A leading cybersecurity firm has issued a stark warning to businesses and organizations regarding the widespread use of the DeepSeek app, citing multiple security flaws that could expose users’ sensitive data.
The DeepSeek application, which took the stock market by storm after rapidly climbing to the top of the Apple App Store rankings in January, has been found to transmit user data without encryption. Additionally, the app fails to securely store critical credentials such as usernames and passwords, according to an in-depth analysis by mobile security firm NowSecure.
Alarming Security Gaps Identified
NowSecure’s investigation uncovered vulnerabilities specifically within the mobile application that serves as the primary interface for accessing DeepSeek’s AI models. While the core AI models themselves remain unaffected, the app’s weak security measures pose a significant risk to users.
“Mobile applications evolve rapidly and often represent an overlooked attack surface, making them a prime target for cyber threats,” NowSecure stated. “DeepSeek’s security flaws are concerning, but unfortunately, they are not unique in the mobile app landscape.”
In an analysis conducted on real mobile devices, NowSecure discovered that the iOS version of the DeepSeek app had a critical security feature disabled.
“The DeepSeek iOS application completely disables App Transport Security (ATS), a crucial iOS platform safeguard designed to prevent data from being transmitted over unprotected channels,” the security researchers explained. “With this protection turned off, the app is capable of and actively sends unencrypted data over the internet.”
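ATS is controlled by the NSAppTransportSecurity dictionary in an app's Info.plist, and a global NSAllowsArbitraryLoads of true is the opt-out the researchers describe. The following audit helper is an added example, not NowSecure's tooling or DeepSeek's code; it uses two constructed Info.plist samples (a weak one and a hardened one) and flags the keys that permit cleartext transport.

```python
import plistlib

# Constructed sample Info.plist (not taken from any real app) with ATS
# globally disabled, the weak configuration described in the report.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

# Constructed hardened variant: ATS stays on; the only exception is a
# narrowly scoped per-domain minimum TLS version, not a cleartext opt-out.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>legacy.example.com</key><dict>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.2</string>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def ats_findings(info_plist: bytes) -> list[str]:
    """Return findings for ATS settings that permit unencrypted transport."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    # Global opt-outs: each one allows cleartext HTTP for a class of loads.
    for key in ("NSAllowsArbitraryLoads",
                "NSAllowsArbitraryLoadsInWebContent",
                "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key) is True:
            findings.append(f"{key} is true: cleartext transport permitted")
    # Per-domain exceptions that permit plain HTTP for that host.
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(f"insecure HTTP allowed for exception domain {domain}")
    return findings


if __name__ == "__main__":
    for name, plist in (("weak", WEAK_INFO_PLIST), ("hardened", HARDENED_INFO_PLIST)):
        print(name, ats_findings(plist) or ["no ATS weaknesses found"])
```

The same check can be run over the Info.plist extracted from any IPA before it is approved for managed devices.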
Risks of Data Exposure and Unauthorized Access
The absence of transport encryption significantly heightens the risk of man-in-the-middle (MITM) attacks. In such scenarios, an attacker with control over the network could intercept and potentially alter communications between a user and DeepSeek’s servers.
Furthermore, NowSecure identified that the app caches sensitive user information—including login credentials—in unencrypted files stored on the device. This could be exploited by an attacker with either physical access or remote control over the compromised device.
Broader Privacy Concerns and Government Bans
In addition to these critical vulnerabilities, researchers found that DeepSeek’s mobile application actively gathers extensive data about a user’s device and network environment. This data collection could be leveraged by third-party data brokers or malicious actors to track and monitor user activity.
These security concerns have led several governments to impose restrictions on the use of DeepSeek. Authorities in multiple countries have cited security flaws and the app’s ties to China as key factors in their decisions to prohibit its use among government employees.
On Monday, New York Governor Kathy Hochul announced a ban on state employees using DeepSeek’s AI models on official devices. Meanwhile, Congress is reviewing proposed legislation that would extend a similar ban to federal agencies. Internationally, South Korea, Australia, and Taiwan have already taken action by restricting access to DeepSeek on government devices.
As awareness of these security risks grows, experts urge both individual users and enterprises to exercise caution when using AI-powered applications and to prioritize security measures that safeguard their data from potential cyber threats.