Mobile security researchers at NowSecure have identified critical security vulnerabilities within the DeepSeek iOS mobile app, a top-ranked AI application since its launch in late January 2025. These flaws could compromise sensitive user and organizational data, highlighting a pressing concern for enterprises, government entities, and millions of users worldwide.
The assessment uncovered several key vulnerabilities, including unencrypted data transmission, making user information vulnerable to Man-in-the-Middle attacks, and insecure storage of credentials and encryption keys. Additionally, the app's data transmission to Volcengine, a cloud platform by ByteDance, raises data governance and potential surveillance concerns. The app also bypasses iOS privacy controls like App Transport Security and lacks necessary Privacy Manifests, increasing risks of tracking and unauthorized data collection.
Security experts urge high-risk organizations to stop using the DeepSeek iOS app immediately. Although the Android version remains untested, similar vulnerabilities are presumed. Alternatives such as self-hosting the DeepSeek AI model or opting for more secure AI tools are recommended. This situation underscores the necessity for ongoing mobile app security monitoring, as mobile applications present a dynamic and often neglected attack surface that could endanger intellectual property, corporate secrets, and national security infrastructure.
NowSecure's findings aim to spotlight the hidden dangers in mobile applications and advocate for proactive security evaluations across digital platforms, emphasizing the critical need for vigilance in the rapidly evolving tech landscape.
