Several security vulnerabilities have been identified in the DeepSeek iOS application, which continues to rank as one of the top downloads in the App Store, following its explosive debut.
The recent discoveries reveal concerns far more serious than previous issues that exposed chat histories and sensitive data in an unsecured database requiring no authentication…
Prior Concerns Regarding DeepSeek
While we had raised alarms about it before it gained popularity, many users found DeepSeek to be an unexpected overnight sensation as it rapidly climbed the download charts.
AI experts were astounded by the application’s abilities, which required significantly less hardware than comparable chatbots, leading to a decline in the stock prices of several US AI firms.
However, security and privacy anxieties quickly surfaced. Italy’s privacy regulator questioned whether the app adhered to European privacy regulations, with similar inquiries from Ireland. US authorities are also looking into potential national security risks.
It was later revealed that the firm unknowingly left a database unprotected, containing over a million log entries, including chat histories and sensitive keys.
Numerous Security Vulnerabilities in DeepSeek iOS App
Mobile security firm NowSecure has uncovered multiple security flaws within the iPhone application – notably, its failure to enable Apple’s App Transport Security (ATS) system. ATS is intended to ensure that personal data is transmitted solely via encrypted channels, yet NowSecure discovered that DeepSeek had disabled this feature.
The DeepSeek iOS application globally deactivates App Transport Security (ATS), a protective measure at the iOS platform level that prevents sensitive information from being transmitted over non-encrypted channels. With this protection turned off, the app can (and does) transmit unencrypted data across the internet.
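The ATS opt-out described above lives in an app's Info.plist. The following is an added example, not NowSecure's tooling or the DeepSeek app's code, that audits a plist for the global opt-out and for per-domain exceptions; both sample plists and the domain name are constructed for illustration.

```python
# Added example, not NowSecure's tooling or DeepSeek's code: audit an iOS
# Info.plist for App Transport Security (ATS) opt-outs. Sample plists are constructed.
import plistlib

# Constructed: global ATS opt-out plus a per-domain exception (the weak setting).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>telemetry.example.com</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

# Constructed: the corrected form keeps ATS defaults (HTTPS only, TLS 1.2+).
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><false/>
  </dict>
</dict></plist>"""

# Top-level keys that switch ATS off for some class of connection.
GLOBAL_OPT_OUTS = ("NSAllowsArbitraryLoads",
                   "NSAllowsArbitraryLoadsInWebContent",
                   "NSAllowsArbitraryLoadsForMedia")


def audit_ats(plist_bytes):
    """Return findings (strings) describing ATS weakening; empty means defaults intact."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # App-wide opt-outs: any of these set to true permits cleartext traffic.
    for key in GLOBAL_OPT_OUTS:
        if ats.get(key) is True:
            findings.append(f"{key}=true: cleartext HTTP permitted app-wide")
    # Per-domain exceptions: HTTP allowed or minimum TLS lowered below 1.2.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: insecure HTTP loads allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
    return findings
```

Running `audit_ats` over an extracted Info.plist (for example from an unpacked .ipa) gives a quick defender-side check for the exact misconfiguration the report describes.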
While the exposed data may appear harmless on its own, it can easily be combined to reidentify users.
Although none of this data is independently very risky, aggregating numerous data points over time can lead to the identification of individuals. The recent data breach involving Gravy Analytics illustrates how this data is being amassed at scale, effectively de-anonymizing millions.
For the data that is encrypted, the application employs an outdated encryption method known to be compromised.
The encryption algorithm utilized for this segment of the application employs a known vulnerable encryption standard (3DES), rendering it a poor choice for safeguarding data confidentiality.
Moreover, data gathered through the app could potentially identify individuals as targets for espionage.
A sample user operates on the latest iPad, using a cellular data connection registered with FirstNet (the American public safety broadband network operator), making this user a potential high-value target for espionage.
It is important to note that the DeepSeek iOS app collects tens of data points, in addition to related data collected from millions of other applications, which can be easily purchased, combined, and correlated to swiftly de-anonymize users.
The comprehensive analysis concludes that the DeepSeek iOS app is not safe for use, noting that the Android version is even less secure.
DMN’s Opinion
While the DeepSeek application showcases impressive technical capabilities, and it has been engaging to explore its features, we recommend that users avoid employing it for real-world tasks involving any personal information disclosure. One should assume that DeepSeek is capable of identifying users and accessing their interaction content.
We are still in the nascent phase of security researchers investigating the app, and it is likely that further security and privacy issues will surface. Personally, I have since uninstalled it from my iPhone and would suggest others do the same.