Cyber Security News

DeepSeek iOS App Leaks Data to ByteDance Servers Without Encryption

The DeepSeek iOS app, a highly popular AI assistant recently crowned as the top iOS app since its January 25 release, has been discovered to transmit sensitive user data to ByteDance servers without encryption.

The security flaws, uncovered by mobile app security firm NowSecure, have prompted swift reactions from governments, enterprises, and cybersecurity experts worldwide.

The findings paint a sobering picture of the app’s vulnerabilities and its risk to users’ sensitive information.

Unprecedented Privacy Risks

NowSecure’s comprehensive assessment of the DeepSeek iOS app has exposed alarming security issues affecting millions of users worldwide, including individuals, enterprise employees, and government officials.

Despite its meteoric rise in popularity, the app harbors critical vulnerabilities that make it a significant threat to data privacy.

Figure: The server responds with an encrypted deviceId.

Key Findings:

  1. Unencrypted Data Transmission: The app transmits sensitive user data without encryption, leaving it vulnerable to interception via Man-in-the-Middle (MITM) attacks.
  2. Hardcoded & Weak Encryption: Outdated Triple DES (3DES) encryption is used, with hardcoded and reused keys, violating fundamental cryptographic principles.
  3. Insecure Data Storage: Sensitive credentials such as usernames, passwords, and encryption keys are stored insecurely, exposing them to theft in case of device access.
  4. Aggressive Data Collection: The app collects extensive user and device data, including unique identifiers, that can be used for detailed tracking and de-anonymization.
  5. Data Sent to ByteDance Servers in China: User data is routed to ByteDance-controlled servers under Chinese jurisdiction, raising concerns about compliance with PRC laws and potential government access.

Figure: Redacted sample of the sensitive data recovered from the mobile app.

One of the report’s most alarming revelations is the direct transmission of user data to ByteDance servers, facilitated through its Volcengine cloud service.

ByteDance’s connection to the Chinese government and its legal obligations under PRC surveillance laws have heightened fears of state-driven data access and surveillance.

While ByteDance has repeatedly denied allegations of data sharing with the Chinese government, regulatory agencies and governments remain deeply wary.

The DeepSeek app’s practices may further fuel geopolitical tensions in the realm of digital data privacy.

The fallout has been swift and sweeping. Several governments and organizations, including the U.S. military and state agencies, have issued immediate bans on the app to safeguard national security.

Enterprises have taken similar actions, prohibiting its use in managed and Bring Your Own Device (BYOD) environments.

Technical Breakdown of the Vulnerabilities

  1. Unencrypted Network Requests: Data such as device configuration, user agents, and organizational identifiers are sent over plaintext HTTP, making them easily interceptable.
  2. Weak Symmetric Encryption Implementation: Keys and data are encrypted using 3DES—a cryptographic algorithm deemed insecure for years. The use of hardcoded keys and a nil initialization vector makes decryption trivial for attackers.
  3. Tracking & Fingerprinting: Data such as device names, operating systems, and user prompts are collected and transmitted to external servers, facilitating surveillance and de-anonymization of users.
  4. Disabled iOS Platform Protections: The app globally disables App Transport Security (ATS), bypassing Apple’s built-in security features that mandate encrypted data transmission.
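
For teams vetting apps on managed devices, the globally disabled ATS setting described in item 4 is visible in the app's Info.plist. The following is an added example, not code from NowSecure or the app itself: a small Python audit that flags ATS relaxations. The sample plist, bundle identifier and domain are constructed for illustration; the ATS key names are Apple's documented Info.plist keys.

```python
import plistlib

# Constructed sample Info.plist (not taken from the DeepSeek app): ATS is
# disabled globally and one domain is additionally allowed plaintext HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>telemetry.example.com</key>
      <dict><key>NSExceptionAllowsInsecureHTTPLoads</key><true/></dict>
    </dict>
  </dict>
</dict>
</plist>"""

# ATS keys that relax transport protections beyond a single domain.
GLOBAL_FLAGS = {
    "NSAllowsArbitraryLoads": ("high", "ATS disabled for all connections"),
    "NSAllowsArbitraryLoadsInWebContent": ("medium", "ATS disabled in web views"),
    "NSAllowsArbitraryLoadsForMedia": ("medium", "ATS disabled for media loads"),
}

def audit_ats(plist_bytes):
    """Return a list of (severity, message) findings for weakened ATS."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity")
    if not isinstance(ats, dict):
        return []  # no ATS dictionary: the iOS defaults (HTTPS required) apply
    findings = []
    for flag, (severity, what) in GLOBAL_FLAGS.items():
        if ats.get(flag) is True:
            findings.append((severity, f"{flag}=true: {what}"))
    for domain, rules in sorted((ats.get("NSExceptionDomains") or {}).items()):
        if isinstance(rules, dict) and rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            findings.append(("medium", f"plaintext HTTP allowed for {domain}"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_ats(SAMPLE_PLIST):
        print(f"[{severity}] {message}")
```

A clean result only means ATS is not relaxed in the manifest; it says nothing about the key handling or data collection issues listed above.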

For affected users, uninstalling the app and resetting credentials used within it are necessary first steps to protect personal and organizational data.

The revelations have also reignited debate around app store accountability. While Apple enforces strict app review policies, critics argue that security flaws like those in DeepSeek highlight the limitations of existing safeguards.

“Apple and Google must step up their app vetting processes to prevent apps with severe security risks from reaching consumers,” cybersecurity expert Dr. Amelia Jensen said.

“Mobile apps are an unprotected attack surface, and as DeepSeek shows, even widely popular apps can be compromised.”

The DeepSeek debacle underscores the urgent need for stricter data privacy measures, secure app design, and vigilant oversight in the digital age.

As more organizations ban the app, its vulnerabilities serve as a stark warning about the high stakes of mobile app security in a globally interconnected network.

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
