DeepSeek AI iPhone App Under Fire for Security and Privacy Concerns – Research Snipers - The Legend of Hanuman


The popular AI-powered iPhone app, DeepSeek, has come under scrutiny after being found to send data to Chinese-owned servers and collect extensive user data without proper encryption. Despite these serious concerns, the app has topped the US App Store charts since its launch in January 2025. DeepSeek, a generative AI app similar to ChatGPT, has been criticized for its lack of robust security measures.

Andrew Hoog, co-founder of the mobile security firm NowSecure, shared his concerns in a statement to Ars Technica. “[DeepSeek is] not equipped or willing to provide basic security protections of your data and identity,” Hoog stated. “There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company’s data and identity at risk.”

NowSecure, headquartered in Chicago, conducted a detailed analysis of DeepSeek’s iOS app and uncovered several alarming issues:

  • Sensitive data is transmitted without encryption.
  • User data is stored in an insecure manner.
  • The app collects a large amount of user and device data.
  • User data is sent to servers controlled by ByteDance, a China-based company.

While DeepSeek does use encryption, the app relies on the outdated 3DES encryption standard, which was deprecated in 2016 due to vulnerabilities that made it easily breakable. Furthermore, the app uses hard-coded symmetric encryption keys, meaning every user’s data relies on the same keys, which is a major security flaw.

Another concerning practice is DeepSeek’s disabling of Apple’s App Transport Security protocol, which typically enforces encryption for transmitted data. DeepSeek has not explained why this feature is disabled, and Apple has yet to comment on why apps are allowed to bypass this requirement.

Once user data reaches ByteDance-controlled servers, it is decrypted and stored, making it possible to identify specific users and track their activity. This practice raises significant privacy concerns, especially considering that ByteDance, like all Chinese companies, is subject to Chinese laws that require data access when demanded by the government. This is the same concern that has resulted in calls for ByteDance to sell TikTok in the US.

NowSecure continues to investigate DeepSeek, noting that its Android version is even less secure than the iOS app.

For a deeper dive into the security concerns surrounding DeepSeek, you can read the full report on Ars Technica: DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers.

