WARNING: DeepSeek Transmits Unencrypted Data To ByteDance Controlled Servers

NowSecure, a Chicago-based mobile security company, has published a comprehensive security and privacy assessment of the DeepSeek iOS mobile app, uncovering multiple critical vulnerabilities that put individuals, enterprises, and government agencies at risk.

These findings highlight the immediate need for organizations to prohibit the app’s use to safeguard sensitive data and mitigate potential cyber risks.

Source: NowSecure

Key Security and Privacy Risks

The DeepSeek iOS app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation. It employs outdated encryption methods, such as Triple DES, with weak and hardcoded encryption keys, violating best security practices. Additionally, usernames, passwords, and encryption keys are stored insecurely, increasing the risk of credential theft. The app collects extensive user and device data, enabling tracking and de-anonymization. Furthermore, user data is transmitted to servers controlled by ByteDance in China, raising concerns over government access and compliance risks.

Organizations using DeepSeek face significant risks, including exposure of sensitive data such as intellectual property, strategic plans, and confidential communications. The app’s data collection capabilities increase the risk of surveillance, while regulatory and compliance concerns arise due to data storage and processing in China. These factors contribute to a loss of control over data and heightened security vulnerabilities.

NowSecure urges enterprises and agencies to take immediate action. Organizations should remove the DeepSeek iOS app from managed and BYOD environments to prevent potential data breaches. Alternative AI platforms that prioritize mobile app security and data protection should be explored. It is also essential to continuously monitor all mobile applications to detect emerging risks and ensure compliance with security protocols.

DeepSeek Analysis

A deeper analysis of DeepSeek’s privacy issues reveals that its Privacy Policy and Terms of Service do not provide adequate protection. The iOS app was analyzed by running and inspecting it on real devices, confirming multiple security vulnerabilities and privacy concerns. Users can mitigate risks by leveraging alternative AI models, including self-hosted versions or platforms offered by companies like Microsoft. However, even with self-hosting, censorship built into the model remains unless customization is applied.

Unencrypted Data Exposure

The DeepSeek iOS app transmits registration and device data over the internet without encryption, exposing users to both passive and active attacks. Attackers with privileged network access could intercept and modify data, impacting its integrity. A recent breach involving U.S. Internet Service Providers by the China-based “Salt Typhoon” threat actor demonstrates how such vulnerabilities can be exploited. Because the app applies no adequate security controls to this traffic, it keeps transmitting sensitive data even while such an attack is in progress.

DeepSeek uses weak encryption methods that fail to ensure data confidentiality and integrity. The app employs an insecure symmetric encryption algorithm (3DES), relies on a hardcoded encryption key, and fails to implement proper initialization vectors. These weaknesses make the encryption ineffective against potential attacks. NowSecure researchers leveraged tools like r2ai and Frida to analyze these security flaws and confirm vulnerabilities in how user data is stored and processed.
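To make the three weaknesses concrete, the following Go program is an added example; it is not code from the report, from NowSecure, or from the DeepSeek app. It places the pattern described above (3DES in CBC mode with a key embedded in the binary, a constant IV, and no integrity protection) next to AES-256-GCM with a fresh random nonce per message. The hardcoded key and the sample payload are constructed placeholders, not values recovered from the app.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey stands in for a key compiled into the app binary. It is a constructed
// placeholder, not a key recovered from any real app (3DES needs 24 bytes).
var hardcodedKey = []byte("0123456789abcdef01234567")

// pkcs7Pad pads b to a whole number of bs-byte blocks, as CBC requires.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// weakEncrypt3DES reproduces the pattern the report criticises: 3DES-CBC under a key
// anyone who unpacks the binary can read, with a constant all-zero IV, so equal
// plaintexts always give equal ciphertexts, and with no integrity tag at all.
func weakEncrypt3DES(plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize) // all zeros, reused for every message
	padded := pkcs7Pad(plaintext, des.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// newKey returns a fresh 256-bit key. A real app would keep it in the Keychain,
// not in the code or in a cached database.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// strongEncrypt uses AES-256-GCM: a random 96-bit nonce per message makes repeated
// plaintexts unlinkable, and the tag detects any modification in transit.
// Output layout: nonce || ciphertext || tag.
func strongEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// strongDecrypt reverses strongEncrypt and fails closed if the tag does not verify.
func strongDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(data) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, data[:ns], data[ns:], nil)
}

func main() {
	msg := []byte("user@example.com|device-token-1234") // constructed sample payload

	w1, _ := weakEncrypt3DES(msg)
	w2, _ := weakEncrypt3DES(msg)
	fmt.Println("3DES, fixed key and IV, same ciphertext twice:", bytes.Equal(w1, w2))

	key, _ := newKey()
	s1, _ := strongEncrypt(key, msg)
	s2, _ := strongEncrypt(key, msg)
	fmt.Println("AES-GCM, random nonce, same ciphertext twice:", bytes.Equal(s1, s2))

	s1[len(s1)-1] ^= 0x01 // simulate one corrupted byte on the wire
	_, err := strongDecrypt(key, s1)
	fmt.Println("AES-GCM rejects the modified message:", err != nil)
}
```

Run it with `go run`. The first line shows why a fixed key and IV matter: two identical registrations produce identical ciphertext, so anyone capturing the traffic can see when the same value is sent again without decrypting anything, and a key read out of the binary decrypts all of it. The GCM construction gives different output every time and refuses a modified message, which is the integrity property the report says the app lacks.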

Insecure Data Storage

Sensitive data, including usernames, passwords, and encryption keys, was found stored insecurely within the app’s cached database. This data can be recovered under certain conditions, particularly with physical access to an unlocked device. The use of default NSURLRequest API caching further exacerbates these risks, as it stores HTTP responses in a local cache file unless explicitly disabled by the developer.

Data Collection and Fingerprinting

DeepSeek collects and transmits extensive data that can be used for user tracking and de-anonymization. Recent breaches, such as those involving data brokers like Gravy Analytics, highlight how this information can be leveraged for surveillance and espionage. The app captures detailed device information, including operating system details, network configurations, and user behavior patterns. This data, when combined with external sources, enables profiling and targeted tracking of individuals.

Data Transmission to ByteDance and China

User data from the DeepSeek iOS app is sent to Volcengine, a cloud service operated by ByteDance. While some endpoints appear to be located in the United States, further investigation reveals affiliations with Chinese companies, raising concerns over data sovereignty and security. Given China’s legal framework on data access, sensitive user information could be subject to government intervention.

Missing iOS Security Controls

Despite Apple’s built-in privacy protections, DeepSeek disables essential security features, including App Transport Security (ATS), allowing unencrypted data transmission. The app also accesses privacy-sensitive APIs that can be used for device fingerprinting and tracking. These include APIs related to system boot times, disk space, and file timestamps. The lack of proper disclosure in the app’s privacy manifest further raises concerns about compliance and transparency.
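The ATS setting described above can be audited directly from an app's Info.plist. The following Go program is an added example, not code from the report or from NowSecure: it embeds a constructed Info.plist (the bundle and domain names are hypothetical) and a minimal walker for the XML plist format, then lists the NSAppTransportSecurity keys that relax Apple's HTTPS-only default.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sampleInfoPlist is a constructed Info.plist with a hypothetical domain; it is not the DeepSeek manifest.
const sampleInfoPlist = `<plist version="1.0">
<dict>
	<key>NSAppTransportSecurity</key>
	<dict>
		<key>NSAllowsArbitraryLoads</key>
		<true/>
		<key>NSExceptionDomains</key>
		<dict>
			<key>api.example.com</key>
			<dict>
				<key>NSExceptionAllowsInsecureHTTPLoads</key>
				<true/>
			</dict>
		</dict>
	</dict>
</dict>
</plist>`

// parseValue turns the plist element starting at start into Go values: dict -> map,
// true/false -> bool, any other element (string, integer, array, ...) -> its text.
func parseValue(dec *xml.Decoder, start xml.StartElement) (interface{}, error) {
	switch start.Name.Local {
	case "dict":
		m, key := map[string]interface{}{}, ""
		for {
			tok, err := dec.Token()
			if err != nil {
				return nil, err
			}
			switch t := tok.(type) {
			case xml.StartElement:
				if t.Name.Local == "key" {
					err = dec.DecodeElement(&key, &t)
				} else {
					m[key], err = parseValue(dec, t)
				}
				if err != nil {
					return nil, err
				}
			case xml.EndElement: // </dict>
				return m, nil
			}
		}
	case "true", "false":
		return start.Name.Local == "true", dec.Skip() // consume <true/> or <false/>
	default:
		var s string
		err := dec.DecodeElement(&s, &start)
		return s, err
	}
}

// parsePlist returns the root dictionary of an XML plist document.
func parsePlist(src string) (map[string]interface{}, error) {
	dec := xml.NewDecoder(strings.NewReader(src))
	for {
		tok, err := dec.Token()
		if err != nil {
			return nil, err // io.EOF here means no root <dict> was found
		}
		if se, ok := tok.(xml.StartElement); ok && se.Name.Local == "dict" {
			v, err := parseValue(dec, se)
			if err != nil {
				return nil, err
			}
			return v.(map[string]interface{}), nil
		}
	}
}

// auditATS lists the ways NSAppTransportSecurity weakens the HTTPS-only default.
func auditATS(info map[string]interface{}) []string {
	ats, ok := info["NSAppTransportSecurity"].(map[string]interface{})
	if !ok {
		return nil // no ATS dictionary: Apple's defaults (TLS 1.2+, no cleartext) apply
	}
	var out []string
	if b, _ := ats["NSAllowsArbitraryLoads"].(bool); b {
		out = append(out, "NSAllowsArbitraryLoads (app-wide)")
	}
	domains, _ := ats["NSExceptionDomains"].(map[string]interface{})
	for name, raw := range domains {
		d, _ := raw.(map[string]interface{})
		if b, _ := d["NSExceptionAllowsInsecureHTTPLoads"].(bool); b {
			out = append(out, "NSExceptionAllowsInsecureHTTPLoads ("+name+")")
		}
	}
	return out
}

func main() {
	info, err := parsePlist(sampleInfoPlist)
	fmt.Println(auditATS(info), err)
}
```

Info.plist sits in `Payload/<AppName>.app/` inside the IPA; if it is stored in binary plist form, convert it first with `plutil -convert xml1` on macOS. An app that needs no cleartext traffic should have no NSAppTransportSecurity dictionary at all, or only narrowly scoped exceptions for named domains.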

Privacy Policy and Terms of Service Concerns

An examination of DeepSeek’s Privacy Policy and Terms of Service confirms that vast amounts of data are collected and transmitted to China. The documents reveal that user data is subject to foreign governance, increasing the risk of unauthorized access and misuse. Given the app’s data collection practices, organizations must assess whether continued usage aligns with their privacy and security policies.

Mitigation Strategies

Mitigating the risks posed by the DeepSeek iOS app requires immediate action. Organizations should discontinue use of the app until security and privacy issues are addressed. Decision-makers must evaluate whether the app’s data collection practices and legal jurisdiction align with their risk tolerance. For those requiring DeepSeek’s AI capabilities, exploring self-hosted or alternative AI models with improved security measures is recommended.

Several countries, including Australia, Italy, the Netherlands, Taiwan, and South Korea, along with government agencies in India and the United States—such as Congress, NASA, the Navy, the Pentagon, and the state of Texas—have implemented bans on DeepSeek for government devices.

Given the rapid evolution of technology, continuous security assessments are crucial. Mobile apps and AI tools must be regularly evaluated to identify and mitigate emerging threats. NowSecure provides advanced security analysis solutions to uncover vulnerabilities in mobile applications, ensuring that enterprises and government agencies remain protected against potential threats.

Read the complete NowSecure report here



Boštjan Dolinšek

OK

Josinaldo Borges Leal

Tech Lead CyberSecurity Multicloud Specialist | Security Champion | CCoE

2 weeks

The concern should be the same for ALL of them, since some companies even use pirated content to train AI; imagine what else is coming. CHINA is already ahead in many areas.

Robson Carmo

R3C TECH - Solution Architect | AWS | AZURE | Microsoft 365 | IT Project | Observability | Monitor | SQL | Network | IT Infrastructure | Information Security | Governance | IT Management | IT Business

2 weeks

What is worrying is these Chinese companies.
