AI-powered iOS app leaks LLM API credentials through network traffic

AI-powered iOS applications are increasingly leaking Large Language Model (LLM) API credentials through network traffic, exposing developers to large-scale misuse of LLM accounts and cloud resources.

A recent empirical study of 444 LLM-enabled free iOS apps in the U.S. App Store found that 64%, or 282, leaked exploitable LLM credentials when their traffic was intercepted during normal use.

These vulnerable apps span 13 categories and include both niche tools and extremely popular apps with over 2 million user ratings, demonstrating that credential leakage is a broader ecosystem issue rather than a fringe issue.

AI iOS app leaks LLM credentials

To systematically map this threat, researchers built a dynamic analysis framework called LLMKeyLens that monitors iOS apps at runtime, rather than relying on static binary analysis.

Testers installed each app on a physical device, routed traffic through a man-in-the-middle (MITM) proxy, used a custom root certificate to decrypt HTTPS flows, and triggered the app’s AI features with controlled prompts.

Researchers identified exposed credentials by matching provider-specific patterns in network traffic and securely validating them with innocuous requests to confirm active access to LLM services.

Exposure of LLM API credentials through interception of network traffic. (Source: Arxiv)

The Wake Forest University study showed three major credential compromise patterns, all of which were clearly observable in network traffic captures.

The first and most direct involves a plaintext API key. 54 apps sent static LLM provider keys directly in HTTP headers or query strings to endpoints such as api.openai.com or generativelanguage.googleapis.com.

In many of these cases, the same request also includes sensitive system prompts, and a single interception can reveal both reusable keys and the unique business logic driving the app’s AI behavior.

Distribution of LLM API key leaks across iOS app categories (Source: Arxiv)

The second pattern revealed 92 apps that use backend proxies but do not require authentication on those endpoints, effectively creating unauthenticated LLM relays that anyone who knows the URL and basic JSON schema can call.

The third and most common pattern involves JSON Web Tokens (JWTs). 136 apps exposed bearer tokens used to authenticate to intermediate backends, but many of those tokens remained valid enough to be regenerated for continued inference access.

Researchers discovered serious flaws in JWT token management, including a lack of an expiration date, tokens valid for up to 100 years, and servers accepting tokens that have already expired.

Even when developers tried to follow the “short-lived token” pattern, weak enforcement effectively downgraded them to static secrets.

On the defensive side, only 143 out of 444 apps implemented some form of eavesdropping resistance, and when researchers switched to VPN-based transparent traffic capture, the most common protection, bypassing the system’s HTTP proxy, was defeated in 81% of cases.

Robust defenses in depth, such as custom payload encryption and anti-debug checks, are rare but extremely difficult to bypass.

Ninety days after responsible disclosure, only 78 of the 282 affected apps showed clear evidence of remediation, and 66 remained exploitable with little or no change.

Some developers have revoked keys or tightened backend authentication, while others have removed or abandoned their services without properly fixing their integrations.

Overall, the findings suggest that secure LLM integration on iOS is far behind in adoption. Developers frequently embed or indirectly expose credentials, providers continue to allow insecure client-side patterns, and app platforms do not systematically screen for AI-related disclosures.
