One Article Review

Home - The article:
Source Techworm
Identifier 8647596
Publication date 2025-02-08 20:50:19 (viewed: 2025-02-08 15:53:33)
Title DeepSeek Sending Unprotected Sensitive User Data To TikTok's Parent ByteDance
Text There are growing concerns about the security of the DeepSeek iOS app, as it may be transmitting unprotected user data to ByteDance, the parent company of TikTok. US-based mobile security company NowSecure, which conducted a comprehensive security and privacy assessment of the DeepSeek iOS mobile app on actual iOS devices, found that the app uses unencrypted data transmission, weak and hardcoded encryption keys, insecure data storage, extensive data collection and fingerprinting, and sends unencrypted data to China. The first and foremost issue highlighted by NowSecure is that the DeepSeek iOS app sends some mobile app registration and device data over the internet without encryption, making it vulnerable to interception and manipulation. For instance, a network attacker with privileged access (commonly known as a Man-in-the-Middle attack) could intercept and modify the data, compromising the app's integrity and data security. Although Apple has built-in platform protections to keep developers from introducing this flaw, according to NowSecure, the protection was disabled globally for the DeepSeek iOS app. DeepSeek App Transmits Data: "When a user first launches the DeepSeek iOS app, it communicates with the DeepSeek's backend infrastructure to configure the application, register the device and establish a device profile mechanism. Even when the network is configured to actively attack the mobile app (via a MITM attack), the app still executes these steps which enables both passive and active attacks against the data," the company wrote in a blog post published on Thursday. Modern apps use data encryption to safeguard confidentiality and integrity, which requires proper implementation to protect user data. However, the app relies on an insecure symmetric encryption algorithm (3DES), reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
Additionally, the DeepSeek iOS app insecurely stores usernames, passwords, and encryption keys, increasing the risk of credential theft. The app also collects user and device data that can be used for tracking and de-anonymization. Moreover, the app uses tens of data points, including organization ID, device OS version, and the language selected in the configuration. NowSecure notes that user data is sent to servers run by Volcengine, a cloud service platform released by ByteDance in 2021. Since ByteDance is governed by Chinese laws, it may be compelled to share the data it collects with the Chinese government, raising major surveillance and compliance concerns for enterprises and governments using the app. "The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels. Since this protection is disabled, the app can (and does) send unencrypted data over the internet," N
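The global ATS disablement described above is declared in an app's Info.plist. The following audit script is an added example, not code from the article or from NowSecure: it parses the NSAppTransportSecurity dictionary using Apple's documented ATS key names and reports each setting that permits cleartext HTTP or lowers the TLS floor, so a reviewer can check an extracted IPA's Info.plist before the app is allowed on managed devices. The sample plists are constructed for illustration and are not DeepSeek's real Info.plist.

```python
"""Audit an iOS Info.plist for App Transport Security (ATS) weakening.

Added example (not the article's or NowSecure's code). Key names are Apple's
documented ATS keys; the sample plists below are constructed, not real.
"""
import plistlib

WEAK_TLS = ("TLSv1.0", "TLSv1.1")


def ats_findings(info: dict) -> list:
    """Return human-readable findings; an empty list means ATS is fully enforced."""
    ats = info.get("NSAppTransportSecurity", {})  # absent dict == platform default (ATS on)
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("global: NSAllowsArbitraryLoads=true disables ATS for every host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("webview: NSAllowsArbitraryLoadsInWebContent=true allows cleartext in web views")
    for domain, exc in ats.get("NSExceptionDomains", {}).items():
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"{domain}: NSExceptionAllowsInsecureHTTPLoads=true allows http:// to this host")
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS:
            findings.append(f"{domain}: minimum TLS lowered to {tls}")
    return findings


def audit_plist(data: bytes) -> list:
    """Parse a binary or XML Info.plist blob and run the ATS checks on it."""
    return ats_findings(plistlib.loads(data))


# Constructed sample: ATS switched off globally, plus one weakened domain exception.
WEAK_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.chatapp",  # placeholder bundle id
    "NSAppTransportSecurity": {
        "NSAllowsArbitraryLoads": True,
        "NSExceptionDomains": {
            "api.example.test": {
                "NSExceptionAllowsInsecureHTTPLoads": True,
                "NSExceptionMinimumTLSVersion": "TLSv1.0",
            }
        },
    },
})
# Constructed sample with no ATS dictionary at all: the platform default keeps ATS on.
SAFE_PLIST = plistlib.dumps({"CFBundleIdentifier": "com.example.chatapp"})

if __name__ == "__main__":
    for name, blob in (("weak", WEAK_PLIST), ("safe", SAFE_PLIST)):
        print(name, audit_plist(blob) or ["ATS fully enforced"])
```

Run it against `Info.plist` pulled from an unzipped IPA (`audit_plist(open(path, "rb").read())`); any non-empty result is a finding to raise with the vendor or to weigh in a BYOD/MDM allow-list decision.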
Notes ★★★
Sent Yes
Tags Mobile Cloud


The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.