NowSecure Reveals Critical Security Vulnerabilities in DeepSeek iOS App

NowSecure, a mobile app security research firm, has uncovered significant security and privacy vulnerabilities in the DeepSeek iOS mobile application that could pose substantial risks to enterprises, government agencies, and individual users.

The comprehensive security assessment revealed multiple critical issues, including unencrypted data transmission, hardcoded encryption keys, and insecure credential storage. Of particular concern is the app's ability to transmit data to Volcengine, a cloud platform operated by ByteDance, which raises potential data governance and surveillance risks.

Key vulnerabilities include the transmission of sensitive user data without encryption, making it susceptible to Man-in-the-Middle attacks. The app also bypasses standard iOS privacy controls and lacks mandatory Privacy Manifests, increasing exposure to unauthorized tracking and data collection.

These security flaws could potentially compromise intellectual property, corporate secrets, and national security. The risks are particularly acute for high-profile organizations, given the app's potential for transmitting sensitive information to third-party entities.

NowSecure recommends that enterprises and government agencies immediately cease using the DeepSeek iOS app. Organizations are advised to explore alternative AI solutions with more robust security measures and implement continuous mobile app security monitoring.

While the investigation focused on the iOS version, NowSecure suggests that high-risk organizations should assume similar vulnerabilities might exist in other versions of the app. The findings underscore the growing importance of rigorous mobile application security assessments in an increasingly digital landscape.