A new academic study has revealed widespread security weaknesses across AI-powered iPhone applications, with researchers discovering that 282 out of 444 AI chatbot apps (63.5%) exposed paid AI access credentials through network traffic.

The research, conducted by Wake Forest University, highlights how poor API key management practices are creating opportunities for attackers to abuse AI services at developers' expense.

In many cases, attackers could obtain access simply by monitoring application traffic, exposing API keys, reusable authentication tokens, or backend services that accepted requests without any authentication at all.

AI Credentials Exposed Across Hundreds of Apps

Researchers developed a tool called LLMKeyLens to analyze network traffic generated by AI-powered iOS applications.

Unlike traditional reverse engineering approaches, the method required:

  • No jailbreaking
  • No application modification
  • No code extraction
  • No binary analysis

Instead, the tool simply monitored network communications and extracted credentials transmitted by the applications.

The findings showed that 282 applications exposed AI service access through one of three common misconfigurations:

Exposure Type Apps Affected
Plaintext API Keys 54
No Authentication Required 92
Replayable Tokens 136

The most common issue involved reusable authentication tokens that could be intercepted and replayed to access AI services.

Plaintext Keys and System Prompts Exposed

Among the 54 applications exposing plaintext API keys, researchers found an additional risk.

In 28 cases, the same network requests also exposed the application's hidden system prompts — the internal instructions used to control AI assistant behavior.

This means attackers could potentially gain access to:

  • Paid AI service credentials
  • Proprietary prompts
  • Product logic
  • Internal application configurations

Researchers described this as obtaining "two prizes from a single capture."

Open Relays and Century-Long Tokens

Several findings highlighted particularly poor security implementations.

Researchers discovered:

  • Backend servers accepting AI requests without authentication
  • Tokens remaining valid long after expiration
  • Excessively long token lifetimes

One application with more than 100,000 user ratings issued tokens that remained valid until the year 2125.

Another application generated one-hour tokens that continued functioning 128 days after expiration.

These weaknesses effectively transformed paid AI infrastructure into publicly accessible services.

LLMJacking: The Growing Threat

The exposed credentials enable a growing abuse technique known as LLMJacking.

In LLMJacking attacks, threat actors steal API credentials and use them to access commercial AI models without paying for usage.

Consequences include:

  • Fraudulent AI usage charges
  • Increased cloud costs
  • Service disruptions
  • Account suspensions
  • Exposure of proprietary AI configurations

Security researchers previously estimated that abused AI credentials could generate more than $46,000 per day in unauthorized usage costs under worst-case conditions.

Multiple AI Providers Affected

The exposed applications relied on at least ten different AI providers.

The most commonly observed platforms included:

  • OpenAI
  • Google Gemini
  • Other commercial LLM providers

Affected applications spanned 13 categories, including:

  • Productivity
  • Education
  • Health and Fitness
  • Lifestyle
  • Business

Health and fitness applications recorded the highest exposure rate.

Interestingly, researchers found no credential leaks among the finance and medical applications included in the study.

Developers Slow to Respond

Researchers disclosed their findings to all 282 affected developers and waited three months before publishing results.

The response rate was concerning:

Status Percentage
Fixed 28%
Still Vulnerable 23%
Offline / Unreachable / Unknown 49%

Even after responsible disclosure, nearly a quarter of affected applications continued exposing credentials.

Recommended Mitigations

Researchers emphasized that preventing these exposures requires following long-established security practices.

Recommended measures include:

  • Never embed API keys inside mobile applications
  • Route AI requests through secure backend services
  • Authenticate every client request
  • Use short-lived access tokens
  • Rotate compromised credentials immediately
  • Monitor for unusual AI API consumption patterns
  • Restrict key permissions where possible

The researchers also called on AI providers to:

  • Clearly warn developers against client-side key usage
  • Detect abnormal key usage patterns
  • Improve security guidance for mobile integrations

Additionally, they suggested that Apple introduce automated App Store reviews capable of detecting exposed AI credentials before applications are published.

AI Security Problems Continue to Grow

The findings mirror previous research across Android and cross-platform AI ecosystems.

Earlier studies such as:

  • LM-Scout (2025)
  • Leaky Apps

identified similar patterns involving exposed API keys, hardcoded secrets, and improperly managed AI integrations.

Researchers argue that while AI adoption has accelerated dramatically, secure credential management practices have not kept pace.

The result is a growing attack surface where a single leaked key can quickly translate into significant financial losses.

Final Thoughts

The Wake Forest University study demonstrates that API key exposure remains one of the most widespread security weaknesses in AI-powered mobile applications.

With nearly two-thirds of analyzed AI chatbot apps exposing paid AI access, attackers continue to find opportunities to abuse commercial AI services through stolen credentials and replayable tokens.

As AI becomes embedded across consumer and enterprise applications, secure backend architectures, proper authentication controls, and proactive credential management are becoming essential requirements rather than optional security enhancements.