On June 22, security researchers at Wake Forest University published findings that many AI-powered iPhone apps leak credentials through careless configuration, raising questions about iOS app security just as AI features spread across mobile apps.
The findings come at a time when AI tools are appearing in almost every type of smartphone app. From writing assistants and study aids to productivity and health platforms, developers are racing to add large language models (LLMs) to their products.
However, according to researchers, security is not always keeping pace with innovation. Their analysis suggests that many developers are still struggling to integrate AI services safely, leaving the door open for attackers to misuse expensive AI resources and gain access to backend systems.
The Hidden Risks Behind AI Security
To better understand how AI services are being connected to mobile apps, the research team built a framework called LLMKeyLens. Instead of looking at source code, the tool examines the traffic moving between an app and the AI systems it relies on.
Researchers started with more than 5,600 AI-related applications listed on the US App Store. After filtering out apps that were inaccessible or no longer functional, they narrowed the list to 444 applications with confirmed AI-powered features.
The findings were quite alarming.
Credentials or exploitable backend access paths turned up in more than half of the apps examined: 282 of the 444 apps had a vulnerability, and 146 of those were fully exploitable.
The problem is not confined to obscure apps with few ratings. The vulnerable apps included titles with millions of ratings across everyday categories such as education, productivity, lifestyle, entertainment, utilities, and fitness.
The most alarming finding was direct credential exposure. Some apps sent the provider API key in plaintext straight from the device to the AI service, which makes interception straightforward and lets whoever captures the key use the AI service on the developer's account.
“The vulnerability’s impact extends from niche apps to popular apps with hundreds of thousands of users,” the researchers noted.
The researchers also found apps exposing proprietary prompts alongside their API keys. Authentication tokens were the other area that drew their attention.
To improve iOS app security, developers commonly move provider credentials to a backend server that relays requests on the app's behalf, but some of these relays were poorly implemented. Tokens issued to the app could be intercepted and replayed to obtain unauthorized access to the AI service through the backend.
Researchers also discovered dozens of apps that successfully hid their API keys, but left backend endpoints open to anyone who knew where to find them. In those cases, the backend effectively became a free relay to paid AI services.
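The three credential patterns described above (provider key shipped in the app, backend relay with a per-client token, and backend relay that asks for nothing) can be told apart from intercepted traffic alone, which is the approach the study took. The following is an added example, not the LLMKeyLens tool or any app's code: it classifies request records of the kind an intercepting proxy exports. The records in `SAMPLE_FLOWS` are constructed, and the provider header conventions in `PROVIDER_KEY_HEADERS` are assumptions taken from the providers' public documentation.

```python
"""Classify captured app-to-AI traffic by how the credential travels.

Added example, not the LLMKeyLens tool. Each record imitates one HTTP request
exported from an intercepting proxy; the records in SAMPLE_FLOWS are
constructed, and the provider header conventions are assumed from the
providers' public documentation.
"""
import hashlib
import re
from typing import Dict, List

# Provider host -> header that carries the provider API key (assumed).
PROVIDER_KEY_HEADERS = {
    "api.openai.com": "authorization",                       # "Bearer sk-..."
    "api.anthropic.com": "x-api-key",
    "generativelanguage.googleapis.com": "x-goog-api-key",   # or ?key= in the query
}
# Looks like a credential: optional "Bearer " prefix, then 20+ token characters.
KEY_SHAPE = re.compile(r"^(?:Bearer\s+)?[A-Za-z0-9_.\-]{20,}$")


def fingerprint(secret: str) -> str:
    """One-way handle so a report can correlate a key across apps without printing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def classify_request(rec: Dict) -> Dict:
    """Return the credential pattern used by one captured request."""
    host = rec["host"].lower()
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    query = {k.lower(): v for k, v in rec.get("query", {}).items()}

    if host in PROVIDER_KEY_HEADERS:
        # The app calls the provider itself, so the provider key ships inside
        # the app and rides on every request: any proxy on the device sees it.
        value = headers.get(PROVIDER_KEY_HEADERS[host]) or query.get("key", "")
        if value and KEY_SHAPE.match(value):
            return {"pattern": "PROVIDER_KEY_IN_APP",
                    "key_fp": fingerprint(value.split()[-1])}
        return {"pattern": "PROVIDER_UNRECOGNISED_AUTH"}

    # Otherwise the app talks to the developer's own backend, which relays to
    # the provider. What matters is whether the backend asks the client for
    # anything a replaying attacker could not trivially supply (a device id
    # or app version header does not count).
    token = headers.get("authorization") or headers.get("x-api-key") or ""
    if token and KEY_SHAPE.match(token):
        return {"pattern": "RELAY_WITH_TOKEN",
                "token_fp": fingerprint(token.split()[-1])}
    return {"pattern": "RELAY_OPEN"}


def summarize(records: List[Dict]) -> Dict[str, int]:
    """Count credential patterns over all captured requests of one app."""
    counts: Dict[str, int] = {}
    for rec in records:
        pattern = classify_request(rec)["pattern"]
        counts[pattern] = counts.get(pattern, 0) + 1
    return counts


# Constructed flows for three hypothetical apps (all keys are dummies).
SAMPLE_FLOWS = {
    "notes-assistant": [
        {"host": "api.openai.com", "method": "POST", "path": "/v1/chat/completions",
         "headers": {"Authorization": "Bearer sk-dummy0000000000000000000000"}},
    ],
    "quiz-tutor": [
        {"host": "generativelanguage.googleapis.com", "method": "POST",
         "path": "/v1beta/models/example-model:generateContent",
         "query": {"key": "AIzaDummyDummyDummyDummyDummy0000"}, "headers": {}},
    ],
    "fit-coach": [
        {"host": "api.fit-coach.example", "method": "POST", "path": "/v1/ai/chat",
         "headers": {"Content-Type": "application/json", "X-Device-Id": "A1B2"}},
        {"host": "api.fit-coach.example", "method": "POST", "path": "/v1/ai/chat",
         "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.dummysig"}},
    ],
}

if __name__ == "__main__":
    for app, flows in SAMPLE_FLOWS.items():
        print(app, summarize(flows))
```

A `RELAY_OPEN` result is a lead, not proof: the confirming step is to replay the captured request from a different client and see whether the backend still answers. A `RELAY_WITH_TOKEN` result only says a token is present; whether it can be replayed indefinitely is a separate question about how the backend validates it.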
The findings add to growing concerns around AI security, particularly as companies continue integrating AI capabilities into consumer applications at an unprecedented pace.
Security Problems Persist Despite Warnings
Perhaps the most surprising finding was what happened after developers were notified. Following responsible disclosure practices, the researchers contacted all 282 affected app developers and allowed a 90-day period for fixes.
Three months later, they checked the apps again. Only 78 applications addressed the reported issues.
That means nearly three-quarters of the vulnerable apps remained exposed even after developers had been informed. Some problems were especially severe: the researchers found authentication tokens that stayed valid for months because no expiry had ever been set.
One token reportedly carried a validity period of more than 100 years. The findings therefore undercut the assumption that moving credentials to a backend server by itself guarantees better security.
Hiding API keys may be necessary, but it is no silver bullet for mobile application security.
Without proper authentication and authorization on the backend, such systems remain vulnerable. Improving iOS app security means much more than relocating credentials.
It means protecting the whole chain of communication between end users, the app, and the AI provider. The researchers add that these issues reveal wider gaps in mobile app security as artificial intelligence becomes an integral part of modern apps.
To address the problem, the researchers recommend stricter authentication and authorization on backend relays. They also suggest that AI providers publish explicit guidance on using their services safely from mobile apps.
Additionally, they propose that Apple add automated scanning for insecure credential handling to its App Review process.
The research also illustrates a growing industry-wide problem: as companies rush to ship AI-powered apps, security does not always get priority.
The gap between innovation and security is becoming more evident and will be harder to ignore as AI adoption grows. For the researchers, this means credential protection can no longer be treated as something only developers need to think about.
Better LLM security, AI-system security, and iOS app security will require effort from developers, AI companies, and platform owners alike.
Inside Telecom provides you with an extensive list of content covering all aspects of the tech industry. Keep an eye on our Intelligent Tech sections to stay informed and up-to-date with our daily articles.