Cybersecurity Company Warns Businesses to Avoid Popular AI App Due to Security Vulnerabilities
A leading cybersecurity company is cautioning businesses and organizations against using a popular app from the generative AI company DeepSeek, citing multiple security vulnerabilities that could compromise users’ data.
DeepSeek App Fails to Protect User Data
The DeepSeek app, which recently topped the Apple App Store in January, transmits data unencrypted over the internet and insecurely stores usernames, passwords, and other credentials, according to an analysis by mobile app security firm NowSecure.
Vulnerabilities Found in Mobile App, Not AI Models
The vulnerabilities found affect the mobile app through which many users access DeepSeek’s AI models, not the models themselves, which can also be run locally on a user’s device or through a separate hosting platform.
Risk to Companies and Consumers
NowSecure wrote, "Because mobile apps change quickly and are a largely unprotected attack surface, they present a very real risk to companies and consumers." DeepSeek is high-profile, but not unique, as many other popular apps have faced similar security concerns.
iPhone Version Disables Important Security Feature
Analyzing the DeepSeek app’s performance on real phones, NowSecure found that the iPhone version came with an important security feature designed by Apple turned off. This feature, App Transport Security (ATS), prevents sensitive data from being sent over unencrypted channels.
Lack of Encryption Exposes Users to Man-in-the-Middle Attacks
The lack of encryption could make users susceptible to man-in-the-middle attacks, where someone with control over the network on which the device is communicating is able to view or modify communications between the user and DeepSeek’s servers.
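As an added illustration (not code from NowSecure's report or from the DeepSeek app), the check below parses an iOS Info.plist and flags the App Transport Security keys that permit cleartext traffic, which is the condition the article describes; the sample plist and the domain in it are constructed.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) opt-outs.
ATS is on by default; an app weakens it via an NSAppTransportSecurity dict."""
import plistlib

# Constructed sample Info.plist (not the DeepSeek app's real plist): ATS is
# globally disabled and one exception domain additionally allows HTTP.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>api.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Global ATS keys that permit cleartext connections when set to true.
GLOBAL_OPT_OUTS = (
    "NSAllowsArbitraryLoads",              # disables ATS for every connection
    "NSAllowsArbitraryLoadsInWebContent",  # disables ATS inside web views
    "NSAllowsArbitraryLoadsForMedia",      # disables ATS for media loads
)

def ats_findings(plist_bytes: bytes) -> list:
    """Return one finding string per ATS opt-out present in the plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    for key in GLOBAL_OPT_OUTS:
        if ats.get(key) is True:
            findings.append(f"{key} is true")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads") is True:
            scope = " and subdomains" if rules.get("NSIncludesSubdomains") else ""
            findings.append(f"cleartext HTTP permitted for {domain}{scope}")
    return findings

if __name__ == "__main__":
    for line in ats_findings(SAMPLE_PLIST) or ["ATS intact: no cleartext opt-outs"]:
        print(line)
```

An app that ships with no NSAppTransportSecurity dictionary at all keeps Apple's default and produces no findings.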
Sensitive Information Cached Unencrypted
NowSecure also found that in some instances the DeepSeek app was caching sensitive information, including username and password, in an unencrypted file on the device that could potentially be reviewed by an attacker who gained physical or remote access to the device.
Additional Vulnerabilities
Other vulnerabilities NowSecure identified are more common among mobile apps. For example, the analysts determined that DeepSeek collects a variety of data about the network and device the app is operating on that can be combined with other information and used by data brokers, or potentially even more nefarious actors, to track and monitor a user.
Governments Banning DeepSeek
The NowSecure report comes as several governments are banning their employees from using DeepSeek due to security vulnerabilities and the fact that the company is based in China.
State-Level Bans
On Monday, New York Governor Kathy Hochul announced that state employees were barred from using DeepSeek’s models on their devices. Congress is currently considering a bill that would implement a similar ban at the federal level, and the governments of South Korea, Australia, and Taiwan have already blocked access to DeepSeek’s models on official devices.