DeepSeek Is Sending Unencrypted Data To Chinese Servers, As Its iOS App Suffers From Multiple Severe Security Flaws

DeepSeek is sending user data to Chinese servers due to security flaws in iOS App

The DeepSeek app topped the App Store charts as the most downloaded AI app, even beating ChatGPT in its first month of release. However, the app has raised various concerns since its arrival, including privacy and security. It has now been discovered that DeepSeek has been sending unencrypted data to Chinese servers due to multiple security flaws in its iOS app.

DeepSeek iOS app poses a major security risk by transmitting unencrypted data to Chinese servers

We have previously reported various concerns related to DeepSeek, including its lack of filters, which could get anyone into trouble based on their queries. Additionally, US officials are investigating the potential national security risks associated with the platform and how it could send user data to Chinese servers without consent.

According to NowSecure, a mobile security company, there are multiple security flaws in DeepSeek’s iOS app. It was also discovered that the app does not use Apple’s App Transport Security (ATS) system. If you are not familiar, Apple put ATS in place to make sure that sensitive data is only transferred over encrypted channels. In its findings, NowSecure reveals that DeepSeek has switched the feature off in its iOS app.

The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet.

The security company states that while the exposed data might seem harmless, it can be manipulated to de-anonymize users.

While none of this data taken separately is highly risky, the aggregation of many data points over time quickly leads to easily identifying individuals. The recent data breach of Gravy Analytics demonstrates this data is actively being collected at scale and can effectively de-anonymize millions of individuals.

DeepSeek was also found to be using outdated encryption methods that rely on broken algorithms, a poor choice for protecting user data. Furthermore, the data collected by the DeepSeek app could be used to identify potential espionage targets.

[A sample user] is operating on the latest iPad, leveraging a cellular data connection that is registered to FirstNet (American public safety broadband network operator) and ostensibly the user would be considered a high value target for espionage.

Bear in mind that not only are 10’s of data points collected in the DeepSeek iOS app but related data is collected from millions of apps and can be easily purchased, combined and then correlated to quickly de-anonymize users.

The complete analysis in the report details that DeepSeek’s iOS app is not safe or secure to use, and that the Android counterpart is equally bad or even slightly worse. DeepSeek has to address a lot of security and privacy concerns if the company wishes to operate the model in the US and other markets. Failure to do so could lead the app to the same fate as TikTok, which faces either a permanent ban or a sale to a US-based company.
