Inzamam Nizam Jul 03, 2026

Researchers Find AI Security Flaws in Hundreds of iPhone Chatbot Apps

Key Takeaways

  • Researchers tested 444 iPhone apps offering AI chatbot features and found that nearly two-thirds of them, 282 apps in total, were leaking paid AI access credentials through their own network traffic.
  • No jailbreaking, reverse engineering, or hacking skills were required. Anyone who simply intercepted an app's traffic could pull out working API keys in plain sight.
  • These exposed keys are now fuelling a growing threat known as "LLMjacking," where attackers quietly hijack stolen credentials to run their own AI requests, leaving the original developer to foot the bill. In the worst-case scenarios across the industry, that bill can run past 46,000 dollars a day.
  • Even after developers were alerted to the problem, most didn't act. Three months on, only 28 per cent had actually fixed the vulnerability, leaving the majority still exposed.
  • Cloud security firm Sysdig has calculated that in worst-case scenarios, this kind of exploitation can run past $46,000 a day in AI charges. 

What Happened

Researchers at Wake Forest University tested 444 AI chatbot apps on the US App Store using a traffic-analysis tool they built called LLMKeyLens. By observing what each app sent over the network, no jailbreaking or reverse engineering required, they captured working credentials for paid AI services including OpenAI and Google Gemini in 282 apps.

The team described the finding as "a widespread and systemic issue in the iOS ecosystem," noting that the problem reached from niche apps to titles with hundreds of thousands of users. The leaks spanned at least ten AI providers and 13 app categories, with productivity apps the largest affected group and health & fitness apps showing the highest leak rate.

(Source: Mind your key: An Empirical Study of LLM API Credential Leakage in iOS Apps, Wake Forest University)

Three Ways the Apps Leaked

  • Plaintext API keys (54 apps): The provider's secret key was hardcoded into the app and sent in the clear; one intercepted request was enough to expose it. In 28 of these apps, that same request also revealed the app's hidden system prompt.
  • No authentication (92 apps): These apps used the right architecture, routing requests through their own server rather than the device. But the server accepted requests from anyone, turning it into an open relay billed to the developer's paid AI account.
  • Replayable tokens (136 apps): Even temporary tokens, meant to be the safer option, leaked in traffic and stayed valid long after capture. One app issued a token set to expire in 2125. Another's one-hour token was still working 128 days later.

The Response Gap

Only 28% had clearly fixed the issue three months after notification. A further 23% remained actively exploitable, with the leaked credentials still functional. The remainder had either gone offline, become unreachable, or returned errors, leaving their true status unresolved. 

A 2025 study known as LM-Scout uncovered the same insecure AI wiring across Android apps and was able to automatically break into 120 of them. A separate, larger audit called Leaky Apps extracted secrets from thousands of Android and iOS apps and found that developers routinely fail to revoke old keys even after removing them from an app, leaving the outdated credentials live and exploitable. 

The researchers also caution that their two-thirds figure is likely an undercount, since many apps blocked traffic interception entirely. It's also worth noting that the study covers only the US App Store as of late 2025, meaning the true global scale of the problem is likely higher still. 

What Developers Should Do

The fix is old advice, rarely followed: never embed API keys in client-side code, route all AI calls through a server you control, authenticate every request to that server, and revoke any credential that has ever shipped inside an app. Treat security fundamentals as a priority and take proactive steps to keep strong safeguards in place.
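
The server-side token check that the "no authentication" and "replayable tokens" findings show was missing, written here as an added example; it is not code from the study or from any affected app. The token format, the 5-minute `MAX_TTL`, the single-use policy and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # lives only on the relay server, never in the app
MAX_TTL = 300                         # assumed policy: a token is valid for 5 minutes
_seen = {}                            # nonce -> expiry (a shared store in production)

def _sign(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def issue_token(user_id, now=None, ttl=MAX_TTL):
    """Issue a signed, single-use token after the user has logged in."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "iat": now, "exp": now + ttl,
              "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body)

def verify_token(token, now=None):
    """Return (True, user_id) or (False, reason) for one relay request."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        if not hmac.compare_digest(sig, _sign(body.encode())):
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        iat, exp, nonce = int(claims["iat"]), int(claims["exp"]), claims["nonce"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    # The server enforces its own ceiling, so a token minted with a far-future
    # expiry (the "expires in 2125" case) is refused whatever it claims.
    if exp - iat > MAX_TTL:
        return False, "lifetime exceeds policy"
    # Expiry is checked on every request, not only at issue time.
    if now >= exp:
        return False, "expired"
    # Drop nonces whose tokens have expired, then refuse any nonce seen before.
    for old in [n for n, e in _seen.items() if e <= now]:
        del _seen[old]
    if nonce in _seen:
        return False, "replayed"
    _seen[nonce] = exp
    return True, claims["sub"]
```

The provider key stays on the server; the app only ever holds a token that is useless once spent or five minutes old.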

Recommendations for AI Providers and Apple 

Beyond developer fixes, the researchers recommend that AI providers take a more active role in prevention. This includes clearly labelling client-side embedded keys as inherently unsafe within their own documentation, and building in automatic detection for keys that suddenly show unusual activity, such as being used by thousands of devices at once.
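
One way a provider could implement the "unusual activity" detection recommended above: count distinct clients per key inside a sliding window and flag the key when the count crosses a threshold. This is an added example, not code from the researchers or any provider; the log format, key names, window and threshold are constructed for illustration, and a real threshold would be far higher.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample of provider-side request logs: time, key id, client address.
SAMPLE_LOG = """\
2025-11-01T10:00:00Z key=key_A client=192.0.2.10
2025-11-01T10:00:05Z key=key_B client=198.51.100.1
2025-11-01T10:00:09Z key=key_B client=198.51.100.2
2025-11-01T10:00:12Z key=key_A client=192.0.2.10
2025-11-01T10:00:20Z key=key_B client=198.51.100.3
2025-11-01T10:00:31Z key=key_B client=198.51.100.4
2025-11-01T10:20:00Z key=key_A client=192.0.2.11
"""

def parse(line):
    """Split one log line into (epoch seconds, key id, client address)."""
    ts, key, client = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), key.split("=", 1)[1], client.split("=", 1)[1]

def flag_shared_keys(log_text, window=600, max_clients=3):
    """Return {key_id: distinct clients seen} for each key that exceeded
    max_clients distinct clients within `window` seconds (first alert only)."""
    recent = defaultdict(deque)                     # key -> (ts, client) in window
    counts = defaultdict(lambda: defaultdict(int))  # key -> client -> hits in window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, key, client = parse(line)
        queue, seen = recent[key], counts[key]
        queue.append((ts, client))
        seen[client] += 1
        # Evict requests that have aged out of the window.
        while queue and queue[0][0] <= ts - window:
            _, old = queue.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        if len(seen) > max_clients and key not in flagged:
            flagged[key] = len(seen)
    return flagged
```

A key that one backend server uses shows a handful of client addresses; a key embedded in a shipped app shows one per install, which is what the window count surfaces.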

Expert View

"You don't need to break in when the door's already open. Every technique here (traffic interception, credential harvesting, token replay) is beginner material in ethical hacking. That it still works at scale on live AI apps is the real story."

- Inzamam Nizam, Cyber Security & Security Engineer, Edoxi Training Institute

"Most products that use security are not designed by anyone with security expertise. Security cannot be functionality-tested; no amount of beta testing will uncover security flaws, so the flaws end up in fielded products." 

- Bruce Schneier, Renowned Security Technologist

What This Means for Security Professionals

The techniques identified in this study are not new; what has shifted is the value of the underlying target. AI credentials now rank among the most costly secrets an application can expose, driving increased demand for professionals capable of identifying and remediating precisely these vulnerabilities.

The findings align closely with established cybersecurity certification pathways. Edoxi's CEH Course addresses the traffic analysis and credential-based attack methods employed in this research. 

The CISSP Course covers the secure architecture principles that, if applied, would have prevented the majority of these exposures; the CND Course focuses on network defence and secure communications protocols; and the CSA Course develops the SOC monitoring capabilities required to detect a compromised key being exploited at scale. Professionals seeking a suitable entry point can explore the full range of cybersecurity courses available.

Cyber Security & Security Engineer

Inzamam Nizam is a Cyber Security & Security Engineer with over six years of experience in offensive cybersecurity, vulnerability research, and application security. His expertise includes mobile (iOS/Android), web, and network penetration testing, secure code review, red teaming, exploit development, and secure architecture assessments. Recognised in the SynAck Hall of Fame for discovering critical security vulnerabilities, he is passionate about helping organisations strengthen their security posture through practical, research-driven approaches. Throughout his career, Inzamam has led security assessments, adversary emulation exercises, and secure development initiatives across diverse industries, including banking and enterprise environments. He has contributed to innovative cybersecurity projects such as SPELL-BOUND, an open-source adversary emulation framework, GHOSTWARE AI, an AI-powered security assessment platform, and KAEDAE, a behaviour-based keylogger detection solution. Through his writing, he shares practical insights, emerging attack techniques, and defensive strategies to help security professionals stay ahead of the evolving threat landscape.
