The popular generative AI app DeepSeek faces scrutiny following a report by cybersecurity firm NowSecure detailing several security vulnerabilities that could compromise user data. The app, which rapidly climbed the Apple App Store charts in January, reportedly transmits data unencrypted and stores sensitive credentials insecurely.
Unencrypted Data Transmission and Storage
NowSecure’s analysis reveals alarming security flaws within the DeepSeek mobile app, the primary access point for many users interacting with the company’s AI models. Critically, the iOS version disables Apple’s App Transport Security (ATS), a crucial feature designed to prevent sensitive data transmission over unencrypted channels. This lapse allows the app to send data unencrypted, exposing users to potential man-in-the-middle attacks where malicious actors can intercept and manipulate communications between the user and DeepSeek’s servers. Furthermore, the app insecurely caches sensitive information, including usernames and passwords, in an unencrypted file on the device, where it is exposed to attackers with physical or remote access.
Data Collection and Tracking Concerns
Beyond these critical vulnerabilities, NowSecure also identified data collection practices that raise privacy concerns. The app collects various data points about the user’s network and device, information that could be exploited by data brokers or malicious actors for tracking and monitoring purposes. This data collection, while common among mobile apps, adds another layer of risk for DeepSeek users.
Government Bans and Security Concerns
The NowSecure report comes amid growing concerns about DeepSeek’s security practices and its Chinese origins. Several governments, including New York State, have banned the app’s use on government devices. Federal legislation is currently under consideration in the US to implement a similar ban, and countries like South Korea, Australia, and Taiwan have already blocked access to DeepSeek’s models on official devices.
Implications for Businesses and Individuals
These security vulnerabilities pose significant risks for both businesses and individual users. Organizations relying on DeepSeek’s AI models should carefully evaluate the security implications and consider alternative solutions. Individuals using the app should be aware of the potential data exposure and take precautions to protect their personal information.
Conclusion: Proceed with Caution
While DeepSeek offers powerful AI capabilities, the identified security vulnerabilities warrant serious consideration. Users should exercise caution and await further information from DeepSeek on how it will address these concerns before continuing to use the app. The ongoing government bans and security scrutiny underscore the importance of prioritizing data security and privacy when using AI-powered applications.