DeepSeek Exposes Unencrypted Data to Chinese Servers: Critical Security Vulnerabilities Found in iOS App

The DeepSeek application has made waves by becoming the most downloaded AI app on the App Store, surpassing even ChatGPT within the first month of its launch. However, this popularity has been overshadowed by serious concerns surrounding privacy and security issues. Recent investigations have revealed that the DeepSeek app is transmitting unencrypted user data to servers in China owing to significant security vulnerabilities present in its iOS version.

Critical Security Concerns of DeepSeek’s iOS Application

As previously highlighted, DeepSeek raises major alarms due to its lack of filtering mechanisms, which may inadvertently expose users to risks based on their search queries. This has drawn the scrutiny of U. S.officials, who are currently evaluating the potential national security implications of the app’s data handling practices, particularly its unauthorized transmission of information to foreign servers.

Unencrypted Data Transmission

According to insights from NowSecure, a reputable mobile security firm, the DeepSeek app contains multiple vulnerabilities related to its architecture. Crucially, it has been reported that the app does not utilize Apple’s App Transport Security (ATS), a system designed to ensure sensitive information is conveyed exclusively over secure, encrypted channels. In fact, findings indicate that DeepSeek has intentionally disabled this essential feature within its iOS platform.

The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet.

Data Vulnerability and Manipulation Risks

NowSecure has noted that although the exposed data may seem innocuous at first glance, it can be manipulated to compromise user anonymity. For instance, the recent breach involving Gravy Analytics serves as a warning, illustrating how data can be aggregated on a massive scale, effectively revealing the identities of millions.

The recent data breach of Gravy Analytics demonstrates this data is actively being collected at scale and can effectively de-anonymize millions of individuals.

Outdated Security Practices

DeepSeek’s reliance on obsolete encryption methodologies is another alarming factor. The algorithms in use are not only outdated but also highly flawed, raising questions about the adequacy of protection for user data. Additionally, the information amassed by DeepSeek could inadvertently highlight individuals who may be of interest to espionage activities.

[A sample user] is operating on the latest iPad, leveraging a cellular data connection that is registered to FirstNet (American public safety broadband network operator) and ostensibly the user would be considered a high value target for espionage.

Bear in mind that not only are 10’s of data points collected in the DeepSeek iOS app but related data is collected from millions of apps and can be easily purchased, combined and then correlated to quickly de-anonymize users.

Future Implications for DeepSeek

A thorough review of the security report indicates that the DeepSeek iOS application poses significant risks and is unsafe for consumer use. The Android version of the app reportedly exhibits similar, if not worse, security flaws. For DeepSeek to maintain its market presence in the United States and beyond, it must urgently address these critical security and privacy concerns. Otherwise, it could face a fate parallel to that of TikTok, which is currently navigating turbulent waters that could lead to a permanent ban or a forced sale to a U. S.-based entity.

Source&Images