Hundreds of AI-Powered iOS Apps Exposed LLM Credentials and Backend Access
Researchers at Wake Forest University found widespread credential leakage in AI-enabled iOS apps, reporting that 282 of 444 tested applications exposed exploitable access to LLM services or supporting backends during normal use. The affected apps spanned 13 categories, including productivity, education, utilities, entertainment, lifestyle, and health and fitness, and included both niche titles and highly popular apps with millions of ratings. The exposed data created opportunities for attackers to abuse developers’ LLM accounts, consume cloud resources, and access backend services.
The study identified three recurring failure patterns: plaintext API keys sent directly to LLM providers, unauthenticated backend proxy endpoints, and replayable JWT bearer tokens with weak or broken expiration controls. Researchers said many apps lacked effective protections against traffic interception, and common defenses could be bypassed through VPN-based transparent capture. After responsible disclosure and a 90-day retest, remediation remained limited: about 28% of vulnerable apps had fixed the issues, while dozens remained exploitable because developers made little change or relied on fundamentally flawed authentication designs.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
90-day retest finds limited remediation across affected iOS apps
After a 90-day retest following responsible disclosure, the researchers found remediation remained limited: 28% of vulnerable apps had fixed the issues, while many others remained exploitable due to no remediation or flawed authentication implementations.
Researchers responsibly disclose the iOS app credential leakage issues
After identifying the insecure LLM integrations, the researchers carried out responsible disclosure to affected parties before later retesting the apps.
Researchers analyze 444 LLM-enabled iOS apps and find widespread credential exposure
Researchers from Wake Forest University analyzed 444 iOS apps with confirmed LLM functionality and found that 282 exposed exploitable credentials or backend access mechanisms, including plaintext API keys, unauthenticated backend access, and replayable JWT bearer tokens.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Researchers Find 1,748 Valid API Keys Exposed Across Public Websites
Researchers from Stanford University, the University of California, Davis, and TU Delft found **1,748 valid API credentials** exposed across roughly **10,000 public webpages** after analyzing about **10 million websites**, revealing a broad secret-leakage problem outside traditional code repositories. The credentials, identified with TruffleHog and detailed in the study *Keys on Doormats: Exposed API Credentials on the Web*, provided access to services including **AWS**, **GitHub**, **Stripe**, and **OpenAI**. The exposed secrets were tied to multinational corporations, critical infrastructure operators, government agencies, and at least one global bank. Most of the exposed credentials were embedded in **JavaScript** resources, often inside bundled files generated by tools such as Webpack, creating direct paths into cloud infrastructure, payment systems, and software repositories. Researchers said AWS keys made up more than **16%** of verified exposures, and cited cases including cloud credentials linked to a global bank’s core infrastructure and firmware repository credentials associated with drones and remote-controlled devices, raising the risk of malicious firmware updates. After responsible disclosure, the number of exposed credentials dropped by about half within two weeks, but the study found such secrets often remain publicly accessible for an average of **12 months** and sometimes for years.
Apr 2, 2026
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
AI and LLM Security Risks: Malicious Test Artifacts, Side-Channel Leakage, and LLM-Assisted Code Review
Security researchers highlighted multiple ways **LLM adoption can introduce or amplify risk**, including both technical attacks and unsafe development practices. G DATA reported that a Git-hosted “detector” for the **Shai-Hulud worm** shipped with “test files” that were effectively *real malware*: scripts capable of deleting user directories and, in at least one case, uploading data to actual threat actors. The files were apparently intended to validate detection efficacy and may have been produced via AI-assisted “vibe coding,” where the model replicated malicious behavior one-to-one while comments claimed the code was only a simulation; although the test artifacts are not executed during normal tool operation, users could trigger damage by manually running them. Separate academic work summarized by Bruce Schneier described **side-channel attacks against LLM inference**, where data-dependent timing and token/packet-size patterns (including those introduced by efficiency techniques like speculative decoding) can leak information about user prompts even over encrypted channels. Reported impacts include inferring conversation topics with high accuracy and, in some settings, recovering sensitive data such as phone numbers or credit card numbers via active probing. In parallel, an SC Media segment discussed the operational upside of **LLM-driven secure code analysis**, citing results that improved security across hundreds of open-source projects but noting the importance of human validation and patching effort; an OSINT Team post provided a cautionary, practitioner-level example of how easily malware can be accidentally executed during analysis, reinforcing the need for disciplined handling and isolation when working with suspicious files.
Mar 21, 2026