Hundreds of AI-powered iOS apps found exposing credentials

Mobile app developers are packing AI features into everything from writing assistants to productivity tools and lifestyle apps. New research shows that securing access to those services remains a challenge.

[Figure: LLM API credential leakage via network traffic interception (Source: Research paper)]

Researchers from Wake Forest University analyzed 444 iOS applications with LLM features and found 282 that exposed exploitable credentials or backend access mechanisms. The affected apps covered 13 categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness.

LLM-powered applications reached 17 billion downloads in 2025 and accounted for 13% of all mobile app downloads.

“LLM API key leakage is a widespread and systemic issue in the iOS ecosystem, affecting 26% of analyzed Apps across diverse categories and developer types. The vulnerability’s impact extends from niche Apps to popular apps with hundreds of thousands of users,” the researchers noted.

The team began with more than 38,000 App Store listings before narrowing the dataset to 444 applications with confirmed LLM functionality. Among those apps, 64% exposed credentials or access mechanisms that remained exploitable during testing.

The issue was not confined to little-known applications. Fifteen percent of vulnerable apps had more than 1,000 user ratings, and the most popular affected app had accumulated more than 2.3 million ratings.

Among the vulnerable apps, 136 exposed authentication tokens, 92 allowed unauthenticated backend access, and 54 exposed plaintext API keys. In 28 of the plaintext key cases, the applications also exposed system prompts used by the underlying AI service.

Productivity apps accounted for the largest number of vulnerable applications, followed by entertainment and lifestyle apps. Health & Fitness recorded the highest leakage rate among the categories examined.

The largest group of vulnerable applications relied on custom developer-operated backends. Researchers identified 155 apps in that category. Another 67 used cloud platforms such as Firebase, Google Cloud Run, and AWS, while 60 communicated directly with AI providers.

“Over half of leaked Apps (55%) route LLM traffic through custom developer backends, making provider-side mitigations alone insufficient. Cloud platforms and direct API services account for comparable shares of leakage (23% and 21%, respectively), confirming that adopting a proxy architecture does not prevent credential exposure,” they added.

The issues were disclosed to the developers of all 282 vulnerable applications, and the apps were retested 90 days later.

“After responsible disclosure, 28% of vulnerable applications successfully remediated through credential revocation or access control enforcement. However, 23% remain exploitable due to either absence of remediation action (36 apps) or fundamentally flawed authentication implementations (30 apps),” they concluded.
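To make the two findings above concrete (the proxy backends that allow unauthenticated access, and the remediation through access control enforcement), here is an added example that is not part of the article or the paper: a backend proxy modelled in plain Python, with the unchecked pattern beside one that verifies a per-user session before the provider key is spent. All key values, secrets and function names are constructed placeholders.

```python
"""Added example (not the paper's or the article's code): an LLM proxy backend
modelled offline in plain Python. `flawed_proxy` hides the provider key but
checks nothing; `hardened_proxy` requires a valid per-user session token.
Every credential and name below is a constructed placeholder."""
import hashlib
import hmac

# Constructed provider credential: it exists only on the server. In a real
# deployment it would be loaded from a secret store, never shipped in the app.
PROVIDER_API_KEY = "provider-key-PLACEHOLDER"
SESSION_SECRET = b"session-secret-PLACEHOLDER"  # server-side only


def issue_session_token(user_id: str) -> str:
    """Mint an HMAC-signed session token after the user signs in (hypothetical)."""
    mac = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def verify_session_token(token: str):
    """Return the user id if the token's MAC checks out, otherwise None."""
    user_id, _, mac = token.rpartition(".")
    if not user_id:
        return None
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def call_provider(prompt: str) -> str:
    """Stand-in for the outbound call to the LLM provider using PROVIDER_API_KEY.
    The key is used here and never placed in anything returned to the client."""
    return f"completion for: {prompt}"


def flawed_proxy(headers: dict, prompt: str) -> tuple:
    """The pattern the study counts as 'unauthenticated backend access': the key
    is not in the app binary, but anyone who sees the endpoint in traffic can
    drive the provider account through it at the developer's expense."""
    return 200, call_provider(prompt)


def hardened_proxy(headers: dict, prompt: str) -> tuple:
    """Access control enforced server-side: no valid session, no provider call."""
    user_id = verify_session_token(headers.get("Authorization", ""))
    if user_id is None:
        return 401, "unauthorized"
    if len(prompt) > 4000:  # per-request cap; a per-user quota keyed on user_id would go here
        return 413, "prompt too large"
    return 200, call_provider(prompt)
```

The hardened version also gives the operator a per-user identity to rate-limit on and to revoke, which is what makes credential revocation a usable remediation rather than a full app re-release.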
