New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.
Public interest in the DeepSeek AI chat apps swelled following widespread media reports that the upstart Chinese AI firm had managed to match the abilities of cutting-edge chatbots while using a fraction of the specialized computer chips that leading AI companies rely on. As of this writing, DeepSeek is the third most-downloaded “free” app on the Apple store, and #1 on Google Play.
DeepSeek’s rapid rise caught the attention of the mobile security firm NowSecure, a Chicago-based company that helps clients screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.
NowSecure founder Andrew Hoog said they haven’t yet concluded an in-depth analysis of the DeepSeek app for Android devices, but that there is little reason to believe its basic design would be functionally much different.
Hoog told KrebsOnSecurity there were a number of qualities about the DeepSeek iOS app that suggest the presence of deep-seated security and privacy risks. For starters, he said, the app collects an awful lot of data about the user’s device.
“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog said, noting that one property of the app tracks the device’s name — which for many iOS devices defaults to the customer’s name followed by the type of iOS device.
The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure said it wasn’t clear if the data is just leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies.
Perhaps more concerning, NowSecure said the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic.
“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the report observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”
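ATS is controlled by the `NSAppTransportSecurity` dictionary in an app’s Info.plist, so “globally disables ATS” corresponds to a single key, `NSAllowsArbitraryLoads`, being set to true. The following is an added example written for this article, not code from NowSecure or from the DeepSeek app, showing how a reviewer can audit an Info.plist for that weak setting and for the narrower per-domain exceptions Apple also permits. The two plist fragments are constructed samples (the bundle identifier and domain names are placeholders); the audit function itself uses only Apple’s documented ATS keys and Python’s standard `plistlib`.

```python
import plistlib

# Constructed sample: ATS switched off app-wide, the weak configuration the
# report describes. Not the real DeepSeek Info.plist; identifiers are placeholders.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS left on, with one narrowly scoped exception for a
# single legacy host. Still worth a finding, but not an app-wide hole.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: no ATS dictionary at all, so Apple's defaults apply
# (HTTPS required, TLS 1.2+, forward secrecy) and nothing should be flagged.
DEFAULT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return human-readable findings for every ATS weakening found in an Info.plist.

    An empty list means ATS is fully intact. plistlib.loads auto-detects XML and
    binary plists, so this works on Info.plist files pulled from an .ipa as-is.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # App-wide switches: any of these widen the attack surface for every request.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled globally; "
                        "plaintext HTTP and weak TLS allowed for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for WKWebView content")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia=true: ATS disabled for AVFoundation media loads")
    if ats.get("NSAllowsLocalNetworking"):
        findings.append("NSAllowsLocalNetworking=true: plaintext allowed to local-network hosts")

    # Per-domain exceptions: scoped, but each one still deserves a justification.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "and its subdomains" if rules.get("NSIncludesSubdomains") else "only"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP permitted for {domain} ({scope})")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain} ({scope}) allows deprecated {min_tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain} ({scope}) permits non-forward-secret cipher suites")
    return findings


if __name__ == "__main__":
    for label, plist in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("default", DEFAULT_PLIST)):
        print(f"[{label}]", audit_ats(plist) or "no ATS weakening found")
```

In a pipeline, the global `NSAllowsArbitraryLoads` finding is the one to treat as a hard failure: it is exactly the condition that lets an app send device data in the clear, whereas a per-domain exception at least limits the exposure to the host named in the plist and can be reviewed against a written justification.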
Hoog said the app does selectively encrypt portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
There were other, less alarming security and privacy issues highlighted in the report, but Hoog said he’s confident there are additional, unseen security concerns lurking within the app’s code.
“When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog said. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a witting choice, taken together they point to significant lapse in security and privacy controls, and that puts companies at risk.”
Apparently, plenty of others share this view. Axios reported on January 30 that U.S. congressional offices are being warned not to use the app.
“[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer for the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek’s functionality on all House-issued devices.”
TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that The Pentagon has blocked access to DeepSeek. CNBC says NASA also banned employees from using the service, as did the U.S. Navy.
Beyond security concerns tied to the DeepSeek iOS app, there are indications the Chinese AI company may be playing fast and loose with the data that it collects from and about users. On January 29, researchers at Wiz said they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details.”
“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.]
KrebsOnSecurity sought comment on the report from DeepSeek and from Apple. This story will be updated with any substantive replies.