A Wake Forest University research team analyzed 444 iOS apps with LLM features and found 282 exposing exploitable credentials. These were plaintext API keys and authentication tokens visible in network traffic, accessible to anyone running a packet capture.
What Happened
Researchers examined iOS apps advertising AI or LLM functionality using standard network interception techniques. They found that 282 apps (63% of the sample) transmitted credentials that could be captured and reused. These vulnerable apps included productivity tools and consumer services.
The exposure types fell into two categories:
- Direct LLM API keys: Apps directly calling OpenAI, Anthropic, or similar services with API keys embedded in requests.
- Custom backend tokens: Apps routing through developer-owned infrastructure but leaking authentication tokens granting backend access.
55% of the leaking apps used custom backends that failed to provide a security boundary.
Timeline
This is a systemic failure pattern as teams rushed to add AI features:
- 2022-2023: LLM APIs become commercially available. Developers integrate ChatGPT and similar services into apps.
- Early 2024: Researchers begin analyzing iOS apps with LLM features.
- Mid-2024: 282 apps with credential exposure identified. Coordinated disclosure begins, notifying developers.
- Post-disclosure: 28% of developers successfully remediated through credential revocation or access control enforcement. The remaining 72% either didn't respond or implemented ineffective fixes.
Which Controls Failed
Missing Client-Side Secret Protection
The main failure was treating mobile apps as trusted environments. Developers embedded API keys as if deploying to a secure server, ignoring that every iOS app binary can be decompiled and network requests intercepted.
Failures included: No secret detection in the build pipeline, no runtime detection of credential exposure, and no assumption that client code is hostile.
Insufficient Backend Authentication
For the 55% using custom backends, the architecture seemed secure—client talks to your server, your server talks to the LLM API. But authentication between client and backend was flawed:
- Static tokens that never rotated
- Bearer tokens with no expiration
- No device binding or client attestation
- No rate limiting tied to authenticated identity
An attacker could replay a captured token indefinitely from any device.
No Secrets Management Lifecycle
Even apps that initially secured credentials failed to rotate them. API keys issued during development remained active in production. Only 28% of developers had a process for credential rotation.
What Standards Require
OWASP ASVS v4.0.3
Requirement 2.10.4: "Verify that secrets, API keys, and passwords are not included in the source code or in source code repositories."
Requirement 6.4.1: "Verify that sensitive data held in memory is overwritten with zeros as soon as it is no longer required."
PCI DSS v4.0.1
Requirement 6.2.4: Prevent or mitigate common software attacks, including hardcoded credentials.
Requirement 8.6.3: Application accounts and credentials must be used only for specific applications and not shared.
NIST 800-53 Rev 5
IA-5(7): "Ensure that unencrypted static authenticators are not embedded in applications or access scripts."
Lessons and Action Items
1. Implement Backend-for-Frontend Pattern
Never call third-party APIs directly from mobile clients. Your architecture should be:
Mobile App → Your Backend → LLM API
Action: If you currently call OpenAI/Anthropic/other LLM APIs directly from iOS/Android, refactor through a backend proxy immediately.
2. Implement Per-User Token Issuance
Issue tokens per authenticated user session:
- Generate tokens on login
- Expire after 24 hours (or less for sensitive operations)
- Bind to device fingerprint where possible
- Implement effective token revocation
Action: Audit your token issuance code. Ensure you can revoke a single user's tokens without redeploying.
3. Add Secret Detection to CI/CD
Integrate tools that scan for API keys before code reaches production:
- GitHub secret scanning
- GitGuardian or similar for private repos
- Pre-commit hooks blocking commits with patterns like
sk-[a-zA-Z0-9]{32}
Action: Add a pre-commit hook this week. Make it block the commit.
4. Test Your Apps Like an Attacker
Run your iOS app through a proxy (Charles, Burp Suite, mitmproxy) and examine every API call:
- Can you see API keys in headers or request bodies?
- Can you replay captured tokens from a different device?
- Can you modify request parameters to access other users' data?
Action: Make this part of your security testing checklist before every release.
5. Build a Credential Rotation Playbook
Document your process for rotating credentials:
- How do you generate new API keys?
- How do you update backend configuration?
- How do you force mobile clients to refresh tokens?
- What's your rollback plan if rotation breaks production?
Action: Write this playbook now. Test your rotation process in staging quarterly.
The Wake Forest research exposed a systemic failure in securing mobile apps with AI features. 63% of analyzed apps leaked credentials because developers treated mobile clients as trusted environments. Your app is likely in that 63% unless you've specifically architected against it. Start with the backend-for-frontend pattern. Everything else is secondary.



