New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.
Public interest in the DeepSeek AI chat apps swelled following widespread media reports that the upstart Chinese AI firm had managed to match the abilities of cutting-edge chatbots while using a fraction of the specialized computer chips that leading AI companies rely on. As of this writing, DeepSeek is the third most-downloaded “free” app on the Apple store, and #1 on Google Play.
DeepSeek’s rapid rise caught the attention of the mobile security firm NowSecure, a Chicago-based company that helps clients screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.
NowSecure founder Andrew Hoog said they haven’t yet concluded an in-depth analysis of the DeepSeek app for Android devices, but that there is little reason to believe its basic design would be functionally much different.
Hoog told KrebsOnSecurity there were a number of qualities about the DeepSeek iOS app that suggest the presence of deep-seated security and privacy risks. For starters, he said, the app collects an awful lot of data about the user’s device.
“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog said, noting that one property of the app tracks the device’s name — which for many iOS devices defaults to the customer’s name followed by the type of iOS device.
The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure said it wasn’t clear if the data is just leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies.
Perhaps more concerning, NowSecure said the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic.
“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the report observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”
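ATS is controlled by the `NSAppTransportSecurity` dictionary in an app’s Info.plist, so a "globally disabled" finding like the one above is something a mobile app vetting team can check for before an app is allowed into the fleet. The following is an added example, not code from the NowSecure report or from DeepSeek, of a small audit that parses an Info.plist with Python’s standard `plistlib` and reports every ATS weakening it finds: the global opt-out keys as well as per-domain exceptions that permit cleartext HTTP or an obsolete minimum TLS version. The three plists embedded in it are constructed samples (the bundle identifier and host name are placeholders); the hardened variant simply omits the ATS dictionary, which leaves the platform default of enforcing TLS on every connection.

```python
"""Audit an iOS app's Info.plist for App Transport Security (ATS) weakenings.

Added example: the plists below are constructed samples, not any real app's
Info.plist. Uses only the standard library (plistlib), so it runs offline.
"""
import plistlib
from typing import Any, Dict, List

# Constructed sample: ATS disabled globally, the pattern the report describes.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS left on, but one legacy host is exempted and allowed
# both cleartext HTTP and an obsolete minimum TLS version.
SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
        <key>NSExceptionMinimumTLSVersion</key>
        <string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed sample: no NSAppTransportSecurity dictionary at all, so the
# platform default (ATS enforced on every connection) applies.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.chatapp</string>
</dict>
</plist>
"""

# Real ATS keys; a true value on any of them widens what the app may send without TLS.
GLOBAL_FLAGS = {
    "NSAllowsArbitraryLoads": "ATS disabled for every connection (cleartext HTTP and weak TLS allowed)",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for content loaded in web views",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loaded via AVFoundation",
    "NSAllowsLocalNetworking": "ATS disabled for local-network hosts",
}
WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Return one human-readable finding per ATS weakening; an empty list means ATS is intact."""
    info: Dict[str, Any] = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: List[str] = []

    for key, meaning in GLOBAL_FLAGS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {meaning}")

    # Per-domain exceptions are scoped, but each one still needs a justification in review.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: cleartext HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("hardened", HARDENED_PLIST)):
        result = audit_ats(blob)
        print(f"{name}: {'no ATS weakenings' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run against an extracted IPA, the same function can be pointed at `Payload/<App>.app/Info.plist`; any non-empty result is a review item, and a global `NSAllowsArbitraryLoads` in particular means the platform is no longer stopping the app from sending device or user data over plain HTTP, which is exactly the condition the report describes.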
Hoog said the app does selectively encrypt portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
There were other, less alarming security and privacy issues highlighted in the report, but Hoog said he’s confident there are additional, unseen security concerns lurking within the app’s code.
“When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog said. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a witting choice, taken together they point to significant lapse in security and privacy controls, and that puts companies at risk.”
Apparently, plenty of others share this view. Axios reported on January 30 that U.S. congressional offices are being warned not to use the app.
“[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer for the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek’s functionality on all House-issued devices.”
TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that The Pentagon has blocked access to DeepSeek. CNBC says NASA also banned employees from using the service, as did the U.S. Navy.
Beyond security concerns tied to the DeepSeek iOS app, there are indications the Chinese AI company may be playing fast and loose with the data that it collects from and about users. On January 29, researchers at Wiz said they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details.”
“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.]
KrebsOnSecurity sought comment on the report from DeepSeek and from Apple. This story will be updated with any substantive replies.