Wake Forest — 282 iOS AI Apps Leak LLM API Keys in Network Traffic
AI relevance: Leaked LLM API keys enable LLMjacking — attackers run inference on the developer's account, racking up potentially tens of thousands of dollars in charges — and expose system prompts that reveal proprietary product logic.
What the Research Shows
- Wake Forest University researchers tested 444 AI chatbot apps on the US App Store and found 282 (63.5%) exposed API keys, replayable tokens, or open relays in network traffic.
- The team built LLMKeyLens, a passive traffic analysis tool that extracts credentials without jailbreaking or reverse-engineering the app.
- Three leak categories: plaintext keys (54 apps), no-key-needed open relays (92 apps), and replayable tokens (136 apps — the most common).
- For 28 of the 54 plaintext-key apps, the same request also exposed the app's hidden system prompt — the proprietary instructions defining the assistant's behavior.
- The leaks span at least ten AI providers (OpenAI most common) and 13 app categories. Health and fitness had the highest leak rate; one app had over 2 million user ratings.
- After three months of notification, only 28% of developers fixed the issue. Another 23% remained wide open. One popular app's "temporary" token was set to expire in the year 2125.
- Stolen keys feed LLMjacking — Sysdig calculated a worst-case scenario where stolen credentials could run up $46,000/day in AI charges.
Why It Matters
This is the first in-depth study of LLM credential exposure on iOS, and it reveals a pattern the industry has seen before with Android (LM-Scout, 2025) but at a larger scale. The AI rush has not changed developer habits — it has raised the bill, because a leaked key is now charged per token. The low fix rate (28% after 90 days) suggests most developers do not understand the exposure or do not prioritize it.
What To Do
- Developers: Never embed API keys in client apps. Route AI calls through your own server with proper authentication. Revoke any key already leaked.
- AI providers: Label client-side keys as unsafe in documentation. Flag keys that suddenly receive requests from thousands of distinct devices.
- App stores: Consider screening for plaintext API key patterns during review.
- Security teams: Monitor your AI provider dashboards for unexpected usage spikes that could indicate key compromise.