PAPER PLAINE

Fresh research, simply explained. Updates twice daily.

Mind your key: An Empirical Study of LLM API Credential Leakage in iOS Apps

How iPhone apps leak secret keys that control expensive AI services

Researchers found that 282 out of 444 examined iPhone apps expose the secret credentials needed to access paid AI services like ChatGPT and Claude — allowing attackers to impersonate users and rack up charges on developers' accounts. Three months after alerting developers to the problem, 72% of vulnerable apps remained unfixed, suggesting the issue stems from deeper gaps in how developers are taught to build secure apps rather than simple oversights.

Leaked API credentials directly cost developers money through unauthorized AI service usage, and can expose user data if attackers access the accounts behind those keys. The findings reveal that platform-level safeguards and clearer security guidance from AI providers are needed — leaving the problem to individual developer awareness isn't working.
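As an added illustration of the defender's side of this finding (example code written for this summary, not from the paper or from any of the apps studied), the scanner below checks text extracted from an unpacked iOS app bundle for hard-coded LLM provider keys and reports them in redacted form. The provider prefix patterns are assumptions based on publicly documented key formats, and the sample bundle contents are constructed.

```python
import re
from dataclasses import dataclass

# Prefix patterns for LLM provider keys. These are assumptions based on
# publicly documented key formats; the paper does not specify them.
KEY_PATTERNS = {
    "anthropic": re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}"),
    "openai": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}"),
    "google": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

@dataclass(frozen=True)
class Finding:
    path: str       # file inside the unpacked .ipa where the key appeared
    provider: str   # which provider pattern matched
    redacted: str   # key with its middle masked, safe to put in a report

def redact(secret: str) -> str:
    """Keep just enough of the key to identify it, never the full value."""
    return secret[:10] + "..." + secret[-4:]

def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text (plist, strings(1) output, JS bundle) for keys."""
    findings = []
    for provider, pattern in KEY_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(path, provider, redact(match.group(0))))
    return findings

def scan_bundle(files: dict[str, str]) -> list[Finding]:
    """files maps bundle-relative paths to the text extracted from them."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample of what `unzip app.ipa` plus `strings` might yield.
SAMPLE_BUNDLE = {
    "Payload/Chat.app/Info.plist":
        "<key>OpenAIKey</key><string>" + "sk-CONSTRUCTED" + "0" * 30 + "</string>",
    "Payload/Chat.app/Chat":
        "Authorization: Bearer " + "sk-ant-api03-CONSTRUCTED" + "0" * 20 + "\n"
        "risk-assessment-module\n",  # 'sk-' not at a word boundary: no hit
    "Payload/Chat.app/config.json":
        '{"gemini": "' + "AIzaCONSTRUCTED" + "0" * 24 + '"}',
}

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f.path}: {f.provider} key {f.redacted}")
```

Pointed at the output of unzipping a release .ipa and running strings on its Mach-O binary, the same check gives a quick pre-release gate that the paper's 72% of still-vulnerable apps evidently lacked.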