DeepSeek's iOS app sends unencrypted data to ByteDance-controlled servers

An investigation conducted by security firm NowSecure has found certain security and privacy risks in China-based DeepSeek's iOS app.
NowSecure Uncovers Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App - NowSecure
https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/
DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers - Ars Technica
https://arstechnica.com/security/2025/02/deepseek-ios-app-sends-data-unencrypted-to-bytedance-controlled-servers/
DeepSeek became a hot topic for developing a high-performance AI model at low cost, and the app version quickly rose to the top of the App Store's free app rankings.
Chinese AI development company 'DeepSeek' is rapidly emerging as a hot topic in the technology industry, and has also ranked first in the App Store's free app rankings - GIGAZINE

NowSecure, which investigated the app, found that using the app could result in the insecure transmission of sensitive data, which could be read by third-party companies such as ByteDance, and warned companies and institutions to remove the DeepSeek app immediately.
According to NowSecure, the DeepSeek app does not transmit data in the manner Apple recommends. Apple strongly encourages iPhone and iPad app developers to use 'App Transport Security (ATS)', a platform feature that enforces encrypted connections so that apps do not send data over insecure HTTP channels. However, DeepSeek is said to have disabled this protection within its app for some reason.
NowSecure also found that some data was encrypted or stored in an insecure manner; combined with the disabled ATS, this could leave the data vulnerable to interception through techniques such as man-in-the-middle attacks, or even to tampering with unintended consequences, NowSecure said in its analysis.
Additionally, it was discovered that the data was being transmitted to DeepSeek via infrastructure provided by Volcengine, a cloud platform developed by ByteDance.
The data included basic device information such as the language set on the device, the user agent, an organization ID, and the OS version. NowSecure warned that while any one of these values is not particularly dangerous on its own, when large amounts of such data are aggregated over a long period, the combination may make it easy to identify an individual.
NowSecure said, 'At this time, it is difficult, if not impossible, to immediately mitigate the numerous security, privacy, and data risks present in DeepSeek's iOS app. We hope that over time the security issues will be improved and some of the privacy-impacting practices will be addressed.' It also said that individuals and organizations using DeepSeek's iOS app should immediately stop using it and, if they want to use DeepSeek's model, they should use other methods.
DeepSeek publishes various models as open source, so users can self-host the models and run them entirely locally, or use a hosting service from a company such as Microsoft; either approach avoids the data-leakage risk that comes with DeepSeek's own apps and chat services. However, even when run locally, the model's built-in censorship of certain topics such as 'Tiananmen Square' remains unchanged, so NowSecure cautions that 'censorship will still exist unless the model is customized.'
'DeepSeek-R1' refuses to answer 85% of sensitive topics about China, but points out that restrictions can be easily circumvented - GIGAZINE