
llebkcir

If this surprises you, shame on you:
https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/
A NowSecure mobile application security and privacy assessment has uncovered multiple security and privacy issues in the DeepSeek iOS mobile app that lead us to urge enterprises to prohibit/forbid its usage in their organizations.
As the top iOS app since Jan 25, 2025, the DeepSeek iOS app has already been downloaded and used on millions of devices belonging to individuals, enterprise and government employees, prompting swift bans from countries, state and federal governments and the U.S. military to protect their organizations and safeguard national security.

Executive Summary
NowSecure has conducted a comprehensive security and privacy assessment of the DeepSeek iOS mobile app, uncovering multiple critical vulnerabilities that put individuals, enterprises, and government agencies at risk. These findings highlight the immediate need for organizations to prohibit the app’s use to safeguard sensitive data and mitigate potential cyber risks.
Key Risks Identified:
Unencrypted Data Transmission: The app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation.
Weak & Hardcoded Encryption Keys: Uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
Insecure Data Storage: Username, password, and encryption keys are stored insecurely, increasing the risk of credential theft.
Extensive Data Collection & Fingerprinting: The app collects user and device data, which can be used for tracking and de-anonymization.
Data Sent to China & Governed by PRC Laws: User data is transmitted to servers controlled by ByteDance, raising concerns over government access and compliance risks.
Implications for Enterprises & Government Agencies:
Exposure of sensitive data, including prompt data, intellectual property, strategic plans, and confidential communications.
Increased risk of surveillance through fingerprinting and data aggregation.
Regulatory & compliance risks, as data is stored and processed in China under its legal framework.
Recommended Actions:
NowSecure urges enterprises and agencies to:
Immediately remove the DeepSeek iOS app from managed and BYOD environments.
Explore alternative AI platforms that prioritize mobile app security and data protection.
Continuously monitor all mobile applications to detect emerging risks.
Summary of Risks
Recent DeepSeek privacy analysis has focused on its Privacy Policy and Terms of Service. However, NowSecure analyzed the iOS app by running and inspecting the mobile app on real iOS devices to uncover confirmed security vulnerabilities and privacy issues. We are releasing this report given the immediate risk users, enterprises and government agencies face, and importantly the immediate actions they should take. Specifically, users can leverage DeepSeek’s AI model via self-hosting, hosted versions from companies like Microsoft, or simply leverage a different AI capability. Note: even with self or other hosted versions of DeepSeek, censorship built into the model will still exist unless the model is customized.
NowSecure recommends that organizations remove the DeepSeek iOS mobile app from their environment (managed and BYOD deployments) due to privacy and security risks, such as:
Privacy issues due to insecure data transmission
Vulnerability issues due to hardcoded keys
Data sharing with third parties such as ByteDance
Data analysis and storage in China
The issues listed above may lead to:
Loss of intellectual property and sensitive data
Compromised data integrity due to security flaws
Tracking and surveillance from data collection
Loss of control over data sent to and governed by China
In addition to removing the DeepSeek iOS mobile app, there are more steps individuals, companies and government agencies can take to mitigate mobile app risks. Because mobile apps change quickly and are a largely unprotected attack surface, they present a very real risk to companies and consumers. DeepSeek is high profile, but not unique. A key mitigation is monitoring the mobile apps you use to ensure new risks are not introduced. Connect with NowSecure to discover what hidden risks lurk in popular mobile apps used in the enterprise.
Unencrypted Data Exposed and Modifiable over the Network
The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption. This exposes any data in the internet traffic to both passive and active attacks. An attacker can passively monitor all traffic and learn important information about users of the DeepSeek app. While Apple has built-in platform protections to protect developers from introducing this flaw, the protection was disabled globally for the DeepSeek iOS app. See the Missing iOS privacy and security controls section for additional details.
An attacker with privileged access on the network (known as a Man-in-the-Middle attack) could also intercept and modify the data, impacting the integrity of the app and data. Specifically, the late 2024 breach of U.S. Internet Service providers by the Chinese-based “Salt Typhoon” threat actor would enable these attacks against anyone using the service providers for data access.
When a user first launches the DeepSeek iOS app, it communicates with DeepSeek’s backend infrastructure to configure the application, register the device and establish a device profile mechanism. Even when the network is configured to actively attack the mobile app (via a MITM attack), the app still executes these steps, which enables both passive and active attacks against the data.
Here is an example of an unencrypted network request for “cloudconf” from http://fp-it.fengkongcloud.com/v3/cloudconf

We can see that some identifying data is insecurely transmitted, including what languages are configured for the device (such as the configured language (English) and the User Agent with device details) as well as information about the organization id for your install (“P9usCUBauxft8eAmUXaZ” which shows up in subsequent requests) and basic information about the device (e.g. operating system).
While none of this data taken separately is highly risky, the aggregation of many data points over time quickly leads to easily identifying individuals. The recent data breach of Gravy Analytics demonstrates this data is actively being collected at scale and can effectively de-anonymize millions of individuals.
A subsequent request to a “deviceprofile” endpoint (http://fp-it.fengkongcloud.com/deviceprofile/v4) sends significantly more data, some of which is compressed and encrypted. The server responds with an encrypted deviceId.

To better understand what type of data is collected and transmitted about app installs and users, see the Data Collected section below. It’s also important to reemphasize that since all of this data is sent unencrypted over the Internet, an attacker could manipulate the data and undermine the privacy (confidentiality) and integrity of the app data.
Insecure Symmetric Encryption with Hardcoded Keys
To protect the confidentiality and integrity of data, modern applications implement data encryption. However, the encryption must be properly implemented to protect user data.
The DeepSeek iOS app has multiple weaknesses in how it implements encryption. In one instance, the flaws include:
Uses an insecure symmetric encryption algorithm (3DES)
Hardcoded encryption key
Using NIL for the Initialization Vector
Reusing Initialization Vector (IV)
The encryption algorithm chosen for this part of the application leverages a known broken encryption algorithm (3DES) which makes it a poor choice to protect the confidentiality of data.
The NowSecure Research team further analyzed the app, leveraging two key open-source tools we sponsor:
r2ai, an AI-enhanced reverse engineering project of radare2
frida, a binary instrumentation framework
The function in question is part of a custom service called “BDAutoTrackLocalConfigService” and specifically a “saveUser” call. The team was able to identify the encryption parameters, including the NIL Initialization Vector (from radare2) and the hardcoded encryption key (omitted until mitigated by developer):

Leveraging Frida’s ability to hook app functions, the NowSecure Research team also traced the CCCrypt calls to determine what data is being encrypted and decrypted (the user ID generated by the app) and to verify the security flaw. Here’s the output from hooking the encryption function with Frida and we’ve included the Frida script in the appendix:
================ CCCrypt Call ================
Operation => kCCDecrypt
Algorithm => kCCAlgorithm3DES
Options => kCCOptionPKCS7Padding
Key size => 24
Key => MEMyNyRTU2
IV => None
Data input => 4pvOAF6luXJQ==
Data output => NjRjOWxNmFk
Username, Password and Encryption Keys Stored Insecurely
Sensitive data was recovered in a cached database on the device. In certain conditions, notably with physical access to an unlocked device, this data can be recovered and leveraged by an attacker.
This cached data occurs when developers use the NSURLRequest API to communicate with remote endpoints. The API will, by default, cache HTTP responses in a Cache.db file unless caching is explicitly disabled.
Below is a redacted sample of the sensitive data recovered from the mobile app.
follow link at the top to read more.
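The 3DES-with-nil-IV flaw from the quoted report, as an added example that is not part of the original post or of NowSecure's report: it reproduces the CCCrypt parameters from the Frida trace in Go (a constructed placeholder key stands in for the app's real key, which the page omits) and shows why a fixed key plus an all-zero IV makes "encrypted" user IDs linkable, beside the AES-GCM pattern that corrects it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

var hardcodedKey = []byte("0123456789abcdef01234567") // constructed 24-byte placeholder, not the real key

// encrypt3DESCBC mirrors CCCrypt(kCCEncrypt, kCCAlgorithm3DES, kCCOptionPKCS7Padding, key, iv, ...);
// CommonCrypto treats a NULL iv as all zero bytes, which is what "IV => None" in the trace means.
func encrypt3DESCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if iv == nil {
		iv = make([]byte, des.BlockSize) // nil IV becomes the same all-zero IV on every call
	}
	pad := des.BlockSize - len(plaintext)%des.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// encryptAESGCM is the corrected pattern: a fresh random nonce per message (prepended) plus an auth tag.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func main() {
	a, _ := encrypt3DESCBC(hardcodedKey, nil, []byte("user-id-0001"))
	b, _ := encrypt3DESCBC(hardcodedKey, nil, []byte("user-id-0002"))
	fmt.Println("shared first block under fixed key+IV:", bytes.Equal(a[:8], b[:8])) // true
}
```

With the key and IV fixed, the same user ID always encrypts to the same bytes, so anyone who sees the traffic can link sessions without knowing the key; the GCM variant never repeats ciphertext for repeated input.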
djhash
Seriously! Hardcoded and 3DES!!!
BigIrv5151
You could have just said, "This software is fucked up, don't use it." We would have believed you.
datphone777365
I'm shocked, just look at me.
Hammerwell
Are the others any better? Or do they just send the data to someone else?
UserMCP
TL;DR but still not surprised. A Chinese app that skims user data and is insecure? Who would have thought?