Experts Flag Security, Privacy Risks in DeepSeek AI App

The DeepSeek AI chatbot app is surging in popularity, but cybersecurity experts warn it presents serious security and privacy risks.

Since launching on January 25, 2025, DeepSeek has become one of the most downloaded apps on both the Apple App Store and Google Play. The Chinese AI company behind it has gained attention for rivaling industry leaders while using far fewer high-end AI chips.

However, NowSecure's investigation into the iOS version of the app revealed multiple red flags. Andrew Hoog, founder of NowSecure, explained their findings in an interview with Brian Krebs:

"They are doing some very interesting things that are on the edge of advanced device fingerprinting. The app collects an awful lot of data about the user's device."

Major Security Concerns

1. Unencrypted Transmission of Device Data

• The iOS app disables App Transport Security (ATS), a security feature that forces encrypted HTTPS traffic.

• Without ATS, DeepSeek sends sensitive data in plaintext, making it vulnerable to interception.

• Attackers on the same network, such as public Wi-Fi, could monitor, intercept, and manipulate user data.

2. Hardcoded Encryption Keys & Outdated Algorithms

• DeepSeek encrypts some data but uses 3DES, a deprecated encryption algorithm with known weaknesses.

• The encryption key is hardcoded into the app, making it easy for attackers to extract and decrypt data.

• This effectively nullifies any protection encryption would normally provide.

3. Advanced Device Fingerprinting & De-Anonymization Risks

• The app collects extensive device metadata, including:

  • Device name (which on iOS often includes the user’s real name)

  • IP address and mobile advertising data

  • System identifiers that enable tracking across devices

• This level of data collection increases the risk of de-anonymizing users and tracking them across networks.

4. Publicly Accessible Database Exposing User Data

• Security firm Wiz discovered a DeepSeek-related database that was left exposed online.

• The database contained chat histories, API keys, log data, and operational backend details.

• It had no authentication, allowing anyone to access, modify, or exfiltrate sensitive user data.

Hoog expressed concern that these issues likely indicate deeper security problems:

"When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues. There is virtually no priority around security or privacy."

The security risks have not gone unnoticed by government agencies and organizations. U.S. congressional offices have been warned against using the app, with the House of Representatives' chief administrative officer stating:

"[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices."

Government Bans & Warnings

The security risks have led to major government agencies restricting or banning DeepSeek:

• U.S. House of Representatives: Issued a warning stating that threat actors are already exploiting the app.

• The Pentagon, NASA, and U.S. Navy: Banned DeepSeek from government employee devices.

• Italy and Taiwan: Fully banned the app over security concerns.

• DeepSeek communicates with ByteDance’s Volcengine cloud (ByteDance is the parent company of TikTok), raising concerns over potential data-sharing practices.

Should You Be Concerned?

Given the scale of DeepSeek’s security lapses, organizations and individuals should carefully assess the risks before using the app, especially when handling sensitive or corporate data.

As DeepSeek continues to face scrutiny, it remains unclear whether these security concerns will be addressed.