Exposed: How DeepSeek Tracks You and Sends Data to ByteDance

Mobile applications play a crucial role in today’s digital landscape, handling vast amounts of sensitive user data. However, improper security implementations can expose users to data breaches, privacy violations, and cyber threats. This technical blog analyzes multiple security flaws in the DeepSeek iOS app, focusing on encryption vulnerabilities, insecure data storage, fingerprinting risks, and network traffic concerns.

1. Insecure Symmetric Encryption with Hardcoded Keys

Encryption is Only as Strong as Its Implementation

Encryption is a fundamental mechanism to protect data confidentiality and integrity. However, improper implementation can render it ineffective. The DeepSeek iOS app exhibits several weaknesses in its encryption approach:

• Use of a broken encryption algorithm (3DES): The app employs Triple Data Encryption Standard (3DES), which is deprecated due to known vulnerabilities and susceptible to brute-force attacks.

• Hardcoded encryption key: The encryption key is hardcoded within the app, making it easily retrievable through reverse engineering.

• Use of NIL for Initialization Vector (IV): The absence of a random IV reduces the encryption strength, making ciphertext predictable.

• Reuse of IV: If an IV is reused across multiple encryption instances, it significantly weakens security by allowing attackers to correlate encrypted data.

Reverse Engineering Analysis

Using r2ai (an AI-enhanced reverse engineering tool for radare2) and Frida (a binary instrumentation framework), security researchers analyzed the encryption function in the BDAutoTrackLocalConfigService service, particularly the saveUser call.

Frida Hook Output of Encryption Function

plaintextCopyEdit================ CCCrypt Call ================
Operation => kCCDecrypt
Algorithm => kCCAlgorithm3DES
Options => kCCOptionPKCS7Padding
Key size => 24
Key => MEMyNyRTU2
IV => None
Data input => 4pvOAF6luXJQ==
Data output => NjRjOWxNmFk

This confirms the use of an insecure symmetric encryption algorithm with a hardcoded key and missing IV, making the encryption ineffective against real-world attacks.

2. Insecure Data Storage: Username, Password, and Encryption Keys

Cached Sensitive Data in Local Storage

Analysis of the DeepSeek iOS app revealed that user credentials and encryption keys were stored insecurely in a cached database on the device. In scenarios where an attacker gains physical access to an unlocked device, this data can be easily extracted and exploited.

NSURLRequest API Caching Issue

The app uses NSURLRequest API to communicate with remote servers. By default, this API caches HTTP responses in a Cache.db file unless explicitly disabled by developers. This means sensitive data remains stored locally, creating a serious security risk.

3. Data Collection and Fingerprinting Risks

Fingerprinting: The Silent Privacy Violation

Modern mobile applications track user behavior, device information, and network metadata. While some tracking is necessary for app functionality, excessive data collection can pose serious privacy risks, particularly when combined with external data sources.

How Minimal Data Can Lead to Identity Exposure

Even seemingly harmless data points can reveal a user’s identity when correlated with other datasets. Consider the following scenario:

User 1 asks: "What Elements Are Commonly Used as Nanoparticles?"

• Data suggests they are a student researching nanotechnology.

User 2 asks the same question but:

• Uses a high-end iPad

• Is connected via FirstNet (a U.S. public safety broadband network)

• Uses a cellular data connection

These additional data points may categorize User 2 as a high-value target, increasing the risk of surveillance or cyber espionage.

Data Points Collected by the App

DeepSeek iOS collects extensive user data, including:

• Device name (potentially containing real names)

• OS version

• Language settings

• Network connection type (WiFi, Cellular, VPN, etc.)

• App usage statistics

Such data can be combined across multiple apps, making it easy to de-anonymize users and track them across different services.

4. Data Transmission to ByteDance's Volcengine

What Is Volcengine?

Volcengine is ByteDance’s cloud service platform, used for AI, analytics, and enterprise solutions. While ByteDance is headquartered in China, its cloud infrastructure spans multiple countries, leading to concerns about data sovereignty and access by foreign governments.

Network Analysis of Data Transmission

The DeepSeek app transmits sensitive user data to apmplus.volces.com/monitor/collect/c/perfor... Key concerns include:

• Volcengine’s connection to ByteDance: Data sent here could be accessed under Chinese data laws.

• Fingerprinting data (e.g., device name): This allows direct association between users and their devices, reducing anonymity.

5. Third-Party Data Sharing: Intercom SDK

The app integrates Intercom's iOS SDK, which further transmits user data to an external platform. Security researchers identified fingerprinting vectors in this data exchange, such as:

• Color scheme tracking

• Voice-over feature status (used for accessibility tracking)

• Left-to-right (LTR) language setting

These attributes may seem harmless but contribute to building a highly unique user fingerprint, enabling tracking across multiple apps and services.

6. Missing iOS Security Controls

iOS Security Protections Ignored

Apple provides various security features to protect app users, but DeepSeek fails to leverage them properly:

7. Network Traffic and Chinese Data Access Concerns

Traffic Routing Through U.S.-Based ByteDance Servers

While DeepSeek app’s network logs show data routing through U.S. IP addresses, reverse analysis reveals ByteDance ownership.

Example: DNS Resolution of ByteDance Server

plaintextCopyEditping apmplus.volces.com
PING apmplus.volces.com.queniusz.com (8.45.52.229)

• Geo-located in the U.S.

• Owned by Level 3 Communications (acquired by Lumen)

• Connected to ByteDance (China-based parent company of TikTok and Volcengine)

Implications for Enterprises and Government Agencies

Organizations using DeepSeek risk exposing:

• Intellectual Property (through AI model usage data)

• Government or Military Personnel Data (through device fingerprinting)

• User Privacy (via metadata tracking and third-party data sharing)

Conclusion: Why This Matters & Next Steps

The DeepSeek iOS app demonstrates critical security flaws that impact user data confidentiality, integrity, and privacy. Key takeaways include:

• Weak encryption (3DES, hardcoded key, missing IV) compromises data security.

• Insecure storage of sensitive data (credentials, encryption keys) increases attack risks.

• Fingerprinting and data tracking pose serious privacy concerns.

• Data transmission to ByteDance servers raises geopolitical and regulatory risks.

Recommendations for Developers

To address these risks, developers should:

• Use modern encryption standards (AES-256) with dynamic IVs and secure key storage.

• Disable automatic caching for sensitive data using NSURLRequest.

• Limit data collection and disclose API usage per Apple’s privacy policies.

• Implement App Transport Security (ATS) to enforce encrypted data transmission.

Final Thought

Security is not just about compliance; it's about protecting users from real-world threats. Apps like DeepSeek highlight the importance of thorough security testing before deployment. Enterprises and users must remain vigilant, ensuring that the apps they rely on respect both security best practices and user privacy.