2025-02-07
A recent audit of the DeepSeek mobile application for iOS has uncovered critical security issues that put user data at risk. Conducted by NowSecure, the analysis highlights multiple flaws, including the transmission of sensitive information without encryption, the use of outdated cryptographic methods, and a concerning lack of adherence to established security best practices. This revelation raises significant concerns about the app’s potential vulnerabilities, especially given its rapid rise in popularity and its connections to China-based companies.
The Findings
An audit of DeepSeek's iOS app revealed severe security flaws, the most alarming being the transmission of sensitive user data over the internet without encryption. Anyone positioned on the network path can read or alter such traffic. Where the app does encrypt, NowSecure's assessment found weak cryptographic practices: the 3DES algorithm, a hard-coded key, and reused initialization vectors.
Furthermore, the app disables Apple's App Transport Security (ATS), the platform control that by default refuses plaintext HTTP and weak TLS for an app's network connections. Turning it off increases exposure to both passive eavesdropping and active man-in-the-middle attacks. The data the app collects is also sent to servers operated by Volcano Engine, a cloud platform owned by ByteDance, the parent company of TikTok, which raises additional data-privacy concerns.
In addition to these technical weaknesses, DeepSeek has been linked to abuse by attackers. Cybersecurity company Check Point has observed threat actors using DeepSeek's AI engine to develop information stealers, generate spam, and produce content outside the model's intended restrictions. Together with reports of ongoing DDoS attacks and fraud schemes piggybacking on DeepSeek's popularity, this underlines the urgency of better security measures.
What Undercode Says:
The findings in NowSecure's audit shine a light on a growing concern regarding the security practices of popular mobile applications, particularly those that collect sensitive user data and operate across global markets. The weakness of DeepSeek's iOS app is particularly troubling because it illustrates a broader trend: the ease with which applications can bypass fundamental security measures, such as transport encryption, to ship a product faster or at a lower cost.
Data Transmission and Encryption Weaknesses
That DeepSeek's app sends data over the internet without encryption is one of the most egregious lapses uncovered in the audit. Without TLS, anyone on the network path (the operator of a hostile Wi-Fi hotspot, an ISP, or a compromised router) can read the traffic and, just as importantly, modify it in transit. Sensitive information such as personal details, prompts, or authentication tokens could be captured, leaving users exposed to account takeover, identity theft, data manipulation, and financial fraud.
Insecure Cryptographic Practices
The use of the outdated 3DES algorithm in DeepSeek's app is also a serious concern. NIST has deprecated 3DES, and its 64-bit block size exposes it to birthday-bound attacks such as Sweet32 once large volumes of data are encrypted under one key; modern platforms have moved to AES. The hard-coded key and the reused initialization vectors make matters worse, for two distinct reasons. A key embedded in the binary is identical for every install, so anyone who extracts it from the app can decrypt the traffic of every user, with no brute force required. Reusing an IV under a fixed key makes the encryption deterministic: an observer can tell when two messages begin with the same plaintext, and with stream-style modes such as CTR the XOR of the two plaintexts is exposed outright, all without knowing the key.
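The two key-handling flaws are easiest to see in working code. The block below is an added illustration, not code from the DeepSeek app or from NowSecure's report. To stay dependency-free it uses a toy 64-bit Feistel cipher (the same block size as 3DES) under CBC mode, which is an assumption about the mode the app used; the key, IV and JSON requests are constructed for the example. The leakage it shows depends only on the mode, so it applies to real 3DES-CBC just the same.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the same block size as DES/3DES

# Assumption: stands in for a key baked into the app binary. Anyone who unpacks
# the IPA and reads this constant can decrypt everything protected with it.
HARDCODED_KEY = b"example-hardcoded-key-16"
STATIC_IV = bytes(BLOCK)  # an IV that never changes is the "IV reuse" flaw


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Keyed round function of the toy 16-round Feistel cipher below. This is
    # NOT 3DES; it is a stdlib-only stand-in with 3DES's block size, so the
    # mode-of-operation behaviour demonstrated here is identical.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(16):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(16)):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    data, prev, out = _pad(plaintext), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return _unpad(b"".join(out))


def common_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """How many leading ciphertext blocks two messages share."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed sample requests: same user, different session token.
MSG_A = b'{"user":"alice","token":"aaaaaaaa"}'
MSG_B = b'{"user":"alice","token":"bbbbbbbb"}'


def leaked_blocks_with_static_iv() -> int:
    # Fixed key + fixed IV makes CBC deterministic: the ciphertexts agree on
    # every block up to the first plaintext difference, so an observer learns
    # that both requests share their first 24 bytes without decrypting anything.
    c_a = cbc_encrypt(HARDCODED_KEY, STATIC_IV, MSG_A)
    c_b = cbc_encrypt(HARDCODED_KEY, STATIC_IV, MSG_B)
    return common_prefix_blocks(c_a, c_b)


def leaked_blocks_with_fresh_iv() -> int:
    # The fix for the IV flaw: a fresh random IV per message (sent alongside
    # the ciphertext) removes the shared prefix entirely.
    c_a = cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), MSG_A)
    c_b = cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), MSG_B)
    return common_prefix_blocks(c_a, c_b)


def decrypt_with_extracted_key(ciphertext: bytes) -> bytes:
    # The hard-coded key flaw: the attacker needs nothing but the constant read
    # out of the binary to recover plaintext for every user of the app.
    return cbc_decrypt(HARDCODED_KEY, STATIC_IV, ciphertext)


if __name__ == "__main__":
    print("blocks leaked with static IV:", leaked_blocks_with_static_iv())  # 3
    print("blocks leaked with fresh IV: ", leaked_blocks_with_fresh_iv())   # 0
    print(decrypt_with_extracted_key(cbc_encrypt(HARDCODED_KEY, STATIC_IV, MSG_A)))
```

Note that the fresh-IV variant only repairs the second flaw; the key is still a constant in the binary, so the fix a practitioner would actually want is transport-level TLS plus per-user or per-session keys negotiated at runtime, not a better-used static key.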
Disabling iOS Security Features
Perhaps even more alarming is the deliberate disabling of iOS's App Transport Security (ATS). ATS, on by default since iOS 9, requires that an app's network connections use HTTPS with TLS 1.2 or later, forward-secret cipher suites, and adequately strong certificates; an app can only weaken this by adding exceptions to its Info.plist. By switching ATS off globally, DeepSeek removed the platform guardrail that would otherwise have blocked its own plaintext requests, making interception and man-in-the-middle attacks easier. Apple's App Store guidance asks developers to justify such exceptions, and this choice puts users at significant risk.
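Because the ATS configuration lives in Info.plist, checking whether an app has switched it off is a static check anyone can run on an unpacked IPA. The script below is an added example, not tooling from NowSecure or code from the DeepSeek app; the two embedded plists are constructed samples, one with the weakening keys set (the global NSAllowsArbitraryLoads switch plus a per-domain exception) and one in the default, secure form where the NSAppTransportSecurity dictionary is simply absent. The bundle identifier and domain are placeholders.

```python
import plistlib
import sys

# Constructed sample Info.plist (not DeepSeek's actual file): ATS disabled app-wide,
# plus a per-domain exception that allows plaintext HTTP, TLS 1.0 and no forward secrecy.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# The corrected form: no NSAppTransportSecurity dictionary at all, so every
# NSURLSession connection must be HTTPS with TLS 1.2+ and forward secrecy.
FIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
</dict>
</plist>
"""

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> list:
    """Return a list of findings describing ATS weakenings in an Info.plist."""
    info = plistlib.loads(plist_bytes)  # autodetects XML and binary plists
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS off app-wide, plaintext HTTP to any host")
    for flag in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(flag):
            findings.append(f"{flag}=true: ATS off for that content type")
    for domain, rules in (ats.get("NSExceptionDomains") or {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{scope}: plaintext HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{scope}: minimum TLS lowered to {tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{scope}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    # Usage: python3 ats_audit.py Payload/App.app/Info.plist
    target = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(target, "rb").read() if target else WEAK_PLIST
    for line in audit_ats(data) or ["no ATS weakenings found"]:
        print(line)
```

To run it against a real app, unzip the .ipa (it is a zip archive) and point the script at Payload/<App>.app/Info.plist; plistlib reads the binary plist format that shipped apps normally use, so no prior plutil conversion is needed. A clean result from this check does not prove the app uses TLS correctly (it can still bypass NSURLSession with its own socket code), but a global NSAllowsArbitraryLoads finding is exactly the opt-out described above.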
Privacy Concerns and the Link to ByteDance
The data collected by DeepSeek is sent to servers managed by Volcano Engine, a platform owned by ByteDance. ByteDance, also the parent company of TikTok, has already faced scrutiny over its data practices, particularly regarding the potential for data to be accessed by the Chinese government. Given the geopolitical tensions surrounding China's influence on tech platforms, this connection raises significant concerns about how DeepSeek handles user data, especially in the context of growing global regulatory scrutiny.
Rising Threats and Malicious Exploits
The security risks associated with DeepSeek are not limited to encryption failures. Cybercriminals are actively exploiting the app's popularity to set up fake pages and distribute malware, phishing schemes, and fraudulent investment opportunities. The use of DeepSeek's AI engine to develop information stealers and spam further highlights the danger of AI-powered tools in the wrong hands. As AI technologies become more capable, the potential for misuse grows with them, creating an urgent need for developers to prioritize security in their designs.
Government and Industry Responses
The international response to DeepSeek's rise in popularity has been swift and wide-reaching. Several governments, including the United States, India, and Australia, have banned DeepSeek from government devices over concerns that data could leak to China. These actions reflect growing concerns about national security and the risks of foreign-owned apps collecting large volumes of sensitive data from users.
In addition to government actions, cybersecurity experts are urging organizations to implement stronger defenses against AI-driven threats. As deepfake technology, data-stealing bots, and spam scripts evolve, so too must our ability to protect against these new and sophisticated cyber threats.
Conclusion
The security vulnerabilities in the DeepSeek iOS app are a stark reminder of the importance of encryption and robust security measures in today's digital landscape. As apps like DeepSeek continue to gain popularity and attract large user bases, their developers must prioritize user privacy and data protection. The exploitation of AI technologies by malicious actors, combined with the potential for government surveillance and data misuse, underscores the need for a more proactive approach to cybersecurity in the mobile app industry.
References:
Reported By: https://thehackernews.com/2025/02/deepseek-app-transmits-sensitive-user.html