Cybersecurity Experts Warn of DeepSeek Vulnerabilities as Governments Ban App

Micheal

DeepSeek iPhone App

A cybersecurity company is warning businesses and organizations not to use a popular app from the generative AI company DeepSeek, saying that the program contains a number of security vulnerabilities that could compromise users’ data.

The DeepSeek app, which shocked the stock market when it moved to the top of the Apple App Store in January, transmits data unencrypted over the internet and insecurely stores usernames, passwords, and other credentials, according to an analysis by mobile app security firm NowSecure.

The vulnerabilities the firm found affect the mobile app through which many users access DeepSeek’s AI models, not the models themselves, which can also be run locally on a user’s device or through a separate hosting platform.

“Because mobile apps change quickly and are a largely unprotected attack surface, they present a very real risk to companies and consumers,” NowSecure wrote. “DeepSeek is high profile, but not unique.”

Analyzing the DeepSeek app’s performance on real phones, NowSecure found that the iPhone version came with an important security feature designed by Apple turned off.

“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the analysts wrote. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”

The lack of encryption could make users susceptible to man-in-the-middle attacks, where someone with control over the network on which the device is communicating is able to view or modify communications between the user and DeepSeek’s servers.
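As an added illustration, not code from NowSecure, DeepSeek or this article: a small Python checker that reads an iOS app's Info.plist and reports whether App Transport Security is switched off globally or loosened per domain. It runs against two constructed sample plists; the bundle identifiers and the domain name are placeholders.

```python
import plistlib

# Constructed sample Info.plist fragments (placeholders, not any real app's files).
# The first disables ATS for every connection; the second keeps ATS on and only
# carves out one named legacy host, which the checker still flags for review.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.weakapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

HARDENED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.hardenedapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def ats_findings(plist_bytes: bytes) -> list:
    """Return ATS weaknesses found in an Info.plist (empty list means ATS is fully on)."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # Global switch: this is the setting that lets an app send plaintext HTTP anywhere.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true disables ATS for every connection")
    # Narrower global relaxations for web views and media loads.
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(f"global: {key}=true")
    # Per-domain exceptions: each one should have a documented justification.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"domain {domain}: plaintext HTTP allowed")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"domain {domain}: forward secrecy not required")
    return findings
```

Extract Info.plist from the .app bundle inside the IPA and pass its bytes to `ats_findings`; a non-empty result is the signal to ask why the exception exists.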

NowSecure also found that in some instances the DeepSeek app was caching sensitive information, including username and password, in an unencrypted file on the device that could potentially be reviewed by an attacker who gained physical or remote access to the device.

Other vulnerabilities NowSecure identified are more common among mobile apps. For example, the analysts determined that DeepSeek collects a variety of data about the network and device the app is operating on that can be combined with other information and used by data brokers, or potentially even more nefarious actors, to track and monitor a user.

The NowSecure report comes as several governments are banning their employees from using DeepSeek due to security vulnerabilities and the fact that the company is based in China.

On Monday, New York Governor Kathy Hochul announced that state employees were barred from using DeepSeek’s models on their devices.

Congress is currently considering a bill that would implement a similar ban at the federal level, and the governments of South Korea, Australia, and Taiwan have already blocked access to DeepSeek’s models on official devices.
