DeepSeek’s iOS app has been found to transmit sensitive user data over the internet without encryption to ByteDance servers, leaving it vulnerable to interception and manipulation. Despite built-in security controls on iOS, the app disables these protections, putting its users at risk of Man-in-the-Middle attacks.
Even though the data being transmitted may not seem individually risky, when aggregated over time, it can lead to the identification of individuals and compromise their privacy.
The DeepSeek iOS mobile app, which became the top app on the platform on January 25, 2025, has sparked concerns over security and privacy. Millions of users, including individuals, enterprise employees, and government personnel, have already downloaded the app, prompting swift action by organisations worldwide.
“The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption. This exposes any data in the internet traffic to both passive and active attacks. An attacker can passively monitor all traffic and learn important information about users of the DeepSeek app,” researchers report. “While Apple has built-in platform protections to protect developers from introducing this flaw, the protection was disabled globally for the DeepSeek iOS app.”
Due to critical vulnerabilities uncovered within the app, several countries, including Italy, India, Australia, and the United States, have banned DeepSeek to protect their data.

Further complicating matters is the app’s use of outdated encryption techniques, such as Triple DES, along with hardcoded encryption keys and reused initialisation vectors. These practices weaken the encryption and fail to protect user data adequately, opening the door for potential exploitation.
Additionally, DeepSeek stores sensitive information such as usernames, passwords, and encryption keys insecurely on the device, where an attacker with physical access could retrieve it.
The app also raises alarm over the extensive data collection practices. It gathers detailed information about users and devices, which can be used for tracking and profiling. This data is then sent to servers operated by ByteDance, a company based in China.
Given the country’s data laws and its government’s potential access to this information, the transmission of user data to China presents grave security and regulatory risks for businesses and government agencies that rely on this app.
Researchers have urged companies and governments to stop using the DeepSeek iOS app immediately, consider leveraging DeepSeek models hosted on Microsoft or Hugging Face servers, and investigate alternative apps that offer the DeepSeek open-source model.