The DeepSeek AI app, developed by a Chinese artificial intelligence company, has rapidly gained popularity, topping the charts as one of the most downloaded free apps on both Apple and Google platforms. However, this surge in popularity has brought with it increased scrutiny, with security experts raising significant concerns about the app's security and privacy practices. This article delves into the reported issues and what they could mean for users.
Following media attention highlighting DeepSeek's ability to rival leading chatbots with fewer computational resources, its apps quickly climbed to the top of app store charts. This rapid ascent prompted mobile security firm NowSecure to conduct a thorough analysis of the DeepSeek iOS app, uncovering several potential security flaws.
NowSecure's teardown of the DeepSeek app revealed several alarming practices:
Excessive Data Collection: The app gathers an extensive amount of data about the user's device, enough to constitute detailed device fingerprinting. This includes the device name, which iOS sets by default to the owner's name followed by the device type (the "Name's iPhone" pattern), so it is frequently a direct identifier.
Unencrypted Data Transmission: A significant portion of device information is transmitted without encryption, leaving it open to interception and modification by anyone on the network path. The app disables App Transport Security (ATS), the iOS platform-level control that, by default, requires connections to use HTTPS with modern TLS; an app opts out of it through its own Info.plist, so this is a deliberate build-time choice rather than an accident of the network.
Insecure Encryption Practices: While some server responses are encrypted at the application layer, the app uses Triple DES, a deprecated 64-bit-block algorithm, with a hard-coded encryption key. A key embedded in the app binary can be recovered by anyone who has a copy of the app and a disassembler, so this layer gives no confidentiality against a motivated attacker and is not a substitute for TLS.
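To make the ATS point concrete, the following is an added example (not NowSecure's tooling and not code from the DeepSeek app) that checks an iOS Info.plist for the ATS opt-outs described above. It goes slightly beyond the global opt-out reported for the app and also flags per-domain exceptions that allow plaintext HTTP, drop forward secrecy, or lower the minimum TLS version. The three plists, the bundle identifier and the domain are constructed placeholders.

```python
"""Static check for iOS App Transport Security (ATS) settings in an Info.plist.

Added example, not NowSecure's tooling or DeepSeek code. The plists below are
constructed samples; the bundle identifier and domain are placeholders.
"""
import plistlib
from typing import List

# Constructed sample: an app that opts out of ATS entirely (the weak setting).
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSAllowsArbitraryLoads</key>
        <true/>
    </dict>
</dict>
</plist>
"""

# Constructed sample: ATS stays on, but one legacy host is exempted and may be
# reached over plain HTTP or TLS 1.0. Narrower than a global opt-out, still a finding.
PARTIAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
    <key>NSAppTransportSecurity</key>
    <dict>
        <key>NSExceptionDomains</key>
        <dict>
            <key>legacy.example.com</key>
            <dict>
                <key>NSExceptionAllowsInsecureHTTPLoads</key>
                <true/>
                <key>NSExceptionMinimumTLSVersion</key>
                <string>TLSv1.0</string>
            </dict>
        </dict>
    </dict>
</dict>
</plist>
"""

# Constructed sample: no ATS dictionary at all, so the platform default
# (HTTPS with modern TLS required for every connection) applies.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.chatapp</string>
</dict>
</plist>
"""

# Top-level keys that switch ATS off for a whole class of connections.
GLOBAL_OPT_OUT_KEYS = {
    "NSAllowsArbitraryLoads": "ATS disabled for all connections; plaintext HTTP permitted everywhere",
    "NSAllowsArbitraryLoadsInWebContent": "ATS disabled for web view content",
    "NSAllowsArbitraryLoadsForMedia": "ATS disabled for media loads",
    "NSAllowsLocalNetworking": "ATS disabled for local-network connections",
}

WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def ats_findings(plist_bytes: bytes) -> List[str]:
    """Return one line per weak ATS setting; an empty list means the platform default is in force."""
    info = plistlib.loads(plist_bytes)  # plistlib also accepts binary plists
    ats = info.get("NSAppTransportSecurity")
    if not ats:
        return []
    findings = []
    for key, description in GLOBAL_OPT_OUT_KEYS.items():
        if ats.get(key) is True:
            findings.append(f"{key}: {description}")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"{domain}: plaintext HTTP allowed for this domain")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"{domain}: forward secrecy not required")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: minimum TLS version lowered to {tls}")
    return findings


def is_ats_disabled(plist_bytes: bytes) -> bool:
    """True when ATS is switched off globally, the condition reported for the DeepSeek iOS app."""
    info = plistlib.loads(plist_bytes)
    return info.get("NSAppTransportSecurity", {}).get("NSAllowsArbitraryLoads") is True


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("partial", PARTIAL_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, ats_findings(blob) or "no ATS findings")
```

To run this against a real app, unzip the IPA and point `ats_findings` at the bytes of `Payload/<App>.app/Info.plist`; App Store builds usually ship a binary plist, which `plistlib.loads` detects and parses the same way. A global `NSAllowsArbitraryLoads` finding is the one that matters most, since it lets every connection in the app fall back to plaintext; per-domain exceptions are at least scoped to a named host.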
The combination of device information, the user's IP address, and data from mobile advertising companies raises serious concerns about user deanonymization. NowSecure warns that this information could be used to identify DeepSeek iOS app users. The app also communicates with Volcengine, a cloud platform developed by ByteDance (the parent company of TikTok), raising questions about how much user data is shared between the two companies. It is a reminder that a privacy policy tells you what a company says it does with data, while traffic analysis tells you what the app actually sends and to whom.
The security and privacy risks associated with DeepSeek have not gone unnoticed by governmental and organizational bodies.
These actions underscore the seriousness of the identified vulnerabilities and the potential for exploitation.
Adding to the list of concerns, researchers at Wiz discovered a publicly accessible database linked to DeepSeek that exposed a significant amount of sensitive information, including chat history, backend data, API secrets, and operational details. The database had no authentication or other defense in front of it, so the exposure allowed full control of the database and potential privilege escalation within the DeepSeek environment.
Given these findings, users of the DeepSeek app should be aware of the potential security and privacy risks. Consider the following:
The author also noted several times in the comment section that users asked about running the software locally to avoid the concerns with the app version; the replies indicated that as long as it is properly sandboxed, in either Kubernetes or Docker, there should be no issues.
The DeepSeek AI app's rapid rise has been accompanied by serious security and privacy concerns. From unencrypted data transmission to insecure encryption practices and an exposed database, the app's design choices raise significant questions about its commitment to user security. As governments and organizations take action to restrict the app's use, individuals should weigh the risks and take steps to protect their data. Following independent sources such as cybersecurity blogs and vendor research is also a practical way to keep up as this technology and its risks change.