In early February 2025, NowSecure, a leading mobile security company, discovered severe security and privacy vulnerabilities in the popular DeepSeek iOS mobile application. This AI-powered app, which briefly topped the iOS app charts, has been flagged for significant risks that could expose sensitive user data. This article will dive into the specifics of these flaws and why NowSecure is urging enterprises and government agencies to ban the app immediately.
NowSecure's assessment of the DeepSeek iOS app has revealed critical vulnerabilities, posing substantial risks to individuals, enterprises, and government bodies. These findings necessitate immediate action to protect sensitive data and mitigate potential cyber threats.
These vulnerabilities could lead to:
Given these critical findings, NowSecure strongly recommends that enterprises and government agencies take the following actions:
Recent privacy analyses of DeepSeek have focused primarily on its Privacy Policy and Terms of Service. NowSecure's analysis went a step further by running and examining the iOS app on real iOS devices, revealing confirmed security vulnerabilities and privacy issues.
The DeepSeek iOS app sends mobile app registration and device data over the internet without encryption. This exposes sensitive information to both passive and active attacks.
Here's an unencrypted network request for "cloudconf" from http://fp-it.fengkongcloud.com/v3/cloudconf:
This request reveals identifying data, including configured languages, device details, organization ID, and operating system.
While individual data points may seem benign, their aggregation over time can easily de-anonymize individuals. The recent data breach of Gravy Analytics highlighted the real-world consequences of data collection at scale and is one reason mobile security standards and compliance are essential for the modern enterprise.
Additionally, a "deviceprofile" endpoint (http://fp-it.fengkongcloud.com/deviceprofile/v4) transmits even more data, some of which is compressed and encrypted.
It's critical to understand that these data transmissions occur unencrypted, allowing attackers to manipulate the data and undermine the app's privacy and integrity.
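The cleartext transmissions described above are exactly what iOS App Transport Security (ATS) is meant to block by default; an app only reaches an `http://` endpoint if its Info.plist opts out with `NSAllowsArbitraryLoads` or a per-domain `NSExceptionAllowsInsecureHTTPLoads` exception. The following added example (not NowSecure's tooling or the DeepSeek app's code) audits a constructed proxy capture against a constructed Info.plist, reports which requests went over TLS, which cleartext requests ATS would have blocked, and which an ATS exception let through along with the fields exposed. The hostnames of the two endpoints named in the article are reused; the bundle identifier, the other hosts and the request bodies are constructed.

```python
"""Audit captured app requests against the app's ATS configuration.

Added example. Uses only the standard library. The Info.plist and the capture
below are constructed; only the fengkongcloud hostnames come from the article.
"""
import plistlib
from urllib.parse import urlsplit

# Constructed Info.plist: ATS stays on globally, but one host is exempted.
INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.chatapp",  # hypothetical bundle id
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": False,
        "NSExceptionDomains": {
            "fp-it.fengkongcloud.com": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSIncludesSubdomains": False,
            }
        },
    },
})

# Constructed proxy capture: (method, url, body fields). Field values are
# placeholders, not real device data.
CAPTURED_REQUESTS = [
    ("POST", "http://fp-it.fengkongcloud.com/v3/cloudconf",
     {"os": "iOS", "lang": "en", "organization": "<org-id>"}),
    ("POST", "http://fp-it.fengkongcloud.com/deviceprofile/v4",
     {"device_name": "<name>'s iPhone", "model": "<model>"}),
    ("POST", "https://api.example.com/chat", {"prompt": "hello"}),
    ("GET", "http://cdn.example.com/logo.png", {}),
    ("GET", "http://sub.fp-it.fengkongcloud.com/ping", {"id": "<id>"}),
]


def ats_allows_cleartext(ats: dict, host: str) -> bool:
    """Return True if ATS (as configured) permits an http:// load to host.

    A matching NSExceptionDomains entry takes precedence for that host; its
    NSExceptionAllowsInsecureHTTPLoads defaults to False. With no matching
    exception, the global NSAllowsArbitraryLoads (default False) decides.
    """
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        exact = host == domain
        sub = rules.get("NSIncludesSubdomains", False) and host.endswith("." + domain)
        if exact or sub:
            return bool(rules.get("NSExceptionAllowsInsecureHTTPLoads", False))
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def audit_cleartext(plist_bytes: bytes, requests: list) -> list:
    """Classify each captured request as tls, cleartext-blocked or cleartext-permitted."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    report = []
    for method, url, body in requests:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme == "https":
            verdict, exposed = "tls", []
        elif ats_allows_cleartext(ats, host):
            # Request really goes out in the clear: every body field is
            # readable and modifiable by anyone on the network path.
            verdict, exposed = "cleartext-permitted", sorted(body)
        else:
            verdict, exposed = "cleartext-blocked", []
        report.append({"method": method, "url": url, "host": host,
                       "verdict": verdict, "exposed_fields": exposed})
    return report


if __name__ == "__main__":
    for row in audit_cleartext(INFO_PLIST, CAPTURED_REQUESTS):
        print(f"{row['verdict']:<20} {row['method']} {row['url']} "
              f"exposed={row['exposed_fields']}")
```

Run against a real app, the same logic applies to the Info.plist extracted from the IPA and to a capture from an intercepting proxy on a test device; the useful finding is any request in the `cleartext-permitted` column, since each one is a deliberate opt-out from the platform's transport protection rather than an accident.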
The DeepSeek iOS app contains multiple weaknesses in its encryption implementation. One instance includes:
The app's use of the known broken 3DES encryption algorithm is a major security flaw. Researchers used r2ai, an AI-enhanced reverse engineering project, and frida, a binary instrumentation framework, to analyze the app.
The identified function, part of a custom service called "BDAutoTrackLocalConfigService," uses a "saveUser" call. Researchers were also able to identify the encryption parameters, including the NIL Initialization Vector and the hardcoded encryption key.
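A hardcoded key combined with a nil (all-zero) IV means the encryption is fully deterministic: every run of the app, and every user, encrypts the same plaintext to the same ciphertext, and two records that share a leading block share the corresponding ciphertext block, so an observer can match records without recovering the key. The added example below shows that property and the corrected behaviour side by side. It is not the app's code and it does not use 3DES itself: the block cipher is a toy 64-bit Feistel network built on SHA-256 (same 8-byte block size as 3DES), which is enough to exhibit the CBC-mode behaviour that the nil IV causes. The key and plaintexts are constructed stand-ins.

```python
"""Fixed key + nil IV in CBC: deterministic encryption, demonstrated.

Added example. The toy block cipher stands in for 3DES (also 8-byte blocks);
only CBC's handling of the IV matters here, and that is identical.
"""
import hashlib
import os

BLOCK = 8  # bytes; 3DES also uses a 64-bit block


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Round function: 32-bit output of a keyed hash over the right half.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network on one 8-byte block (toy, not a real cipher)."""
    assert len(block) == BLOCK
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l  # final swap undone so decryption runs the same loop backwards


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l


def pad(data: bytes) -> bytes:  # PKCS#7 to a multiple of BLOCK
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out = iv, []
    data = pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


# Constructed stand-ins for the pattern the article describes: a key baked
# into the binary and an IV of all zero bytes.
HARDCODED_KEY = b"constructed-key-from-binary"
NIL_IV = bytes(BLOCK)


def encrypt_like_the_app(plaintext: bytes) -> bytes:
    """Weak pattern: same key and nil IV every time -> deterministic output."""
    return cbc_encrypt(HARDCODED_KEY, NIL_IV, plaintext)


def encrypt_hardened(key: bytes, plaintext: bytes) -> bytes:
    """Corrected pattern: fresh random IV per message, stored with the ciphertext.
    (The key itself would come from the Keychain, not from the binary.)"""
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_hardened(key: bytes, blob: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """How many leading 8-byte blocks two ciphertexts have in common."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


if __name__ == "__main__":
    a = encrypt_like_the_app(b"user_id=42;plan=pro")
    b = encrypt_like_the_app(b"user_id=42;plan=free")
    print("nil IV, equal prefix blocks:", shared_prefix_blocks(a, b))  # 2
    k = os.urandom(16)
    print("random IV, equal prefix blocks:",
          shared_prefix_blocks(encrypt_hardened(k, b"x"), encrypt_hardened(k, b"x")))
```

The two numbers printed at the end are the whole point: with the nil IV, records that begin with the same 16 bytes produce the same first two ciphertext blocks, so ciphertexts can be grouped or compared by content without the key; with a per-message random IV, two encryptions of an identical message look unrelated. A fixed key in the binary compounds this, since anyone who extracts it once can decrypt every user's data, and 3DES's 64-bit block size is a further, independent reason to replace the algorithm rather than merely fix the IV.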
Sensitive data was found in a cached database on the device, and under certain conditions -- such as physical access to an unlocked device -- this data can be recovered and leveraged by an attacker. This data caching happens by default when using the NSURLRequest API. The sample below highlights the data that can be recovered from the app in this manner:
Mobile applications often gather extensive data, which can be used to identify individuals precisely.
A few data points can drastically alter how an AI Prompt is evaluated, responded to, or otherwise analyzed and collected for strategic value. It is also common knowledge that this data can be purchased by third parties. Recent breaches involving companies that collect and sell user data underscore the risks associated with massive data aggregation from multiple apps.
Data Sent to Volcengine by Bytedance: Volcengine, ByteDance's cloud services platform, receives sensitive and fingerprinting data such as:
Tracking Data Processed in the Mobile App: The "a67" property within tracking data tracks the device's name, often defaulting to the customer's name followed by the iOS device model.
Data Sent to Third-Party Supplier Intercom: The DeepSeek iOS application also integrates the Intercom iOS SDK, leading to further data exchanges that enable user de-anonymization, as captured in the image below:
It is critical to know where your data is sent, what laws govern it, and the potential impact on your business, intellectual property, customer data, and identity.
In the case of the DeepSeek iOS app:
Data transfers to China and the related PRC laws have implications for your business and are a cause for heightened security scrutiny.
Given the numerous security, privacy, and data risks present in the DeepSeek iOS app, NowSecure recommends the following steps:
Mobile apps and AI offerings evolve rapidly, making it critical to conduct regular security and privacy analyses. NowSecure offers solutions to uncover risks in both the mobile apps your organization builds and third-party apps like DeepSeek.