
Multiple security vulnerabilities found in the DeepSeek iOS app, including the transmission of unencrypted data.

2025/2/7 21:25:26
DeepSeek, a popular AI chatbot app, has been found to contain multiple severe security vulnerabilities despite its high ranking on the App Store. Researchers discovered that DeepSeek disables Apple's built-in App Transport Security (ATS) protection, allowing unencrypted data transmission, and that it uses outdated encryption methods. This exposes user data, including chat history, which can be combined with other data sources to de-anonymize users. The app also collects a large number of data points, potentially making users identifiable as espionage targets. Security researchers recommend against using DeepSeek for any task involving personal data because of these inherent security flaws.

The DeepSeek iOS app has been found to have multiple security vulnerabilities, despite consistently ranking high on the App Store charts and remaining one of the most popular downloaded apps.

The latest findings are far worse than the previously exposed vulnerabilities involving an unauthenticated database that leaked chat logs and other sensitive information...

Previous Concerns About DeepSeek

Although we mentioned it before, for most people, DeepSeek appeared out of nowhere, becoming the top downloaded app on iPhones overnight.

AI researchers were shocked by the app's functionality, which required far less hardware than comparable chatbots, leading to a stock market plunge for several US AI companies.

However, concerns about security and privacy soon arose. The Italian data protection agency questioned whether the application complied with European privacy laws, and Ireland raised similar issues. US officials are also investigating potential national security threats.

It was later discovered that the company had accidentally left a database containing over a million log entries unsecured. These logs included chat history and keys.

DeepSeek iOS App Has Multiple Security Vulnerabilities

Mobile security firm NowSecure found multiple security vulnerabilities in the DeepSeek iPhone app, including the failure to use Apple's built-in App Transport Security (ATS) system. ATS is designed to ensure that sensitive personal data is only sent over encrypted channels, but NowSecure found that DeepSeek had disabled this feature.

The DeepSeek iOS app globally disables App Transport Security (ATS), a platform-level protection mechanism on iOS that prevents sensitive data from being sent over unencrypted channels. Because this protection is disabled, the app can and does send unencrypted data to the internet.
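A "global" ATS disable of the kind described above is declared in the app's Info.plist. The following Python is an added example (not code from NowSecure or from the DeepSeek app) that audits an Info.plist for weakened ATS settings; the plist content is constructed for illustration, while the keys checked are Apple's real ATS configuration keys.

```python
import plistlib

# Constructed Info.plist (not the DeepSeek app's); bundle id is a placeholder.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatapp</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.test</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def audit_ats(plist_bytes: bytes) -> list[str]:
    """Return findings for each way the plist weakens App Transport Security.

    An empty list means ATS is left at Apple's defaults (HTTPS with TLS 1.2+
    required for every host).
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []

    # The global switch: every host may be reached over plaintext HTTP.
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true disables ATS for all hosts")

    # Per-domain exceptions can also weaken the protection selectively.
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: plaintext HTTP permitted")
        tls = rules.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
    return findings
```

Running `audit_ats` over a decrypted app bundle's Info.plist during app vetting surfaces the global disable before any traffic capture is needed.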

The company stated that although the exposed data appears seemingly insignificant, it could easily be combined to de-anonymize users.

While individual data points don't constitute a high risk, the aggregation of many data points over time rapidly leads to easy identification of individuals. The recent Gravy Analytics data breach demonstrates that this data is being collected at scale and can effectively de-anonymize millions of people.

The app also uses an outdated encryption method with known weaknesses when encrypting data.

The app partially employs broken encryption algorithms (3DES), making it a poor choice for protecting data confidentiality.

Furthermore, the data collected by the app can be used to identify potential espionage targets.

A user using the latest iPad and leveraging a cellular data connection registered with FirstNet (the US public safety broadband network operator) would likely be considered a prime target for espionage activities.

Remember, DeepSeek iOS app collects dozens of data points and also gathers related data from millions of other apps, which can be easily purchased, combined, and correlated to rapidly de-anonymize users.

The lengthy analysis concludes that the DeepSeek iOS app is insecure and notes that the Android version is even less secure.

Although the DeepSeek application is technically impressive and testing its features can be fun, we advise against using it for any real-world task that involves personal data. You should assume that DeepSeek can identify you and view the content of your interactions.

We are still in the early stages of security researchers examining the app, so more security and privacy issues are likely to be discovered. I personally have removed it from my iPhone and recommend others do the same.