What data does DeepSeek's Android app collect and send to China?

Security company SecurityScorecard has published the results of its investigation into DeepSeek's Android app and its potential vulnerabilities.
A Deep Peek at DeepSeek - SecurityScorecard
At the time of the investigation, DeepSeek's privacy policy stated that 'we collect text or voice input, prompts, uploaded files, feedback, chat history, or other content you provide to our models and services, which may contain a wide range of personal data, including potentially sensitive information.'
On the technical side, it states that 'DeepSeek collects detailed technical data such as your device model, operating system, IP address, and, among other things, "your keystroke pattern or cadence."'
Regarding where the data is stored, the privacy policy says it is kept on 'secure servers located in the People's Republic of China.' However, SecurityScorecard points out that there are concerns that the Chinese government may be able to access user data, given China's Data Security Law. 'The policy outlines various uses for the data collected, but is not specific about how it will be shared with third parties. The lack of clear information about who will have access to the data and under what conditions is problematic,' it said, and it conducted its own analysis to obtain more detailed information.

Our analysis shows that user behavior and device metadata are likely transmitted to ByteDance servers, allowing ByteDance to dynamically modify app behavior. This transmission of data to ByteDance-controlled endpoints could raise issues regarding the EU's General Data Protection Regulation and US national security laws.
After analyzing the code, the researchers found no evidence that the DeepSeek Android app made any malicious requests, and found that it operated within the scope of its permissions, but they identified some areas that may be involved in data collection beyond normal use.
In addition, the DeepSeek Android app contains vulnerabilities that expose AES keys, API keys, and other sensitive data, either in the packaged code (statically) or at runtime (dynamically), and some third-party domains the app connects to, such as Ktor, have failing security scores, which increases the business risk around data security.
SecurityScorecard points out that even if there is nothing wrong with the app itself, there may be risks on the servers that store the data and at the third-party companies the data is provided to, though this risk is not limited to DeepSeek.
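The hardcoded-key exposure described above is the kind of finding a developer or reviewer can catch before release by scanning their own decompiled app source for key-sized and high-entropy string literals. The following is an added example, not SecurityScorecard's tooling or the DeepSeek app's code; the Java-style source excerpt, its identifiers and its values are all constructed, and the entropy threshold is a heuristic assumption.

```python
import base64
import binascii
import math
import re

# Constructed decompiled-source excerpt (hypothetical names and values,
# not taken from the DeepSeek app) that the scanner runs over.
SAMPLE_SOURCE = """\
private static final String CONTENT_TYPE = "application/json";
private static final String AES_KEY = "0123456789abcdef0123456789abcdef";
private static final String IV = "YWJjZGVmZ2hpamtsbW5vcA==";
private static final String API_KEY = "sk-a8F3kLp0Qz9XvT2bN7yW4cH1jR6mS5dE";
private static final String LOG_TAG = "MainActivity";
"""

AES_BYTE_LENGTHS = {16, 24, 32}          # AES-128/192/256 key sizes
STRING_LITERAL = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above ordinary identifiers."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def classify_literal(value: str):
    """Return a finding kind for one string literal, or None if it looks benign."""
    if HEX_RE.match(value) and len(value) % 2 == 0 and len(value) // 2 in AES_BYTE_LENGTHS:
        return "hex-key-sized"            # 16/24/32 raw bytes written as hex
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            raw = b""
        if len(raw) in AES_BYTE_LENGTHS:
            return "base64-key-sized"     # key- or IV-sized blob; review either way
    if len(value) >= 20 and " " not in value and shannon_entropy(value) > 3.5:
        return "high-entropy-token"       # API-key-like secret (threshold is a heuristic)
    return None


def scan_source(source: str) -> list:
    """Return (line, identifier, kind, value) for every suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, value in STRING_LITERAL.findall(line):
            kind = classify_literal(value)
            if kind:
                findings.append((lineno, name, kind, value))
    return findings
```

Running `scan_source(SAMPLE_SOURCE)` flags the AES_KEY, IV and API_KEY literals and leaves the content type and log tag alone; a real scan would run over every `.java`/`.smali` file produced by decompiling the APK.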

SecurityScorecard pointed out that the most significant concern with DeepSeek's Android app is that it employs anti-debugging mechanisms designed to thwart security analysis, which is an unusual move for a company that claims to be transparent.
The DeepSeek iOS app is being investigated separately by another company, NowSecure.
DeepSeek's iOS app sends unencrypted data to ByteDance-controlled servers - GIGAZINE