Source: securityboulevard.com – Author: Richi Jennings
iPhone app sends unencrypted data to China—and Android app appears even worse.
DeepSeek has yet another privacy palaver. Researchers say its AI apps are horribly insecure. Outdated encryption, hardcoded keys and plain-text chattiness are just three of the problems they found.
And now, Congress wants to ban the app—just like they did to TikTok. In today’s SB Blogwatch, we ignore previous instructions.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: NNW.
Xi Knows if You’ve Been Bad or Good
What’s the craic? Natalie Andrews reports: Lawmakers Push to Ban DeepSeek App From U.S. Government Devices
“DeepSeek didn’t respond”
The legislation written by Reps. Darin LaHood, an Illinois Republican, and Josh Gottheimer, a New Jersey Democrat, is echoing a strategy that Congress used to ban … TikTok from government devices. … The two are the top Republican and Democrat respectively on a subcommittee of the House Select Committee on Intelligence.
…
The chatbot for the Chinese startup is now the most downloaded app in the U.S. … The chatbot app, however, has intentionally hidden code that could send user login information to China Mobile, … according to an analysis by Ivan Tsarynny, [which] pushed LaHood and Gottheimer to develop the legislation.
…
DeepSeek didn’t respond to a request for comment.
For the record, it’s Jonathan Greig: Lawmakers push for DeepSeek ban from federal devices over China concerns
“Flood of security reports”
Gottheimer compared the situation with DeepSeek to China’s control over TikTok’s algorithm and data, warning that the U.S. “cannot allow it to happen again.” … The congressmen claimed Americans are “sharing highly sensitive, proprietary information” like contracts and financial records with a platform allegedly controlled by the CCP, which they called a “known foreign adversary.”
…
The bill verbalizes some of the concerns raised by much of the business community since DeepSeek emerged — namely the issue of where data put into the platform is held. … Since it debuted last month, a flood of security reports and warnings have emerged related to the platform.
A flood? You’re not kidding. Our own Nathan Eddy mentions some more: DeepSeek AI Model Riddled With Security Vulnerabilities
“Major compliance risks”
DeepSeek-R1 is significantly more prone to security failures than leading AI models. … One of the most pressing concerns surrounding DeepSeek-R1 is its data storage location. [It] stores user interactions in China, raising significant regulatory red flags for organizations that must comply with data protection laws such as … GDPR [and] CCPA.
…
This could create major compliance risks, particularly for businesses operating in jurisdictions with strict cross-border data transfer regulations.
And here’s the latest winceworthy analysis. Here’s Andrew Hoog: Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App
“Governed by China”
[We] conducted a comprehensive security and privacy assessment of the DeepSeek iOS mobile app, uncovering multiple critical vulnerabilities that put individuals, enterprises, and government agencies at risk. These findings highlight the immediate need for organizations to prohibit the app’s use.
…
The app transmits sensitive data over the internet without encryption. [It] uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys. … Username, password, and encryption keys are stored insecurely. … User data is transmitted to servers controlled by ByteDance.
…
The issues listed above may lead to:
— Loss of intellectual property and sensitive data
— Compromised data integrity due to security flaws
— Tracking and surveillance from data collection
— Loss of control over data sent to and governed by China
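To make the "outdated Triple DES, reused initialization vectors, hardcoded keys" point concrete, here is an added example in Go. It is not code from Hoog's assessment or from the DeepSeek app; the 24-byte key, the all-zero IV and the two login strings are constructed stand-ins. `WeakEncrypt` reproduces the pattern described (3DES-CBC with a static key and a reused IV), `SharedPrefixBlocks` shows what an observer on the wire learns from it, and `StrongEncrypt`/`StrongDecrypt` show the corrected form: AES-256-GCM with a fresh random nonce per message and a key supplied by the caller rather than embedded in the binary.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed stand-ins for the pattern the assessment describes: a key baked
// into the binary and an IV that never changes. Not DeepSeek's actual values.
var hardcodedKey = []byte("0123456789abcdefghijklmn") // 24 bytes = 3DES K1|K2|K3
var fixedIV = make([]byte, des.BlockSize)            // all zero, reused on every call

// pkcs7Pad pads to a whole number of blocks (3DES block size is 8 bytes).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// WeakEncrypt is the weak construction: 3DES-CBC, static key, reused IV.
// It is fully deterministic, so equal plaintexts give equal ciphertexts and
// equal plaintext prefixes give equal ciphertext prefixes.
func WeakEncrypt(plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(hardcodedKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(out, padded)
	return out, nil
}

// SharedPrefixBlocks counts the leading blocks two ciphertexts have in common.
// Under CBC with a reused IV this equals the number of leading plaintext blocks
// that match, which is exactly what a passive observer can read off the wire.
func SharedPrefixBlocks(a, b []byte, blockSize int) int {
	n := 0
	for (n+1)*blockSize <= len(a) && (n+1)*blockSize <= len(b) {
		if !bytes.Equal(a[n*blockSize:(n+1)*blockSize], b[n*blockSize:(n+1)*blockSize]) {
			break
		}
		n++
	}
	return n
}

// StrongEncrypt is the corrected form: AES-256-GCM, a fresh random nonce per
// message (prepended to the ciphertext), and a caller-supplied key.
func StrongEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// StrongDecrypt splits off the nonce and verifies the GCM authentication tag,
// so a tampered ciphertext is rejected instead of silently decrypting to junk.
func StrongDecrypt(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(ciphertext) < ns {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

func main() {
	// Constructed sample traffic: two logins by the same user, different passwords.
	a, _ := WeakEncrypt([]byte("user=alice&password=hunter2"))
	b, _ := WeakEncrypt([]byte("user=alice&password=letmein"))
	fmt.Printf("3DES-CBC, fixed IV: %d identical leading blocks, so the shared prefix leaks\n",
		SharedPrefixBlocks(a, b, des.BlockSize))

	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key)
	c1, _ := StrongEncrypt(key, []byte("user=alice&password=hunter2"))
	c2, _ := StrongEncrypt(key, []byte("user=alice&password=hunter2"))
	fmt.Printf("AES-GCM, random nonce: same plaintext, ciphertexts equal? %v\n", bytes.Equal(c1, c2))
}
```

Run it and the weak path reports two identical leading 8-byte blocks for the two logins: the username and the start of the password field are recognisable across messages without anyone recovering the key. Repeating the same plaintext through the weak path yields a byte-identical ciphertext, which is how reused IVs turn into a tracking signal. The GCM path never produces the same ciphertext twice and refuses a ciphertext whose tag does not verify. For a reviewer the checks are mechanical: grep the binary for string-literal keys, and flag any cipher call whose IV or nonce is a constant.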
Triple DES? Are you serious? Apple must share the blame, thinks ziddoap:
Obviously DeepSeek chose it by design, but the question is how it got past the app store reviewers. … Choosing an encryption algorithm that has been known to be insecure for a decade [is] either extreme carelessness or deceptive and malicious intent. Considering that use of the app store is … purportedly to keep users of iPhones secure, one would imagine that they would care.
And why is the data going to ByteDance? SeeUnknown thinks they know:
It is interesting that this DeepSeek app came out around the time that TikTok was supposed to be shut down in the USA and now we know that DeepSeek is intimately tied to the ByteDance servers. It’s almost as if this DeepSeek thing was someone’s plan B.
Are you surprised, though? hdyoung isn’t:
Is there a single person on the planet making a Pikachu face about this? … At this point, the entire world knows that the Chinese government has access to pretty much anything.
…
The same goes for my own country (US), except I trust the US way more. Are they watching me? Definitely. But I’ve never been called to the local police station for “re-education” because my online posts were “disrupting society.”
So, that’s alright then? Fr00tL00ps ain’t got no time for that:
This complacency is the biggest problem of all, particularly for Gen Z and younger. They only know life in the digital world, where Western corporate practices have slowly eroded all manner of privacy: They don’t know any different and could not care less. Who can blame them when your only choice is … US tech giants abusing your data, or the Chinese government.
…
I applaud the courage and actions of the EU in leading the way in protecting its citizens from … the mass harvesting of private and personal data … by corporations today. Bravo. One can only hope that other jurisdictions take note, but I’m not going to hold my breath.
OK, but what about the government ban? Pascal Monett waxes apoplectic:
What the **** is wrong with the US Government? Government devices should only have government-approved applications. … Or am I supposed to infer that every government employee has admin access to his PC/phone and can install whatever they want?
…
Either government employees only have the stuff IT lets them, or it’s a free-for-all and DeepSeek is just another layer of insecurity on top of FaceBook, TikTok and a raft of other things that have absolutely nothing to do on a work computer/phone. So, which is it?
Meanwhile, should we switch to Android? mbac32768 did a static analysis of the DeepSeek Android app:
It does aggressive device fingerprinting, root detection, has anti-tampering mechanisms, bundles native code and has dynamic code loading and execution facilities. … None of which should be necessary for an app like this.
And Finally:
This is some amazing attention to detail
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Saradasish Pradhan (via Unsplash; leveled and cropped)
Original Post URL: https://securityboulevard.com/2025/02/deepseek-ai-app-security-privacy-richixbw/
Category & Tags: Application Security, Cloud Security, Cyberlaw, Cybersecurity, Data Privacy, Data Security, DevOps, Endpoint, Governance, Risk & Compliance, Humor, Industry Spotlight, Malware, Mobile Security, Most Read This Week, Network Security, News, Popular Post, Security Awareness, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threats & Breaches, Vulnerabilities, AI, AI (Artificial Intelligence), AI privacy, application-level encryption, Artificial Intelligence, Artificial Intelligence (AI), Artificial Intelligence (AI)/Machine Learning (ML), Artificial Intelligence Cybersecurity, Artificial Intelligence News, artificial intellignece, Artificial Stupidity, artificialintelligence, breach of privacy, Bytedance, California Consumer Privacy Act, California Consumer Privacy Act (CCPA), china, china espionage, China Mobile, China-nexus cyber espionage, Chinese, Chinese Communists, chinese government, Chinese Internet Security, Chinese keyboard app security, Congress, congressional legislation, cybersecurity artificial intelligence, Darin LaHood, Data encryption, Data encryption standards, Data Stolen By China, DeepSeek, DeepSeek AI, encryption, Josh Gottheimer, Large Language Models (LLM), Large language models (LLMs), LLM, llm security, No DeepSeek on Government Devices Act, Peoples Republic of China, Privacy, SB Blogwatch, TikTok, TikTok Ban, Unencrypted Data, US Congress