Several independent analyses of the DeepSeek Android app have reported significant security vulnerabilities that put its users at risk. The specific findings and their implications:
1. Unsecured Network Configuration: The app ships without a hardening network security configuration, leaving it susceptible to Man-in-the-Middle (MitM) attacks. When users connect over public Wi-Fi or other untrusted networks, an attacker on the path can intercept and manipulate traffic, potentially capturing login credentials, chat contents, and payment details. To mitigate this, DeepSeek should ship a Network Security Config that disallows cleartext (plain HTTP) traffic (cleartextTrafficPermitted="false") and trusts only system CAs, and should pin the API servers' certificates or public keys so that a forged certificate is rejected even when it chains to a CA the device trusts[1].
2. No TLS Certificate Validation or Pinning: The app does not properly validate the server's TLS certificate, making it vulnerable to impersonation. An attacker who presents a forged or self-signed certificate can pose as DeepSeek's servers and read or modify sensitive data such as login credentials and personal information. The fix is to keep the platform's default certificate validation (never an all-trusting TrustManager or a permissive HostnameVerifier) and to add certificate pinning for the API hosts[1].
3. Weak Root Detection: The app's root detection is easy to bypass, so an attacker with root access (or a hooking framework running on a rooted device) can disable its security controls and extract stored data. Rooted devices are also more exposed to malware and advanced attacks. Root detection should be treated as one signal among several: combine multiple local checks, and use Google's Play Integrity API (the successor to the now-deprecated SafetyNet Attestation API) so that the server can verify device integrity before issuing session tokens, because any purely client-side check can be patched out of the APK[1].
4. Susceptibility to the StrandHogg Vulnerability: DeepSeek is vulnerable to StrandHogg, a task-hijacking flaw that lets a malicious app insert its own activity into the legitimate app's task and show a fake login screen on top of it to steal user credentials, enabling phishing and identity theft. The app-side mitigation for the original variant is to set android:taskAffinity="" on its activities so that no other app can join their task, together with targeting a current Android SDK level; the later variant (StrandHogg 2.0, CVE-2020-0096) was fixed in the Android platform itself, so it also depends on users keeping their devices on a current security patch level[1].
5. Exposure to the Janus Vulnerability: The app is exposed to Janus (CVE-2017-13156), an Android flaw that lets an attacker prepend a malicious DEX file to an APK signed only with the legacy v1 (JAR) signature scheme without invalidating the signature, so a modified copy still installs as a valid update and can carry injected malware. The fix is to sign releases with APK Signature Scheme v2 or later (v3 is current), which hashes the entire file rather than individual ZIP entries, to distribute through Play App Signing, and to add runtime integrity checks that detect a tampered package[1].
6. Weak Encryption and Privacy Risks: The app uses weak encryption, leaving user data open to interception. It relies on outdated cryptographic algorithms and, as noted in item 2, lacks certificate pinning, so an attacker with a forged certificate can decrypt traffic in transit. This exposes users to identity theft, financial fraud, and unauthorized surveillance. The remedy is to use only current primitives (TLS 1.2 or later with strong cipher suites in transit, authenticated encryption such as AES-GCM at rest) and, where the product allows it, end-to-end encryption (E2EE)[3].
7. SQL Injection Risks and Hardcoded Keys: The app also builds database queries in a way that is open to SQL injection, and it ships encryption keys hardcoded in the APK, where anyone who decompiles the app can read them. Both practices increase the risk of data breaches and unauthorized access: queries against the local SQLite database should use parameterized statements with bound arguments, and keys should be generated on the device and kept in the Android Keystore rather than in code[6].
8. Data Collection and Privacy Concerns: The app requests more permissions than its functionality needs and gathers metadata that may track user behavior beyond what its privacy policy discloses. Such overreach risks unauthorized data harvesting and conflicts with privacy regulations such as GDPR and CCPA[3].
Taken together, these findings show that DeepSeek needs to address both the security and the privacy weaknesses of its Android app to protect user data effectively.
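Findings 1, 2 and 4 above are configuration matters that can be checked statically once the APK has been decoded (for example with apktool). The Python script below is an added example and is not code from DeepSeek or from any of the cited reports; its XML samples are constructed, and the hostname api.example.com and the pin digests are placeholders. It places the weak network security configuration and manifest next to hardened versions and runs two audit checks over each: cleartext allowed, user CAs trusted, and no pin-set for the network config, and exported activities that keep the default task affinity for the manifest.

```python
"""Static checks over the XML a decoder such as apktool extracts from an APK:
res/xml/network_security_config.xml and AndroidManifest.xml.  All sample XML
below is constructed for this example; the hostname and pin digests are
placeholders, not DeepSeek's real values."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace

# Constructed: the kind of configuration behind findings 1 and 2. Cleartext HTTP
# is allowed everywhere, user-installed CAs (e.g. an interception proxy's) are
# trusted, and nothing is pinned.
WEAK_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>"""

# Constructed: hardened equivalent. Cleartext is refused, only system CAs are
# trusted, and the API host is pinned to two SPKI SHA-256 digests (placeholders;
# the second is a backup pin so keys can rotate without locking users out).
HARDENED_NSC = """<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>"""

# Constructed manifest for finding 4: the login activity is exported through its
# launcher intent-filter and keeps the default (package-name) task affinity,
# which is what StrandHogg's task hijacking relies on.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application>
        <activity android:name=".LoginActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>
    </application>
</manifest>"""

# Hardened: the same manifest with the activity's task affinity cleared.
HARDENED_MANIFEST = WEAK_MANIFEST.replace(
    'android:name=".LoginActivity"',
    'android:name=".LoginActivity" android:taskAffinity=""')


def audit_network_security_config(xml_text):
    """Return a list of findings for a network_security_config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    base = root.find("base-config")
    # Without an explicit base-config the platform default applies, which still
    # permits cleartext for apps targeting API < 28, so require an explicit "false".
    if base is None or base.get("cleartextTrafficPermitted") != "false":
        findings.append("cleartext (plain HTTP) traffic not explicitly disabled")
    for cert in root.iter("certificates"):
        if cert.get("src") == "user":
            findings.append("user-installed CAs trusted: an interception proxy CA is accepted")
    if root.find(".//pin-set") is None:
        findings.append("no pin-set: server certificate is not pinned")
    return findings


def audit_task_affinity(manifest_text):
    """Flag reachable activities whose task affinity is not cleared (StrandHogg)."""
    root = ET.fromstring(manifest_text)
    findings = []
    for act in root.iter("activity"):
        name = act.get(ANDROID + "name")
        # An activity is reachable by other apps if exported or if it declares
        # an intent-filter (which exports it implicitly on older target SDKs).
        reachable = (act.get(ANDROID + "exported") == "true"
                     or act.find("intent-filter") is not None)
        if reachable and act.get(ANDROID + "taskAffinity") != "":
            findings.append(f'{name}: exported activity without android:taskAffinity=""')
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_NSC), ("hardened", HARDENED_NSC)):
        print(f"network config ({label}):", audit_network_security_config(text) or "OK")
    for label, text in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"manifest ({label}):", audit_task_affinity(text) or "OK")
```

The config file only takes effect when the manifest's application element references it via android:networkSecurityConfig="@xml/network_security_config", so an audit should confirm that attribute is present as well; and because pinning is enforced by the platform rather than by app code, an all-trusting TrustManager in the app can still undo it, which is why the item 2 fix is to avoid such overrides entirely.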
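To check finding 5 on a release build, the Python script below, added here as an example and not taken from DeepSeek or from any of the cited reports, inspects which APK signature schemes an APK carries: it looks for the v1 META-INF signature files and parses the APK Signing Block that v2/v3 signing places immediately before the ZIP central directory. The APKs it examines are constructed in memory with dummy signature bytes, so it tests only for the presence of each scheme, not for signature validity.

```python
"""Detect which APK signature schemes an APK carries. An APK signed only with
the v1 (JAR) scheme is the Janus precondition; v2/v3 hash the whole file and
defeat the attack on Android 7.0+.  The APKs built here are constructed with
placeholder contents and dummy signature bytes, so this checks scheme presence,
not cryptographic validity."""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3


def _eocd_offset(data):
    """Offset of the ZIP End of Central Directory record (comment allowed)."""
    idx = data.rfind(b"PK\x05\x06", max(0, len(data) - 22 - 0xFFFF))
    if idx < 0:
        raise ValueError("not a ZIP/APK: no EOCD record")
    return idx


def signature_schemes(apk):
    """Return the set of signature scheme versions present, e.g. {1} or {1, 2}."""
    schemes = set()
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
        # v1: META-INF/MANIFEST.MF plus a PKCS#7 signature block (.RSA/.DSA/.EC)
        if "META-INF/MANIFEST.MF" in names and any(
                n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))
                for n in names):
            schemes.add(1)
    # v2+: an APK Signing Block sits immediately before the central directory:
    #   uint64 size | ID-value pairs | uint64 size | 16-byte magic
    cd_offset = struct.unpack_from("<I", apk, _eocd_offset(apk) + 16)[0]
    if cd_offset >= 24 and apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        block_size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
        pos = cd_offset - block_size            # first ID-value pair
        end = cd_offset - 24                    # trailing size field
        while pos < end:
            pair_len, pair_id = struct.unpack_from("<QI", apk, pos)
            if pair_id == V2_BLOCK_ID:
                schemes.add(2)
            elif pair_id == V3_BLOCK_ID:
                schemes.add(3)
            pos += 8 + pair_len                 # length covers the 4-byte ID
    return schemes


def janus_exposed(apk):
    """True when the APK relies on v1 alone, i.e. a DEX can be prepended without
    breaking the signature on unpatched Android 5.0 to 8.0 devices."""
    return signature_schemes(apk) == {1}


def _signing_block(pairs):
    """Serialize an APK Signing Block from {id: value} (dummy values here)."""
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs.items())
    size = len(body) + 8 + 16   # pairs + trailing size field + magic
    return struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC


def build_apk(v1=True, v2=False):
    """Constructed test APK: a minimal ZIP with optional v1 files and v2 block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")   # placeholder, not binary XML
        zf.writestr("classes.dex", b"dex\n035\0placeholder")
        if v1:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/CERT.RSA", b"\x30\x82dummy")   # dummy PKCS#7 blob
    data = bytearray(buf.getvalue())
    if v2:
        eocd = _eocd_offset(data)
        cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
        block = _signing_block({V2_BLOCK_ID: b"\x00" * 64})
        data[cd_offset:cd_offset] = block                       # insert before CD
        # The EOCD moved by len(block); point its CD offset at the shifted CD.
        struct.pack_into("<I", data, eocd + len(block) + 16, cd_offset + len(block))
    return bytes(data)


if __name__ == "__main__":
    for v1, v2 in ((True, False), (True, True), (False, True)):
        apk = build_apk(v1, v2)
        print(f"v1={v1} v2={v2}: schemes={sorted(signature_schemes(apk))} "
              f"janus_exposed={janus_exposed(apk)}")
```

On a real APK the same answer comes from the SDK's apksigner verify --verbose, which reports each scheme separately; an app that must still run on Android versions below 7.0 has to keep v1 alongside v2/v3, and devices that support v2 verify it first, which is what closes Janus there.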
Citations:
[1] https://www.appknox.com/blog/is-your-ai-app-safe-analyzing-deepseek
[2] https://blogs.cisco.com/security/evaluating-security-risk-in-deepseek-and-other-frontier-reasoning-models
[3] https://moxso.com/blog/deepseeks-android-app-flaws-privacy-risks
[4] https://approov.io/blog/deepseek-apps-security-failures-how-approov-could-have-prevented-the-damage
[5] https://www.infosecurity-magazine.com/news/deepseek-r1-security/
[6] https://securityscorecard.com/blog/a-deep-peek-at-deepseek/
[7] https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
[8] https://thehackernews.com/2025/02/deepseek-app-transmits-sensitive-user.html
[9] https://uwaterloo.ca/information-systems-technology/news/deepseek-app-security-and-privacy-weaknesses
[10] https://www.nowsecure.com/blog/2025/02/06/nowsecure-uncovers-multiple-security-and-privacy-flaws-in-deepseek-ios-mobile-app/
[11] https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/