Recent research has uncovered a significant security vulnerability in AI-powered iOS applications, with a substantial number leaking large language model (LLM) API credentials through network traffic. This exposure places developers at risk of unauthorized access and potential abuse of their LLM accounts and associated cloud resources.
Widespread Credential Leakage in AI iOS Apps
An empirical study analyzing 444 free, LLM-enabled iOS apps from the US App Store revealed that 282 of these applications—approximately 64%—leaked exploitable LLM credentials when their network traffic was intercepted during standard usage. These vulnerable apps span 13 different categories, encompassing both niche tools and highly popular applications with over two million user ratings. This indicates that credential leakage is a pervasive issue across the iOS app ecosystem.
To systematically investigate this threat, researchers developed a dynamic analysis framework named LLMKeyLens. Unlike static binary analysis, LLMKeyLens observes iOS apps during runtime. The methodology involved installing each app on physical devices, routing their traffic through a man-in-the-middle (MITM) proxy, and utilizing a custom root certificate to decrypt HTTPS flows. Testers then activated the app’s AI features with controlled prompts to monitor for credential exposure.
The study identified three primary patterns of credential leakage:
- Plaintext API Keys: Fifty-four apps transmitted static LLM provider keys directly in HTTP headers or query strings to endpoints such as api.openai.com or generativelanguage.googleapis.com. In many instances, these requests also included sensitive system prompts, meaning a single interception could reveal both a reusable key and the proprietary business logic driving the app’s AI behavior.
- Unauthenticated Backend Proxies: Ninety-two apps utilized backend proxies without requiring any authentication on those endpoints. This effectively created unauthenticated LLM relays that anyone could access once they knew the URL and basic JSON schema.
- JSON Web Tokens (JWTs): The most common pattern involved 136 apps leaking bearer tokens used to authenticate against intermediate backends. Many of these tokens remained valid for extended periods, allowing for replay attacks and continued unauthorized inference access. Critical flaws in JWT management were observed, including missing expiration dates, tokens valid for up to 100 years, and servers accepting already expired tokens. Even attempts to implement short-lived token patterns were undermined by weak enforcement, effectively reducing them to static secrets.
On the defensive side, only 143 out of 444 apps implemented any form of interception resistance. The most common protection method—bypassing the system HTTP proxy—was defeated in 81% of cases when researchers switched to VPN-based transparent traffic capture. Robust multi-layer defenses, such as custom payload encryption and anti-debugging checks, were rarely employed.
This widespread credential leakage underscores the urgent need for developers to adopt secure coding practices and implement robust security measures to protect sensitive information. As AI integration in mobile applications continues to grow, ensuring the confidentiality and integrity of API credentials is paramount to safeguarding both user data and developer resources.