Full Report
New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices -- such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies -- introduce a number of glaring security and privacy risks.
Analysis Summary
# Vulnerability: Multiple Security and Privacy Flaws in DeepSeek Mobile Application
## CVE Details
- CVE ID: Not specified in the provided text. The issues are design flaws and configuration errors rather than specific, tracked CVEs.
- CVSS Score: Not calculated. The issues are classified as security and privacy risks.
- CWE: Multiple apply, notably CWE-321 (Use of Hard-coded Cryptographic Key) for the embedded encryption key and CWE-319 (Cleartext Transmission of Sensitive Information) for the insufficient transport layer protection.
## Affected Systems
- Products: DeepSeek iOS Mobile App (Android app analysis pending, but presumed similar design).
- Versions: Current versions available as of late January/early February 2025.
- Configurations: All standard deployments, especially those leveraging network communication.
## Vulnerability Description
The DeepSeek iOS application exhibits significant security and privacy deficits, including:
1. **Unencrypted Data Transmission:** The app globally disables iOS platform-level App Transport Security (ATS), causing it to send significant user and device data "in the clear" over the internet, making it susceptible to man-in-the-middle interception and modification.
2. **Insecure Cryptography:** Where data is selectively encrypted (server responses), the app utilizes the deprecated and insecure 3DES algorithm.
3. **Hard-Coded Keys:** The encryption key used for data protection is hard-coded within the application binary, so anyone who extracts it from the app package can decrypt the communications it protects.
4. **Excessive Data Collection & Fingerprinting:** The app collects extensive device information, including the device name (which may contain the user's name), combined with IP addresses and advertising data, enabling advanced device fingerprinting and potential user deanonymization.
5. **Data Exposure (External to App):** Related findings indicate a publicly exposed DeepSeek database containing chat history, backend data, API secrets, and operational details, allowing unauthenticated, full database control.
## Exploitation
- Status: Exploitation confirmed for related data exposure (database leak). Direct exploitation of the mobile flaws mentioned could lead to data interception and modification. Threat actors are already exploiting DeepSeek infrastructure to deliver malicious software.
- Complexity: Low (for interception of unencrypted data via network sniffing); Medium (for extracting hard-coded keys).
- Attack Vector: Network (for data interception); Local (if an attacker can reverse-engineer the application package).
## Impact
- Confidentiality: High (User data, device identifiers, chat history transmitted in cleartext or easily decryptable format).
- Integrity: Medium (Data transmitted in the clear can be modified in transit).
- Availability: Low (No direct impact on service availability noted, though external data breaches could affect trust).
## Remediation
### Patches
- No specific patch version was detailed in the source material, as the flaws appear systemic.
- **Immediate Action Urged:** Security firm NowSecure explicitly urged organizations to remove the DeepSeek iOS mobile application from their environments immediately.
### Workarounds
- Organizations should restrict or block the application's network traffic at the firewall/proxy level.
- Users should avoid installing or using the application until vendor remediation is confirmed.
- If used, ensure all network traffic is monitored, although this will not stop the initial transmission of unencrypted metadata.
## Detection
- **Indicators of Compromise (IoCs):** Network traffic originating from the DeepSeek application destined for Volcengine (ByteDance) infrastructure, especially traffic not utilizing modern TLS versions or showing cleartext HTTP payloads.
- **Detection Methods and Tools:** Mobile security analysis tools (app teardown), network traffic inspection tools (e.g., packet sniffers monitoring application endpoints), and EDR/Mobile Threat Defense (MTD) solutions monitoring for suspicious data collection behaviors or disabled security protections (such as ATS being switched off).
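A static check of the kind the app teardown tools above perform, added here as an example that is not from NowSecure or the source report: ATS is configured in an iOS app's Info.plist under the NSAppTransportSecurity dictionary, and NSAllowsArbitraryLoads set to true is the global opt-out described in finding 1, while NSExceptionDomains carries per-host weakenings. The Info.plist samples below are constructed and are not DeepSeek's actual files; the bundle identifier com.example.chatapp is a placeholder.

```python
import plistlib
from typing import Any, Dict, List

# Constructed Info.plist sample (not DeepSeek's file) with ATS switched off
# globally, i.e. the configuration finding 1 describes.
ATS_DISABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""


def make_plist(ats: Dict[str, Any]) -> bytes:
    """Build a minimal Info.plist around a given NSAppTransportSecurity dictionary."""
    return plistlib.dumps({"CFBundleIdentifier": "com.example.chatapp",
                           "NSAppTransportSecurity": ats})


# A scoped exception for one host only, and an app that leaves ATS at its defaults.
ATS_SCOPED = make_plist({"NSExceptionDomains": {"legacy.example.net": {
    "NSExceptionAllowsInsecureHTTPLoads": True,
    "NSExceptionMinimumTLSVersion": "TLSv1.0"}}})
ATS_DEFAULT = make_plist({})


def audit_ats(info_plist: bytes) -> List[str]:
    """Return one finding per way the plist weakens App Transport Security."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings: List[str] = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true, cleartext HTTP allowed to any host")
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"global: {key}=true")
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{host}: cleartext HTTP allowed")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{host}: minimum TLS lowered to {tls}")
    return findings


if __name__ == "__main__":
    for name, blob in (("disabled", ATS_DISABLED), ("scoped", ATS_SCOPED), ("default", ATS_DEFAULT)):
        print(name, audit_ats(blob) or ["ATS intact"])
```

Run it against the Info.plist extracted from an unpacked .ipa (Payload/<App>.app/Info.plist) to flag the global opt-out before the app reaches a managed device.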
## References
- NowSecure Advisory (refer to the teardown blog post by NowSecure)
- Wiz Report on Exposed Database
- Various news reports indicating bans by US Congressional Offices, The Pentagon, NASA, US Navy, Italy, and Taiwan.
*Note: Due to the nature of the findings (design flaws rather than specific CVEs), this summary focuses on the identified security risks and immediate configuration issues.*