Login
New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks.
Public interest in the DeepSeek AI chat apps swelled following widespread media reports that the upstart Chinese AI firm had managed to match the abilities of cutting-edge chatbots while using a fraction of the specialized computer chips that leading AI companies rely on. As of this writing, DeepSeek is the third most-downloaded “free” app on the Apple store, and #1 on Google Play.
DeepSeek’s rapid rise caught the attention of the mobile security firm NowSecure, a Chicago-based company that helps clients screen mobile apps for security and privacy threats. In a teardown of the DeepSeek app published today, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.
NowSecure founder Andrew Hoog said they haven’t yet concluded an in-depth analysis of the DeepSeek app for Android devices, but that there is little reason to believe its basic design would be functionally much different.
Hoog told KrebsOnSecurity there were a number of qualities about the DeepSeek iOS app that suggest the presence of deep-seated security and privacy risks. For starters, he said, the app collects an awful lot of data about the user’s device.
“They are doing some very interesting things that are on the edge of advanced device fingerprinting,” Hoog said, noting that one property of the app tracks the device’s name — which for many iOS devices defaults to the customer’s name followed by the type of iOS device.
The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned. The report notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the makers of TikTok), although NowSecure said it wasn’t clear if the data is just leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies.
Image: NowSecure.
Perhaps more concerning, NowSecure said the iOS app transmits device information “in the clear,” without any encryption to encapsulate the data. This means the data being handled by the app could be intercepted, read, and even modified by anyone who has access to any of the networks that carry the app’s traffic.
“The DeepSeek iOS app globally disables App Transport Security (ATS) which is an iOS platform level protection that prevents sensitive data from being sent over unencrypted channels,” the report observed. “Since this protection is disabled, the app can (and does) send unencrypted data over the internet.”
Hoog said the app does selectively encrypt portions of the responses coming from DeepSeek servers. But they also found it uses an insecure and now deprecated encryption algorithm called 3DES (aka Triple DES), and that the developers had hard-coded the encryption key. That means the cryptographic key needed to decipher those data fields can be extracted from the app itself.
There were other, less alarming security and privacy issues highlighted in the report, but Hoog said he’s confident there are additional, unseen security concerns lurking within the app’s code.
“When we see people exhibit really simplistic coding errors, as you dig deeper there are usually a lot more issues,” Hoog said. “There is virtually no priority around security or privacy. Whether cultural, or mandated by China, or a witting choice, taken together they point to significant lapse in security and privacy controls, and that puts companies at risk.”
Apparently, plenty of others share this view. Axios reported on January 30 that U.S. congressional offices are being warned not to use the app.
“[T]hreat actors are already exploiting DeepSeek to deliver malicious software and infect devices,” read the notice from the chief administrative officer for the House of Representatives. “To mitigate these risks, the House has taken security measures to restrict DeepSeek’s functionality on all House-issued devices.”
TechCrunch reports that Italy and Taiwan have already moved to ban DeepSeek over security concerns. Bloomberg writes that The Pentagon has blocked access to DeepSeek. CNBC says NASA also banned employees from using the service, as did the U.S. Navy.
Beyond security concerns tied to the DeepSeek iOS app, there are indications the Chinese AI company may be playing fast and loose with the data that it collects from and about users. On January 29, researchers at Wiz said they discovered a publicly accessible database linked to DeepSeek that exposed “a significant volume of chat history, backend data and sensitive information, including log streams, API secrets, and operational details.”
“More critically, the exposure allowed for full database control and potential privilege escalation within the DeepSeek environment, without any authentication or defense mechanism to the outside world,” Wiz wrote. [Full disclosure: Wiz is currently an advertiser on this website.]
KrebsOnSecurity sought comment on the report from DeepSeek and from Apple. This story will be updated with any substantive replies.
Waiting in the checkout line. Waiting to fall asleep. Waiting for your boring work call to finally end.
When you find yourself in these situations, do you usually have your phone in hand? And does it usually include scrolling through videos on TikTok? You’re far from alone! The app has 150 million users in the United States and more than a billion daily users worldwide.1
However, governments around the world believe that while you’re exploring the world through short-form video, unscrupulous characters are lurking in the background collecting your personal data. Here’s the real story behind TikTok bans and what they mean for you and your online privacy.
TikTok is owned by ByteDance, a Chinese company. Much of the data privacy unease surrounding TikTok is ByteDance’s opacity in their data mining practices. It’s unknown how much data it collects on users and what it does with that information. Since the Chinese government has a hand in many of the businesses based in the country, it’s unclear if the government is party to the mined data. Because many countries are tense politically with China, some governments are being cautious about limiting ByteDance’s access to personal information and potentially government secrets.
So far, various countries have banned TikTok from the work phones of government employees, including the United States, Australia, Canada, Taiwan, and various European Union members.2 India completely banned the app in the country in 2020. Various other countries with strict limits on self-expression have also attempted to forbid their citizens from accessing TikTok.
Montana became the first state to ban TikTok in May 2023. The governor cited “protecting Montanans’ personal and private data” as the reason behind the new bill, which is set to go into effect in January 2024.3
For the general population, bans of TikTok on government-issued devices will not affect your access to the platform Even for government employees, this just means that you can’t access the app from your work phone, laptop, or tablet. On your own time and your personal devices, you can still scroll to your heart’s content.
Montana’s TikTok bill could pick up steam with other states claiming to protect the PII of their citizens; however, the Montana law and any similar ones that may arise are likely to be scrutinized as a violation of freedom of speech. As of now, it’s unclear whether the bill – and future ones like it – will be invalidated due to a violation of the First Amendment.
How these TikTok bans and the news headlines may affect you is that they emphasize the necessity of social media best practices and guarding your personally identifiable information (PII) more closely.
Because it’s unclear how much and with whom TikTok is gathering and sharing your data, it’s best to play it safe and limit the amount you reveal about yourself on the app. Here are a few tips to give you peace of mind and improve your online privacy:
This is a good practice on any social media platform. Geo-tagging is a function where the app uses GPS to track your location and then publish it alongside your post. This feature may put your personal safety at risk, since stalkers can use the geotag, context clues, and video background to guess at your location.
TikTok, Facebook, Instagram, and gaming apps depend on advertisers’ dollars to make money. To provide users with the most relevant ads (and improve their chances of making a sale), companies gather information about you and build a profile based on your online comings and goings. Most apps that allow tracking must ask your permission first to do so. Always uncheck this box and disable ad tracking, because there’s no guarantee that the PII the ad company collects will stay a secret. Did you know that 98% of people have their personal information up for sale on the internet? Personal Data Cleanup is an excellent tool to erase your private details from the internet and keep it out of the hands of strangers.
Oversharing on social media may leave you vulnerable to social engineering schemes. This happens when a scammer gathers details about you and then tailor-makes a scam that’s likely to get your attention. For example, if your social media profiles make it clear that you’re an animal lover, a scammer may write a heartfelt post about needing donations to save their beloved pet.
A virtual private network (VPN) scrambles your online traffic, making it very difficult for someone to digitally eavesdrop on you or pinpoint your location. Plus, a VPN works on any device, not just desktops. So, while you scroll on a computer, tablet, or smartphone, a VPN can keep your internet traffic a secret.
Don’t worry: TikTok – the constant companion in times of boredom, transit, and when you’re in need of a laugh – isn’t going anywhere anytime soon. For the general population in most parts of the world, the app is staying put.
However, just because it’s not banned doesn’t mean that it’s 100% safe for your online privacy. Keep our tips in mind the next time you scroll through or post. To fully cover your bases and give you peace of mind, partner with McAfee+ Ultimate. This all-in-one service includes unlimited VPN for all your devices, Personal Data Cleanup, and more.
Laugh, cry, learn, and explore the world through TikTok with confidence in the security of your online privacy!
1TikTok, “Celebrating our thriving community of 150 million Americans”
2Associated Press, “Here are the countries that have bans on TikTok”
3CNN, “Montana governor bans TikTok”
The post Why Are Some Countries Banning TikTok? appeared first on McAfee Blog.
Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones.
In November 2022, researchers at Google’s Project Zero warned about active attacks on Samsung mobile phones which chained together three security vulnerabilities that Samsung patched in March 2021, and which would have allowed an app to add or read any files on the device.
Google said it believes the exploit chain for Samsung devices belonged to a “commercial surveillance vendor,” without elaborating further. The highly technical writeup also did not name the malicious app in question.
On Feb. 28, 2023, researchers at the Chinese security firm DarkNavy published a blog post purporting to show evidence that a major Chinese ecommerce company’s app was using this same three-exploit chain to read user data stored by other apps on the affected device, and to make its app nearly impossible to remove.
DarkNavy likewise did not name the app they said was responsible for the attacks. In fact, the researchers took care to redact the name of the app from multiple code screenshots published in their writeup. DarkNavy did not respond to requests for clarification.
“At present, a large number of end users have complained on multiple social platforms,” reads a translated version of the DarkNavy blog post. “The app has problems such as inexplicable installation, privacy leakage, and inability to uninstall.”
Update, March 27, 1:24 p.m. ET: Dan Goodin over at Ars Technica has an important update on this story that indicates the Pinduoduo code was exploiting a zero-day vulnerability in Android — not Samsung. From that piece:
“A preliminary analysis by Lookout found that at least two off-Play versions of Pinduoduo for Android exploited CVE-2023-20963, the tracking number for an Android vulnerability Google patched in updates that became available to end users two weeks ago. This privilege-escalation flaw, which was exploited prior to Google’s disclosure, allowed the app to perform operations with elevated privileges. The app used these privileges to download code from a developer-designated site and run it within a privileged environment.
“The malicious apps represent “a very sophisticated attack for an app-based malware,” Christoph Hebeisen, one of three Lookout researchers who analyzed the file, wrote in an email. “In recent years, exploits have not usually been seen in the context of mass-distributed apps. Given the extremely intrusive nature of such sophisticated app-based malware, this is an important threat mobile users need to protect against.”
On March 3, 2023, a denizen of the now-defunct cybercrime community BreachForums posted a thread which noted that a unique component of the malicious app code highlighted by DarkNavy also was found in the ecommerce application whose name was apparently redacted from the DarkNavy analysis: Pinduoduo.
A Mar. 3, 2023 post on BreachForums, comparing the redacted code from the DarkNavy analysis with the same function in the Pinduoduo app available for download at the time.
On March 4, 2023, e-commerce expert Liu Huafang posted on the Chinese social media network Weibo that Pinduoduo’s app was using security vulnerabilities to gain market share by stealing user data from its competitors. That Weibo post has since been deleted.
On March 7, the newly created Github account Davinci1010 published a technical analysis claiming that until recently Pinduoduo’s source code included a “backdoor,” a hacking term used to describe code that allows an adversary to remotely and secretly connect to a compromised system at will.
That analysis includes links to archived versions of Pinduoduo’s app released before March 5 (version 6.50 and lower), which is when Davinci1010 says a new version of the app removed the malicious code.
Pinduoduo has not yet responded to requests for comment. Pinduoduo parent company PDD Holdings told Reuters Google has not shared details about why it suspended the app.
The company told CNN that it strongly rejects “the speculation and accusation that Pinduoduo app is malicious just from a generic and non-conclusive response from Google,” and said there were “several apps that have been suspended from Google Play at the same time.”
Pinduoduo is among China’s most popular e-commerce platforms, boasting approximately 900 million monthly active users.
Most of the news coverage of Google’s move against Pinduoduo emphasizes that the malware was found in versions of the Pinduoduo app available outside of Google’s app store — Google Play.
“Off-Play versions of this app that have been found to contain malware have been enforced on via Google Play Protect,” a Google spokesperson said in a statement to Reuters, adding that the Play version of the app has been suspended for security concerns.
However, Google Play is not available to consumers in China. As a result, the app will still be available via other mobile app stores catering to the Chinese market — including those operated by Huawei, Oppo, Tencent and VIVO.
Google said its ban did not affect the PDD Holdings app Temu, which is an online shopping platform in the United States. According to The Washington Post, four of the Apple App Store’s 10 most-downloaded free apps are owned by Chinese companies, including Temu and the social media network TikTok.
The Pinduoduo suspension comes as lawmakers in Congress this week are gearing up to grill the CEO of TikTok over national security concerns. TikTok, which is owned by Beijing-based ByteDance, said last month that it now has roughly 150 million monthly active users in the United States.
A new cybersecurity strategy released earlier this month by the Biden administration singled out China as the greatest cyber threat to the U.S. and Western interests. The strategy says China now presents the “broadest, most active, and most persistent threat to both government and private sector networks,” and says China is “the only country with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to do so.”
FreshRSS