[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fI-DQnSp_jNe1bHcKN4UcR9cPdTD-XoE7cIWEjozh2ek":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"8a651e71-321a-4dec-a1ec-7f92791705ac","282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study","282-ios-ai-apps-leak-api-keys-and-open-ai-proxy-access-in-network-traffic-study-cf4749","Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account,","A study by Wake Forest University researchers found that 282 out of 444 tested iOS AI chatbot apps exposed paid AI access through their network traffic. This included plaintext API keys, replayable tokens, or unsecured backend servers, allowing unauthorized users to incur costs on developer accounts. Despite notifications, only 28% of developers had fixed the issue after three months.","282 iOS AI apps leaked API keys and AI proxy access in network traffic.","282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study Swati KhandelwalJun 30, 2026API Security \u002F Mobile Security Researchers tested 444 AI chatbot apps for iPhone and found that 282 of them, nearly two-thirds, exposed paid AI access through their network traffic. In many cases, the path in was visible just by watching what the app sent: a plaintext API key, a reusable token, or a backend server that accepted requests with no key at all. Whoever grabs it can send model requests on the developer's account, and the developer pays the bill. Three months after the researchers warned the developers, only 28% had fixed it. The work, from researchers at Wake Forest University, is the first in-depth study of the problem on iOS. It is striking partly because of how little effort the snooping took. The team used a tool they built, LLMKeyLens, that watches an app's traffic and pulls out the credentials as they go by. No jailbreaking, no cracking the app open. The key is the secret that lets the app call a service like OpenAI or Google Gemini. Embed it in the app, and it is exposed with every request the app makes. All 282 fell into one of three groups: Plaintext keys (54 apps): the key is sent in the open, readable from a single captured request. No key needed (92 apps): the app routes requests through a server that answers anyone, with no check on who is asking. An open relay to a paid AI account. Replayable tokens (136 apps, the most common): the app hands out temporary access tokens instead of the raw key, the approach that is supposed to be safer, but the tokens leak in the same traffic and were usually still valid when captured. Some were not temporary at all, as the cases below show. For 28 of the 54 plaintext-key apps, the same request also exposed the app's hidden system prompt, the behind-the-scenes instructions that define what the assistant does and how the product works. One capture, two prizes. The leaks span at least ten AI providers, with OpenAI the most common, and reach across 13 app categories. Productivity apps were the biggest group; health and fitness apps had the highest leak rate. Finance and medical apps, notably, leaked nothing. Most affected apps were small, but not all of them: one had more than two million user ratings. This is not theoretical money. Stolen AI keys feed a practice the industry calls LLMjacking, where attackers run other people's keys to get free model access. Sysdig calculated a worst-case scenario in which stolen credentials could run up more than $46,000 a day in AI charges. The researchers notified all 282 developers and waited three months. Only 28% had clearly fixed it. Another 23% were still wide open; the leaked access was working. The rest had gone offline, become unreachable, or returned errors. The token apps were often the worst: one popular app, with over 100,000 ratings, set its access token to expire in the year 2125, a hundred-year pass. Another app's one-hour token still worked 128 days after it had expired. The fix is old advice that few followed: Do not put the key in the app. Route AI calls through your own server, make that server check who is calling, and revoke any key that has already leaked. The researchers also want AI providers to label client-side keys as unsafe in their documentation and to flag keys that suddenly get used by thousands of devices, and they want Apple to screen for this during App Store review. The pattern is familiar. A 2025 study, LM-Scout, found the same insecure AI wiring across Android apps and automatically broke into 120 of them. A larger audit, Leaky Apps, pulled secrets from thousands of Android and iOS apps and found developers routinely fail to revoke keys even after removing them, leaving the old ones live. Others have probed the broader LLM app ecosystem for similar holes. The AI rush has not changed the habit. It has raised the bill, because a leaked key is now charged with the token. One caveat: the two-thirds figure is a floor. Many apps blocked the interception entirely, and the study covers only the US App Store in late 2025, so the true rate is likely higher. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  API Security, Application Security, artificial intelligence, Cloud security, mobile security, Threat Intelligence, Vulnerability Management ⚡ Top Stories This Week Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool 29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests ⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002F282-ios-apps-found-leaking-llm-api-keys.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhJ9nmTBu_vYBf5fRZV4Jc-qtFGPySofVDYHUd-9-ogdve-M4Qd4j7_CnH9Zmvln6O3nfXSsDqQiMoL3rDYBSXZSrXlkCnSWSQUdAYJX1PkRzmytlVaYAc2AyrFOCpo9doU58gO6Gl5fQ-0SZ5D3yGP2SspNgK0U4f5jViSBnY_PAMUOjr42Nt8OLrhnTsQ\u002Fs1600\u002Fllm-keys.jpg","2026-06-30T13:49:34+00:00","2026-06-30T16:00:27.566452+00:00",8,[18,21,23,26,28,30],{"name":19,"type":20},"OpenAI","product",{"name":22,"type":20},"Google Gemini",{"name":24,"type":25},"AI chatbot","technology",{"name":27,"type":25},"API key",{"name":29,"type":25},"access token",{"name":31,"type":20},"LLMKeyLens","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,40,45],{"category":39},{"id":32,"icon":34,"name":35,"slug":36},{"category":41},{"id":42,"icon":34,"name":43,"slug":44},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI Security","ai-security",{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51],{"type":52,"value":53,"context":54},"malware","LLMjacking","Term used for the practice of attackers running other people's AI keys to get free model access."]