DeepSeek ios app exposes sensitive data due to encryption flaws
In a shocking revelation, the DeepSeek iOS app, developed by a lesser-known Chinese company, has been found to transmit sensitive data over unencrypted channels to ByteDance-controlled servers. This alarming security breach comes just weeks after DeepSeek launched an open-source AI chatbot, quickly rising to prominence in the App Store, surpassing even ChatGPT in downloads. Mobile security firm NowSecure disclosed that the app does not use App Transport Security (ATS) effectively, allowing potentially harmful data exposure during transmission.
NowSecure’s report highlights that while some data is protected by transport layer security during communication, it remains vulnerable once it reaches ByteDance’s servers. The unencrypted transmission, particularly during the initial app registration, poses severe risks, as sensitive user data could be intercepted or modified by malicious actors. Users are left exposed, as the app’s failing security controls contradict Apple’s strong encryption guidelines.
Further compounding security concerns, the DeepSeek app reportedly employs the outdated encryption protocol 3DES, which has been deemed insecure and deprecated due to its vulnerability to various types of attacks. This choice, combined with hardcoded symmetric keys that are the same for every user, presents a glaring security failure that experts have criticized.
Andrew Hoog, co-founder of NowSecure, expressed grave concerns about the DeepSeek app’s lack of basic security frameworks. He stated, “The app is not equipped or willing to provide basic security protections of your data and identity.” This highlights the overarching concern that the app, intentionally or not, fails to adhere to fundamental cybersecurity practices, placing users’ data at significant risk.
Additionally, the app’s privacy policy reveals that DeepSeek retains the right to share user information with law enforcement, raising alarm bells about potential data misuse and abuse. When contacted, representatives for DeepSeek and Apple did not respond to inquiries about these security breaches.
As scrutiny intensifies, U.S. lawmakers advocate for immediate action against the DeepSeek app, highlighting potential national security risks tied to the app’s Chinese origins. The fears primarily stem from the possibility that the Chinese Communist Party could exploit vulnerabilities within DeepSeek to access sensitive American user data.
The vulnerabilities detailed by NowSecure also echo reports from other credible sources that DeepSeek’s AI models demonstrate concerning failures against malicious prompts and experiments. Malicious prompts devised to exploit the AI assistant resulted in an alarming 100% failure rate, emphasizing significant weaknesses within the algorithmic architecture itself.
With security concerns mounting, experts including Thomas Reed from Huntress noted that the unencrypted HTTP endpoints are particularly alarming in an age where cybersecurity threats are rampant. He condemned the decision to disable ATS, contending that there’s no valid reason for such negligence when developing modern applications. “Even if they managed to secure communications, sending sensitive data to a server potentially accessible by the Chinese government remains an unacceptable risk,” Reed stated, exposing the evident challenges faced by users of DeepSeek.
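The ATS weaknesses described above (ATS disabled, cleartext HTTP endpoints) are visible in an app’s Info.plist before a single packet is sent. The following audit script is an added example, not code from NowSecure or from the DeepSeek app; the `NSAppTransportSecurity` keys it inspects are Apple’s real Info.plist keys, while the bundle identifier, domain and both plist samples are constructed for illustration.

```python
import plistlib
from typing import List

# Constructed sample Info.plist, not DeepSeek's real one: ATS is switched off
# globally and one domain is additionally exempted from TLS requirements.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>"""

# Hardened form: no NSAppTransportSecurity dictionary at all, so the iOS
# default (HTTPS only, with forward secrecy required) applies to every host.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
</dict>
</plist>"""


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Return human-readable ATS weaknesses found in an Info.plist."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # Global switches that let the app talk cleartext HTTP to any host.
    for key in ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent"):
        if ats.get(key):
            findings.append(f"{key}=true: cleartext HTTP allowed globally")
    # Per-domain exceptions that weaken or remove TLS for specific hosts.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: insecure HTTP loads allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
    return findings
```

Run it against the `Info.plist` extracted from an unzipped IPA to flag the same class of misconfiguration in any app under review.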
In the wake of these revelations, the recommendation from security experts is clear: users and organizations should immediately remove the DeepSeek iOS app from all devices to protect against potential data breaches and privacy violations. The findings about the Android version of DeepSeek paint an even bleaker picture, as it has been deemed even less secure than its iOS counterpart.
The ongoing investigation by NowSecure has yet to definitively clarify the scope of vulnerabilities present in DeepSeek’s software; however, the current findings prompt serious caution. As app security becomes a pivotal concern for users, robust encryption practices and stringent adherence to security protocols need to become non-negotiable standards for developers, particularly for applications handling sensitive user information. This incident serves as a stark reminder of the need to remain vigilant amidst growing cybersecurity threats and to manage personal data responsibly.
