DeepSeek App Transmits Sensitive User and Device Data Without Encryption

February 7, 2025

A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks.

The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and device data.

"The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," the company said. "This exposes any data in the internet traffic to both passive and active attacks."

The teardown also revealed several implementation weaknesses when it comes to applying encryption on user data. This includes the use of an insecure symmetric encryption algorithm (3DES), a hard-coded encryption key, and the reuse of initialization vectors.

What's more, the data is sent to servers that are managed by a cloud compute and storage platform named Volcano Engine, which is owned by ByteDance, the Chinese company that also operates TikTok.

"The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels," NowSecure said. "Since this protection is disabled, the app can (and does) send unencrypted data over the internet."

The findings add to a growing list of concerns that have been raised around the artificial intelligence (AI) chatbot service, even as it skyrocketed to the top of the app store charts on both Android and iOS in several markets across the world.

Cybersecurity company Check Point said that it observed instances of threat actors leveraging AI engines from DeepSeek, alongside Alibaba Qwen and OpenAI ChatGPT, to develop information stealers, generate uncensored or unrestricted content, and optimize scripts for mass spam distribution.

"As threat actors utilize advanced techniques like jailbreaking to bypass protective measures and develop info stealers, financial theft, and spam distribution, the urgency for organizations to implement proactive defenses against these evolving threats ensures robust defenses against potential misuse of AI technologies," the company said.

Earlier this week, the Associated Press revealed that DeepSeek's website is configured to send user login information to China Mobile, a state-owned telecommunications company that has been banned from operating in the United States.

The app's Chinese links, much like TikTok, have prompted U.S. lawmakers to push for a nation-wide ban on DeepSeek from government devices over risks that it could provide user information to Beijing.

It's worth noting that several countries, including Australia, Italy, the Netherlands, Taiwan, and South Korea, and government agencies in India and the United States, such as the Congress, NASA, Navy, Pentagon, and Texas, have instituted bans on DeepSeek from government devices.

DeepSeek's explosion in popularity has also led to it battling malicious attacks, with Chinese cybersecurity firm XLab telling Global Times that the service has been subjected to sustained distributed denial-of-service (DDoS) attacks originating from Mirai botnets hailBot and RapperBot late last month.

Meanwhile, cybercriminals are wasting no time to capitalize on the frenzy surrounding DeepSeek to set up lookalike pages that propagate malware, fake investment scams, and fraudulent cryptocurrency schemes.