
    DeepSeek App Exposes User Data: Encryption Failures Uncovered

    An in-depth forensic analysis of DeepSeek’s mobile application for Apple’s iOS ecosystem has unearthed severe security lapses, the most egregious being its transmission of confidential user and device data across the internet without encryption—leaving it alarmingly susceptible to interception and malicious exploitation.

    This scrutiny was conducted by NowSecure, which further uncovered that the application neglects fundamental security best practices while simultaneously amassing an extensive cache of user and device-specific metadata.

    “The DeepSeek iOS app transmits specific mobile registration and device details over the web without utilizing encryption,” NowSecure reported. “This glaring vulnerability exposes transmitted data to both passive eavesdropping and active manipulation attacks.”

    Further examination revealed multiple flaws in the app’s encryption protocols, including reliance on the outdated and insecure 3DES symmetric encryption algorithm, the hardcoding of cryptographic keys within the application’s code, and the repeated use of identical initialization vectors—practices that significantly undermine data security.

    Adding to these concerns, the data is funneled into servers operated by Volcano Engine, a cloud computing and storage subsidiary under ByteDance, the Chinese conglomerate behind TikTok.

    “The DeepSeek iOS app universally disables App Transport Security (ATS), an essential iOS security feature that enforces encrypted connections,” NowSecure further elaborated. “With ATS deactivated, the application is not only permitted to transmit unencrypted data but actively does so.”

    These findings contribute to mounting concerns surrounding DeepSeek’s AI-powered chatbot service, even as it rapidly climbs the rankings of app stores across both iOS and Android platforms in numerous global markets.

    Cybersecurity firm Check Point has observed cybercriminals leveraging DeepSeek’s AI engines—alongside Alibaba Qwen and OpenAI ChatGPT—to fabricate data-exfiltration malware, craft unrestricted and unmoderated content, and fine-tune scripts for large-scale spam campaigns.

    “As threat actors employ advanced methods such as jailbreaking to circumvent security barriers and develop information-stealing malware, conduct financial fraud, and orchestrate spam operations, organizations must adopt preemptive cybersecurity measures to safeguard against the evolving risks posed by AI misuse,” Check Point cautioned.

    Compounding these apprehensions, a recent investigative report by the Associated Press disclosed that DeepSeek’s website is configured to relay user authentication details to China Mobile, a state-controlled telecom entity blacklisted from U.S. operations due to national security concerns.

    Much like TikTok, DeepSeek’s affiliations with Chinese entities have incited U.S. lawmakers to advocate for a sweeping prohibition on its usage across government-issued devices, citing the potential risk of data exfiltration to Beijing.

    Notably, several nations (including Australia, Italy, the Netherlands, Taiwan, and South Korea) as well as government institutions in India and the United States (such as the U.S. Congress, NASA, the Navy, the Pentagon, and Texas state agencies) have already imposed restrictions on the app’s usage within official capacities.

    DeepSeek’s meteoric rise has also rendered it a prime target for cyber onslaughts. Chinese cybersecurity firm XLab reported to Global Times that the service has endured sustained DDoS (Distributed Denial-of-Service) attacks, orchestrated by notorious Mirai-based botnets, hailBot and RapperBot, in recent weeks.

    Simultaneously, cybercriminals have wasted no time in capitalizing on DeepSeek’s soaring popularity—crafting deceptive lookalike websites designed to distribute malware, investment fraud schemes, and cryptocurrency-related scams to unwitting users.
