New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on January 25, 2025. But experts warn that many of DeepSeek's design choices, such as the use of hardcoded encryption keys and the sending of unencrypted user and device data to Chinese companies, present a number of glaring security and privacy risks.
Public interest in DeepSeek's AI chat apps swelled following media reports that the Chinese AI company had managed to match the capabilities of advanced chatbots while using a fraction of the specialized computer chips that the leading AI companies rely on. To date, DeepSeek is the third most downloaded “free” app on the Apple Store, and No. 1 on Google Play.
DeepSeek's rapid rise drew the attention of the mobile security firm NowSecure, a Chicago-based company that helps customers screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.
NowSecure founder Andrew Hoog said they had not yet completed an in-depth analysis of the DeepSeek app for Android devices, but that there was little reason to believe its basic design would be functionally much different.
Hoog told KrebsOnSecurity there were a number of qualities of the DeepSeek iOS app that suggest the presence of deeply embedded security and privacy risks. For starters, he said, the app collects a lot of data about the user's device.
“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog said, noting that one property of the app tracks the device's name, which for many iOS devices defaults to the customer's name followed by the device type.
The shared device information, combined with the user's internet address and data collected from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure said it was unclear whether the data is merely leveraging ByteDance's digital transformation cloud service or whether the declared information sharing extends further between the two companies.
Perhaps more worrying, NowSecure said the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data handled by the app could be intercepted, read, and even modified by anyone with access to any of the networks that carry the app's traffic.
“The DeepSeek iOS app disables App Transport Security (ATS), which is an iOS platform-level protection that prevents sensitive data from being sent over unencrypted channels,” the report observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”
Hoog said the app selectively encrypts portions of the responses coming from DeepSeek's servers. But they also found it uses an insecure and now-obsolete encryption algorithm called 3DES (aka Triple DES), and that the developers had hardcoded the encryption key. This means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
There were other, less alarming security and privacy issues highlighted in the report, but Hoog said he was confident there were additional, unseen security problems lurking in the app's code.
“When we see people making really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog said. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a conscious choice, they point to significant lapses in security and privacy controls, and that is dangerous.”
Apparently, many others share this view. Axios reported on January 30 that U.S. congressional offices had been warned not to use the app.
“(T)hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer of the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek's functionality on all House-issued devices.”
TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that the Pentagon has blocked access to DeepSeek. CNBC says NASA has also barred employees from using the service, as has the U.S. Navy.
Beyond the security issues tied to the DeepSeek iOS app, there are indications that the Chinese AI company may be playing fast and loose with the data it collects on and about users. On January 29, researchers at Wiz said they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets and operational details.”
“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. (Full disclosure: Wiz is currently an advertiser on this site.)
KrebsOnSecurity sought comment on the report from DeepSeek and Apple. This story will be updated with any substantive responses.