AI-powered iOS applications are increasingly leaking large language model (LLM) API credentials through network traffic, exposing developers to large-scale abuse of their LLM accounts and cloud resources.
A recent empirical study of 444 free, LLM-enabled iOS apps from the US App Store found that 282 of them, or 64%, leaked exploitable LLM credentials when their traffic was intercepted during normal use.
These vulnerable apps span 13 categories and include both niche tools and highly popular apps with over two million user ratings, demonstrating that credential leakage is a widespread ecosystem problem rather than a fringe issue.
AI iOS Apps Leak LLM Credentials
To systematically map this threat, researchers built a dynamic analysis framework called LLMKeyLens that observes iOS apps at runtime instead of relying on static binary analysis.
Testers installed each app on physical devices, routed traffic through a man-in-the-middle (MITM) proxy, and used a custom root certificate to decrypt HTTPS flows, then triggered the app’s AI features with controlled prompts.
Researchers identified exposed credentials by matching provider-specific patterns in network traffic and safely validating them with benign requests to confirm active access to LLM services.
The study from Wake Forest University three primary credential leakage patterns, all of which were clearly observable in network traffic captures.
The first and most direct involves plaintext API keys: 54 apps sent static LLM provider keys directly in HTTP headers or query strings to endpoints such as api.openai.com or generativelanguage.googleapis.com.
In many of these cases, the same request also carried sensitive system prompts, meaning a single interception could reveal both a reusable key and the proprietary business logic that drives the app’s AI behavior.
The second pattern uncovered 92 apps that use backend proxies but fail to require any authentication on those endpoints, effectively creating unauthenticated LLM relays that anyone can call once they know the URL and basic JSON schema.
The third and most common pattern involves JSON Web Tokens (JWTs): 136 apps leaked bearer tokens used to authenticate against intermediate backends, and many of those tokens remained sufficiently valid to be replayed for continued inference access.
Researchers found critical JWT token management flaws, including missing expiration dates, tokens valid for up to 100 years, and servers accepting already expired tokens.
Even where developers attempted to follow “short-lived token” patterns, weak enforcement effectively downgraded them back to static secrets.
On the defensive side, only 143 of 444 apps implemented any form of interception resistance, and the most common protection bypassing the system HTTP proxy was defeated in 81% of cases once researchers switched to VPN-based transparent traffic capture.
Robust multi-layer defenses such as custom payload encryption and anti-debugging checks were rare but significantly harder to bypass.
Ninety days after responsible disclosure, only 78 of the 282 affected apps showed clear evidence of remediation, while 66 remained exploitable with little or no change.
Some developers revoked keys or tightened backend authentication, but others removed or abandoned services instead of properly fixing their integrations.
Overall, the findings suggest that secure LLM integration on iOS lags far behind adoption: developers frequently embed or indirectly expose credentials, providers still permit insecure client-side patterns, and app platforms do not yet systematically screen for AI-related secret leakage.
