282 iOS AI Apps Leak API Keys, Exposing Developers to Unauthorized Usage

A recent security analysis of 444 AI chatbot applications available on the Apple App Store has uncovered a significant vulnerability: 282 of these apps, representing nearly two-thirds of those tested, are leaking critical API keys or proxy access credentials within their unencrypted network traffic. This widespread exposure means that attackers can easily intercept these sensitive keys, allowing them to impersonate developers and issue commands to AI models on their behalf, ultimately leading to unauthorized usage and potentially substantial financial costs for the developers.

The research, conducted by Wake Forest University, employed a custom tool named LLMKeyLens. This tool passively monitors an app's network communications, identifying and extracting API keys or reusable tokens without requiring any advanced techniques like jailbreaking or app reverse engineering. The findings reveal three primary categories of leakage: 54 apps exposed keys in plaintext, 92 apps routed requests through servers that lacked any authentication, and 136 apps, the most common category, leaked replayable tokens that often remained valid long after their intended expiration.

Beyond just API keys, the study also found that for 28 of the plaintext-key apps, the same network capture also revealed the app's hidden system prompt. These prompts are the underlying instructions that define an AI assistant's behavior and functionality, meaning attackers could potentially gain insight into the app's core logic and purpose in addition to gaining access to its AI services.

The affected applications span at least ten different AI providers, with OpenAI being the most frequently exposed. The leaks were distributed across 13 app categories, with productivity apps being the most numerous and health and fitness apps exhibiting the highest leak rates. While most affected apps were smaller in scale, one application with over two million user ratings was found to be vulnerable.

This exposure directly fuels a practice known as "LLMjacking," where threat actors leverage stolen AI keys for their own benefit, incurring costs on the developer's account. Security firm Sysdig has previously estimated that stolen credentials could lead to daily AI charges exceeding $46,000 in worst-case scenarios. The Wake Forest study highlighted the severity of the issue by noting that one app's access token was set to expire in the year 2125, and another app's supposedly one-hour token remained functional 128 days after its expiration.

Despite researchers notifying all 282 developers of the vulnerabilities three months prior to the study's publication, only 28% had demonstrably fixed the issue. An additional 23% remained completely vulnerable, with their leaked access still functional. The remaining developers were either unreachable, had taken their apps offline, or were returning errors, indicating a slow and inconsistent response to patching.

The recommended solution for developers is to avoid embedding API keys directly within mobile applications. Instead, AI requests should be routed through a secure backend server that can authenticate users and manage API key access. This approach ensures that leaked credentials do not grant direct access to paid services. Researchers also urge AI providers to better document the risks of client-side keys and to implement better monitoring for anomalous usage patterns, while also calling on Apple to enhance its App Store review process to detect such vulnerabilities.

This research follows similar findings in previous studies, such as the "LM-Scout" study in 2025 which identified similar insecure practices in Android applications, and the "Leaky Apps" audit that uncovered widespread credential exposure across both Android and iOS apps. The ongoing rush to deploy AI-powered applications appears to have exacerbated long-standing security oversights, with the added risk of direct financial implications due to the tokenized nature of modern AI service billing.