# **Concerns About DeepSeek AI App Security: A Rising Privacy Threat**
## **Overview**
Recently, the AI sector has been buzzing with discussions about DeepSeek, a China-based company that released an open-source AI chatbot with reasoning abilities comparable to those of OpenAI’s models. The chatbot quickly became popular, reaching the top spot in the iPhone App Store’s “Free Apps” category. However, a recent security assessment by mobile security firm NowSecure has raised significant concerns about the app’s data protection measures, uncovering numerous security and privacy weaknesses that could put users at risk.
## **Unencrypted Data Transmission: A Significant Security Issue**
One of the most concerning findings from NowSecure’s evaluation is that the DeepSeek AI app sends sensitive user information over unencrypted channels. This means that anyone able to observe the network traffic, whether criminals, internet service providers or government agencies, could intercept and read this data.
Apple strongly recommends that developers keep **App Transport Security (ATS)** enabled, since it enforces encrypted (HTTPS) connections for the app’s network traffic, yet DeepSeek has disabled this safeguard entirely. The rationale behind this choice remains unknown, but it greatly increases the risk of data interception and manipulation.
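ATS is controlled by keys in the app’s Info.plist, so the “ATS disabled” finding above is something a reviewer can check directly from the app bundle. The following auditor is an added example, not NowSecure’s tooling or anything from the DeepSeek app; it uses only the Python standard library, and the three plists it inspects are constructed samples (the bundle identifier and domain are placeholders). It flags the global `NSAllowsArbitraryLoads` switch the article describes as well as the narrower per-domain exceptions Apple permits, which is slightly more than the article covers.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakenings.

Added illustration; not code from NowSecure or the DeepSeek app.
Standard library only. The sample plists below are constructed.
"""
import plistlib

# Apple's ATS default is TLS 1.2 or newer; lower minimums are a downgrade.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


def audit_ats(plist_bytes: bytes) -> list:
    """Return (severity, key, detail) findings for the ATS settings in an Info.plist.

    An empty list means ATS is left at Apple's default: HTTPS only,
    TLS 1.2+, forward-secret cipher suites required.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("HIGH", "NSAllowsArbitraryLoads",
                         "ATS disabled for every connection; plain HTTP permitted app-wide"))
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append(("MEDIUM", "NSAllowsArbitraryLoadsInWebContent",
                         "ATS disabled for web-view content"))
    if ats.get("NSAllowsArbitraryLoadsForMedia"):
        findings.append(("MEDIUM", "NSAllowsArbitraryLoadsForMedia",
                         "ATS disabled for media loads"))
    if ats.get("NSAllowsLocalNetworking"):
        findings.append(("LOW", "NSAllowsLocalNetworking",
                         "unencrypted local-network traffic permitted"))

    # Per-domain exceptions are narrower than the global switch but still need review.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        scope = domain + (" (+subdomains)" if rules.get("NSIncludesSubdomains") else "")
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("MEDIUM", "NSExceptionAllowsInsecureHTTPLoads",
                             f"plain HTTP permitted for {scope}"))
        min_tls = rules.get("NSExceptionMinimumTLSVersion")
        if min_tls is not None and TLS_ORDER.get(min_tls, 0) < TLS_ORDER["TLSv1.2"]:
            findings.append(("MEDIUM", "NSExceptionMinimumTLSVersion",
                             f"{min_tls} accepted for {scope}"))
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("LOW", "NSExceptionRequiresForwardSecrecy",
                             f"non-forward-secret cipher suites accepted for {scope}"))
    return findings


_HEADER = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
           b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
           b'<plist version="1.0">\n<dict>\n'
           b'  <key>CFBundleIdentifier</key>\n  <string>com.example.chatapp</string>\n')
_FOOTER = b'</dict>\n</plist>\n'

# Constructed sample 1: the configuration the article describes (ATS switched off globally).
WEAK_PLIST = _HEADER + (
    b'  <key>NSAppTransportSecurity</key>\n  <dict>\n'
    b'    <key>NSAllowsArbitraryLoads</key>\n    <true/>\n  </dict>\n') + _FOOTER

# Constructed sample 2: a scoped exception for one placeholder domain.
SCOPED_PLIST = _HEADER + (
    b'  <key>NSAppTransportSecurity</key>\n  <dict>\n'
    b'    <key>NSExceptionDomains</key>\n    <dict>\n'
    b'      <key>legacy.example.invalid</key>\n      <dict>\n'
    b'        <key>NSExceptionAllowsInsecureHTTPLoads</key>\n        <true/>\n'
    b'        <key>NSExceptionMinimumTLSVersion</key>\n        <string>TLSv1.0</string>\n'
    b'      </dict>\n    </dict>\n  </dict>\n') + _FOOTER

# Constructed sample 3: no ATS dictionary at all, so Apple's secure defaults apply.
HARDENED_PLIST = _HEADER + _FOOTER


if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("scoped", SCOPED_PLIST), ("hardened", HARDENED_PLIST)):
        print(name, audit_ats(blob) or "no ATS weakenings found")
```

On a real device the same check applies to the `Info.plist` inside the `.app` directory of an extracted IPA; binary plists load through the same `plistlib.loads` call. The hardened case is simply the absence of an `NSAppTransportSecurity` dictionary, which is the configuration the quoted experts are asking for.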
## **Data Redirected to ByteDance-Managed Servers**
Compounding the worries, the app sends user data to servers managed by **ByteDance**, the Chinese technology giant that owns TikTok. While part of this information is encrypted using **Transport Layer Security (TLS)**, it can be decrypted and potentially cross-referenced with other data once it arrives at ByteDance’s servers. This raises significant privacy concerns, as it could facilitate user tracking and profiling.
## **Outdated Encryption Standards**
The security review also revealed that the DeepSeek app relies on **Triple DES (3DES)** encryption, a symmetric cipher that was deprecated by the **National Institute of Standards and Technology (NIST)** in 2016 due to its susceptibility to contemporary cryptographic attacks. Even more troubling, the encryption keys are hardcoded within the app and are identical for all iOS users, so a key extracted from any one copy of the app unlocks every user’s data.
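The core problem with a hardcoded key is that it is one key for the whole user base: whatever cipher wraps it, extracting the constant from one copy of the binary is enough to read every installation’s traffic. The following added example (not DeepSeek’s or NowSecure’s code) contrasts that pattern with a per-installation key derived via HKDF (RFC 5869, HMAC-SHA256, implemented here from the standard library) from a secret each device generates once and keeps in the platform keystore. The hardcoded key value, the salt and the `device_secret` inputs are constructed placeholders; the iOS Keychain storage step is described in comments only, since it cannot be shown in Python.

```python
"""Hardcoded app-wide key versus per-installation derived keys.

Added illustration; not code from DeepSeek or NowSecure. Standard library only.
"""
import hashlib
import hmac
import os

# The anti-pattern: a key literal baked into the binary. Anyone who pulls it out of
# one copy of the app holds the key for every user. (Constructed placeholder; a 24-byte
# value is shown because that is the size of a 3DES key.)
HARDCODED_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef0123456789abcdef")

# Constructed, non-secret salt; a real app would use a fixed application-specific string.
APP_SALT = b"example-app-key-derivation-v1"


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: Extract (HMAC(salt, ikm)) then Expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def app_key_hardcoded(_device_secret: bytes) -> bytes:
    """Every installation gets the same key, whatever device it runs on."""
    return HARDCODED_KEY


def app_key_per_install(device_secret: bytes, purpose: bytes = b"chat-payload") -> bytes:
    """Derive a purpose-bound key from a secret that exists only on this device.

    `device_secret` stands in for a random value the app generates on first launch
    and stores in the platform keystore (the iOS Keychain); it never ships in the binary.
    """
    return hkdf_sha256(device_secret, salt=APP_SALT, info=purpose)


def new_device_secret() -> bytes:
    """What first launch would generate on a real device (32 random bytes)."""
    return os.urandom(32)


def keys_are_shared(derive, device_secrets) -> bool:
    """True if any two distinct installations end up holding the same key."""
    keys = {derive(s) for s in device_secrets}
    return len(keys) < len(device_secrets)


if __name__ == "__main__":
    installs = [new_device_secret() for _ in range(3)]
    print("hardcoded key shared across installs:", keys_are_shared(app_key_hardcoded, installs))
    print("derived key shared across installs:  ", keys_are_shared(app_key_per_install, installs))
```

Binding the `info` argument to a purpose (`chat-payload`, `local-cache`, and so on) also means a key leaked from one use cannot be reused for another, and rotating the device secret rotates every derived key at once. None of this rescues a deprecated cipher such as 3DES; it addresses the separate problem the article raises, that the keys are static and shared.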
## **Other Security Vulnerabilities**
In addition to unencrypted data transmission and weak encryption, the DeepSeek app exhibits several further security issues:
– **Hardcoded encryption keys:** These keys can be extracted from the app, simplifying the process for attackers to decrypt sensitive information.
– **Data storage in China:** DeepSeek’s privacy policy indicates that user data is stored on servers in **the People’s Republic of China**, where it might be accessed by government authorities.
– **Possible data sharing with external parties:** The app’s privacy policy permits data sharing with law enforcement and other entities under ambiguous terms.
## **Professional Responses and Suggestions**
Andrew Hoog, co-founder of NowSecure, strongly recommended that organizations remove the DeepSeek app from their devices because of its security risks. He noted:
> “There are essential security practices that are not being adhered to, whether purposely or inadvertently. In the end, it threatens your and your company’s data and identity.”
Thomas Reed, an iOS security authority at Huntress, also critiqued the app’s security shortcomings:
> “The disabling of ATS is generally a poor decision. It effectively allows the app to communicate using insecure protocols, such as HTTP. Apple permits this, but they shouldn’t. There’s no valid reason for this in today’s context.”
## **DeepSeek’s Privacy Policy Triggers Alarms**
The DeepSeek privacy policy clearly indicates that user data may be accessed and shared with law enforcement and other third parties if deemed necessary. This fosters concerns over potential government surveillance, especially considering that the data is housed in China.
Moreover, security analysts from **Cisco and the University of Pennsylvania** found that DeepSeek’s AI model showed a **100% failure rate** against malicious prompts designed to elicit harmful content, further underlining the app’s weaknesses.
## **Government Action and Potential Prohibition**
In light of these security issues, **U.S. legislators have suggested prohibiting DeepSeek from all governmental devices**. The proposed law references national security vulnerabilities, particularly the risk that the Chinese Communist Party could leverage the app to gain access to sensitive user information. If approved, the ban could become effective within **60 days**.
## **Final Thoughts**
The swift ascent of the DeepSeek AI app has been overshadowed by significant security and privacy issues. From unencrypted data transmission to outdated encryption practices and potential government surveillance, the app presents considerable risks to users. Security professionals strongly discourage using the app, and U.S. lawmakers are contemplating banning it from government devices.
For users concerned about data privacy, staying informed and exercising caution when engaging with AI-enabled applications, particularly those with dubious security measures, is essential.