Android AI apps leak Google secrets the most, 700TB of files already exposed

Android developers are still hardcoding secrets, while attackers exploit them in the wild. Cybernews has analyzed 1.8 million Android apps on the Google Play Store and found that most AI apps leak an average of five secrets.
- 72% of Android AI apps contained at least one hardcoded secret.
- 68% of the hardcoded secrets pertained to Google Cloud Project Identifiers and API Keys.
- LLM API Keys were mostly secured, with mainly low-risk LLM API Keys found hardcoded.
- Android AI apps exhibit similar dangerous tendencies to hardcoded secrets found in iOS apps, as Cybernews investigated in 2025.
Hardcoding secrets is the practice of embedding sensitive information, such as API keys, passwords, or encryption keys, directly into source code. It has long been identified as one of the worst security practices. Still, it refuses to die.
Cybernews's latest research shows that AI apps on the Google Play Store are leaking hardcoded secrets and cloud endpoints, putting users at risk or, in some cases, even potentially allowing attackers to empty their digital wallets.
Seventy-two percent of the analyzed apps contained at least one hardcoded secret. On average, an AI app leaks 5.1 secrets, and 81.14% of the detected secrets were related to Google Cloud Project identifiers, endpoints, and API keys.
To make matters worse, an investigation found that hundreds of AI apps had already been breached. Leaky instances of Firebase and Google Cloud Storage have already exposed over 200 million files, totaling nearly 730TB of user data.
Secrets already exploited in the wild
Our researchers found that hundreds of AI Android apps with hardcoded secrets had already been breached by automated exploits.
They identified 285 Firebase instances missing authentication entirely, leaving them openly accessible to anyone. Collectively, these databases leaked 1.1GB of user data.
The team is sure that the instances were already compromised. In 42% of cases, the researchers found a table explicitly named “poc,” shorthand for “proof of concept.”
Other indicators of compromise were also uncovered. Some databases contained a user table populated with an admin account using emails like [email protected].
In the analysis, our researchers noticed that multiple indicators of compromise often occur in the same instance. This suggests that attacks are automated, with multiple threat actors indiscriminately scanning and exploiting the same instance.
Just as concerning, many of these databases remained unsecured even after clear signs of compromise.
“Detected indicators of compromise show a widespread issue of automated exploits against misconfigured Firebase databases. It also indicates that these instances are largely unmonitored, as they are not secured,” explained the Cybernews research team.
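For developers who want to check their own project for the "missing authentication" condition described above, the following added example (not Cybernews code) audits a Firebase Realtime Database rules file for paths that grant read or write access to anyone. It assumes the rules are strict JSON with no comments; the three rule sets are constructed samples.

```python
import json


def _is_public(expr):
    """True when a rule grants access unconditionally (boolean true or "true")."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def audit_rules(rules_json):
    """Return sorted (path, operation) pairs usable without authentication."""
    tree = json.loads(rules_json)["rules"]
    findings = []

    def walk(node, path):
        for op in (".read", ".write"):
            if _is_public(node.get(op)):
                findings.append((path or "/", op))
        for key, child in node.items():
            # Only nested objects are child paths; rule expressions are scalars.
            if isinstance(child, dict):
                walk(child, f"{path}/{key}")

    walk(tree, "")
    return sorted(findings)


# Constructed rule sets: fully open, partly open, and locked to the signed-in user.
OPEN_RULES = '{"rules": {".read": true, ".write": true}}'
MIXED_RULES = """{"rules": {
  "users": {"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}},
  "feed": {".read": true, ".write": "auth != null"}
}}"""
LOCKED_RULES = """{"rules": {
  "users": {"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}}
}}"""

if __name__ == "__main__":
    for name in ("OPEN_RULES", "MIXED_RULES", "LOCKED_RULES"):
        print(name, audit_rules(globals()[name]))
```

Because Realtime Database rules cascade downward, a public grant at the root cannot be revoked by a stricter rule on a child path, so a finding at `/` covers the whole database.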
The team identified that misconfigured Google Cloud Storage buckets exposed more than 200 million files, amounting to over 720TB of data. On average, each exposed bucket contained 1.55 million files and 5.5TB of data.
Google secrets were leaked the most
More than 81% of all detected secrets were related to Google Cloud projects. In total, our researchers identified 197,092 unique secrets, averaging 5.1 per app, of which just 0.96 were not connected to Google.
On their own, most of the leaked credentials are not necessarily dangerous if access controls are configured correctly. But they do expand the attack surface. Google’s API keys, however, are sensitive, as they are used to authenticate requests to various APIs, granting access to Google’s services.
Other leaked secrets are tied to non-Google services, including AWS credentials, AI service API keys, custom backends, marketing platforms, and databases.
The second most common category of embedded identifiers belonged to Facebook, primarily app IDs and client tokens, which are frequently hardcoded for analytics, login, and advertising integrations.
The diversity of exposed secrets was also striking. The scan detected 3,185 distinct types of secrets.
These leaked APIs could steal your money
While many exposed secrets are low risk, a smaller subset presents real danger for users. Some of the leaked APIs are tied to services that handle money, communications, analytics, and customer data.
Platform and communication APIs, such as Twitter, Braze, and Intercom, enable attackers to impersonate apps, interact with users, and access personal data.
Leaked keys could potentially be used to act on behalf of users, extract profiles and activity histories, send unauthorized messages or push notifications, and manipulate or delete user accounts.
Analytics and monitoring APIs, including Singular, Applyze, and Sentry, expose internal visibility into apps. Attackers could extract or alter marketing performance data, manipulate engagement and monetization metrics, and access diagnostic logs that might contain sensitive information.
The most severe exposures involved financial and rewards infrastructure. For example, Shopiroller keys allow manipulation of loyalty programs and transaction histories, potentially enabling direct abuse of in-app rewards.
At the highest risk level were Stripe live secret keys, which provide complete control over payment backends, including charging users, issuing refunds, creating fake invoices, and routing funds to attacker-controlled accounts.
Your AI conversations are safe: not many LLM APIs were leaked
Despite the sensitivity of large language model integrations, our researchers found surprisingly few exposed LLM API keys in the wild. The numbers suggest that LLM API keys are not being hardcoded at scale, at least not compared to cloud infrastructure identifiers or analytics tokens.
Only a handful of keys tied directly to major LLM providers were detected across the entire dataset, and most of the leaked keys posed low risk.
In typical configurations, leaked LLM API keys could allow an attacker to submit new requests but do not provide access to historical prompts, responses, or stored conversations. In practical terms, that sharply limits the potential impact of an attack.
Among the most leaked APIs were OpenAI’s, with Google Gemini next, followed by Claude.
Hardcoded secrets show poor hygiene
While scanning app code, our researchers detected 26,424 hardcoded Google Cloud endpoints. At first glance, this suggests a massive attack surface. However, in reality, two-thirds of those endpoints no longer existed. The buckets had been deleted, renamed, or the projects shut down entirely.
Of the remaining endpoints, 8,545 buckets still existed but required authentication, meaning they were not publicly accessible. A similar pattern was observed with Firebase instances.
This points to a different kind of problem. Not mass exposure, but poor hygiene. Apps routinely ship with references to cloud infrastructure that no longer exists, creating noise for defenders and an opportunity for attackers.
A similar pattern emerged with Firebase, where a large share of hardcoded references pointed to resources that were no longer active.
Methodology
During the research, the Cybernews research team surveyed 1.8 million Android apps from the Google Play Store using generic keywords and filtered results with N-gram-based Keyword Expansion to form a dataset of AI keywords.
“Once a sufficient number of keywords were discovered, the 1.8M app dataset was filtered for apps that mention the use of AI or other AI-application related keywords,” the team explained.
The final dataset consisted of 38,630 Android apps that explicitly claim to use AI. Researchers downloaded every app, then decompiled and scanned it using a custom-built script to detect hardcoded secrets and service endpoints.
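The researchers' script is not published. As an added example (not Cybernews code), here is a pre-release check a developer could run over their own decompiled build output to catch the kinds of values the study counted. The rule names, file-suffix list, and sample text are assumptions made for this example, and the token formats are the publicly known ones.

```python
import re
from pathlib import Path

# Publicly known token and endpoint formats; rule names are this example's own.
RULES = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "stripe_live_secret_key": re.compile(r"sk_live_[0-9A-Za-z]{24,}"),
    "firebase_rtdb_url": re.compile(
        r"https://[a-z0-9-]+\.(?:firebaseio\.com|firebasedatabase\.app)"),
    "gcs_bucket": re.compile(r"[a-z0-9-]+\.appspot\.com"),
}
ENDPOINT_RULES = {"firebase_rtdb_url", "gcs_bucket"}  # identifiers, not credentials
# Text-like files commonly present in decompiled APK output (assumed layout).
TEXT_SUFFIXES = {".xml", ".json", ".smali", ".java", ".kt", ".properties"}

def redact(value, keep=6):
    """Keep a short prefix so a finding can be triaged without re-leaking it."""
    return value[:keep] + "*" * (len(value) - keep)

def scan_text(text):
    """Return sorted, de-duplicated (rule, value) pairs; credentials are redacted."""
    found = set()
    for rule, pattern in RULES.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            found.add((rule, value if rule in ENDPOINT_RULES else redact(value)))
    return sorted(found)

def scan_tree(root):
    """Scan every text-like file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in TEXT_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed sample resembling res/values/strings.xml; no value here is real.
SAMPLE = (
    '<string name="google_api_key">AIza' + "X" * 35 + "</string>\n"
    '<string name="firebase_database_url">https://example-app.firebaseio.com</string>\n'
    '<string name="google_storage_bucket">example-app.appspot.com</string>\n'
    '<string name="pay_key">sk_live_' + "0" * 24 + "</string>\n"
)

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

A hit on an endpoint rule is an inventory item to verify (does the resource still exist, and is it access-controlled), while a hit on a credential rule means the key should be rotated and moved server-side.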
Once extracted, every potential credential underwent nearly a month of validation and false-positive elimination.
For the final part of the process, the researchers assessed real-world impact. Using exposed Google Project IDs, they scanned associated Firebase Realtime Databases and Google Cloud Storage buckets for broken access controls.
This allowed the team to examine what data these apps may actually store and expose in practice, without relying on privacy policies or developer claims.
“This was done in order to analyze what kinds of data these apps may store without relying on descriptions or promises laid out in privacy policies or terms and conditions,” our researchers explained.
iOS app research showed similar tendencies
The current results on Android AI apps echo a massive study of hardcoded secrets in iOS apps.
Crucially, the researchers found no statistically significant increase in the number of hardcoded secrets in Android AI apps compared to iOS apps. Apps on both platforms share the same dangerous trend of hardcoding secrets into applications’ code.
Previously, Cybernews researchers scanned 156,000 iOS apps, uncovering more than 815,000 hardcoded secrets, including thousands that are highly sensitive and could lead directly to breaches or data leaks.
As with Android AI apps, 70.9% of iOS apps contained hardcoded secrets, with each iOS app leaking 5.52 secrets on average, most of which are related to Google Cloud.
Researchers found 836 Google Cloud Storage buckets collectively leaking 76 billion files. This resulted in 406TB of exposed data, or an average of 90 million files, with 485GB per open bucket.
Research timeline
Start of research: September 16th, 2025
Researching Play Store for generic apps: September 23rd, 2025
Filtering for AI apps: From October 7th to 14th, 2025
Downloading and scanning AI apps: From October 29th to November 3rd, 2025
Removing false positives: November 11th to December 1st, 2025
Scanning Firebase and Google Cloud storage buckets: From December 1st to 3rd, 2025