Mobile security researchers have uncovered serious vulnerabilities in the DeepSeek iOS app, threatening the security of sensitive user and organizational data. Since its launch in late January 2025, the app has gained widespread use, but a recent assessment by NowSecure highlights risks that could lead to unauthorized data access and manipulation.
The vulnerabilities include unencrypted data transmission, making it easy for attackers to intercept user information through Man-in-the-Middle attacks. Additionally, the app stores credentials and encryption keys insecurely, further exposing users to potential breaches. A notable concern is the app's data transmission to Volcengine, a ByteDance-operated cloud platform, which introduces data governance and surveillance risks.
The DeepSeek app also bypasses iOS privacy controls like App Transport Security and lacks necessary Privacy Manifests, increasing the risk of tracking and unauthorized data collection. Security experts urge high-risk organizations to stop using the app immediately and consider alternatives such as self-hosting the DeepSeek AI model or using other AI tools with stronger security measures.
These findings emphasize the need for ongoing mobile app security monitoring. Mobile applications are a dynamic and often underestimated attack vector that can endanger intellectual property, corporate secrets, and even national security infrastructure. NowSecure's report serves as a crucial reminder of the hidden dangers in mobile apps and the importance of proactive security evaluations.
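The App Transport Security and Privacy Manifest findings described above can be checked statically in any iOS build before it is approved for managed devices. The following is an added example, not NowSecure's tooling or code from the report; the function names, the sample `Info.plist` and the bundle listing are constructed for illustration.

```python
import plistlib

# Real ATS keys from Apple's Info.plist schema that weaken transport security.
GLOBAL_WEAKENERS = (
    "NSAllowsArbitraryLoads",
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
)
PRIVACY_MANIFEST = "PrivacyInfo.xcprivacy"


def audit_ats(info_plist: bytes) -> list[str]:
    """Return findings for ATS settings that permit cleartext or legacy TLS."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = [f"global: {k} is true" for k in GLOBAL_WEAKENERS if ats.get(k) is True]
    for domain, cfg in sorted(ats.get("NSExceptionDomains", {}).items()):
        if cfg.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " (and subdomains)" if cfg.get("NSIncludesSubdomains") else ""
            findings.append(f"domain: {domain}{scope} allows insecure HTTP")
        if cfg.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"domain: {domain} permits {cfg['NSExceptionMinimumTLSVersion']}")
    return findings


def has_privacy_manifest(bundle_paths: list[str]) -> bool:
    """True only if the app itself (not just a bundled SDK) ships a manifest."""
    for path in bundle_paths:
        parts = path.split("/")
        if (len(parts) == 3 and parts[0] == "Payload"
                and parts[1].endswith(".app") and parts[2] == PRIVACY_MANIFEST):
            return True
    return False


# Constructed sample: ATS disabled globally plus one per-domain exception.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleName": "Sample",
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {"example.test": {
            "NSExceptionAllowsInsecureHTTPLoads": True, "NSIncludesSubdomains": True}},
    },
})
# Constructed IPA file listing: only a third-party framework carries a manifest.
SAMPLE_BUNDLE = ["Payload/Sample.app/Info.plist",
                 "Payload/Sample.app/Frameworks/Vendor.framework/PrivacyInfo.xcprivacy"]

if __name__ == "__main__":
    print(audit_ats(SAMPLE_INFO_PLIST), has_privacy_manifest(SAMPLE_BUNDLE))
```

A static check like this only shows what the app declares; whether traffic actually leaves the device unencrypted still has to be confirmed with network inspection on a test device.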


