DeepSeek's Unencrypted Data Transfer

DeepSeek, a popular AI app developed by a China-based company, has been found to have significant security and privacy issues related to its data transfer practices. Here are the full details about DeepSeek’s unencrypted data transfer:

Key Security Risks

  1. Unencrypted Data Transmission:
  • The DeepSeek iOS app transmits sensitive user and device data over the internet without encryption[1][2][6]. This makes the data vulnerable to interception and manipulation by unauthorized parties.
  • An attacker can passively monitor all traffic or actively modify it through Man-in-the-Middle (MITM) attacks[1].
  2. Weak Encryption Practices:
  • The app uses outdated encryption algorithms like Triple DES (3DES), which is considered insecure by modern standards[2].
  • It also reuses initialization vectors and hardcodes encryption keys, further weakening its security posture[1].
  3. Insecure Data Storage:
  • User credentials such as usernames, passwords, and encryption keys are stored insecurely within the app[2]. This increases the risk of unauthorized access.
  4. Data Sent to China:
  • User data is transmitted to servers controlled by ByteDance in China[6], raising concerns about government access under Chinese laws.
  5. Fingerprinting & Tracking:
  • The app collects extensive user and device information that can be used for tracking purposes, potentially leading to de-anonymization of users[1][3].

Implications

  • Exposure of Sensitive Information: Unencrypted transmission exposes sensitive information such as intellectual property or confidential communications.
  • Surveillance Risks: Data collection practices facilitate surveillance through fingerprinting.
  • Regulatory Concerns: Storing data in China subjects it to Chinese legal frameworks, posing compliance risks for enterprises.

Recommendations

Given these risks, organizations are advised to remove DeepSeek from their environments until these issues are resolved and explore alternative AI platforms with better security measures.


Additional Context

Beyond these specific issues with unencrypted data transfer:

  • A recent database leak exposed over a million lines of sensitive logs including chat histories and internal system details due to poor database security practices by DeepSeek[4][5].
  • Other investigations have revealed hidden code sending user data directly to Chinese entities like CMPassport.com via encrypted channels in browser versions of DeepSeek[3].

These findings collectively highlight significant privacy concerns associated with using DeepSeek across various platforms.

Citations:
[1] https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/
[2] https://www.nowsecure.com/press-releases/nowsecure-urges-enterprises-to-ban-the-deepseek-ios-mobile-app/
[3] https://www.feroot.com/news/the-independent-feroot-security-uncovers-deepseeks-hidden-code-sending-user-data-to-china/
[4] https://proton.me/blog/deepseek
[5] https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
[6] https://arstechnica.com/security/2025/02/deepseek-ios-app-sends-data-unencrypted-to-bytedance-controlled-servers/
[7] https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts-and-internal-data/
[8] https://www.infosecurity-magazine.com/news/deepseek-database-leaks-sensitive/

