CybersecurityHacking

iOS AI Apps Expose API Keys, Open AI Proxy Access

Analyst 207||Source: TheHackerNews
Smartphone displays AI chatbot interface on a clean, minimalist surface with a laptop in the background.
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic.

Scope of the Wake Forest University analysis

Researchers at Wake Forest University examined 444 iOS apps from the US App Store in late 2025 and found 282 with exposed AI access in network traffic. The study focused on observable network behavior; it did not require jailbreaking or reverse-engineering the apps. The authors note the two-thirds figure is a lower bound because many apps blocked interception and the audit covered only the US storefront in a single time window.

How the credentials leaked — three clear patterns

The 282 vulnerable apps fell into three concrete categories. Fifty-four apps transmitted plaintext API keys: a single captured request revealed the secret key directly. Ninety-two apps accepted requests at a backend that performed no authentication — an open relay that any caller could use. The largest group, 136 apps, leaked replayable tokens: temporary access tokens were present in traffic and typically still valid when harvested. In 28 of the 54 plaintext-key apps, the same captured request also exposed the app’s hidden system prompt, the behind‑the‑scenes instructions that shape the assistant’s behavior.

Breadth of impact: providers, categories, and notable examples

The leaks touched at least ten AI providers, with OpenAI appearing most often in the captures. Vulnerable apps spanned 13 App Store categories: productivity apps were the largest single group by count, while health and fitness apps exhibited the highest leak rate. Finance and medical apps, by contrast, leaked nothing in the sample. Most affected apps were small, but the problem reached large products as well: one vulnerable app had more than two million user ratings.

Practical consequences: LLMjacking and runaway costs

The study links exposed credentials directly to the practice the industry calls LLMjacking, where attackers run requests on someone else’s paid account. The research cites a Sysdig calculation of a worst‑case scenario in which stolen credentials could generate more than $46,000 in AI charges per day. The researchers captured startling token misconfigurations: one popular app with over 100,000 ratings had an access token set to expire in the year 2125, and another app’s token that should have been valid for one hour still worked 128 days after its nominal expiry.

Developer response, recommended fixes, and vendor requests

The Wake Forest team notified all 282 developers and waited three months. Only 28% had clearly fixed the problem. Another 23% remained wide open, with leaked access still operational; the remainder went offline, became unreachable, or returned errors. The researchers reiterated long-standing guidance: do not embed keys in client apps, route AI requests through an authenticated server that enforces caller checks, and revoke any keys that have leaked.

The authors also urged platform and provider changes: label client‑side keys as unsafe in documentation, flag keys that suddenly get used by thousands of devices, and add screening for this class of leak during Apple’s App Store review.

What this means for technologists, Apple reviewers, and end users

  • Technologists and security teams: expect to audit mobile apps’ network behavior for embedded keys and tokens, enforce server‑side authorization, and include key‑revocation plans. The study shows simple interception tools can harvest usable credentials without app cracking.
  • Apple and App Store reviewers: the researchers explicitly asked Apple to add checks for client‑side AI keys during review; the audit demonstrates the feasibility and scope of the problem across many categories and providers.
  • End users: apps that appear small or casual can still expose paid AI access in the background; a captured credential can let an attacker run model requests on a developer’s paid account, with the developer paying the bill.

The Wake Forest study joins prior work that found the same wiring mistakes elsewhere: the 2025 LM-Scout analysis discovered insecure AI connections on Android and the Leaky Apps audit recovered secrets from thousands of Android and iOS apps. Together, these reports show a persistent pattern — developers continue to put keys or replayable tokens into client software, and many fail to revoke them even after removal.

The central, concrete question left by the data is how quickly and comprehensively app developers, platform reviewers, and AI providers will adopt the simple fixes the researchers recommend: move keys off the device, check callers server‑side, and treat sudden, massive key usage as a red flag. Until that happens, the study makes plain, inexpensive interception will continue to translate into real charges and real abuse.

https://thehackernews.com/2026/06/282-ios-apps-found-leaking-llm-api-keys.html

Ai SecurityEmerging ThreatsMobile SecurityAPI Key ExposureIos AppsWake Forest UniversityApp Store SecurityAI Proxy AccessCredential Leakage
Related Intelligence

Continue Reading

A well-lit computer workstation with a laptop and technical instruments in a clean, minimalist environment.

GuardFall Exposes AI Coding Agents to Shell Injection Risks

Researchers at Adversa AI have uncovered a shocking weakness, dubbed GuardFall, that lets advanced open-source coding agents slip past safety filters and execute destructive shell commands, exposing them to shell injection risks. This gap between text-based checks and shell execution leaves a trail of vulnerability wide open to exploitation.

Analyst 207
Modern office scene with people around a table, laptops, and a large screen displaying a blurred Teams interface.

Microsoft Bolsters Teams Security with Enhanced Bot Controls

Microsoft's new Teams admin policy gives you more control over third-party bots in meetings, allowing you to block unwanted guests and require explicit approval for external bots to join. This enhanced security feature can be easily managed for individual users or specific groups through the Teams Admin Center.

Analyst 207
Security professional stands before rows of computer screens, focused on a blank whiteboard.

Threat Management Fails to Keep Pace with Visibility Gains

Most organizations are drowning in threat intelligence, with an average of 14 distinct feeds, yet struggle to turn that visibility into action, with 61% unable to identify which vulnerabilities are most likely to be exploited. As a result, security teams waste 42% of their time on low-priority risks, highlighting a critical gap between threat awareness and effective management.

Analyst 207
Blurred Teams meeting on laptop screen in office setting with abstract overlays.

Microsoft Bolsters Teams Security with Enhanced Bot Protections

Microsoft is stepping up its Teams security game with enhanced bot protections, allowing admins to block third-party bots from joining meetings without approval. This new policy gives organizations greater control over who can access their meetings, helping to prevent malicious apps and unwanted disruptions.

Analyst 207