The DeepSeek iOS app's use of the 3DES algorithm poses significant security risk, both because the algorithm itself is deprecated and because of how the app keys and uses it. The specific risks are:
1. Insecurity of 3DES: Triple DES (3DES) is a legacy cipher that has been formally deprecated by NIST and superseded by AES. Its 64-bit block size means that, once enough traffic is encrypted under a single key, birthday-bound collisions start to leak plaintext (the Sweet32 class of attacks), and its security margin is far below that of AES. A deprecated cipher on its own is a weakness rather than an immediate break; in this app it is combined with the key and IV handling described next, which is what makes the protected data recoverable in practice and compromises user privacy and data integrity[2][4][9].
2. Hardcoded Encryption Keys: DeepSeek's 3DES implementation uses encryption keys hardcoded in the app binary. Anyone with a copy of the app can recover such a key by static analysis (string extraction or disassembly) or by hooking the crypto call at runtime, and can then decrypt, or forge, any data protected with it. A key that is identical for every installation and ships inside the artifact provides no confidentiality against an attacker who has the app, which is every attacker[4][9][10].
3. Reuse of Initialization Vectors (IVs): The app also reuses initialization vectors with 3DES. An IV must be unique per encryption so that encrypting the same or similar data twice does not produce recognisable output. Reusing an IV does not reveal the key, but with a fixed key and a fixed IV the encryption becomes deterministic: identical plaintexts (and, depending on the mode, identical leading blocks) produce identical ciphertext, so an observer can spot repeated or related messages and, in mode-dependent ways, learn relationships between plaintexts without ever learning the key[1][9].
4. Data Exposure and Manipulation: DeepSeek also disables App Transport Security (ATS) on iOS, the platform control that by default blocks cleartext HTTP and weak TLS configurations. With ATS turned off, the app sends some data with no transport encryption at all, leaving the application-layer 3DES as the only protection on that data, and that protection is undone by the hardcoded key and reused IV. Users are thus exposed to both passive eavesdropping and active tampering by anyone on the network path[1][7][10].
5. Privacy and Data Sovereignty Concerns: User data is transmitted to servers controlled by ByteDance, a Chinese company, which places it under Chinese jurisdiction. The cited reports raise the resulting concerns about access by state authorities without the legal process users might expect at home, and about secondary use of the data, both significant privacy risks for users[5][6].
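As an added illustration of items 1 to 3 (this is example code written for this page, not code from the DeepSeek app or from any of the cited reports), the Go program below reproduces the insecure pattern with the standard library: 3DES in CBC mode under a hardcoded key and a hardcoded, reused IV. The key and IV bytes, the payload strings and the field names are all constructed for the example and are not the values recovered from the real app; CBC is assumed as the mode for illustration. It shows that two payloads sharing a prefix produce identical leading ciphertext blocks, so an observer learns where they diverge without the key, and that the same payload always encrypts to the same bytes. Beside it is the corrected pattern, AES-256-GCM with a fresh random nonce per message (in a real app the key would come from the platform keystore or a per-session exchange, never from the binary).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// HYPOTHETICAL hardcoded key and IV, constructed for this example only.
// They are NOT the values from the DeepSeek binary; they stand in for the
// pattern under discussion: a static key and a static IV shipped in the app.
var hardcodedKey = []byte("0123456789abcdef01234567") // 24 bytes: 3DES key
var hardcodedIV = []byte("12345678")                  // 8 bytes: DES block size

// pkcs7Pad pads to the given block size (8 bytes for 3DES).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// weakEncrypt3DES mirrors the insecure pattern: 3DES-CBC with a hardcoded key
// and a hardcoded, reused IV. It is deterministic: same plaintext, same output.
func weakEncrypt3DES(plaintext []byte) []byte {
	block, err := des.NewTripleDESCipher(hardcodedKey)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plaintext, des.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, hardcodedIV).CryptBlocks(out, padded)
	return out
}

// sharedLeadingBlocks counts how many leading 8-byte ciphertext blocks two
// ciphertexts have in common. With a reused key and IV in CBC mode this equals
// the number of leading plaintext blocks that were identical, so a passive
// observer learns where two messages start to differ without the key.
func sharedLeadingBlocks(c1, c2 []byte) int {
	n := 0
	for (n+1)*des.BlockSize <= len(c1) && (n+1)*des.BlockSize <= len(c2) {
		lo, hi := n*des.BlockSize, (n+1)*des.BlockSize
		if !bytes.Equal(c1[lo:hi], c2[lo:hi]) {
			break
		}
		n++
	}
	return n
}

// encryptAESGCM is the corrected pattern: AES-256-GCM with a fresh random
// nonce per message. Output layout is nonce || ciphertext || tag.
func encryptAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAESGCM reverses encryptAESGCM and fails on any tampering.
func decryptAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample payloads sharing a 16-byte prefix (two full blocks).
	a := []byte("user=alice&dev=1&token=secretA")
	b := []byte("user=alice&dev=1&token=secretB")
	ca, cb := weakEncrypt3DES(a), weakEncrypt3DES(b)
	fmt.Printf("3DES fixed key+IV: identical leading blocks: %d of %d\n",
		sharedLeadingBlocks(ca, cb), len(ca)/des.BlockSize)
	fmt.Printf("3DES fixed key+IV: same payload twice -> same bytes: %v\n",
		bytes.Equal(ca, weakEncrypt3DES(a)))

	key := make([]byte, 32) // fresh per-run key; a real app would use the keystore
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s1, _ := encryptAESGCM(key, a)
	s2, _ := encryptAESGCM(key, a)
	fmt.Printf("AES-GCM random nonce: same payload twice -> same bytes: %v\n",
		bytes.Equal(s1, s2))
}
```

The third block also matches because the plaintexts still agree in "&token=s" and CBC chaining only diverges once a plaintext block differs; the observer therefore learns that the two tokens share their first character. Swapping to a random nonce removes the pattern entirely, and GCM's tag additionally rejects modified ciphertext, which CBC does not.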
In summary, the use of 3DES in DeepSeek, combined with hardcoded keys, reused IVs and disabled ATS, significantly undermines the security and privacy of user data: an attacker on the network path, or one holding a copy of the app, can recover or tamper with transmitted data. The findings underline the need for a modern authenticated cipher with properly managed keys and unique nonces, transport security left enabled, and clearer data governance.
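For item 4, the ATS setting lives in the app's Info.plist. The fragment below is an added illustration written for this page, not the DeepSeek app's actual plist: the first dictionary is the weak, global opt-out; the second is the corrected form (equivalent to omitting the key, since ATS is on by default). Both keys are Apple's documented names.

```xml
<!-- Weak: disables ATS for every host, so plain http:// requests and
     weak TLS configurations are accepted app-wide. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <true/>
</dict>

<!-- Corrected: leave ATS enforced. If a single legacy host genuinely
     cannot meet ATS, scope the exception to that host under
     NSExceptionDomains instead of disabling ATS globally. -->
<key>NSAppTransportSecurity</key>
<dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
</dict>
```

To check a build, unzip the .ipa and run `plutil -p` on the Info.plist inside the .app bundle; any NSAllowsArbitraryLoads set to true, or a broad NSExceptionDomains list, is the finding the reports describe.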
Citations:
[1] https://thehackernews.com/2025/02/deepseek-app-transmits-sensitive-user.html
[2] https://www.indiatoday.in/technology/news/story/deepseek-r1-recent-findings-reveal-multiple-security-flaws-in-ios-app-2677442-2025-02-10
[3] https://hiddenlayer.com/innovation-hub/deepsht-exposing-the-security-risks-of-deepseek-r1/
[4] https://www.linkedin.com/pulse/encryption-crisis-ai-lessons-from-deepseeks-security-failures-faux-tx7re
[5] https://blog.devolutions.net/2025/02/cybersecurity-newsflash-researchers-find-security-vulnerabilities-in-deepseek-for-ios/
[6] https://sbscyber.com/blog/deepseek-ai-dangers
[7] https://www.cybersecurityintelligence.com/blog/deepseek-exposes-sensitive-data-8245.html
[8] https://www.infosecurity-magazine.com/news/deepseek-r1-security/
[9] https://approov.io/blog/deepseek-apps-security-failures-how-approov-could-have-prevented-the-damage
[10] https://krebsonsecurity.com/2025/02/experts-flag-security-privacy-risks-in-deepseek-ai-app/