Multiple Security and Privacy Flaws in DeepSeek iOS Mobile App

nowsecure.com

17 points by ahoog42 a year ago · 7 comments

suraci a year ago

> Unencrypted Data Transmission

> Weak & Hardcoded Encryption Keys

> Insecure Data Storage

You know they're not kidding when they said that DeepSeek is just a side-project...

> However, there are multiple reasons why companies might send data to servers in the current country including performance, regulatory, or more nefariously to mask where the data will ultimately be sent or processed.

Though I'm very glad to see it's demonized, as long as it can force these companies to change their mindset about security.

I talked about this problem elsewhere ([Exposed DeepSeek database leaking sensitive information, including chat history](https://news.ycombinator.com/item?id=42871371)):

> this industry in china is so young, many devs and orgs don't understand what will happen if they shut down the firewall or expose their database on the internet without a password, they just can't think of it, need someone to remind them

ratg13 a year ago

3DES... no other explanation than that this was an intentional choice to allow the traffic to be inspected/harvested by big red.

  • varenc a year ago

    I believe 3DES is just being used for obfuscation? If they used the latest cipher and gave each user per-session keys then a reverse engineer could still access the data since the app itself must have the key to read the data.

    re: big red, the sensitive traffic (but not all, sadly) is communicated over HTTPS, which should already protect you from eavesdroppers. My understanding is that the use of 3DES is just another layer of obfuscation to make it harder to abuse their app's private web APIs even if someone used a self-signed cert to MITM HTTPS. It's HTTPS that should be protecting your data in transit.

    Basically I think this is a big nothing burger but would love to understand why I'm wrong. Though poor use of encryption certainly doesn't give me positive vibes on the developers.

  • ahoog42OP a year ago

    Agreed, 3DES is a difficult choice to explain. To top it off, the encryption key was hardcoded in the .ipa, the IV was null and then reused.
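The "null IV, then reused" point above is worth seeing concretely, because it is a weakness independent of 3DES itself. The following is an added example, not code from the NowSecure report or the DeepSeek app: the key is a made-up 24-byte placeholder standing in for "a key hardcoded in the binary", and the messages are constructed. With a fixed IV in CBC mode, any two messages that share their first 8 bytes produce an identical first ciphertext block, so an observer with only ciphertext can tell which messages start the same way; a fresh random IV per message removes that leak.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"fmt"
)

// demoKey is a constructed placeholder key for this demo only (NOT the app's key);
// it plays the role of a key shipped hardcoded inside the .ipa.
var demoKey = []byte("0123456789abcdefghijklmn") // 24 bytes = 3-key 3DES

// zeroIV models the "null IV" from the thread: all-zero and reused for every message.
var zeroIV = make([]byte, des.BlockSize)

// pkcs7Pad pads data up to a multiple of the 8-byte DES block size.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// Encrypt3DESCBC encrypts plaintext with 3DES-CBC under key and iv (PKCS#7 padded).
func Encrypt3DESCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// LeaksPrefix reports whether p1 and p2, encrypted under the same key and the same
// reused IV, yield an identical first ciphertext block. True whenever the first
// 8 plaintext bytes match: the fixed IV makes CBC deterministic for that block.
func LeaksPrefix(key, iv, p1, p2 []byte) (bool, error) {
	c1, err := Encrypt3DESCBC(key, iv, p1)
	if err != nil {
		return false, err
	}
	c2, err := Encrypt3DESCBC(key, iv, p2)
	if err != nil {
		return false, err
	}
	return bytes.Equal(c1[:des.BlockSize], c2[:des.BlockSize]), nil
}

// RandomIV is the fix for the IV half of the problem: a fresh, unpredictable IV per
// message, transmitted alongside the ciphertext (it need not be secret).
func RandomIV() ([]byte, error) {
	iv := make([]byte, des.BlockSize)
	_, err := rand.Read(iv)
	return iv, err
}

func main() {
	p1, p2 := []byte("user=alice&msg=hello"), []byte("user=alice&msg=goodbye")
	leak, _ := LeaksPrefix(demoKey, zeroIV, p1, p2)
	fmt.Println("reused zero IV, first blocks equal:", leak) // true
	iv1, _ := RandomIV()
	iv2, _ := RandomIV()
	c1, _ := Encrypt3DESCBC(demoKey, iv1, p1)
	c2, _ := Encrypt3DESCBC(demoKey, iv2, p2)
	fmt.Println("fresh IVs, first blocks equal:", bytes.Equal(c1[:8], c2[:8])) // false
}
```

Replacing 3DES with AES would not by itself close this leak; the reused IV must go too, and a key that ships inside the app is readable by anyone who unpacks it regardless of cipher.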

AtomicOrbital a year ago

Android also insecure?

  • ahoog42OP a year ago

    Yes, the Android app has multiple vulnerabilities but we focused this report on iOS (it took nearly 40 hours to write the report). Our recommendation is people avoid using the mobile apps. If you want to test the model, I'd suggest Hugging Face/ollama or a hosted solution (multiple companies are now offering that).
