Researchers find hundreds of iOS apps leaking AI credentials
Researchers from Wake Forest University analysed 444 iOS applications with LLM features and found 282 (64%) that exposed exploitable credentials or backend access mechanisms, according to a paper published on arXiv (2606.12212). The team built a framework called LLMKeyLens to intercept app traffic and identify provider-specific API keys, JWT tokens, and unauthenticated backend endpoints for services including OpenAI, Google Gemini, Anthropic, and DeepSeek. Of the 282 vulnerable apps, 146 were classified as fully exploitable. After responsible disclosure and a 90-day waiting period, only 78 apps (28%) had remediated the issues, per the paper.
Research and findings
Researchers built a framework called LLMKeyLens to analyze how iPhone applications integrate with large language model services including OpenAI, Google Gemini, Anthropic, and DeepSeek, per a paper published on arXiv (2606.12212). Starting from more than 5,600 AI-related apps collected from the US App Store, the team assembled a final dataset of 444 iOS applications with confirmed LLM-powered features after filtering out inaccessible or non-functional apps.
Scale of exposure
Of the 444 applications analyzed, 282 apps (64%) exposed LLM-related credentials or backend access mechanisms; 146 of those were classified as fully exploitable. The vulnerable applications spanned 13 categories including productivity, entertainment, lifestyle, education, utilities, and health and fitness. Some affected apps carried user ratings in the millions, per the paper.
Three leakage patterns
The researchers identified three primary patterns. The first and most severe involved apps embedding plaintext API keys directly in outbound requests to AI providers, enabling immediate credential theft via traffic interception; some of these apps also exposed proprietary system prompts alongside the keys. The second pattern involved improperly configured JWT bearer tokens: developers moved API keys to backend servers and issued tokens to clients, but tokens could be intercepted and replayed to access AI services through the backend proxy. The third pattern involved unauthenticated backend proxies: 92 apps correctly hid their API keys server-side but required no authentication before processing requests, turning the backend into an open AI relay for anyone who knew the endpoint URL.
Disclosure and remediation
Following responsible disclosure, the team notified developers of all 282 vulnerable apps and retested after a 90-day window. Only 78 apps (28%) fixed the reported issues. In several cases tokens remained valid for months due to missing expiration controls; one JWT was issued with a validity period exceeding 100 years, per the paper.
Practitioner recommendations
The researchers recommend that developers enforce proper authentication and authorization on backend services, noting that hiding the API key server-side is insufficient without access control. They also suggest AI providers publish clearer reference implementations for secure integrations, and that Apple incorporate automated credential-leak detection into App Store review to catch insecure AI integrations before apps reach users.
Scoring Rationale
The paper delivers concrete, at-scale empirical findings - 282 of 444 tested apps (64%) exposed LLM credentials, with 146 fully exploitable and a mere 28% fix rate post-disclosure. This is actionable for developers integrating AI APIs into mobile apps and surfaces a systemic, quantified security gap in the iOS AI ecosystem. Scope is specific to iOS and to app-level credential handling rather than a platform-level vulnerability, placing it in the notable tier.
Practice with real Logistics & Shipping data
90 SQL & Python problems · 15 industry datasets
250 free problems · No credit card
See all Logistics & Shipping problems
