Mobile security firm NowSecure has uncovered significant security vulnerabilities in the DeepSeek iOS mobile app that could compromise enterprise and government data security. The research identified multiple critical issues that expose user information and potentially enable unauthorized data interception.
The security assessment revealed several alarming vulnerabilities, including unencrypted data transmission, insecure credential storage, and the app's ability to bypass iOS privacy controls. Of particular concern is the app's data transmission to Volcengine, a cloud platform operated by ByteDance, which raises potential surveillance and data governance risks.
These security flaws could have substantial implications for organizations, potentially allowing unauthorized access to intellectual property, corporate secrets, and sensitive information. The vulnerabilities are especially critical given DeepSeek's popularity as a top-ranked AI mobile application.
Key risks include the transmission of sensitive data without encryption, making it susceptible to Man-in-the-Middle attacks, and the storage of usernames, passwords, and encryption keys in an insecure manner. The app also reportedly uses outdated encryption algorithms and transmits data to third-party platforms under potentially problematic jurisdictional control.
NowSecure recommends that enterprises and government agencies immediately discontinue using the DeepSeek iOS app and consider alternative AI solutions with more robust security measures. The firm emphasizes the importance of continuous mobile app security monitoring to mitigate emerging risks in the rapidly evolving digital landscape.
