Wake Forest Study: 64% of LLM iOS Apps Leak Credentials
TL;DR
- Of 444 iOS apps with LLM features analyzed, 282 (64%) exposed exploitable credentials or backend access in network traffic.
- After responsible disclosure, only 28% of vulnerable apps patched within the 90-day remediation window.
- Health & Fitness apps had the highest leakage rate at 47%; the most popular affected app had 2.3 million ratings.
Sixty-four percent of iOS applications using large language model APIs exposed exploitable credentials in their network traffic, according to research from Wake Forest University reported by Help Net Security. Researchers analyzed 444 apps with confirmed LLM functionality and found 282 of them leaking secrets in ways that leave users and developers exposed.
The leaks fell into three patterns. The most common: 136 apps exposed JWT bearer tokens to backend proxies, tokens that often remained valid for extended periods. Ninety-two apps went further, operating unauthenticated backend endpoints that functioned as open LLM relays with no access control at all. Fifty-four apps simply sent plaintext API keys directly to providers like OpenAI and Gemini. In 28 cases, the leaked credentials also revealed system prompts, the hidden instructions developers use to shape app behavior.
The category with the highest leakage rate was Health & Fitness at 47%. The most popular single affected app had accumulated 2.3 million ratings. Over half of the 282 vulnerable apps routed LLM traffic through custom developer-operated backends, which matters because provider-side credential revocation alone cannot close these gaps.
After responsible disclosure to all 282 developers, the researchers retested after 90 days. Only 78 apps (28%) had demonstrably remediated the issue. Sixty-six apps, 23% of those notified, remained exploitable despite the disclosure window.
The honest caveat is that this is a snapshot of iOS only, leaving open the question of whether Android apps show similar patterns, and the study does not report confirmed real-world exploitation of the exposed credentials. But a 28% fix rate after coordinated disclosure is a signal about developer capacity, not developer intent, and the forward-looking opportunity is for API gateway tooling, pre-release credential scanning, and potentially App Store review guidelines to close the gap that individual developer notification clearly cannot.
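As an added example (not code from the study or the article), the following Python triage sorts captured app requests into the three exposure patterns described above and flags backend JWTs by their lifetime, which is where the pre-release credential scanning the closing paragraph calls for would start. The provider host names, the Gemini x-goog-api-key header and the one-day lifetime threshold are assumptions, the JWT signature is deliberately not verified (this is traffic triage, not authentication), and the sample capture is constructed.

```python
import base64
import json

PROVIDER_HOSTS = {"api.openai.com", "generativelanguage.googleapis.com"}  # assumption
LONG_LIVED_SECONDS = 24 * 3600  # assumption: a backend token valid beyond a day is flagged

def _jwt(claims):
    """Build an unsigned-looking sample token for the constructed capture below."""
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(claims)}.sig"

def jwt_lifetime(token):
    """Seconds from iat to exp of an unverified JWT (inf if no exp); None if not a JWT."""
    if token.count(".") != 2:
        return None
    try:
        header, claims = (json.loads(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)))
                          for s in token.split(".")[:2])
    except ValueError:  # bad base64 or non-JSON segment: not a JWT
        return None
    if not isinstance(header, dict) or "alg" not in header or not isinstance(claims, dict):
        return None
    if "exp" not in claims:
        return float("inf")
    return float(claims["exp"]) - float(claims.get("iat", 0))  # no iat: measured from epoch

def classify(req):
    """Sort one captured request into one of the study's three exposure patterns."""
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    auth = headers.get("authorization", "")
    bearer = auth[7:] if auth.lower().startswith("bearer ") else ""
    to_provider = req["host"] in PROVIDER_HOSTS
    if to_provider and (bearer or "x-goog-api-key" in headers or "key=" in req["path"]):
        return "plaintext-provider-key"  # the app itself carries the provider secret
    lifetime = jwt_lifetime(bearer) if bearer else None
    if not to_provider and lifetime is not None and lifetime > LONG_LIVED_SECONDS:
        return "long-lived-jwt-to-backend"  # proxy token still usable long after capture
    if not to_provider and not auth and req.get("status") == 200:
        return "unauthenticated-backend-relay"  # backend answers with no credential at all
    return None

# Constructed sample capture (not study data): one request per pattern, plus a benign
# one whose backend token expires after an hour.
LONG_JWT = _jwt({"sub": "u1", "iat": 1700000000, "exp": 1731536000})
SHORT_JWT = _jwt({"sub": "u1", "iat": 1700000000, "exp": 1700003600})
SAMPLE = [
    {"host": "api.openai.com", "path": "/v1/chat/completions", "status": 200,
     "headers": {"Authorization": "Bearer sk-CONSTRUCTED-PLACEHOLDER"}},
    {"host": "api.app.invalid", "path": "/chat", "headers": {"Authorization": "Bearer " + LONG_JWT}},
    {"host": "api.app.invalid", "path": "/llm", "status": 200, "headers": {}},
    {"host": "api.app.invalid", "path": "/chat", "headers": {"Authorization": "Bearer " + SHORT_JWT}},
]
```

Running `[classify(r) for r in SAMPLE]` labels the first three requests and returns None for the short-lived token, which is the distinction the study draws between a proxy token and an exploitable one.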
Originally reported by helpnetsecurity.com
Original headline: 64% of Analyzed iOS Apps Expose LLM API Credentials — 282 of 444 Apps Vulnerable, Only 28% Patched After 90-Day Disclosure