Security researchers at NowSecure have identified multiple severe security and privacy vulnerabilities in the DeepSeek iOS mobile application, which has been among the top downloaded apps since January 2025. The investigation revealed that the app transmits unencrypted user data, employs weak encryption methods with hardcoded keys, and sends sensitive information to servers connected to Chinese companies, including ByteDance.
The technical analysis found that DeepSeek’s iOS app deliberately disables Apple’s App Transport Security protection, allowing unencrypted data transmission over the internet. The app collects extensive device information that could be used for user identification, including device names that often contain personal information. Additionally, the app uses an outdated Triple DES encryption algorithm with hardcoded keys, making it vulnerable to interception and manipulation.
In response to these findings, multiple government agencies and organizations have taken action to protect their data. The U.S. Pentagon, NASA, and the U.S. Navy have banned the app’s use, while Italy and Taiwan have implemented nationwide restrictions. Security researchers at Wiz separately discovered a publicly accessible database linked to DeepSeek that exposed chat histories, API secrets, and operational details, further highlighting the app’s security concerns.
Sources: NowSecure, Krebs on Security