users since its launch on January 25, 2025, amassing millions of downloads and reaching the top of the U.S. App Store charts. A recent analysis by security researchers has revealed multiple critical weaknesses in the DeepSeek iOS app that pose significant risks to individuals, businesses and government agencies. The issues include unencrypted data transmission, weak and hardcoded encryption keys, insecure on-device data storage, extensive data collection and device fingerprinting, and transmission of user data to servers in China. In response, several governments and government bodies, including the U.S. military, have banned the app to protect sensitive information.
Technical Description
Research conducted by NowSecure revealed that the app does not follow basic mobile security practices and collects extensive user and device data. According to the company, the DeepSeek iOS app transmits some app registration and device information over the internet without transport encryption (the app disables iOS App Transport Security, which would otherwise enforce HTTPS), leaving the data exposed to both passive interception and active tampering. These flaws are considered more severe than an earlier incident in which a DeepSeek database exposed chat history and other sensitive data because it was reachable without authentication.
Identified Key Risks
- Unencrypted Data Transmission:
One of the most serious findings is the unencrypted transmission of sensitive user data. The DeepSeek app sends registration and device information over plain HTTP rather than TLS, so anyone positioned on the path (a shared Wi-Fi network, an ISP, a transit provider) can read it, and an active man-in-the-middle (MITM) attacker can modify it in flight. Without transport encryption, neither the confidentiality nor the integrity of the data is protected, and the app has no way to detect that a response was altered before it acts on it.
- Weak & Hardcoded Encryption Keys:
The app applies its own encryption layer to some of this data using Triple DES (3DES), an algorithm with a 64-bit block size that NIST has deprecated and disallowed for encryption after 2023. Worse than the choice of cipher, the key is hardcoded in the app binary and the initialization vector (IV) is a fixed value that is reused for every message. Anyone who unpacks the IPA can recover the key and decrypt every payload, and a fixed IV in CBC mode means identical plaintext prefixes produce identical ciphertext prefixes, so even an observer without the key can tell which messages share the same field values. This layer therefore provides no meaningful protection for data that is already travelling without TLS.
- Insecure Data Storage:
Usernames, passwords and encryption keys are stored insecurely within the app's sandbox rather than in the iOS Keychain. Sensitive values were found in a cached database on the device, where they can be read by anyone who gains access to an unlocked device or to the app's data container. This significantly raises the risk of credential theft and unauthorized access to user accounts.
- Extensive Data Collection & Fingerprinting:
DeepSeek aggressively tracks users and devices, collecting identifiers that can be used to de-anonymize individuals. No single data point is necessarily unique, but as they accumulate they can be combined to fingerprint a device and uniquely identify its user, presenting serious privacy and surveillance risks. The breadth of this collection raises concerns about how the data may be retained, correlated and misused.
- Data Sent to China & Governed by PRC Laws:
User data is sent to servers hosted on cloud infrastructure operated by ByteDance (its Volcano Engine platform), making it subject to Chinese data governance laws. This raises significant concerns regarding surveillance, regulatory compliance and data sovereignty. The legal and geopolitical implications of DeepSeek's data practices are serious for organizations, since data handled under PRC law may be accessible to foreign government entities without the user's knowledge or consent.
Conclusion
The weaknesses identified in the DeepSeek iOS app pose significant risks to the security and privacy of its users. Taken together, these findings point to an immediate need for organizations to prohibit the app's use on devices that handle sensitive data until the issues are addressed.
Impact
The weaknesses in the DeepSeek iOS app could result in the exposure of sensitive data, heightened surveillance risk, regulatory violations, and a loss of control over corporate and government communications. Unencrypted transport and weak encryption threaten the confidentiality and integrity of the data the app handles; there is no indication of an availability impact. The app's insecure practices make it a significant liability for any organization that permits it, and immediate action is needed to limit exposure.
IOC and Context Details
| Topics | Details |
|---|---|
| Tactic Name | NA |
| Technique Name | NA |
| Sub Technique Name | NA |
| Attack Type | Vulnerability |
| Targeted Applications | Generic |
| Region Impacted | Global |
| Industry Impacted | All |
| IOCs | NA |
| CVE | NA |
Recommended Actions
- Promptly remove the DeepSeek iOS app from both managed and BYOD devices, and block new installs through your MDM or app-allowlisting policy.
- Evaluate alternative AI platforms that demonstrate sound mobile app security (TLS everywhere, modern authenticated encryption, Keychain-backed credential storage) and clear data-protection commitments.
- Regularly monitor all mobile applications in use to identify and address new risks as they emerge.
- Review data policies to ensure that the data collection, privacy policies and terms of service of any approved app do not put your organization at risk.