DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers
Summary
A China-based firm called DeepSeek has surged to the top of the free apps category on the Apple Store with its open-source AI chatbot, which rivals the performance of market-leader OpenAI.
However, mobile security company NowSecure has found a number of security flaws in the app, including the transmission of sensitive data over unencrypted channels.
This means the data can be read, and tampered with, by anyone who can monitor the traffic, even though Apple usually encourages developers to encrypt such communications.
Furthermore, the data is sent to servers controlled by ByteDance, the Chinese company that owns TikTok, and while some of it is encrypted, it can be decrypted on the servers and cross-referenced with user data to identify users and track their queries and usage.
In addition to the transport flaw, the NowSecure audit found that the app uses a deprecated symmetric encryption scheme with the same symmetric key for every iOS user, and that key is stored on the device.