
Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through network traffic.
In many cases, you can tell the path simply by monitoring what your app sends: a plaintext API key, a reusable token, or a backend server that accepts the request without a key at all.
The person who obtains it can submit a model request in the developer’s account, and the developer pays the invoice. Three months after researchers alerted developers, only 28% had fixed the issue.
This study by researchers at Wake Forest University is the first detailed study of the iOS problem. This is impressive, in part because the effort involved in peeping was so low. The team used the tools they had built. LLM key lensmonitors app traffic and pulls credentials as it passes through. No need to jailbreak or crack the app.
The key is the secret that allows your app to call services like OpenAI and Google Gemini. If you embed this in your app, it will be exposed with every request your app makes.
All 282 cases fell into one of three groups:
- Plaintext key (54 apps): The key is sent open and readable from a single captured request.
- No key required (92 apps): The app routes requests through a server that responds to anyone without checking who is asking the question. Open relay to paid AI accounts.
- Renewable tokens (136 apps, most common): The app distributes temporary access tokens instead of raw keys. Although this is supposed to be a more secure approach, the tokens were leaked within the same traffic and were usually still valid at the time they were captured. Some were more than temporary, as the cases below demonstrate.
For 28 of the 54 plaintext key apps, the same request also exposed the apps’ hidden system prompts, behind-the-scenes instructions that define how the assistant behaves and how the product works. One catch, two prizes.
The breach affected at least 10 AI providers, the most common being OpenAI, and spanned 13 app categories. Productivity apps were the largest group. Health and fitness apps had the highest breach rate. In particular, nothing was leaked from financial and medical apps. Most of the affected apps were small, but not all. One of them had over 2 million user ratings.

This is not theoretical money. Stolen AI keys facilitate a practice known in the industry as LLM jacking, where an attacker runs someone else’s key to gain free model access. Sysdig has calculated that in a worst-case scenario, if your credentials are stolen, your AI costs could exceed $46,000 per day.
The researchers notified all 282 developers and waited three months. Only 28% were clearly correctable.
The remaining 23% were still wide open. The leaked access was working. The rest were offline, unreachable, or returning errors. Token apps were often the worst. A popular app with over 100,000 ratings had access tokens set to expire in 2125 years, or 100 years.
Another app’s 1-hour token was still working 128 days after it expired.
This fix is old advice that most people didn’t follow. Don’t put the key in the app. It routes AI calls through its own servers, has those servers verify who is calling, and revoke keys that have already been compromised.
The researchers are also calling on AI providers to label client-side keys as insecure in their documentation and flag keys that are suddenly used on thousands of devices, and they hope Apple will examine this during its App Store review.
The pattern is familiar. A 2025 study by LM-Scout found similar insecure AI wiring across Android apps, automatically penetrating 120 of them. A major audit, Leaky Apps, extracted secret information from thousands of Android and iOS apps and found that key revocations routinely failed, leaving old keys alive even after developers deleted them.
Other companies are investigating similar holes in the broader LLM app ecosystem. Even with the AI rush, that habit hasn’t changed. We now charge tokens for leaked keys, which increases the amount charged.
There is one caveat. The two-thirds number is the floor. The actual percentage is likely to be even higher, as many apps completely block interception and this study only covered the US App Store in late 2025.
