Tech fans who flocked to try out DeepSeek will want to think twice about what the app is doing – just days after vulnerabilities were found in the iOS app, a research team at Security Scorecard has found similar privacy concerns in the Android app as well.
Despite the app’s rise in popularity after the release of the R1 reasoning model, several countries including Australia, Italy and Taiwan have banned it from use in government departments or on government devices amid privacy concerns. While the latest report from Security Scorecard doesn’t show any overtly malicious behavior, it does point to some overall poor security practices.
The concerns include sending user data to China, hardcoded keys, weak cryptography, and vulnerabilities to SQL injection attacks among others. Additionally, the report says that API keys, authentication tokens and passwords are stored in plaintext within application files which increases risks of unauthorized access and account takeover.
The app’s privacy policy details additional risky behavior such as collecting “text or audio inputs, prompts, uploaded files, feedback and chat history.” It also gathers technical information like IP addresses, operating system, device model and – most concerningly – “keystroke patterns or rhythms.” This last part is considered most intrusive as it can be used to infer both identity and behavior.
Security Scorecard analyzed the app and identified these issues based on the CWE (Common Weakness Enumeration) list. High risk weaknesses include things like hardcoded keys, SQL injection risks, improper file permissions, while analysis of DeepSeek’s Smali code revealed multiple anti-debugging techniques. If debugging is detected; the application force closes itself to prevent analysis.
The report also examines the likelihood of user behavior and device metadata being sent to ByteDance servers which would raise compliance issues with GDPR, CCPA and national security laws.
If you’re thinking about using Deepseek as your new AI tool, this report’s findings are more than enough reason to reconsider. Hopefully, its creators are able to fix some of these security issues soon before hackers, governments or other threat actors figure out how to exploit them.
