Developers giving attackers a free ride after hundreds of iPhone AI apps found exposing credentials
Just days after Google tightened restrictions on Gemini API keys to prevent unauthorized AI use, researchers have found hundreds of iPhone AI apps that expose the digital credentials used to access AI services such as OpenAI and Gemini.
-
Google may have tightened the Gemini API key rules, but the problem is still widespread Researchers found 282 of 444 iPhone AI apps exposed credentials or insecure access methods.
-
Exposed keys can be expensive and dangerous Attackers could abuse OpenAI, Gemini, and other AI services at developers’ expense, disrupt apps, or steal hidden system prompts.
-
Fixes have been slow Despite being notified, only 28% of affected developers had properly fixed the issue after 90 days.
Those credentials act like passwords, allowing apps to communicate with AI models and generate responses. If exposed, they can be copied and reused by outsiders, leaving developers with the bill for the resulting AI usage.
A study from Wake Forest University analyzed 444 iOS apps with large language model (LLM) functionality and found that almost 282 of them exposed exploitable credentials or other methods for accessing AI services.
Apps containing potential vulnerabilities spanned 13 categories, with productivity apps accounting for the largest number of affected applications (143).
Entertainment (35), Lifestyle (24), Utilities (22), Education (13), and health and fitness (7) followed behind.
In terms of vulnerability rates, Health and Fitness performed worst, with almost half of the apps containing flaws. Around 40% of productivity apps were affected, compared with roughly a quarter of lifestyle and entertainment apps.
While the researchers did not publicly identify the affected apps, they noted that the issue was not confined to obscure software: 15% had accumulated more than 1,000 user ratings, while the most popular affected app had more than 2.3 million ratings.
The researchers concluded that “LLM API key leakage is a widespread and systemic issue in the iOS ecosystem,” affecting both niche applications and widely used consumer apps.
Google has previously warned that old API keys can become dangerous once the Gemini API is enabled, generating substantial costs for developers.
Acknowledging the issue, Gemini blocked requests from unrestricted standard keys from June 19th to reduce abuse and surprise cloud charges.
Among apps that communicated directly with AI providers, OpenAI accounted for the largest number of exposed credentials, appearing in 42 vulnerable apps, while Google’s Gemini was identified in 7 apps.
Researchers also found exposed credentials linked to Anthropic’s Claude, OpenRouter, DeepSeek, Mistral, Baidu, ERNIE, Poe, Zhipu AI, DeepAI, and Writesonic.
Three types of security failures
Researchers identified three types of security failures that could allow outsiders to access or abuse AI services paid for by app developers.
The impact could include unexpected AI usage charges, abuse of developer accounts, service disruption, and the theft of proprietary AI instructions and business logic.
Hackers could also find exposed keys on websites, apps, repositories, and elsewhere, and rack up the bills, causing severe financial damage with little to no warning.
In 92 cases, apps accepted requests without any authentication at all, allowing researchers to interact with AI services without providing credentials.
In practice, that meant anyone who discovered the exposed service could potentially use it at the developer’s expense.
Another 136 apps exposed authentication tokens that could be reused to access developer-operated AI services.
In 54 cases, apps transmitted AI service credentials directly in requests sent to providers such as OpenAI and Gemini, allowing researchers to extract and validate the credentials from intercepted traffic.
In nearly half of those cases, researchers also discovered exposed system prompts – the hidden instructions used to shape how AI assistants behave.
According to the paper, “plaintext API key exposure, though less frequent (19%), incurs the highest risk due to unrestricted access.
Moving AI keys off devices isn’t enough
The study found that many developers appear to follow industry advice by keeping AI API keys off users’ devices by routing requests through their own servers.
However, researchers concluded that simply moving credentials away from the app does not eliminate the risk.
“Over half of leaked apps (55%) route LLM traffic through customer developer backends, making provider-side mitigations alone insufficient,” the study noted.
The researchers found that many of these systems relied on weak authentication or exposed access tokens, undermining the security benefits of moving AI credentials off users’ devices.
Another 67 apps used cloud platforms such as Firebase, Google Cloud Run, and AWS, while 60 communicated directly with AI providers.
Low remediation rate
All 282 affected developers were notified of the flaws, but when the researchers retested 90 days later, only 28% had successfully fixed them through credential revocation or improved access controls.
The study concludes that the “low remediation rate reflects the complexity of mitigating this vulnerability.”
Has your password leaked?
According to the paper, persistent vulnerabilities were most commonly linked to unauthenticated AI services and flawed authentication implementation, suggesting that developers need more guidance on securely deploying AI-focused applications.
Earlier this year, Cybernews reported that thousands of exposed Google API keys could be abused to access Gemini AI services, in some cases generating substantial costs for developers.
Unlock more exclusive Cybernews content on YouTube.
