
Think Twice Before Downloading DeepSeek

If you’re at all into technology, you’ve been bombarded by the release of an incredible open-source AI chatbot by the company DeepSeek.

The DeepSeek chatbot has (rightfully) put all the big American AI players (OpenAI, Google, Meta, Nvidia, etc.) on the back foot. The DeepSeek models (there are two primary models and six smaller ones) are incredibly powerful even though they were developed on underpowered hardware (since the good stuff can’t be sold to certain countries).

And the fact that these models are open source is incredible. You can run the smaller models on local hardware (even laptops), and that’s probably the safest way to run DeepSeek, since their app is not exactly what you would call “secure”.

Troubling Security Gaps

Last week a security company called NowSecure reported on some troubling (but apparently intentional) security issues in the DeepSeek app (which has topped the rankings on both Apple’s and Google’s app stores).

From NowSecure’s published report:

Key Risks Identified

  1. Unencrypted Data Transmission: The app transmits sensitive data over the internet without encryption, making it vulnerable to interception and manipulation.
  2. Weak & Hardcoded Encryption Keys: Uses outdated Triple DES encryption, reuses initialization vectors, and hardcodes encryption keys, violating best security practices.
  3. Insecure Data Storage: Username, password, and encryption keys are stored insecurely, increasing the risk of credential theft.
  4. Extensive Data Collection & Fingerprinting: The app collects user and device data, which can be used for tracking and de-anonymization.
  5. Data Sent to China & Governed by PRC Laws: User data is transmitted to servers controlled by ByteDance, raising concerns over government access and compliance risks.

The first risk (unencrypted data transmission) means that all the information sent to and from the app is sent “in the clear”, where it can be read (or even modified) on its way to its destination. Its destination, by the way, is servers controlled by ByteDance, which hasn’t endeared itself to the US government recently. The sending of unencrypted data is not an accident, either. It is fairly trivial to encrypt data in 2025, and according to NowSecure the ability to send encrypted data is globally disabled throughout the entire iOS app.
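On iOS, “globally disabling” protected transport is normally done by switching off App Transport Security (ATS) in the app’s Info.plist. As an added example (not from this post or from NowSecure’s report, and assuming that is the mechanism in play), this script audits an Info.plist for the settings that allow cleartext HTTP; the plist below is constructed and names an invented bundle id and host.

```python
import plistlib
from typing import List

# Constructed sample Info.plist (not from any real app). ATS is switched off
# app-wide via NSAllowsArbitraryLoads, and one host gets an explicit exception.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.sample</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.com</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""


def audit_ats(plist_bytes: bytes) -> List[str]:
    """Return findings describing where ATS permits unencrypted (plain HTTP) traffic.

    An empty list means ATS is left at its default, which requires TLS everywhere.
    """
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings: List[str] = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled app-wide (NSAllowsArbitraryLoads=true): cleartext HTTP allowed to any host")
    if ats.get("NSAllowsArbitraryLoadsInWebContent"):
        findings.append("ATS disabled for web views (NSAllowsArbitraryLoadsInWebContent=true)")
    # Per-host exceptions are narrower than a global opt-out but still worth flagging.
    for host, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"cleartext HTTP allowed for {host}")
    return findings


if __name__ == "__main__":
    for finding in audit_ats(SAMPLE_INFO_PLIST):
        print(finding)
```

To check a real app, unpack the .ipa and pass the bytes of `Payload/<App>.app/Info.plist` to `audit_ats` (binary plists are handled by `plistlib` as well).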

The encryption keys are another very troubling basic oversight. Hardcoded encryption keys (which are identical for every installed version of the iOS app) mean that a single key will decrypt data for every single user of the iOS app. Additionally, the type of encryption used was shown to be crackable all the way back in 2016.

Additionally, there are multiple different types of user and device fingerprinting present, which help DeepSeek know a lot about who each user is. The data sent even includes the device’s name, which often defaults to a user’s name followed by the device name.

Combine this information with data from other sources and it becomes incredibly easy to narrow down individual users, and the lack of encryption means that viewing or tweaking their interactions with DeepSeek becomes trivial.


About the author

Colin Dorman