A new academic study has found that hundreds of AI powered chatbot applications available on Apple’s iOS platform are exposing sensitive credentials that could allow unauthorized users to access paid artificial intelligence services at the developers’ expense. Researchers from Wake Forest University analyzed 444 AI chatbot applications for iPhone and discovered that 282 of them, nearly two thirds of the total sample, leaked API credentials or provided unsecured access through their network communications. The findings mark the first comprehensive examination of this issue on iOS and indicate that many applications continue to rely on insecure methods for connecting with AI platforms. According to the researchers, the exposed information was obtained by monitoring application network traffic using a custom built tool named LLMKeyLens, without requiring jailbreaking or reverse engineering of the applications. Three months after responsible disclosure notifications were sent to affected developers, only 28 percent had implemented fixes, while many applications remained vulnerable to misuse.
The researchers identified three primary categories of security weaknesses across the affected applications. Fifty four apps transmitted plaintext API keys directly through network traffic, making the credentials visible from a single intercepted request. Ninety two applications routed requests through backend servers that accepted connections without validating the identity of the requester, effectively creating open relays that allowed anyone to access paid AI services without authorization. The largest group, consisting of 136 applications, relied on reusable access tokens that were intended to provide temporary authorization instead of exposing permanent API keys. However, these tokens were frequently intercepted during normal network communication and often remained valid long after they were expected to expire. In several cases, tokens described as temporary continued functioning months after their stated expiration date, while one application configured an access token to remain valid until the year 2125. The study also found that 28 of the 54 applications exposing plaintext API keys simultaneously revealed hidden system prompts that define how AI assistants behave and respond, allowing anyone intercepting the traffic to obtain both the authentication credentials and the application’s internal operating instructions. The researchers reported that the exposed credentials involved at least 10 AI service providers, with OpenAI appearing most frequently, and affected applications across 13 categories. Productivity applications represented the largest number of affected apps, while health and fitness applications recorded the highest rate of credential exposure. Finance and medical applications included in the research did not exhibit the same security weaknesses.
According to the study, the consequences extend beyond unauthorized access because exposed credentials can be abused in a practice commonly known as LLMjacking, where attackers use stolen API keys to consume AI services while the legitimate developer is billed for every request. Previous estimates from Sysdig suggested that large scale abuse of compromised AI credentials could generate more than 46,000 dollars in usage charges per day under worst case conditions. After notifying all 282 affected developers, the research team allowed a three month remediation period before reassessing the applications. Only 28 percent had clearly addressed the issue, while another 23 percent remained fully vulnerable with leaked credentials still functioning. The remaining applications had either become unavailable, returned errors, or could no longer be evaluated. The researchers emphasized that many of the vulnerable applications were developed by smaller organizations, although at least one affected application had accumulated more than two million user ratings, demonstrating that the issue is not limited to lesser known software.
The study recommends that developers avoid embedding API keys directly within mobile applications and instead route all AI requests through secured backend servers that authenticate users before processing requests. Researchers also advise developers to immediately revoke any credentials that have already been exposed rather than simply removing them from application code. In addition, the report encourages AI service providers to clearly identify client side API keys as insecure within their documentation and introduce monitoring mechanisms capable of detecting abnormal usage patterns, such as credentials suddenly being accessed from thousands of different devices. Apple was also urged to strengthen App Store review procedures by screening applications for insecure API implementations before publication. The findings follow previous research including the 2025 LM Scout study, which identified similar weaknesses across Android applications, and the Leaky Apps audit that uncovered thousands of exposed secrets across Android and iOS software. Researchers noted that while the current analysis covered only applications listed on the United States App Store during late 2025, many applications prevented traffic interception entirely, suggesting the actual number of vulnerable AI applications could be even higher than the study identified.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.





