
A recent security and privacy assessment by NowSecure has uncovered multiple severe vulnerabilities in the DeepSeek iOS mobile app, raising serious concerns for individuals, enterprises, and government agencies. Given its rapid rise to the top of the iOS App Store since January 25, 2025, the app has already amassed millions of downloads, making its security flaws even more alarming. In response, several governments, including the U.S. military and state agencies, have swiftly banned the app to safeguard sensitive data.
NowSecure’s comprehensive analysis reveals a range of critical security and privacy issues, prompting the firm to urge enterprises to prohibit its use immediately.
The NowSecure report outlines several critical vulnerabilities, including:
- Unencrypted Data Transmission – DeepSeek transmits sensitive user data without encryption, leaving it vulnerable to interception and man-in-the-middle (MITM) attacks. NowSecure states, “The DeepSeek iOS app sends some mobile app registration and device data over the Internet without encryption. This exposes any data in the internet traffic to both passive and active attacks.”
- Weak and Hardcoded Encryption Keys – The app employs the outdated Triple DES (3DES) algorithm, hardcodes encryption keys, and reuses initialization vectors (IVs), violating basic cryptographic security practices. 3DES is a known broken algorithm, making it a poor choice for protecting data confidentiality.
- Insecure Data Storage – Usernames, passwords, and encryption keys are stored in an insecure manner, increasing the risk of credential theft. “Sensitive data was recovered in a cached database on the device, making it retrievable under certain conditions, notably with physical access to an unlocked device,” the report warns.
- Extensive Data Collection & Fingerprinting – DeepSeek engages in aggressive user and device tracking, collecting identifiers that can be used to de-anonymize individuals. Over time, aggregated data points can effectively identify a user, posing significant surveillance and privacy risks.
- Data Sent to China and Governed by PRC Laws – User data is routed to servers controlled by ByteDance, making it subject to Chinese data governance laws. This raises serious concerns about surveillance, regulatory compliance, and data sovereignty.
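As an added example (not from the NowSecure report or the DeepSeek app), the kind of automated check a mobile app security review would run for the first finding above: it audits an iOS app's Info.plist App Transport Security (ATS) settings for exceptions that permit cleartext HTTP, and scans strings extracted from the binary for http:// endpoints. The Info.plist and the strings are constructed samples; the report does not state whether DeepSeek's own Info.plist disables ATS.

```python
import plistlib
import re

# Constructed sample Info.plist (not the DeepSeek app's) with a global ATS
# exception and a per-domain one, the settings that permit cleartext HTTP.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>telemetry.example.net</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed sample of strings pulled from an app binary (as `strings` would print).
SAMPLE_STRINGS = """https://api.example.net/v1/chat
http://telemetry.example.net/device/register
http://www.apple.com/DTDs/PropertyList-1.0.dtd
"""

def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return findings for ATS settings that allow cleartext HTTP connections."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("NSAllowsArbitraryLoads=true: ATS disabled for all connections")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true")
    return findings

URL_RE = re.compile(r"http://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>]*)?")

def find_cleartext_endpoints(strings_output: str) -> list[str]:
    """Return http:// URLs seen in extracted strings (https:// does not match)."""
    urls = set()
    for m in URL_RE.finditer(strings_output):
        url = m.group(0)
        if url.endswith(".dtd"):  # XML DTD references are not network endpoints
            continue
        urls.add(url)
    return sorted(urls)
```

Any finding from audit_ats or any URL from find_cleartext_endpoints is a lead for confirming on the wire, with a proxy, whether registration or device data actually leaves the device unencrypted.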

Beyond cybersecurity risks, the legal and geopolitical implications of DeepSeek’s data handling practices are also worrisome. Regulatory and compliance risks arise as user data is stored and processed in China under its legal framework, exposing organizations to potential surveillance and data access by foreign entities.
These concerns have led to immediate bans from multiple governments, enterprises, and security-sensitive industries, similar to past actions against other Chinese-linked applications.
The report warns that businesses and government agencies using DeepSeek face serious risks, including:
- Exposure of intellectual property and confidential data
- Increased risk of surveillance and foreign data access
- Regulatory violations due to PRC data processing laws
- Loss of control over sensitive corporate and government communications
To mitigate these risks, NowSecure strongly advises organizations to:
- Immediately remove DeepSeek iOS from corporate and BYOD (Bring Your Own Device) environments.
- Seek alternative AI platforms that adhere to strict mobile security standards.
- Continuously monitor all mobile apps to detect and mitigate emerging security threats.
NowSecure emphasizes that DeepSeek is not an isolated case, warning that many mobile apps introduce security risks. The firm urges organizations to implement rigorous mobile app security testing to prevent future breaches.