
DeepSeek for iOS is a security nightmare, report finds

Ray Fernandez

Feb 13, 2025 · 6 min read


DeepSeek, the Chinese AI startup whose chatbot became the most downloaded app on Apple's US App Store shortly after release, is once again in the spotlight.

A new report from NowSecure found multiple security and privacy flaws in the DeepSeek app for iPhone and iPad users. Let’s look at the findings of this report to understand the risks that come with this particular AI model. 

NowSecure takes a deep dive into DeepSeek’s user data management 

A recent NowSecure mobile application security and privacy assessment found that the DeepSeek iOS app has serious privacy and security problems. NowSecure urged enterprises to remove the app from managed devices and block it in their environments.

The main concern is data leakage. According to DeepSeek's privacy policy, the company stores user data in China, where national security and intelligence laws can compel companies to hand data over to the authorities on request.

An image of DeepSeek's user document privacy policy.
DeepSeek’s user document clearly states that they store data in mainland China servers. Image: Screenshot, Moonlock.

A growing trend to ban DeepSeek internationally

NowSecure is not the only organization calling for DeepSeek to be banned. Bloomberg recently reported that "hundreds of companies," especially those linked to government sectors, have restricted or outright banned DeepSeek.

Italy was the first European country to block DeepSeek, citing unanswered questions about its compliance with EU data protection law. Regulators elsewhere in the region, including Ireland, France, Belgium, and the Netherlands, are investigating the app and considering similar action.

Nadir Izrael, chief technology officer of the cyber firm Armis Inc., told Bloomberg that concerns about potential data leaks to the Chinese government and weak privacy safeguards are driving the wave of projects to block DeepSeek.

The vulnerabilities NowSecure found in DeepSeek for iOS

Part of NowSecure's report simply reads DeepSeek's own documentation. The company does not conceal that it sends data to servers in China, and its policies describe how user data is handled. Those documents, however, are rarely read in full, by users or even by IT staff.

A screenshot of the DeepSeek user agreement.
DeepSeek documentation, accessible to all users, clearly explains Chinese laws. It cites the cases in which your data can be accessed by the Chinese government. Image: Screenshot, Moonlock.

NowSecure said it found several critical vulnerabilities in the DeepSeek iOS app, which it says put individuals, enterprises, and governments at risk.

One of the vulnerabilities is unencrypted data transmission. "The app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation," NowSecure researchers said. On iOS, plaintext HTTP is only possible when an app opts out of App Transport Security (ATS), the platform default that rejects non-TLS connections, so this is a deliberate configuration choice rather than an accident of the network.

Additionally, NowSecure found that DeepSeek's encryption keys are "weak and hardcoded." Its report says the app uses an outdated cipher, reuses initialization vectors, and embeds the encryption key in the app itself, all of which violate basic cryptographic practice. A key compiled into the binary can be recovered by anyone who unpacks the app, and a reused IV makes encryption deterministic: identical inputs produce identical output, and in stream or counter modes two messages encrypted under the same key and IV leak each other's contents.
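To see why a hard-coded key plus a reused IV matters, here is an added example (mine, not code from NowSecure's report or from the DeepSeek app). The page does not name the cipher or mode the app uses, so the example uses a counter-mode stream construction whose keystream comes from HMAC-SHA256, an assumption chosen so it runs on the Python standard library; the key, IV and messages are constructed values. It shows that a fixed key and fixed IV make encryption deterministic and let an attacker who captures two ciphertexts and knows one plaintext recover the other without ever extracting the key, and that a fresh random IV per message removes that property.

```python
"""Hard-coded key + reused IV: why it breaks, and the IV half of the fix.

Added example, not code from the NowSecure report or the DeepSeek app.
The page does not specify cipher or mode; a counter-mode keystream built
from HMAC-SHA256 is used here so the example runs on the standard library.
CBC with a fixed IV fails in a milder but related way: equal plaintext
prefixes produce equal ciphertext prefixes.
"""
import hashlib
import hmac
import os

# Anti-pattern (constructed values): a key compiled into the app binary and
# an IV that never changes. Anyone who unpacks the app can read both.
HARDCODED_KEY = b"0123456789abcdef"
FIXED_IV = b"\x00" * 8


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode: keystream block i = HMAC-SHA256(key, iv || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_broken(plaintext: bytes) -> bytes:
    """What the anti-pattern looks like: same key, same IV, every message."""
    return xor(plaintext, keystream(HARDCODED_KEY, FIXED_IV, len(plaintext)))


def recover_with_crib(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """Attack that needs no key: when key and IV are shared, ct1 XOR ct2 equals
    pt1 XOR pt2, so knowing pt1 (a crib such as a fixed JSON field) yields pt2."""
    n = min(len(ct1), len(ct2), len(known_pt1))
    return xor(xor(ct1[:n], ct2[:n]), known_pt1[:n])


def encrypt_fixed(key: bytes, plaintext: bytes) -> bytes:
    """Fix for the IV problem: a fresh random IV per message, prepended to the
    ciphertext. The key itself should come from the iOS keychain rather than
    a literal; that part cannot be demonstrated offline."""
    iv = os.urandom(8)
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def decrypt_fixed(key: bytes, blob: bytes) -> bytes:
    iv, ct = blob[:8], blob[8:]
    return xor(ct, keystream(key, iv, len(ct)))


if __name__ == "__main__":
    m1, m2 = b"username=alice", b"password=hunter2"        # constructed messages
    c1, c2 = encrypt_broken(m1), encrypt_broken(m2)
    print("deterministic:", encrypt_broken(m1) == c1)              # True
    print("recovered without key:", recover_with_crib(c1, c2, m1))  # b'password=hunte'
    key = os.urandom(16)
    b1, b2 = encrypt_fixed(key, m2), encrypt_fixed(key, m2)
    print("same plaintext, different ciphertext:", b1 != b2)       # True
    print("round trip:", decrypt_fixed(key, b1) == m2)              # True
```

Two caveats. First, the crib attack is the attacker's fallback; with the key sitting in the binary, they can simply decrypt everything directly. Second, the construction above, like a bare 3DES or AES mode, provides no integrity protection, so a modern implementation should use an authenticated cipher (AES-GCM or ChaCha20-Poly1305, both available in Apple's CryptoKit) with a per-message nonce and a key held in the keychain or Secure Enclave.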

A screenshot of the NowSecure analysis of DeepSeek.
NowSecure analysis (redacted) shows how DeepSeek manages sensitive data on its iOS iPhone versions. Image: Screenshot, Moonlock.

Usernames, passwords, and encryption keys are all stored insecurely on the device, according to NowSecure, which raises the risk of credential theft.

Vulnerabilities that are common among AI brands

Similar concerns, especially about how usernames, passwords, and access credentials are handled, have been raised about other AI apps as well. That is not an excuse, but it is worth understanding that the problem is not unique to DeepSeek.

Another concern, evident from reading DeepSeek's Privacy Policy, is the volume of information the app collects from users' devices: device and system data, IP addresses, chat content, and much more. Moonlock can confirm that DeepSeek sends users' data to China, where digital operations are governed by the laws of the People's Republic of China (PRC).

“User data is transmitted to servers controlled by ByteDance, raising concerns over government access and compliance risks,” NowSecure said. 

These weaknesses can be exploited by threat actors and may expose sensitive data, including prompts, intellectual property, and confidential communications. The cookies the app sets and the device fingerprinting it performs add to the risk of surveillance.

A screenshot of the DeepSeek Privacy Policy section.
The DeepSeek Privacy Policy section explains how they collect data for operation and security. Image: Screenshot, Moonlock.

Finally, while DeepSeek complies with Chinese law, organizations that adopt it may themselves breach EU or US data protection rules, which differ sharply from China's, by sending regulated data there.

Username, password, and encryption keys on DeepSeek

One of the most concerning findings is how DeepSeek handles usernames, passwords, and encryption keys. NowSecure recovered sensitive data from a cache database stored on the iPhone itself.

“In certain conditions, notably with physical access to an unlocked device, this data can be recovered and leveraged by an attacker,” NowSecure said. 

The data ends up there because the app talks to its back end through the NSURLRequest API, whose default URL cache writes HTTP responses to a Cache.db SQLite file inside the app container. "The API will, by default, cache HTTP responses in a Cache.db file unless caching is explicitly disabled," NowSecure's researchers explained.
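As an added example (mine, not NowSecure's tooling), here is a small Python script that inspects a Cache.db for cached responses containing credentials or tokens. The sample database it builds is constructed; its two tables mirror the CFNetwork cache schema (cfurl_cache_response for the URL and timestamp, cfurl_cache_receiver_data for the body) as described in iOS forensics write-ups, which is an assumption you should verify against a real file, normally found in the app container at Library/Caches/<bundle id>/Cache.db. The field names it searches for are illustrative; adjust them to the app's API.

```python
"""Scan an NSURLCache Cache.db for cached responses that carry secrets.

Added example; not NowSecure's tooling or anything from the DeepSeek app.
The constructed sample mirrors the CFNetwork cache tables as described in
forensics write-ups (an assumption): cfurl_cache_response holds the request
URL and timestamp, cfurl_cache_receiver_data holds the response body, or a
flag saying the body was written to the fsCachedData/ directory instead.
"""
import os
import re
import sqlite3
import tempfile

# Field names a reviewer would look for in cached JSON bodies (illustrative list).
SENSITIVE_FIELDS = re.compile(
    rb'"(password|passwd|token|access_token|refresh_token|session|secret|api_key)"\s*:',
    re.IGNORECASE,
)
# Three base64url segments, the first two starting with '{"' encoded as eyJ: a JWT.
JWT = re.compile(rb"eyJ[A-Za-z0-9_-]{10,}\.eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")


def build_sample_cache(path: str) -> None:
    """Create a constructed Cache.db with three entries (sample data, not real)."""
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE cfurl_cache_response(
            entry_ID INTEGER PRIMARY KEY, version INTEGER, hash_value INTEGER,
            storage_policy INTEGER, request_key TEXT UNIQUE,
            time_stamp NOT NULL DEFAULT CURRENT_TIMESTAMP, partition TEXT);
        CREATE TABLE cfurl_cache_receiver_data(
            entry_ID INTEGER PRIMARY KEY, isDataOnFS INTEGER, receiver_data BLOB);
        """
    )
    rows = [
        (1, "https://api.example.test/v1/login", 0,
         b'{"user":"alice@example.test","token":"eyJhbGciOiJIUzI1NiJ9.'
         b'eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX2J5dGVzX2hlcmU","password":"hunter2"}'),
        (2, "https://api.example.test/v1/status", 0, b'{"status":"ok"}'),
        (3, "https://cdn.example.test/logo.png", 1, None),  # body lives in fsCachedData/
    ]
    for entry_id, url, on_fs, body in rows:
        con.execute(
            "INSERT INTO cfurl_cache_response"
            "(entry_ID, version, hash_value, storage_policy, request_key, partition)"
            " VALUES (?, 0, 0, 0, ?, NULL)",
            (entry_id, url),
        )
        con.execute("INSERT INTO cfurl_cache_receiver_data VALUES (?, ?, ?)",
                    (entry_id, on_fs, body))
    con.commit()
    con.close()


def scan_cache_db(path: str) -> list[dict]:
    """One record per cached response: URL, timestamp, whether the body is on
    disk rather than in the db, and which sensitive fields the body contains."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only: do not alter evidence
    try:
        cur = con.execute(
            """SELECT r.request_key, r.time_stamp, d.isDataOnFS, d.receiver_data
               FROM cfurl_cache_response r
               LEFT JOIN cfurl_cache_receiver_data d ON d.entry_ID = r.entry_ID"""
        )
        findings = []
        for url, ts, on_fs, body in cur:
            hits = set()
            if body:
                hits.update(m.group(1).decode().lower() for m in SENSITIVE_FIELDS.finditer(body))
                if JWT.search(body):
                    hits.add("jwt")
            findings.append({"url": url, "time_stamp": ts,
                             "body_on_fs": bool(on_fs), "hits": sorted(hits)})
        return findings
    finally:
        con.close()


def run_demo() -> list[dict]:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "Cache.db")
        build_sample_cache(db)
        return scan_cache_db(db)


if __name__ == "__main__":
    for rec in run_demo():
        label = "SECRETS" if rec["hits"] else ("body on disk" if rec["body_on_fs"] else "clean")
        print(f"{label:13} {rec['url']}  {rec['hits']}")
```

Entries flagged "body on disk" need a second pass over the files in fsCachedData/, which this script does not read. The fix on the app side is to keep such responses out of the cache entirely: use a URLSessionConfiguration.ephemeral session, or set urlCache to nil, or mark individual requests with the .reloadIgnoringLocalCacheData cache policy, and have the server send Cache-Control: no-store on authentication endpoints so a default-configured client will not persist them either.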

Screenshot of NowSecure DeepSeek iOS app analysis.
NowSecure ran a DeepSeek iOS app analysis and found that the app shares data with Chinese companies or US companies linked to China. Image: Screenshot, Moonlock.

Additionally, a long software bill of materials (the third-party components bundled into the app), back-end processes that can be leveraged for tracking, and US-hosted IPs and endpoints linked to Chinese companies are among the other red flags NowSecure noted.

“In reviewing the sensitive APIs accessed and methods tracked, the DeepSeek iOS app exhibits behaviors that indicate a high risk of fingerprinting and tracking,” NowSecure concluded. 

Is DeepSeek a risk for the average personal iPhone user?

While organizations, companies, and governments should take appropriate actions to secure their information, the average iPhone user is unlikely to be a prime target of the Chinese government. 

However, we do recommend that individual users check the reports on the vulnerabilities discovered in DeepSeek and carefully read the fine print in the Terms of Services and the company’s Privacy Policy. 

A screenshot of the DeepSeek user documentation.
DeepSeek’s user documentation discloses the company’s legal obligation to comply with Chinese laws. Image: Screenshot, Moonlock.

Popular Chinese apps that clash with the privacy and security expectations of other countries are nothing new. TikTok, for example, has been banned in several countries and came close to a nationwide ban in the US for the same reasons.

However, despite going through similar issues, including a lack of strong security and privacy, sending data to China, and how easily the PRC government can access that data, TikTok continues to be heavily used in the US. In fact, 1 in 3 American adults still use TikTok. 

In the end, whether to use DeepSeek is your decision, but make it an informed one. Understand that when you use DeepSeek on your iPhone, your personal, system, and device data is collected, and some of it ends up on servers in China, where the government can compel access to it.

Is DeepSeek a risk to governments, companies, and organizations?

We agree with NowSecure that DeepSeek iOS poses a risk of data leaks to companies, governments, and organizations. However, there are other options for those who think DeepSeek brings value to the table. 

Developers can use other ways of running DeepSeek that offer better privacy and security. Options include self-hosting the open-weight DeepSeek models on infrastructure you control, or using versions offered by US providers such as Microsoft. Self-hosting removes the data-transfer concern but not the need to evaluate the model itself.

Final thoughts: Always read the fine print 

The risk of data leaks, and the question of how an AI service handles personal, business, or corporate data, is not an issue exclusive to DeepSeek. It applies to every AI company and model. Even the free public version of ChatGPT was banned by many US companies on release because of privacy concerns.

Whether you are a user, an employee working for a company, a developer, or an employee working for the government, we recommend that you carefully review the fine print of User Agreements and Terms of Services of DeepSeek and any AI app you are planning to use. 

Remember that AI supply chains are complex, and models need to transfer data (your data) to remote servers to operate. In this case, DeepSeek's own documentation shows that your data is sent to servers in China that the government can compel access to, and the vulnerabilities NowSecure found mean it is also exposed on the way there and on the device. Our advice? Always read the fine print.

This is an independent publication, and it has not been authorized, sponsored, or otherwise approved by Apple Inc. iPhone and iOS are trademarks of Apple Inc.

Ray Fernandez
Ray has been covering tech and cybersecurity for over 15 years. His work has appeared on TechRepublic, VentureBeat, Forbes, Entrepreneur, and the Microsoft Blog, among others.