Researchers from NowSecure have begun an audit of the DeepSeek mobile app for iOS and have discovered serious security issues. The main one is that the app transmits sensitive data without any encryption, exposing it to the risk of interception and manipulation.
The experts also note that the app does not comply with security rules and collects a large amount of data about users and their devices.
“DeepSeek for iOS transmits some app login data and device data over the internet without encryption,” the analysts wrote. “This exposes any data in internet traffic to both passive and active attacks. DeepSeek for iOS globally disables App Transport Security (ATS), an iOS platform-level protection that prevents sensitive data from being sent over unencrypted channels. With this protection disabled, the app can (and does) transmit unencrypted data over the internet.”

NowSecure’s report also lists a number of weaknesses in the way user data is encrypted: the use of the insecure 3DES algorithm; hard-coded symmetric keys stored on the device that are identical for all iOS users; and the reuse of initialization vectors. It also found that data is transmitted to servers operated by Volcano Engine, a cloud computing and storage platform owned by ByteDance, the Chinese company that also owns TikTok. The researchers warned that while some of this data is properly encrypted with TLS in transit, once it is decrypted on ByteDance-controlled servers it could be matched with other user data collected elsewhere, potentially allowing specific individuals to be identified and their requests tracked.

While NowSecure’s audit is not yet complete, the researchers were quick to warn that the DeepSeek iOS app “is not designed or prepared to provide basic protection for your data and identity.” According to them, DeepSeek for iOS, whether intentionally or accidentally, disregards even fundamental security rules. The experts called the DeepSeek app for Android even more problematic and advised users to remove it. It should also be noted that last week the Associated Press reported that the DeepSeek website is configured to transfer user data to the infrastructure of China Mobile, a Chinese state-owned telecommunications company that is banned from operating in the United States.
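The global ATS opt-out the report describes is visible in an app bundle's Info.plist, so it can be checked before an app ships or when reviewing a third-party app. The following script is an added example, not code from NowSecure or from the DeepSeek app: it uses the Python standard library's plistlib to parse an Info.plist and flags the settings that weaken App Transport Security (the global NSAllowsArbitraryLoads switch, the web-content and media variants, and per-domain exceptions that permit cleartext HTTP or old TLS versions). The key names are Apple's real ATS keys; the three plist fragments are constructed for illustration.

```python
import plistlib

# Constructed Info.plist fragment: ATS switched off globally, which is the
# pattern the report describes (every host may be reached over cleartext HTTP).
INSECURE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.insecure</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed fragment: ATS stays on, but one legacy host is exempted and
# allowed to use cleartext HTTP and TLS 1.0. Narrower than a global opt-out,
# but still worth a finding per affected domain.
MIXED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.mixed</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Constructed fragment: ATS on, with an exception that only tightens the
# requirements for one domain (TLS 1.3 minimum). Produces no findings.
HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.hardened</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEAK_TLS_VERSIONS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_bytes):
    """Return a list of human-readable findings about ATS weakening in an Info.plist.

    An empty list means ATS is left at (or above) its platform defaults.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {}) or {}
    findings = []

    # Global switches: any of these disables the cleartext-HTTP protection
    # for a whole class of connections rather than a single host.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled globally, cleartext HTTP allowed to every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: ATS disabled for web views")
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append("NSAllowsArbitraryLoadsForMedia=true: ATS disabled for AVFoundation media loads")

    # Per-domain exceptions: report each host that is allowed to fall below
    # the default (HTTPS with TLS 1.2 or better).
    for domain, rules in (ats.get("NSExceptionDomains", {}) or {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: cleartext HTTP allowed (NSExceptionAllowsInsecureHTTPLoads=true)")
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls in WEAK_TLS_VERSIONS:
            findings.append(f"{domain}: minimum TLS version lowered to {min_tls}")

    return findings


if __name__ == "__main__":
    for label, blob in (("insecure", INSECURE_PLIST), ("mixed", MIXED_PLIST), ("hardened", HARDENED_PLIST)):
        result = audit_ats(blob)
        print(f"[{label}] {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To use it on a real bundle, pass the bytes of `Payload/<App>.app/Info.plist` from an extracted .ipa to `audit_ats`; plistlib reads both the XML and binary plist encodings, so no conversion is needed first. An empty result only says the ATS configuration is sound; it says nothing about what the app encrypts at the application layer, which is where the report's 3DES, hard-coded-key and IV-reuse findings sit.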
To date, several countries, including Australia, Italy, the Netherlands, and South Korea, as well as a number of government agencies in India and the United States, have banned the use of DeepSeek on government devices for national security reasons. @ xakep.ru

