Published
- 6 min read
By Allan D - Editor, AI Security Wire
Two-Thirds of Tested iOS AI Apps Expose LLM API Keys via Traffic
Two-thirds of iOS AI apps tested by Wake Forest University researchers exposed working LLM credentials through their network traffic, according to a paper published on arXiv in June 2026. The study, “Mind your key: An Empirical Study of LLM API Credential Leakage in iOS Apps,” is the first systematic investigation of this class of vulnerability on iOS. The numbers are bad. What is worse is the remediation: three months after the research team notified developers, 72% of the affected apps remained exploitable.
What the Study Measured
The researchers built a dataset of 444 iOS applications, narrowed from 1,092 candidates through a filtering process that confirmed each app made genuine LLM API calls. They then ran each app through LLMKeyLens, a dynamic analysis tool they developed for this purpose.
LLMKeyLens works by intercepting the app’s network traffic and applying provider-specific extraction patterns to identify LLM credentials as they pass by. No jailbreak, no binary decryption. If an app embeds its credentials in a way that surfaces during normal use, LLMKeyLens finds it. After extracting a credential, the tool confirms it is still valid by making a live request to the provider.
Of the 444 apps, 282 exposed at least one exploitable credential. Ten or more AI providers appeared in the results. OpenAI was the most common. The leakage spanned 13 app categories.
Three Leakage Patterns
The researchers identified three distinct failure modes, each with different technical causes and different implications for remediation.
JWT-based token leakage (48% of affected apps): Many apps use JSON Web Tokens to authenticate calls to their own backend, which then calls the AI provider. The vulnerability here is not in the JWT format itself but in how the tokens are issued and managed. One app set its token expiry to the year 2125, a hundred-year pass. Another’s one-hour token was still valid 128 days after it had nominally expired. If the backend accepts any token issued against a known key, an attacker capturing the JWT from one session can reuse it indefinitely.
Unauthenticated backend proxy access (33%): Some apps route AI requests through a developer-controlled server, which seems like the right architecture. The problem is that 33% of affected apps left that proxy server with no authentication at all. Any client that can reach the server’s endpoint can send model requests and charge them to the developer. No credential to steal; just call the endpoint.
Plaintext API key transmission (19%): The most direct failure mode: apps that put the raw provider API key in their network requests. Of the 54 apps using this pattern, 28 also transmitted their system prompt alongside the key. One capture yielded two prizes: the credential and the proprietary instructions defining what the assistant does.
Scale and Exposure
Productivity apps made up the largest single category among affected apps. Health and fitness apps had the highest proportional leak rate. Finance and medical apps, notably, showed no leakage. The researchers speculate that higher regulatory scrutiny in those verticals may explain the difference.
The apps affected are not exclusively tiny products. One in the dataset had over two million user ratings. The credential exposure is not a long-tail problem limited to indie developers building fast.
The financial exposure when credentials leak is documented. LLMjacking is the practice of using stolen AI provider credentials to run model inference without paying for it. Sysdig’s research into this attack class estimated worst-case exposure of more than $46,000 per day from a single credential set. The demand is real: automated scanners actively probe application traffic and public code repositories for valid API keys, and valid LLM keys command a price in underground markets.
The Remediation Gap
The research team disclosed all 282 vulnerabilities and waited three months before publishing their analysis. What they found when they re-tested:
- 28% had clearly fixed the issue
- 23% remained exploitable with working credentials
- The rest had gone offline, become unreachable, or returned errors
The 23% figure is the concerning one. These are developers who received a disclosure, acknowledged it (in at least some cases), and left their users’ financial exposure open. The JWT apps were often the worst offenders: if the underlying token generation logic is not fixed, rotating a key buys only temporary relief.
The research team frames this as a systemic problem, not a collection of individual mistakes. The AI provider documentation does not, in most cases, prominently warn developers against client-side key embedding. App Store review does not screen for it. The developer who embeds a key in their app is often following a “quick start” code sample that shows exactly that pattern.
What Security Teams Should Look For
On the developer side: The correct architecture is consistent and not new. The API key goes on a server you control. The mobile app authenticates to your server, not to the AI provider directly. Your server validates the caller before forwarding to the model. Client-side keys are exposed keys.
For JWT-based authentication patterns specifically: enforce short expiry, validate the token server-side on every request, and confirm the token’s issuing credential has not been revoked. A token that expires in 2125 is not a token; it is a permanent credential embedded in a different format.
For incident response and threat hunting: LLMjacking activity from leaked mobile app credentials tends to look like sudden spikes in API usage from IP addresses not associated with your known client base. Provider dashboards for OpenAI, Anthropic, Gemini, and others expose usage by key; anomalous consumption patterns are detectable. Set spend alerts.
For app security teams doing mobile assessments: The LLMKeyLens methodology is straightforward. Intercepting HTTPS traffic from a test device during normal app use, then searching for known API key formats, is something any mobile security assessment can add. The Wake Forest paper lists provider-specific key patterns as part of its framework documentation.
The Android ecosystem has the same problem. The LM-Scout study in 2025 found identical credential leakage patterns across Android apps and automatically exploited 120 of them. The Leaky Apps audit pulled secrets from thousands of Android and iOS apps. This study is the first to document systematic iOS exposure. The pattern is consistent: the AI rush is adding new credential classes to mobile apps faster than secure integration practices are following.
References
- Mind your key: An Empirical Study of LLM API Credential Leakage in iOS Apps — Pinran Gao et al., Wake Forest University, arXiv:2606.12212
- The Hacker News: 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study
Frequently Asked Questions
- What did the Wake Forest LLM API key leakage study find?
- Researchers tested 444 iOS AI chatbot apps and found 282 of them (63%) exposed exploitable LLM API credentials through their network traffic. The leakage fell into three patterns: JWT-based token leakage (48%), unauthenticated backend proxy access (33%), and plaintext API key transmission (19%). Ten or more AI providers were affected, with OpenAI the most common. Three months after responsible disclosure, only 28% of the affected apps had fixed the problem.
- What is LLMKeyLens and how does it work?
- LLMKeyLens is a dynamic analysis framework developed by the research team at Wake Forest University. It detects LLM API credential leakage by intercepting an app's network traffic, applying provider-specific extraction patterns, and actively confirming whether extracted keys are valid. It requires neither source code access nor binary decryption, meaning it can be run against any iOS app without jailbreaking the device.
- What financial risk does LLM API key leakage create?
- A stolen LLM API key can be used to run model inference at the developer's expense, a practice known as LLMjacking. Sysdig's previous research calculated a worst-case scenario in which a stolen credential set could accumulate over $46,000 per day in AI charges. Beyond direct financial loss, plaintext-key leaks in this study also exposed app system prompts in 28 of 54 cases, revealing proprietary AI configuration details alongside the credential.