DeepSeek iOS App Audit Uncovers Critical Security Flaws
A recent security audit of DeepSeek's iOS mobile app has revealed significant vulnerabilities

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
A recent security audit of DeepSeek's iOS mobile app has revealed significant vulnerabilities, with the most alarming issue being the transmission of sensitive data over the internet without encryption. This security lapse exposes user data to interception and manipulation attacks, posing a serious privacy risk.
Findings from the Security Audit
The audit, conducted by NowSecure, highlights DeepSeek’s failure to adhere to basic cybersecurity best practices. The assessment found that the app collects and transmits extensive user and device data, failing to secure this data through industry-standard encryption methods.
"The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption," NowSecure reported. "This exposes any data in the internet traffic to both passive and active attacks."
The audit identified several encryption-related weaknesses, including:
Use of 3DES, a legacy algorithm with a 64-bit block size that NIST deprecated and disallowed for new encryption after 2023 and that is exposed to birthday-bound attacks such as Sweet32.
A hard-coded encryption key embedded in the app binary. Anyone who extracts the key from the app can decrypt everything it protects, so the encryption adds no security against a motivated attacker.
Reuse of initialization vectors (IVs). Under the same key and IV, identical plaintext prefixes produce identical ciphertext in CBC mode, and in stream or counter modes the XOR of two ciphertexts equals the XOR of the two plaintexts, so an observer learns about message contents without ever recovering the key.
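The following added example (not code from the audit or from DeepSeek's app) shows why the hard-coded key and the reused IV matter in practice. The Python standard library has no 3DES, so a counter-mode stream construction keyed with HMAC-SHA256 stands in for the cipher; the key, IV and registration payloads are constructed for the demo. An attacker who registers their own device knows one plaintext encrypted under the shared key and IV, and can use it to recover another user's payload from captured traffic; with the key extracted from the binary they need no such trick at all.

```python
import hashlib
import hmac
import os

# Hypothetical key, standing in for one embedded in the app binary (24 bytes, 3DES-sized).
HARDCODED_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef0123456789abcdef")
# The weak pattern: one fixed IV reused for every message.
FIXED_IV = b"\x00" * 8


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC-SHA256(key, iv || i).

    A stand-in for a real block cipher's forward function; the IV-reuse
    consequence shown below is the same for any counter/stream mode.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR with the keystream is its own inverse

# Constructed sample registration payloads (not real app traffic).
MSG_A = b'{"device":"iPhone15,3","os":"17.4","user":"alice@example.com"}'
MSG_B = b'{"device":"iPhone14,2","os":"17.1","user":"bob@example.com"}'


def reused_iv_leak(cipher_a: bytes, cipher_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Attacker step: with a reused (key, IV), c_a XOR c_b == p_a XOR p_b.

    Knowing p_a (e.g. the attacker's own registration) recovers p_b for the
    overlapping bytes, without the key.
    """
    n = min(len(cipher_a), len(cipher_b), len(known_plaintext_a))
    return xor(xor(cipher_a[:n], cipher_b[:n]), known_plaintext_a[:n])


def demo_reused_iv() -> bytes:
    """Same key, same IV for both messages: the victim's payload is recovered."""
    ca = encrypt(HARDCODED_KEY, FIXED_IV, MSG_A)
    cb = encrypt(HARDCODED_KEY, FIXED_IV, MSG_B)
    return reused_iv_leak(ca, cb, MSG_A)  # == MSG_B


def demo_fresh_iv() -> bytes:
    """Same hard-coded key but a fresh random IV per message: the XOR trick fails."""
    ca = encrypt(HARDCODED_KEY, os.urandom(8), MSG_A)
    cb = encrypt(HARDCODED_KEY, os.urandom(8), MSG_B)
    return reused_iv_leak(ca, cb, MSG_A)  # unrelated bytes, not MSG_B


def demo_hardcoded_key(ciphertext: bytes, iv: bytes) -> bytes:
    """With the key pulled out of the binary, no cryptanalysis is needed at all."""
    return decrypt(HARDCODED_KEY, iv, ciphertext)


if __name__ == "__main__":
    print("reused IV recovers:", demo_reused_iv())
    print("fresh IV recovers:  ", demo_fresh_iv())
    ct = encrypt(HARDCODED_KEY, FIXED_IV, MSG_A)
    print("hard-coded key decrypts:", demo_hardcoded_key(ct, FIXED_IV))
```

A fresh IV per message closes the XOR leak but does nothing about the extracted key; the durable fix is to stop relying on app-layer encryption with a key that ships in the binary and instead let the platform's TLS (which ATS enforces by default) protect the channel, reserving application crypto for keys provisioned per device and stored in the Keychain or Secure Enclave.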
Additionally, the app disables Apple's App Transport Security (ATS), the platform default that forces an app's network connections over HTTPS with modern TLS and blocks cleartext HTTP. ATS is only switched off by an explicit opt-out in the app's Info.plist (for example, setting NSAllowsArbitraryLoads under NSAppTransportSecurity), so the bypass is a deliberate build-time choice rather than an accident, and it removes the one safeguard that would have prevented the unencrypted transmissions the audit observed.
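A practitioner reviewing an IPA for this class of problem does not need to run the app: the ATS policy lives in the bundle's Info.plist. The added Python check below (an illustration written for this article, not NowSecure's tooling, and the two plists are constructed samples rather than DeepSeek's real configuration) parses an Info.plist and flags the global opt-out alongside the narrower, per-domain exceptions that also weaken ATS.

```python
import plistlib

# Constructed sample: ATS disabled for every host (the weak configuration).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed sample: ATS left on, with one scoped exception that only pins a
# minimum TLS version for a single legacy host and does not allow cleartext.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def ats_findings(plist_bytes: bytes) -> list:
    """Return a list of human-readable ATS weaknesses found in an Info.plist.

    plistlib.loads accepts both XML and binary plists, so the bytes can come
    straight out of Payload/<App>.app/Info.plist inside an unzipped IPA.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # Global opt-out: every connection may be cleartext HTTP or weak TLS.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for every host")

    # Category-wide opt-outs (web views, AV media) are narrower but still disable ATS.
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"{key}=true: ATS disabled for that content category")

    # Per-domain exceptions: check each rule that relaxes the defaults.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = "and subdomains" if rules.get("NSIncludesSubdomains") else "only"
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: cleartext HTTP allowed ({scope})")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required ({scope})")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls} ({scope})")
    return findings


if __name__ == "__main__":
    for name, data in (("weak", WEAK_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, ats_findings(data) or ["no ATS weaknesses"])
```

A clean result from this check only means the policy is intact; it says nothing about what the app does with the connection once TLS is up, which is why the audit's findings about app-layer 3DES and hard-coded keys matter independently of ATS.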
Links to ByteDance’s Infrastructure
Another concerning revelation is that DeepSeek transmits user data to servers hosted on Volcano Engine, a cloud computing and storage service owned by ByteDance, the parent company of TikTok.
This connection raises further privacy concerns, particularly in light of ongoing scrutiny over China-linked technology companies and their data handling practices.
NowSecure tied the unencrypted traffic directly to the disabled ATS setting: "Since this protection is disabled, the app can (and does) send unencrypted data over the internet."
Growing Privacy and Security Concerns
These findings add to a growing list of concerns surrounding DeepSeek's AI-powered chatbot, which has gained massive popularity in recent weeks. The app has quickly risen to the top of app store charts on both Android and iOS in multiple global markets.
Cybersecurity firm Check Point has also raised alarms about threat actors leveraging DeepSeek’s AI engine to:
Develop info-stealing malware.
Generate uncensored and restricted content.
Optimize mass spam campaigns.
"As cybercriminals increasingly use AI for malicious purposes, organizations must implement proactive defenses against potential misuse of AI technologies," Check Point warned.
International Scrutiny and Government Bans
The security and privacy risks posed by DeepSeek have prompted governments worldwide to take action. Earlier this week, The Associated Press reported that DeepSeek's web login page contains code capable of sending user login information to China Mobile, a state-owned telecommunications company that U.S. regulators have barred from operating in the United States.
This revelation has fueled efforts among U.S. lawmakers to push for a federal ban on the app from government devices, citing national security risks. Several other governments have already taken action:
The U.S. Congress, Pentagon, NASA, Navy, and the state of Texas have all banned DeepSeek from government devices.
Australia, Italy, the Netherlands, Taiwan, South Korea, and India have also blocked the app for government use.
The scrutiny surrounding DeepSeek mirrors concerns that led to the ban of TikTok on federal devices in the U.S. in 2023.
DeepSeek Faces Cyberattacks and Fraudulent Impersonation
DeepSeek's rapid rise has also made its own infrastructure a target. According to Chinese cybersecurity firm XLab, the AI service has been subjected to sustained Distributed Denial-of-Service (DDoS) attacks, including traffic from the Mirai-based botnets HailBot and RapperBot.
Additionally, cybercriminals have been quick to exploit the popularity of DeepSeek by creating lookalike websites for:
Malware distribution.
Fake investment scams.
Fraudulent cryptocurrency schemes.
Conclusion
The recent audit of DeepSeek's iOS app has raised serious concerns about data privacy and cybersecurity risk. With a disabled ATS policy, weak app-layer encryption (3DES, a hard-coded key and reused IVs), data flowing to ByteDance-owned infrastructure, and potential government surveillance exposure, the app is now under intense scrutiny from regulators worldwide.
As more governments move toward banning DeepSeek on official devices, users and organizations should treat AI chat apps like any other software that handles sensitive input: check what data they collect, where it is sent, and whether the transport is actually encrypted before trusting them with anything confidential.