How a Top AI App Compromises User Privacy and National Security
- Sensitive data is sent unencrypted to ByteDance-controlled servers, exposing users to interception and tampering.
- Apple’s App Transport Security (ATS) protections are globally disabled, leaving data vulnerable.
- Critical security flaws, including outdated encryption and hardcoded keys, put individuals, enterprises, and governments at risk.
![](https://neuronad.com/wp-content/uploads/2025/02/Snimek-obrazovky-2025-02-10-v-12.52.13-1024x479.jpg)
In a world increasingly reliant on artificial intelligence, the DeepSeek iOS app has emerged as a cautionary tale of how innovation can come at the expense of security and privacy. Launched by a relatively unknown China-based company, DeepSeek stunned the AI community with its open-source chatbot boasting reasoning capabilities comparable to OpenAI’s models. Within days, it became the most downloaded free app on the iPhone App Store, surpassing even ChatGPT. However, beneath its meteoric rise lies a troubling reality: DeepSeek is riddled with security vulnerabilities that jeopardize user data, enterprise systems, and even national security.
A Breach of Trust: Unencrypted Data and Disabled Protections
Mobile security firm NowSecure recently revealed that the DeepSeek iOS app transmits sensitive user data over unencrypted channels. This means that anyone monitoring network traffic—whether malicious hackers or state-sponsored actors—can intercept and potentially manipulate the data. Even more concerning, Apple’s App Transport Security (ATS), which enforces encryption for data transmission, has been globally disabled in the app. This decision, unexplained by both DeepSeek and Apple, leaves users’ data exposed to passive and active attacks, such as man-in-the-middle (MITM) exploits.
During the app’s initial registration process, unencrypted data such as the organization ID, software development kit version, user operating system, and language settings is sent over the internet. While these details may seem innocuous in isolation, their aggregation can lead to the de-anonymization of users. This is particularly alarming given the app’s connection to ByteDance, the Chinese company behind TikTok, which has faced scrutiny over its data practices and ties to the Chinese government.
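A defender-side check for the ATS problem described above, added here as an example and not taken from NowSecure's tooling or from the DeepSeek app: it parses an iOS app's Info.plist and reports where App Transport Security is globally disabled or weakened per domain. The two plists are constructed samples (com.example.chatapp and api.example.com are placeholders); a real audit reads Info.plist out of an extracted .ipa.

```python
import plistlib

# Constructed Info.plist samples (not DeepSeek's real manifest). The first
# globally disables ATS, the second keeps it on and only adds stricter rules.
ATS_DISABLED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

ATS_HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        <key>NSExceptionRequiresForwardSecrecy</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

def ats_findings(plist_bytes: bytes) -> list[str]:
    """Return ATS weaknesses found in an Info.plist; an empty list means ATS is intact."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    findings = []
    # Global switches: each one turns ATS off for a whole class of traffic.
    for key in ("NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"{key}=true: ATS switched off for that traffic class")
    # Per-domain exceptions can re-enable plaintext HTTP or weaken TLS for a host.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: NSExceptionAllowsInsecureHTTPLoads=true")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{host}: forward secrecy not required")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS lowered to "
                            f"{rules['NSExceptionMinimumTLSVersion']}")
    return findings

if __name__ == "__main__":
    for name, blob in (("disabled", ATS_DISABLED_PLIST), ("hardened", ATS_HARDENED_PLIST)):
        print(name, ats_findings(blob) or ["no ATS weaknesses"])
```

An app with no NSAppTransportSecurity dictionary at all is reported as clean, because ATS is enforced by default on iOS 9 and later.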
![](https://neuronad.com/wp-content/uploads/2025/02/Snimek-obrazovky-2025-02-10-v-12.53.13-1018x1024.jpg)
ByteDance Servers and the China Connection
DeepSeek’s data transmission infrastructure relies on Volcengine, a cloud platform developed by ByteDance. Although the app connects to U.S.-based servers, its privacy policy explicitly states that user data is stored on servers in China. Under Chinese law, companies are required to provide access to data upon government request, raising significant concerns about surveillance and misuse.
Once data reaches ByteDance-controlled servers, it can be cross-referenced with other datasets to identify users and track their activity. This poses a serious risk not only to individual privacy but also to enterprises and government agencies using the app. Sensitive information, such as intellectual property, strategic plans, and confidential communications, could be exposed to foreign entities.
Outdated Encryption and Hardcoded Keys
The app’s security flaws extend beyond unencrypted data transmission. DeepSeek employs Triple DES (3DES) encryption, a symmetric encryption scheme deprecated by the National Institute of Standards and Technology (NIST) in 2016 due to its vulnerability to practical attacks. Even worse, the encryption keys are hardcoded into the app and identical for all iOS users. This means that once an attacker discovers the key, they can decrypt data for any user.
Such practices violate basic security principles and highlight a lack of commitment to protecting user data. According to NowSecure co-founder Andrew Hoog, these flaws suggest either negligence or intentional disregard for security standards.
Broader Implications for Enterprises and Governments
The risks posed by DeepSeek extend far beyond individual users. Enterprises and government agencies that allow the app on their devices face significant exposure to data breaches, surveillance, and regulatory non-compliance. The app’s extensive data collection and fingerprinting capabilities enable tracking and de-anonymization, which could compromise sensitive operations and national security.
In response to these concerns, U.S. lawmakers have called for an immediate ban on DeepSeek from all government devices. If enacted, the ban could take effect within 60 days, reflecting the urgency of the threat.
![](https://neuronad.com/wp-content/uploads/2025/02/Snimek-obrazovky-2025-02-10-v-12.53.30-1024x306.jpg)
A Pattern of Negligence
DeepSeek’s security issues are not limited to its iOS app. The Android version is reportedly even less secure, compounding the risks for users across platforms. Additionally, researchers have uncovered other alarming practices by the company. For instance, a publicly accessible database containing over one million instances of chat history, backend data, and sensitive information was recently discovered. This database allowed full control and privilege escalation, exposing internal API endpoints and operational details.
The app’s privacy policy also raises red flags. It explicitly states that user data may be shared with law enforcement, public authorities, and third parties under vague conditions, further eroding trust.
Recommendations and Next Steps
Given the severity of the risks, NowSecure has urged organizations to immediately remove the DeepSeek app from their environments, including both managed and BYOD (bring your own device) deployments. The firm also recommends exploring alternative AI platforms that prioritize security and data protection.
For individuals, enterprises, and governments, the following steps are critical:
- Uninstall the DeepSeek app to prevent further data exposure.
- Monitor mobile applications for emerging risks, as apps can change rapidly and introduce new vulnerabilities.
- Consider self-hosted or alternative AI solutions to maintain control over sensitive data.
A Wake-Up Call for Mobile Security
The DeepSeek controversy underscores the importance of rigorous security practices in the development and deployment of mobile apps. As AI continues to integrate into our daily lives, the stakes for protecting user data have never been higher. While DeepSeek’s AI capabilities may be impressive, its disregard for basic security principles serves as a stark reminder that innovation must not come at the expense of privacy and safety.
In an era where data is power, safeguarding it is not just a technical challenge—it is a moral imperative.