My post yesterday about DeepSeek concerns was just the start: there are apparently critical vulnerabilities in the DeepSeek iOS app.
According to this article, mobile security firm NowSecure has identified multiple critical security and privacy vulnerabilities in the DeepSeek iOS mobile app. This report delves into the most concerning security and privacy issues identified by NowSecure, the implications for enterprises and government agencies, and the recommended actions to mitigate the risks.
NowSecure’s analysis revealed a host of vulnerabilities that expose users to potential data breaches, surveillance, and regulatory non-compliance. The five most critical risks include:
- Unencrypted Data Transmission: The app transmits sensitive user data without encryption, making it vulnerable to interception and manipulation by attackers. This exposes users to man-in-the-middle (MITM) attacks, where attackers can eavesdrop or alter data in transit.
- Weak & Hardcoded Encryption Keys: DeepSeek employs outdated Triple DES encryption, which is known to be insecure. Additionally, it uses hardcoded encryption keys and reuses initialization vectors, violating basic cybersecurity best practices.
- Insecure Data Storage: Sensitive user information—including usernames, passwords, and encryption keys—is stored insecurely on the device. If an attacker gains access to the device, these credentials can be easily extracted and misused.
- Extensive Data Collection & Fingerprinting: The app collects extensive data on users and their devices, which can be used for tracking and de-anonymization. This level of data collection raises concerns about potential surveillance and profiling of users.
- Data Sent to China & Governed by PRC Laws: As I already alluded to yesterday, user data is transmitted to servers controlled by ByteDance, a company with direct ties to China. This raises legal and regulatory risks, as the data falls under Chinese jurisdiction, where privacy laws differ significantly from those in the US and EU.
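One common way an iOS app ends up sending data in the clear, as described in the first finding above, is by switching off App Transport Security (ATS) in its Info.plist; the article does not say that this is how the DeepSeek app does it, so treat that as an assumption. The fragment below is an added example, not from NowSecure or the app itself, showing the weak setting beside a corrected one (the host name is a placeholder):

```xml
<!-- Weak: ATS disabled for every connection. Any endpoint may be
     reached over cleartext HTTP, so anyone on the network path can
     read or alter the traffic (the MITM exposure in the finding). -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Corrected: keep ATS on (default: HTTPS only, TLS 1.2 or newer)
     and, where the app talks to its own API, tighten that domain
     rather than loosening it. api.example.com is a placeholder,
     not an endpoint from the article. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
        <key>api.example.com</key>
        <dict>
            <key>NSIncludesSubdomains</key>
            <true/>
            <key>NSExceptionMinimumTLSVersion</key>
            <string>TLSv1.3</string>
            <key>NSExceptionRequiresForwardSecrecy</key>
            <true/>
        </dict>
    </dict>
</dict>
```

On a Mac, `plutil -p Info.plist` prints the decoded plist from a built app bundle, so a reviewer can check for `NSAllowsArbitraryLoads` without the source.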
This diagram from NowSecure illustrates the critical vulnerabilities in the DeepSeek iOS app:

For organizations that have adopted DeepSeek as part of their AI or productivity workflows, these security risks pose severe consequences, including:
- Potential exposure of sensitive data.
- Increased surveillance risk via the app’s aggressive data collection and fingerprinting techniques, which can track and monitor users.
- Regulatory & compliance issues under GDPR and other data protection regulations.
- Potential reputational damage.
Given the immediate risk, NowSecure strongly advises organizations to take swift action, including:
- Remove the DeepSeek iOS App Immediately: Organizations should prohibit the use of DeepSeek within both managed (corporate devices) and BYOD (bring-your-own-device) environments.
- Explore Alternative AI Platforms: Companies and agencies should consider AI solutions with stronger security and privacy safeguards, such as self-hosted models or enterprise-grade alternatives.
- Monitor Mobile App Security Regularly: Businesses should implement continuous monitoring and testing of mobile applications to detect new security threats before they cause harm.
- Assess Compliance & Legal Risks: Organizations should review their data privacy policies to ensure they are not at risk of violating international data protection laws due to DeepSeek’s data-sharing practices.
In short, using the DeepSeek iOS app doesn’t just open a can of worms from a cyber perspective – more like an entire cannery of worms.
The article goes into considerable depth regarding the critical vulnerabilities in the DeepSeek iOS app – considerably more than I can do justice to here. Given everything I continue to read about DeepSeek, I wouldn’t touch it with a 39 and a half foot pole (some of you will know that reference). Despite that, DeepSeek has been the top iOS app since January 25, 2025, having already been downloaded by millions, including enterprise and government users. Ruh-roh.
Hat tip to Gregory Bufithis for the reference on this article and more.
So, what do you think? Are you using the DeepSeek iOS app? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
Discover more from eDiscovery Today by Doug Austin
Wow – thanks for bringing this to light. Much appreciated. This is scary stuff.