Numerous Security Vulnerabilities Discovered in DeepSeek iOS Application

A series of security vulnerabilities has been identified in the DeepSeek iOS application, which remains one of the most frequently downloaded apps on the App Store, having initially surged to the top shortly after its release.

The recent discoveries are significantly more severe than earlier breaches that revealed chat history and other confidential information in an easily accessible database.

Prior Concerns Regarding DeepSeek

Although warnings had been issued before the app garnered widespread attention, to many users DeepSeek seemed to emerge unexpectedly as the leading iPhone app in downloads.

AI researchers expressed astonishment at the app’s capabilities, which required far less hardware than similar powerful chatbots, causing several US AI companies’ stock prices to plummet.

However, it didn’t take long for concerns about security and privacy to surface. Italy’s privacy regulators questioned the app’s compliance with European data protection laws, with Ireland echoing similar inquiries. Investigations into potential national security risks by US authorities also commenced.

Subsequently, it came to light that the company inadvertently left a database unprotected, exposing over a million lines of log entries, including chat histories and confidential keys.

Multiple Vulnerabilities Located in DeepSeek iOS Application

Mobile security firm NowSecure has discovered several vulnerabilities in the iOS app, including the disabling of Apple’s App Transport Security (ATS) feature. ATS is intended to ensure that sensitive personal data is transmitted solely via encrypted channels, yet NowSecure found that DeepSeek had disabled this protection.

The DeepSeek iOS application disables App Transport Security (ATS) globally. ATS is a core iOS defense mechanism that prevents sensitive data from being transmitted over unencrypted channels. Because this safeguard is turned off, the app can (and does) transmit unencrypted data over the internet.

Although the exposed data may appear innocuous on its own, it can nevertheless be combined to de-anonymize users.

Individually, none of this data poses significant risk, but accumulating various data points over time allows for the straightforward identification of individuals. The recent breach involving Gravy Analytics illustrates how data can be harvested on a large scale, effectively de-anonymizing millions.

For the data that is encrypted, the application employs an outdated and flawed encryption method.

The encryption method used in this section of the application relies on a known broken algorithm (3DES), rendering it a poor choice for safeguarding data confidentiality.

Moreover, the data collected by the app could potentially be leveraged to identify high-value intelligence targets.

[A sample user] utilizes the latest iPad, connected to a cellular network registered with FirstNet (the American public safety broadband network operator), which ostensibly identifies them as a valuable espionage target.

It is important to note that not only does the DeepSeek iOS application gather extensive data, but it also collects related information from millions of applications, which can be easily obtained, combined, and correlated, leading to quick de-anonymization of users.

The extensive analysis concludes that the DeepSeek iOS application is unsafe for use, with indications that the Android version is even less secure.

DMN’s Perspective

While the DeepSeek app showcases impressive technology and it has been intriguing to explore its functionalities, we advise caution against using it for any real-world applications that involve sharing personal data. Users should operate under the assumption that DeepSeek could recognize them and access the details of their interactions.

The investigation into the app’s security is still in its early stages, so it is likely that more privacy and security vulnerabilities will come to light. Personally, I have removed it from my iPhone and recommend that others consider doing the same.
