Security Researchers Uncover Severe Vulnerabilities in DeepSeek Mobile Application

CyberSecureFox 🦊

Security researchers at NowSecure have uncovered significant security vulnerabilities in the DeepSeek iOS mobile application, raising serious concerns about user data protection. The investigation revealed critical flaws in the app’s encryption implementation and data handling practices, potentially exposing sensitive user information to unauthorized access.

Disabled Security Protocols and Transport Layer Vulnerabilities

The most alarming discovery is that Apple’s App Transport Security (ATS) framework has been switched off entirely within the application. ATS is the built-in iOS mechanism that enforces secure communication protocols; disabling it deliberately leaves user data exposed in transit. This deviation from standard security practice significantly increases the risk of man-in-the-middle attacks and data interception.
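What "ATS disabled" looks like in an app's Info.plist, and how a reviewer checks for it, as an added example that is not code from the article, from NowSecure or from the DeepSeek app: two constructed plist fragments, one with the app-wide override that turns ATS off and one that keeps ATS on, plus a stdlib-only Python audit that flags the overrides which weaken transport security. The ATS key names are Apple's real keys; the bundle identifier and the host are placeholders.

```python
import plistlib

# Constructed Info.plist with ATS switched off for every connection (the weak setting).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.placeholder</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed Info.plist that keeps ATS on. The single exception entry tightens the
# requirements for one placeholder host instead of relaxing them, and local
# networking is allowed for development tooling without touching Internet traffic.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.placeholder</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSAllowsLocalNetworking</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.invalid</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><false/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
        <key>NSExceptionRequiresForwardSecrecy</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> list:
    """Return a finding for every ATS override that weakens transport security.

    plistlib auto-detects XML and binary plists, so the bytes can come straight
    from the Info.plist inside an .app bundle.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # App-wide switches: any of these disables ATS for a whole class of traffic.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all connections")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web views")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia=true: ATS disabled for media loads")

    # Per-host exceptions: only the ones that lower the bar are worth a finding.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: plaintext HTTP permitted")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy requirement removed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS version lowered to {tls}")
    return findings


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, "->", audit_ats(blob) or "no ATS weakening found")
```

Absence of an NSAppTransportSecurity dictionary is the secure default, so the audit reports nothing for it; the finding to look for in a review like the one described above is the app-wide NSAllowsArbitraryLoads switch.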

Compromised Encryption Implementation

The security audit identified multiple critical deficiencies in the app’s encryption system, including:
– Implementation of the deprecated Triple DES (3DES) encryption algorithm
– Usage of identical symmetric encryption keys across all iOS installations
– Insecure storage of encryption keys on user devices
– Reuse of initialization vectors in encryption processes
These vulnerabilities collectively create multiple attack vectors that could be exploited by malicious actors.
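Why the combination of one key shared by every install and a reused initialization vector matters, as an added example that is not code from the article, from NowSecure or from the app: a toy 64-bit Feistel block cipher (a stand-in with the same block size as 3DES, used only so CBC mode can be shown without a third-party library) encrypts two constructed records under one key. With a fixed IV, records that begin with the same 8 bytes produce identical first ciphertext blocks, which an observer can spot without any key; with a distinct IV per record they do not. A second function finds reused IVs among stored records, which is the check an auditor runs over captured data. The key, IVs and messages are constructed.

```python
import hashlib
from collections import Counter

BLOCK = 8  # 64-bit blocks, the same block size as Triple DES

# Constructed values standing in for the findings: one key baked into every
# install, and one IV that never changes between records.
SHARED_KEY = b"same-key-in-every-install"
FIXED_IV = bytes(BLOCK)


def _round_fn(key: bytes, half: bytes, rnd: int) -> bytes:
    """Toy Feistel round function: 4 bytes of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """8-round Feistel permutation on one 8-byte block (toy cipher, for mode demos only)."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(8):
        left, right = right, _xor(left, _round_fn(key, right, rnd))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round_fn(key, left, rnd)), left
    return left + right


def _pad(data: bytes) -> bytes:
    """PKCS#7-style padding to a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block (or the IV)."""
    assert len(iv) == BLOCK
    data, prev, out = _pad(plaintext), iv, bytearray()
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, cur), prev)
        prev = cur
    return bytes(out[:-out[-1]])  # strip the padding


def first_blocks_match(key, iv_a, msg_a, iv_b, msg_b) -> bool:
    """True when two encryptions share their first ciphertext block, i.e. when an
    observer holding only ciphertext can tell the records start with the same 8 bytes."""
    return cbc_encrypt(key, iv_a, msg_a)[:BLOCK] == cbc_encrypt(key, iv_b, msg_b)[:BLOCK]


def find_reused_ivs(records):
    """records: iterable of (iv, ciphertext) pairs produced under one key.
    Returns every IV that appears more than once."""
    counts = Counter(iv for iv, _ in records)
    return sorted(iv for iv, n in counts.items() if n > 1)


if __name__ == "__main__":
    a, b = b"user=alice;token=111", b"user=alice;token=222"  # constructed records
    fresh_iv = bytes(range(BLOCK))
    print("fixed IV, same prefix leaks:", first_blocks_match(SHARED_KEY, FIXED_IV, a, FIXED_IV, b))
    print("distinct IVs leak:          ", first_blocks_match(SHARED_KEY, FIXED_IV, a, fresh_iv, b))
    stored = [(FIXED_IV, cbc_encrypt(SHARED_KEY, FIXED_IV, a)),
              (FIXED_IV, cbc_encrypt(SHARED_KEY, FIXED_IV, b)),
              (fresh_iv, cbc_encrypt(SHARED_KEY, fresh_iv, a))]
    print("reused IVs:", find_reused_ivs(stored))
```

The leak is a property of CBC with a repeated IV, not of the toy cipher: the first ciphertext block is a deterministic function of key, IV and first plaintext block, so holding the first two constant makes equal prefixes visible. A shared key across installs makes the same comparison possible across different users' records, which is why the two findings compound.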

Data Processing and Privacy Concerns

A particularly concerning aspect of the investigation reveals that user data is being transmitted to Volcano Engine servers, operated by ByteDance. While TLS encryption is partially implemented, the potential for data aggregation and user de-anonymization after server-side decryption poses significant privacy risks. This practice raises questions about compliance with international data protection regulations.

Global Response and Security Implications

The severity of these security findings has prompted immediate action from several nations. Australia, Italy, the Netherlands, and South Korea have implemented bans on DeepSeek usage on government devices. Similar restrictions have been adopted by various government agencies in the United States and India, reflecting growing concerns about data security risks.

Security experts strongly advise users to immediately remove DeepSeek from both iOS and Android devices, citing inadequate protection of personal information. The Android version reportedly contains even more severe security vulnerabilities, according to preliminary assessments. Organizations and individuals should conduct thorough security evaluations of mobile applications, especially those handling sensitive data, and implement robust security policies to protect against similar threats.
