DeepSeek iOS App: A Critical Security Flaw
Written by Chris Hackney

DeepSeek iOS App Transfers Confidential Data Without Encryption: A Critical Security Flaw

In today’s digital landscape, ensuring the confidentiality of your data is paramount. However, a recent audit by NowSecure researchers has revealed serious security vulnerabilities in the DeepSeek mobile application for iOS.

The audit found that the app transfers confidential data without any encryption, exposing sensitive information to potential interception and manipulation.

Source: NowSecure
Unencrypted Data Transmission: A Major Vulnerability

NowSecure’s audit discovered that DeepSeek for iOS transmits registration and device data over the Internet without encryption.

This alarming practice bypasses a fundamental layer of security—App Transport Security (ATS)—which is designed to prevent the transmission of confidential data over unencrypted channels. According to the researchers:

“DeepSeek for iOS transmits some of the registration data of the application and the data of the device via the Internet without encryption. This exposes any data in Internet traffic to both passive and active attacks.”

By globally disabling ATS, DeepSeek leaves all transmitted data vulnerable to interception by cybercriminals.

Weak Encryption Practices and Excessive Data Collection

The audit also revealed several concerning weaknesses in the app’s encryption methods:

  • Unsafe 3DES Algorithm: The app uses a vulnerable 3DES algorithm with keys that are identical for all users.
  • Poor Key Management: Symmetric keys are hard-coded into the app and stored on the device.
  • Reused Initialization Vectors: This practice further undermines the encryption, making it easier for attackers to decrypt the data.

In addition to these encryption flaws, DeepSeek collects a substantial amount of user and device data without adhering to basic safety rules, raising further privacy concerns.

Data Transmission to Third-Party Servers

DeepSeek transfers the unencrypted data to servers operating on the Volcano Engine cloud platform, owned by ByteDance—the parent company of TikTok. While some data is encrypted using TLS, it is decrypted on ByteDance-controlled servers, where it can be cross-referenced with other user information collected elsewhere. This process can potentially lead to the identification and tracking of individual users.

Implications for Users and Businesses

The NowSecure audit, though not yet complete, has already prompted stark warnings:

  • For iOS Users: The DeepSeek iOS app is not adequately secured to protect your data and identity.
  • For Android Users: The DeepSeek Android app has been deemed even more problematic, with recommendations to remove it immediately.
  • Wider Impact: Last week, the Associated Press reported that DeepSeek is transferring user data to China Mobile infrastructure—a Chinese state-owned telecommunications company prohibited from operating in the United States. Consequently, several countries (including Australia, Italy, the Netherlands, and South Korea) and government agencies in India and the U.S. have banned the use of DeepSeek on government devices for national security reasons.

As CNBC reported: “Tech CEOs are sounding alarm on ByteDance, DeepSeek breakthroughs.”

Conclusion: Reassessing App Security

The vulnerabilities identified in the DeepSeek iOS app serve as a stark reminder that not all applications prioritize user security. With unencrypted data transmission and weak encryption practices, users’ sensitive information is at significant risk of exposure and misuse.

Protect your data and digital identity:

  • Always verify that the apps you use adhere to fundamental security practices.
  • Consider the implications of excessive data collection and poor encryption.

If you’re concerned about the security of your mobile applications and overall digital environment, our experts are here to help. Schedule your consultation today and let us guide you in building a robust security strategy to safeguard your business and personal data.
