DeepSeek App Builds a Dossier on Every User

Researchers at SecurityScorecard have examined DeepSeek's mobile applications for iOS and Android and found a series of security weaknesses. The company's report notes that while the apps show no overtly malicious behavior, weak protection of stored data and aggressive data collection put users at risk.

An analysis of the Android version of DeepSeek found API keys, passwords, and authentication tokens stored on the device in unencrypted form, leaving them open to theft and account takeover. The app also relies on an outdated encryption algorithm that is vulnerable to known attacks, and it is exposed to SQL injection.

Of particular concern is how much user data the app collects: text and voice inputs, chat histories, uploaded files, IP addresses, and device model information. The researchers also noted the use of keystroke dynamics, the tracking of a user's typing rhythm and patterns, which can be used to identify individuals.

The app also actively hinders code analysis with anti-tampering measures. Any attempt to debug it triggers a check of the system's debugging flags, after which the app shuts itself down, a practice at odds with transparent development.
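The article does not say which debugger check the app performs. The example below, added here and not taken from the DeepSeek app or the SecurityScorecard report, shows the most common form of the technique in native Android and Linux code: reading the TracerPid field of /proc/self/status, which the kernel sets to the PID of any process attached with ptrace (a debugger, strace, or a ptrace-based instrumentation injector). The status text samples are constructed for illustration; the function names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of a /proc/<pid>/status file and return the TracerPid value,
 * or -1 if the field is absent. A non-zero TracerPid means a tracer is attached. */
long parse_tracer_pid(const char *status_text) {
    const char *key = "TracerPid:";
    size_t keylen = strlen(key);
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, key, keylen) == 0) {
            /* strtol skips the tab/space separator before the number */
            return strtol(line + keylen, NULL, 10);
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* Live check on the current process.
 * Returns 1 if a tracer is attached, 0 if not, -1 if the check could not run
 * (for example no /proc filesystem on a non-Linux host). */
int debugger_attached(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    long tp = parse_tracer_pid(buf);
    if (tp < 0) return -1;
    return tp > 0 ? 1 : 0;
}

/* Constructed samples of what /proc/self/status looks like without and with a tracer. */
static const char *SAMPLE_UNTRACED =
    "Name:\tapp\nUmask:\t0077\nState:\tS (sleeping)\nTgid:\t4242\nPid:\t4242\nPPid:\t1\nTracerPid:\t0\n";
static const char *SAMPLE_TRACED =
    "Name:\tapp\nState:\tt (tracing stop)\nTgid:\t4242\nPid:\t4242\nPPid:\t1\nTracerPid:\t31337\n";

int main(void) {
    printf("constructed untraced sample -> TracerPid %ld\n", parse_tracer_pid(SAMPLE_UNTRACED));
    printf("constructed traced sample   -> TracerPid %ld\n", parse_tracer_pid(SAMPLE_TRACED));

    int live = debugger_attached();
    if (live == 1) {
        /* An anti-tamper build would call exit() or abort() at this point,
         * which is the behaviour the article describes. */
        printf("live check: tracer attached, an anti-tamper build would exit here\n");
    } else if (live == 0) {
        printf("live check: no tracer attached\n");
    } else {
        printf("live check: /proc not available, cannot tell\n");
    }
    return 0;
}
```

Run it plainly and then under `strace` or `gdb` to see the live check flip. For an analyst this is also the weak point of the technique: the check is a single comparison against a value read from a file, so it is defeated by patching the branch, hooking the read, or running the app on a kernel or emulator that reports TracerPid as 0.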

The transfer of data to China raises serious questions: the app's code contains libraries and services linked to ByteDance, which could facilitate data sharing with that company. This in turn raises concerns about compliance with data protection regimes such as the GDPR and CCPA.

In addition, the app requests permissions to access the internet, device state, and geolocation, widening the scope of data collection. An analysis of the external services DeepSeek connects to found third-party domains with poor security ratings, increasing the risk of data leakage.

Concern over DeepSeek's data handling has led several governments to restrict the app. New York recently banned the installation of DeepSeek on government devices, and the South Korean Ministry of Defense blocked access to the service on its computers. Australia, Italy, and Taiwan have also moved to restrict its use, and a bill to ban the app on government devices is under consideration in the US Congress.

Before this, the Wiz Research team had identified a vulnerability in DeepSeek's infrastructure: a publicly accessible ClickHouse database exposed confidential information, including chat histories, secret keys, and server details, to unauthorized access.
