An academic study has found that LLM-powered iOS applications routinely expose API credentials that can be abused to access AI services.
Researchers discovered that nearly two-thirds of tested apps leaked credentials or exposed backend access mechanisms, with many vulnerabilities remaining unfixed months after disclosure.
A team of researchers in the US developed a framework called LLMKeyLens to analyze how iPhone applications integrate with large language model services such as OpenAI, Google Gemini, Anthropic, DeepSeek, and others. To conduct the study, the researchers first collected over 5,600 AI-related applications from Apple's App Store and manually evaluated a representative sample. After filtering out inaccessible, non-functional, or non-AI apps, they assembled a final dataset of 444 iOS applications with confirmed LLM-powered features.
The researchers then used LLMKeyLens to intercept application traffic and identify credentials transmitted between apps, backend servers, and AI providers. The system was designed to automatically detect provider-specific API keys, authentication tokens, and exposed backend endpoints, and to validate whether the leaked credentials could be abused.
arxiv.org
Of the 444 applications analyzed, 282 apps (64%) exposed LLM-related credentials or backend access mechanisms, and 146 of those were classified as fully exploitable. The vulnerable applications spanned numerous categories, including productivity, entertainment, lifestyle, education, utilities, and health and fitness. Some affected apps were highly popular, with user ratings reaching into the millions.
The study identified three primary leakage patterns.
- The first and most severe involved apps directly embedding plaintext API keys in requests sent to AI providers. In these cases, attackers who intercepted traffic could immediately obtain credentials from OpenAI, Gemini, or other providers and submit their own AI requests under the developer's account. Researchers found that some applications simultaneously exposed proprietary system prompts, revealing not only the credentials but also the instructions powering the app's AI functionality.
- The second pattern involved JWT bearer tokens, accounting for nearly half of all vulnerable apps. Developers often attempted to improve security by placing API keys on backend servers and issuing authentication tokens to clients. However, improperly configured tokens could still be intercepted and replayed to access AI services through backend proxies.
- The third category concerned unauthenticated backend proxies where developers had correctly hidden their API keys on a server but failed to require authentication before processing AI requests. Researchers found 92 apps that would accept arbitrary requests from anyone who knew the endpoint URL, effectively turning the backend into an open relay for AI services.
To evaluate the real-world impact, the researchers actively tested leaked credentials. Out of 421 applications that appeared to expose credentials, 282 remained actively exploitable, successfully returning AI-generated responses when replayed with benign requests.
Following responsible disclosure, the team notified developers of all 282 vulnerable applications and waited 90 days before retesting, finding that only 78 apps (28%) fixed the reported issues. In several cases, tokens remained valid for months because expiration mechanisms were missing or ignored. One application issued JWTs with a validity period exceeding 100 years.
The researchers argue that protecting LLM credentials requires more than simply moving API keys off the client. Developers must enforce proper authentication and authorization on backend services, while AI providers should offer clearer guidance and reference implementations for secure integrations. They also suggest that Apple could incorporate automated credential-leak detection into the App Store review process to identify insecure AI integrations before apps reach users.
Leave a Reply