Experts Flag Security, Privacy Risks in DeepSeek AI App

Recent mobile applications from the Chinese artificial intelligence (AI) firm DeepSeek have consistently ranked among the top three “free” downloads for Apple and Google devices since their launch on January 25, 2025. However, specialists warn that several of DeepSeek’s design decisions — such as hard-coded encryption keys and the transmission of unencrypted user and device data to Chinese companies — pose a number of significant security and privacy risks.

DeepSeek AI App Raises Alarms Over Security and Privacy Concerns

Interest from the public in the DeepSeek AI chat applications surged after extensive media coverage indicated that the emerging Chinese AI company successfully matched the capabilities of state-of-the-art chatbots while utilizing only a small fraction of the specialized computing chips required by leading AI firms. At present, DeepSeek stands as the third most-downloaded “free” application on the Apple store, and #1 on Google Play.

DeepSeek’s swift ascent has drawn the attention of the mobile security firm NowSecure, a Chicago-based organization that helps clients evaluate mobile applications for security and privacy vulnerabilities. In a detailed analysis of the DeepSeek application released today, NowSecure recommended that organizations remove the DeepSeek iOS mobile app from their systems because of security concerns.

Andrew Hoog, the founder of NowSecure, said the company has yet to complete a thorough examination of the DeepSeek application for Android devices, but there is little reason to assume its fundamental design would differ significantly.

Hoog informed KrebsOnSecurity that several aspects of the DeepSeek iOS app indicate the presence of underlying security and privacy concerns. To begin with, he mentioned that the app gathers a substantial amount of information about the user’s device.

“They are engaging in quite fascinating practices that border on advanced device fingerprinting,” Hoog remarked, highlighting that one feature of the app tracks the name of the device — which often defaults to the user’s name followed by the type of iOS device for many iOS gadgets.

As NowSecure warns, the device details transmitted, combined with the user’s Internet address and data collected from mobile advertising firms, could facilitate the deanonymization of DeepSeek iOS application users. The report notes that DeepSeek communicates with Volcengine, a cloud platform created by ByteDance (the developer of TikTok), though NowSecure said it remains unclear whether the app merely uses ByteDance’s digital transformation cloud service or whether the declared data sharing extends further between the two companies.

Image: NowSecure.

Perhaps even more alarming, NowSecure indicated that the iOS application transmits device information “in the clear,” lacking any encryption to safeguard the data. This implies that the information handled by the application could be intercepted, accessed, and even altered by anyone who has access to any networks carrying the application’s traffic.

“The DeepSeek iOS application globally disables App Transport Security (ATS), which is an iOS platform-level safeguard designed to prevent sensitive data from being transmitted over unencrypted channels,” the report noted. “Because this protection is turned off, the app can (and does) transmit unencrypted data across the internet.”
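As an added illustration of the App Transport Security setting the report describes (this is not code from NowSecure or DeepSeek), the following Python audit helper parses an app’s Info.plist and flags an app-wide ATS opt-out as well as the narrower per-domain exceptions a reviewer would still want to see; the two plist fragments and the domain name in them are constructed for the example.

```python
import plistlib

# Constructed Info.plist fragments (not taken from the DeepSeek app): the first
# disables ATS globally, as the NowSecure report describes; the second keeps ATS
# on and carves out a single, non-wildcard exception domain.
WEAK_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict></plist>"""

SCOPED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.test</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>"""


def audit_ats(plist_bytes: bytes) -> list:
    """Return ATS findings for an Info.plist; an empty list means ATS is fully enforced."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    # Global opt-out: every connection in the app may use plaintext HTTP.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled app-wide")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("NSAllowsArbitraryLoadsInWebContent=true: cleartext allowed in web views")
    # Per-domain exceptions are far narrower but still deserve review.
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            scope = "and subdomains" if exc.get("NSIncludesSubdomains") else "only"
            findings.append(f"{domain} ({scope}): insecure HTTP loads permitted")
        if exc.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"{domain}: minimum TLS {exc['NSExceptionMinimumTLSVersion']} is weak")
    return findings
```

Run it against an IPA’s extracted Info.plist to get a quick first read on whether cleartext traffic is permitted app-wide or only for named legacy hosts.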

Hoog stated that the app does selectively encrypt certain sections of the responses received from DeepSeek servers. However, they also discovered it utilizes an insecure and now obsolete encryption algorithm known as 3DES (also referred to as Triple DES), and that the developers have hard-coded the encryption key. Hence, the cryptographic key necessary to decode those data fields can be extracted directly from the application.

The report pointed out additional, less alarming security and privacy concerns, and Hoog said he is confident that further, less visible security issues lurk within the app’s code.

“When we observe individuals showing very basic coding mistakes, as one digs deeper, there are typically many more problems,” Hoog remarked. “There appears to be virtually no prioritization around security or privacy. Whether due to cultural factors, dictated by China, or a deliberate choice, collectively they suggest a significant lapse in security and privacy protocols, exposing companies to risk.”

Evidently, many others share this perspective. Axios reported on January 30 that U.S. congressional offices are being cautioned against using the application.

“[T]hreat actors are already exploiting DeepSeek to deliver harmful software and compromise devices,” stated the notice from the chief administrative officer of the House of Representatives. “To alleviate these risks, the House has implemented security measures to restrict DeepSeek’s functionality on all House-issued devices.”

TechCrunch reports that Italy and Taiwan have already taken steps to prohibit DeepSeek over security concerns. Bloomberg writes that the Pentagon has restricted access to DeepSeek. CNBC states that NASA has also prohibited employees from using the service, as has the U.S. Navy.

Apart from security issues related to the DeepSeek iOS application, there are indications that the Chinese AI company may not be handling the information it gathers from and about users responsibly. On January 29, researchers at Wiz discovered a publicly available database connected to DeepSeek that exposed “a significant volume of chat history, backend data, and sensitive information, including log streams, API secrets, and operational details.”

“More critically, the exposure permitted full database control and potential privilege escalation within the DeepSeek environment, without any authentication or protective measures from the outside world,” Wiz indicated. [Full disclosure: Wiz is currently an advertiser on this site.]

KrebsOnSecurity has reached out for comments regarding the report from DeepSeek and from Apple. This article will be updated with any substantial responses.

