Full Report
A new audit of DeepSeek's mobile app for the Apple iOS operating system has found glaring security issues, the foremost being that it sends sensitive data over the internet sans any encryption, exposing it to interception and manipulation attacks. The assessment comes from NowSecure, which also found that the app fails to adhere to best security practices and that it collects extensive user and
Analysis Summary
# Vulnerability: DeepSeek iOS App Insecure Data Transmission and Cryptographic Weaknesses
## CVE Details
- CVE ID: Not provided in the source article.
- CVSS Score: Not provided in the source article.
- CWE: Not explicitly provided. The findings map to CWE-319 (Cleartext Transmission of Sensitive Information) for the unencrypted traffic, CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-326 (Inadequate Encryption Strength) for 3DES, CWE-321 (Use of Hard-coded Cryptographic Key), and CWE-1204 (Generation of Weak Initialization Vector) for the reused IVs.
## Affected Systems
- Products: DeepSeek Mobile Application
- Versions: Not stated; the audit covered the iOS App Store build current when NowSecure published (6 February 2025). Treat all versions as affected until the vendor says otherwise.
- Configurations: Standard usage of the iOS application.
## Vulnerability Description
The DeepSeek iOS application suffers from critical security and privacy flaws, primarily revolving around insecure data handling:
1. **Unencrypted Data Transmission:** The app sends sensitive data, including mobile app registration and device information, over plaintext HTTP, so anyone on the network path can read or alter it.
2. **ATS Disablement:** The app globally disables App Transport Security (ATS), the iOS policy that by default forces app network connections onto HTTPS with TLS 1.2 or later and forward-secret cipher suites. The global opt-out is the `NSAllowsArbitraryLoads` key in the app's Info.plist; with it set, iOS no longer blocks plain HTTP connections.
3. **Insecure Local Encryption:** Where the app does encrypt user data, it uses 3DES (a 64-bit-block cipher that NIST has deprecated), a key hard-coded in the app (so anyone who unpacks the binary has it), and reused initialization vectors (so equal plaintext prefixes produce equal ciphertext and the IV no longer hides repetition).
4. **Data Egress:** Sensitive data is sent to servers managed by Volcano Engine, a cloud platform owned by ByteDance.
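The following is an added illustration of why the three local-encryption weaknesses above matter together; it is not DeepSeek's code and not from the NowSecure report. Because 3DES is not in the Python standard library, it stands in a small 8-byte-block Feistel cipher built on SHA-256 (same block size as 3DES); CBC mode is an assumption, since the article does not name the mode. The key, IV and records are constructed for the demo.

```python
"""Hard-coded key + static IV + 64-bit-block CBC: what an attacker gets.

Added example, not the app's code. The block cipher is a SHA-256 Feistel
network used only so the script runs offline; the CBC/IV-reuse behaviour
shown does not depend on that choice.
"""
import hashlib
import os

BLOCK = 8    # 64-bit blocks, as with 3DES
ROUNDS = 16

# Constructed stand-ins for values that, in the flawed design, live inside the app binary.
HARDCODED_KEY = b"example-key-baked-into-the-app"
STATIC_IV = bytes(BLOCK)


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    """Feistel round function: keyed SHA-256 truncated to half a block."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left  # undo the last swap so decryption is the same network in reverse


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, right, rnd))
    return right + left


def _pad(data: bytes) -> bytes:          # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    prev, out, data = iv, bytearray(), _pad(plaintext)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return bytes(out[: -out[-1]])


def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """How many leading ciphertext blocks two encryptions have in common."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


def demo():
    # Constructed records: same user, different session token.
    rec_a = b"user_id=4242;token=aaaa"
    rec_b = b"user_id=4242;token=zzzz"
    # Static IV: whoever reads the stored ciphertexts sees that the first two
    # blocks (16 bytes of plaintext) are identical, without any key.
    leak = shared_prefix_blocks(cbc_encrypt(HARDCODED_KEY, STATIC_IV, rec_a),
                                cbc_encrypt(HARDCODED_KEY, STATIC_IV, rec_b))
    # Fresh random IV per record: nothing in common (2^-64 chance per block).
    no_leak = shared_prefix_blocks(cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), rec_a),
                                   cbc_encrypt(HARDCODED_KEY, os.urandom(BLOCK), rec_b))
    # Hard-coded key: anyone who extracted it from the binary decrypts offline.
    recovered = cbc_decrypt(HARDCODED_KEY, STATIC_IV, cbc_encrypt(HARDCODED_KEY, STATIC_IV, rec_a))
    return leak, no_leak, recovered


if __name__ == "__main__":
    print(demo())
```

The same prefix-equality leak applies to any CBC deployment with a fixed IV, whatever the block cipher; with 64-bit blocks the small block size additionally makes collisions between blocks practical at gigabyte volumes, which is why 3DES is retired.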
## Exploitation
- Status: No public exploit is described, and none is needed: data sent in cleartext can be read or modified by anyone positioned on the network path (the report's "passive and active attacks").
- Complexity: Low. An on-path attacker (shared Wi-Fi, a hostile hotspot, a compromised router) only has to capture or rewrite unencrypted HTTP traffic, and with ATS disabled iOS does not block the connection.
- Attack Vector: Network. The attacker needs no access to the device and no interaction from the user beyond normal use of the app.
## Impact
- Confidentiality: High (Sensitive registration/device data sent in cleartext; weak local encryption).
- Integrity: High (Data can be intercepted and manipulated during transit).
- Availability: Low (no direct impact on service availability).
## Remediation
### Patches
- Specific patch versions from DeepSeek are **not provided** in the source article. The fix is the vendor's to make: remove the global ATS opt-out so iOS enforces HTTPS, move every endpoint to TLS, and replace the 3DES/hard-coded-key/static-IV scheme with an authenticated cipher (AES-GCM or ChaCha20-Poly1305) under a per-install key held in the iOS Keychain, with a fresh random nonce for every encryption.
### Workarounds
- **Disable or Uninstall:** Users in sensitive environments (government, corporate, regulated industries) should remove the app, or block it through MDM, until the vendor ships a fix.
- **Network Monitoring:** Organizations should alert on and block plaintext HTTP egress from managed mobile devices to DeepSeek's backend and to the Volcano Engine infrastructure it uses (the article does not list specific hostnames).
- **Use Encrypted Proxies:** If use is unavoidable, a VPN or TLS-terminating proxy protects only the hop to the proxy; beyond it the app still emits plaintext HTTP, and the weak local encryption is untouched. Treat this as a partial stopgap, not a fix.
## Detection
- **Network Traffic Analysis:** Capture the device's traffic (a test proxy, or a pcap from the gateway or Wi-Fi controller) and look for HTTP requests on port 80 or other non-TLS ports whose bodies carry device identifiers or registration data.
- **Static Analysis:** Unzip the IPA and read `Payload/<App>.app/Info.plist`: an `NSAppTransportSecurity` dictionary with `NSAllowsArbitraryLoads` set to true confirms the global ATS opt-out. Dynamic instrumentation can then confirm that connections actually leave over HTTP.
- **Indicators of Compromise (IoCs):** Plaintext HTTP connections from the device to DeepSeek's backend infrastructure (specific domains are not given in the article; Volcano Engine is the hosting provider named).
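As an added example of the network-traffic check above (not NowSecure's tooling and not code from the report), the script below reads a classic pcap with only the standard library, pulls TCP payloads out of Ethernet/IPv4 frames, and flags any that are plaintext HTTP requests, noting which device-related fields appear. The capture is constructed in the script (one plaintext POST on port 80, one TLS record on port 443) so it runs offline; the field names treated as sensitive are an assumption for the demo, not the app's real parameter names.

```python
"""Flag cleartext HTTP requests in a pcap. Added example; stdlib only.

The capture and the sensitive-field list below are constructed for the demo.
"""
import socket
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"PATCH ", b"HEAD ", b"OPTIONS ")
# Assumed keywords for registration/device data; adjust to what the app really sends.
SENSITIVE = (b"device", b"idfv", b"os_version", b"register", b"token")


def iter_frames(pcap: bytes):
    """Yield link-layer frames from a classic (non-pcapng) pcap byte string."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """(src, dst, sport, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport, tcp[data_off:])


def find_cleartext_http(pcap: bytes) -> list[dict]:
    """Return one record per TCP payload that is a plaintext HTTP request."""
    hits = []
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if not parsed or not parsed[4].startswith(HTTP_METHODS):
            continue
        src, dst, sport, dport, payload = parsed
        head = payload.partition(b"\r\n\r\n")[0]
        lines = head.split(b"\r\n")
        host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith(b"host:")), b"?")
        method, path = lines[0].split(b" ")[:2]
        hits.append({
            "src": src, "dst": dst, "dport": dport,
            "method": method.decode(), "host": host.decode(), "path": path.decode(),
            "sensitive": sorted(k.decode() for k in SENSITIVE if k in payload.lower()),
        })
    return hits


# ---- constructed capture (checksums left zero; not validated above) --------
def _frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


CLEARTEXT_POST = (b"POST /api/register HTTP/1.1\r\nHost: api.example.invalid\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                  b"device_id=ABC-123&os_version=17.2&idfv=XYZ")
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # handshake record, not HTTP
SAMPLE_PCAP = _pcap([
    _frame("10.0.0.5", "203.0.113.10", 51000, 80, CLEARTEXT_POST),
    _frame("10.0.0.5", "203.0.113.10", 51001, 443, TLS_CLIENT_HELLO),
])

if __name__ == "__main__":
    for hit in find_cleartext_http(SAMPLE_PCAP):
        print(hit)
```

On a real capture, replace `SAMPLE_PCAP` with the file contents; the same logic works against a pcap taken from a Wi-Fi controller or a test proxy's export, and any hit against the app's backend is the cleartext transmission the report describes.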
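For the static check, and for the ATS finding under Vulnerability Description, here is an added example (not NowSecure's tooling, not the app's own configuration) that parses an Info.plist and reports every App Transport Security relaxation: the global opt-out, the per-content-class opt-outs, and per-domain exceptions that allow HTTP, weak TLS or no forward secrecy. The three plists embedded below are constructed for the demo.

```python
"""Audit App Transport Security settings in an iOS Info.plist. Added example.

Works on XML or binary plists (plistlib detects the format). The sample
plists are constructed and do not come from any real app.
"""
import plistlib
import sys

WEAK_TLS = {"TLSv1.0", "TLSv1.1"}


def audit_ats(plist_data: bytes) -> list[str]:
    """Return a list of ATS weaknesses; empty means iOS defaults (HTTPS, TLS 1.2+) apply."""
    info = plistlib.loads(plist_data)
    ats = info.get("NSAppTransportSecurity") or {}
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS off for every host, plaintext HTTP allowed")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"{key}=true: ATS relaxed for that content class")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" and subdomains" if rules.get("NSIncludesSubdomains") else "")
        for key in ("NSExceptionAllowsInsecureHTTPLoads", "NSThirdPartyExceptionAllowsInsecureHTTPLoads"):
            if rules.get(key):
                findings.append(f"{scope}: {key}=true, plaintext HTTP allowed")
        for key in ("NSExceptionMinimumTLSVersion", "NSThirdPartyExceptionMinimumTLSVersion"):
            if rules.get(key) in WEAK_TLS:
                findings.append(f"{scope}: {key}={rules[key]}")
        for key in ("NSExceptionRequiresForwardSecrecy", "NSThirdPartyExceptionRequiresForwardSecrecy"):
            if rules.get(key) is False:
                findings.append(f"{scope}: {key}=false")
    return findings


def _plist(ats_xml: str) -> bytes:
    """Wrap an NSAppTransportSecurity fragment in a minimal constructed Info.plist."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  {ats_xml}
</dict></plist>""".encode()


# The weak setting the report describes: ATS switched off globally.
GLOBAL_OFF = _plist("<key>NSAppTransportSecurity</key><dict>"
                    "<key>NSAllowsArbitraryLoads</key><true/></dict>")
# A narrower but still insecure exception for one domain tree.
PER_DOMAIN = _plist("<key>NSAppTransportSecurity</key><dict><key>NSExceptionDomains</key><dict>"
                    "<key>api.example.invalid</key><dict>"
                    "<key>NSIncludesSubdomains</key><true/>"
                    "<key>NSExceptionAllowsInsecureHTTPLoads</key><true/>"
                    "<key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>"
                    "</dict></dict></dict>")
# The corrected form: no ATS dictionary at all, so the platform default applies.
DEFAULTS = _plist("")

if __name__ == "__main__":
    # Usage: unzip the .ipa, then: python ats_audit.py Payload/Example.app/Info.plist
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else GLOBAL_OFF
    for line in audit_ats(data) or ["no ATS relaxations found"]:
        print(line)
```

Removing the `NSAppTransportSecurity` dictionary entirely (the `DEFAULTS` case) is the corrected configuration; a per-domain exception is only acceptable for a host that genuinely cannot speak TLS, and even then `NSExceptionAllowsInsecureHTTPLoads` should be the exception the App Store review asks you to justify.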
## References
- Primary Source: NowSecure audit of the DeepSeek iOS app (6 February 2025): `https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/`
- Related Context (data egress risk): `https://apnews.com/article/deepseek-china-generative-ai-internet-security-concerns-c52562f8c4760a81c4f76bc5fbdebad0`