A security analysis has uncovered critical vulnerabilities in the DeepSeek iOS app, including the transmission of unencrypted user data to servers controlled by ByteDance.
The findings reinforce previous concerns about DeepSeek's security and privacy practices, leading to widespread bans by government agencies and enterprises.
Data going to ByteDance
DeepSeek is an AI platform developed by a Chinese startup of the same name. The company gained significant attention in January 2025 when its AI model, DeepSeek R1, ranked among the top reasoning models on the Chatbot Arena leaderboard. However, earlier investigations raised serious concerns over its security, including its susceptibility to jailbreak attacks, exposure of over one million chat logs and API keys, and its storage of all user data on servers in China. Given China's strict data-sharing laws, experts have warned that any user data collected by DeepSeek could be subject to government access.
The latest NowSecure report provides further proof of DeepSeek's weak security posture, uncovering direct connections between the DeepSeek app and ByteDance-controlled infrastructure, specifically the Volcengine cloud platform. Network traffic analysis revealed that sensitive user data, including device tracking details and potential fingerprinting information, was transmitted to ByteDance-owned endpoints. The app also integrates third-party services such as Intercom, further expanding the scope of potential data exposure.
Bypassing iOS's protections
NowSecure's research involved a deep technical analysis of the app's behavior on real iOS devices. The investigation confirmed that the app disables Apple's built-in security protections, allowing sensitive user data to be sent over the internet without encryption. Researchers identified network requests transmitting user registration details, device information, and organization IDs in plaintext.
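The iOS protection that normally blocks plaintext HTTP is App Transport Security (ATS), configured in the app's Info.plist. The following audit script is an added example, not code from NowSecure or from the DeepSeek app; it assumes the disabled protection referred to above is ATS, and the plist samples are constructed.

```python
"""Audit an iOS app's Info.plist for App Transport Security (ATS) settings
that permit plaintext HTTP or weak TLS.  Added example, not from the
NowSecure report or the DeepSeek app; all plists below are constructed."""
import plistlib

# Constructed sample: ATS switched off for every host (the worst case).
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.weakapp",  # placeholder bundle id
    "NSAppTransportSecurity": {"NSAllowsArbitraryLoads": True},
})

# Constructed sample: ATS left on, with one narrowly scoped exception.
SCOPED_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.scopedapp",
    "NSAppTransportSecurity": {
        "NSExceptionDomains": {
            "legacy.example.com": {"NSExceptionAllowsInsecureHTTPLoads": True}
        }
    },
})

# Constructed sample: no ATS dictionary at all, so Apple's defaults apply.
DEFAULT_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.defaultapp"})

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def ats_findings(plist_bytes: bytes) -> list:
    """Return human-readable findings about plaintext-HTTP or weak-TLS exposure.

    An empty list means the plist does not relax ATS.  Global relaxation
    (NSAllowsArbitraryLoads) is reported first, then per-host exceptions.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all hosts")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP permitted for {host}")
        if rules.get("NSExceptionMinimumTLSVersion", "TLSv1.2") in WEAK_TLS:
            findings.append(f"weak minimum TLS version allowed for {host}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST),
                       ("default", DEFAULT_PLIST)):
        print(name, ats_findings(blob) or ["no ATS relaxation"])
```

In an app-vetting or MDM workflow the same function can be run over the Info.plist extracted from any IPA, flagging apps that opt out of ATS before they reach managed devices.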
The DeepSeek iOS app also suffers from weak encryption implementations. It employs the outdated Triple DES (3DES) encryption algorithm with hardcoded keys and improperly implemented initialization vectors (IVs), undermining data confidentiality. Such flaws allow attackers to decrypt stored credentials, potentially leading to credential theft and unauthorized access to user accounts.
The discovery has prompted immediate actions from governments and enterprises to mitigate the risks associated with DeepSeek. The U.S. military, state agencies, and federal organizations have issued bans on the app, citing national security concerns.
NowSecure advises all enterprises to immediately remove the DeepSeek iOS app from managed and bring-your-own-device (BYOD) environments, and to consider alternative AI platforms with stronger security and privacy protections.
While DeepSeek's AI capabilities have been praised, its continuous security lapses, from jailbreak exploits to large-scale data exposures, highlight the dangers of prioritizing AI advancement over user protection. Given the mounting evidence, organizations and individuals are urged to exercise extreme caution when using DeepSeek.