
NowSecure Urges Enterprises to Ban the DeepSeek iOS Mobile App

Contact: Katie Brookes

Tel: 732-284-7002

Email: [email protected]

For Immediate Release

February 06, 2025 - 2:00 pm

Company’s expert researchers discover severe security and privacy flaws in the popular DeepSeek artificial intelligence app.

[CHICAGO, Feb. 6, 2025] – NowSecure, a leader in mobile app security and privacy research and solutions, has identified multiple critical security and privacy vulnerabilities in the DeepSeek iOS app, the top-ranked AI mobile app since late January 2025. These issues pose significant risks to enterprises, government agencies, millions of users, their customers and employees. Other security concerns regarding the DeepSeek model have led to swift bans from multiple countries, federal agencies and the U.S. military.

Major Security & Privacy Risks Identified

NowSecure experts conducted an in-depth security assessment that uncovered alarming vulnerabilities in the DeepSeek iOS application, including:

  • Unencrypted Data Transmission: Sensitive user data is sent over the Internet without encryption, exposing it to interception and manipulation via Man-in-the-Middle (MITM) attacks.
  • Hardcoded Encryption Keys: Poor encryption implementation, including the use of outdated algorithms (3DES), leaves user data exposed.
  • Insecure Storage of Credentials: Usernames, passwords and encryption keys are stored in an insecure manner, making them susceptible to unauthorized access.
  • Fingerprinting: The app transmits data to Volcengine, a cloud platform operated by ByteDance, raising concerns about warrantless surveillance and data governance under Chinese jurisdiction.
  • Disabled iOS Privacy Controls: The app bypasses Apple’s security features, including App Transport Security (ATS), and lacks mandatory Privacy Manifests, increasing exposure to tracking and fingerprinting.

Implications for Enterprises & Governments

DeepSeek’s security flaws jeopardize intellectual property, corporate secrets and national security. The app’s ability to collect and transmit sensitive data to third parties, including China-linked entities, raises significant cybersecurity concerns. Given these threats, enterprises and government agencies are urged to cease using the DeepSeek iOS app until these issues are mitigated. NowSecure has not analyzed the DeepSeek Android mobile app, but high-risk organizations should assume that it presents similar risks to the iOS mobile app.

NowSecure’s Call to Action

  1. Immediate Cessation of DeepSeek iOS App Usage: Enterprises and government agencies should halt use until security flaws are resolved.
  2. Assessment of Alternative AI Solutions: Users can consider self-hosting DeepSeek’s AI model or leveraging alternative AI tools with better security and compliance measures that do NOT have a high-risk mobile app.
  3. Continuous Monitoring & Mobile App Security Testing: Given the fast-changing nature of mobile apps, organizations must implement continuous security monitoring. NowSecure offers a free trial for enterprises to assess security risks across commonly used mobile applications.

Beyond removing the DeepSeek iOS mobile app, individuals, companies and government agencies should take further steps to mitigate mobile app risks. Because mobile apps change quickly and are a largely unprotected attack surface, they present a very real risk to companies and consumers. DeepSeek is high profile, but not unique. A key mitigation is monitoring the mobile apps you use to ensure new risks are not introduced. Connect with NowSecure to uncover the risks in both the mobile apps you build and third-party apps such as DeepSeek.

About NowSecure

NowSecure is a leader in mobile application risk management, giving organizations the visibility to identify and manage security, privacy and compliance risk across the mobile app ecosystem. The platform secures the mobile apps organizations build, governs the third-party mobile apps used across their environments, and delivers mobile app risk intelligence that partners embed into broader security, mobility and exposure-management platforms. Built on real-device testing, binary analysis, open standards and large-scale app intelligence, NowSecure reduces mobile risk with greater visibility, speed and confidence. www.nowsecure.com.

Posted by
NowSecure Marketing