Apple's defenses that protect data from being sent in the clear are globally disabled.
# Incident Report: DeepSeek iOS App Data Leakage and Insecure Practices
## Executive Summary
The DeepSeek iOS mobile application was found to be transmitting sensitive user data, including registration details and potential query information, over unencrypted channels, effectively disabling Apple's App Transport Security (ATS) protections. Further concerns include the use of deprecated 3DES encryption with hardcoded, static keys, and the routing of all data to servers controlled by ByteDance in China. This combination of insecure practices presents significant privacy and security risks to users.
## Incident Details
- Discovery Date: Thursday (the source report gives only the weekday)
- Incident Date: Ongoing at the time of discovery (the exposure occurs whenever the app is used)
- Affected Organization: DeepSeek (AI Chatbot provider)
- Sector: Technology / Artificial Intelligence
- Geography: Affected users globally; operational centers/data storage noted in China.
## Timeline of Events
### Initial Access
- Date/Time: Not applicable (This is a flaw in the application code, not an intrusion event).
- Vector: Insecure application configuration allowing clear-text data transmission.
- Details: The DeepSeek iOS app globally disables Apple's App Transport Security (ATS), allowing data to be sent over insecure HTTP channels.
### Lateral Movement
- Not applicable (No network intrusion or lateral movement identified; the issue is inherent to the application's design).
### Data Exfiltration/Impact
- Details: Sensitive data, including organization ID, SDK version, user OS version, and selected language, is sent unencrypted during initial app registration. Other application data that is encrypted is sent to ByteDance-controlled servers, where it is decrypted and potentially linked to user identity.
### Detection & Response
- **Discovery:** Detected by mobile security company NowSecure starting approximately two weeks prior to the public report (Thursday).
- **Response:** NowSecure publicly disclosed the findings, strongly recommending that organizations remove the DeepSeek iOS app immediately.
## Attack Methodology
- **Initial Access:** N/A (Vulnerability in application design)
- **Persistence:** N/A
- **Privilege Escalation:** N/A
- **Defense Evasion:** Global disabling of ATS may have been intentional or unintentional, bypassing standard OS security countermeasures against insecure connections.
- **Credential Access:** Not explicitly detailed, but insecure transmission increases risk.
- **Discovery:** N/A (Internal auditing by NowSecure)
- **Lateral Movement:** N/A
- **Collection:** Data is collected during registration and user interaction; part of it is transmitted in clear text and part under weak symmetric encryption with hardcoded keys.
- **Exfiltration:** Data sent over unencrypted channels or weakly encrypted using deprecated 3DES (with hardcoded keys) to ByteDance-controlled infrastructure ultimately storing data in China.
- **Impact:** Severe privacy risk due to exposing personal and device configuration data in clear-text and the potential for data correlation/identification on foreign servers.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive registration data (Org ID, OS version, language) sent in the clear. User queries and usage data potentially accessible/correlatable on ByteDance servers.
- **Operational:** Users relying on the app for work or personal tasks face immediate data exposure risks.
- **Reputational:** Significant reputational damage to DeepSeek due to fundamental security oversights; immediate governmental scrutiny (US lawmakers pushing for a ban).
## Indicators of Compromise
- **Network Indicators (Defanged):** Connections to Volcengine infrastructure (ByteDance cloud platform).
- **File Indicators:** Application uses deprecated 3DES symmetric encryption scheme; symmetric keys are hardcoded within the application binary.
- **Behavioral Indicators:** Application transmits data over unsecured HTTP protocols despite iOS ATS requirements; use of hardcoded, identical symmetric keys across all users.
## Response Actions
- **Containment:** NowSecure advised the immediate removal of the DeepSeek iOS mobile app from all managed and BYOD deployments.
- **Eradication:** Not actionable by users; the developer (DeepSeek) must issue updates addressing the flaws (ATS enforcement, key management, encryption strength).
- **Recovery:** Users must wait for a patch or cease using the service until security is validated.
## Lessons Learned
- **Key Takeaways:** Reliance on deprecated security standards (3DES) and hardcoding sensitive values (encryption keys) represent critical, non-negotiable security failures. Disabling platform security controls such as ATS permits insecure data transmission and removes the OS's enforcement against it.
- **What could have been done better:** The developer should have enforced ATS, used modern, supported cryptographic protocols (like TLS 1.3), and avoided storing hardcoded symmetric keys for encryption.
## Recommendations
- **Prevention measures for similar incidents:**
1. **Mandatory Encryption:** Enforce robust TLS/SSL for all data in transit; never disable platform-level protections like ATS.
2. **Key Management:** Use securely derived, ephemeral session keys; never hardcode cryptographic keys within the application binary.
3. **Cryptographic Standards:** Adhere strictly to current NIST/industry standards for cryptography (e.g., deprecate 3DES immediately).
4. **Data Flow Review:** Vet backend providers and ensure jurisdiction/storage agreements align with data governance and privacy requirements.
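As an added defender-side check (not code from NowSecure or from the report), the following Python function audits an app's Info.plist for the ATS weakening described under Initial Access and prohibited by recommendation 1; the plist fragments are constructed samples, not taken from the DeepSeek app.

```python
import plistlib
from typing import List

# Constructed Info.plist fragments for the demo; not extracted from the DeepSeek binary.
ATS_GLOBALLY_OFF = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict><key>NSAllowsArbitraryLoads</key><true/></dict>
</dict></plist>"""

ATS_SCOPED_EXCEPTION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""

ATS_DEFAULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
</dict></plist>"""


def audit_ats(info_plist: bytes) -> List[str]:
    """Return findings for ATS weakenings in an Info.plist.

    An empty list means ATS is at its default: HTTPS with TLS 1.2+ to every host.
    """
    findings: List[str] = []
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    # The condition in this report: one key switches ATS off for every host.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled globally, cleartext HTTP allowed to any host")
    # Per-domain exceptions are narrower than a global disable but still belong in review.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: insecure HTTP loads permitted")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
    return findings
```

Run it against the Info.plist extracted from an app bundle (the `.ipa` is a zip archive) as part of mobile app vetting before deployment.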