
DeepSeek mobile apps send your sensitive data to China with no encryption

Published Feb 7th, 2025 9:40AM EST
DeepSeek iPhone app.
Image: App Store


DeepSeek R1 is the open-source AI from China that shocked the world last week. We learned that a startup with restricted access to high-tech AI chips was able to train a reasoning model as good as ChatGPT o1. This news tanked the stock market while the DeepSeek mobile app soared in the App Store, becoming the #1 free iPhone app.

Since the arrival of this impressive ChatGPT rival, I have told you to stay away from it, at least the iPhone, Android, and web versions. I explained that DeepSeek’s privacy policy clearly states that it sends all user data to China. Also troubling is the built-in censorship that stops DeepSeek from talking about topics that are sensitive to the Chinese government. We also learned that DeepSeek’s built-in safety protections are not as good as those of ChatGPT and others, which means the AI might help out with nefarious activities.

Finally, we saw signs that the first big DeepSeek hack probably occurred, as a research team found an unprotected database holding user data in plain text. Any hacker could have found that database and stolen its contents.

There’s now an even more concerning reason to remove DeepSeek from your iPhone or Android. The mobile apps have been caught sending sensitive user data, including chats with the AI, over an unsecured connection. The data is beamed to servers belonging to ByteDance, the Chinese company that created TikTok. But regardless of the destination, the unencrypted communication is troubling for security and privacy.

The news comes from the research team at NowSecure, which published its detailed findings in a blog post.

The security researchers found that DeepSeek deliberately disabled App Transport Security (ATS), the built-in iOS feature that would otherwise require data transfers to use encrypted connections. Instead, user data is sent over the internet without encryption, so anyone able to intercept that traffic in transit could read it.

The app does use some encryption, but the 3DES scheme it employs was deprecated nearly a decade ago. Also troubling is the use of encryption keys that are hardcoded into the app and, therefore, stored on the iPhone. The keys are symmetric and identical for every iPhone user. Once someone gets access to the key, they could use it to decrypt all the data.

If the security aspect isn’t troubling enough, you should also know the researchers looked at the kind of data the DeepSeek app collects. They concluded the app grabs large amounts of data that can be used to fingerprint users. The device name, the user’s real name, IP address and network details, and the user’s interactions with the app are collected. This information might be used to create profiles and track users online.

All the user data, whether protected or unprotected, is sent to ByteDance servers. We already knew all user data from DeepSeek apps was sent to China. It’s unclear why the data reaches ByteDance, but it doesn’t matter. The security issues above and the risks of the Chinese government wanting access to the data are good reasons to stop using DeepSeek on iPhone.

The same goes for Android, which researchers found to be even less secure, per Ars Technica.

The security company minced no words in its conclusions. It’s recommending users immediately remove DeepSeek from the iPhone to protect their security and privacy:

NowSecure recommends that organizations remove the DeepSeek iOS mobile app from their environment (managed and BYOD deployments) due to privacy and security risks, such as:

Privacy issues due to insecure data transmission
Vulnerability issues due to hardcoded keys
Data sharing with third parties such as ByteDance
Data analysis and storage in China

NowSecure co-founder Andrew Hoog told Ars that the app is “not equipped or willing to provide basic security protections of your data and identity. There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company’s data and identity at risk.”

Given these findings, I’d say the only way to use DeepSeek to test the viral Chinese AI is to run it locally on a computer. That means installing DeepSeek on Mac and Windows, which will give you better security and protection, as the AI will run on the machine without a connection to the internet.

Chris Smith, Senior Writer
