The App Store Has an API Key Problem and "Move Fast" Culture Is to Blame
Sixty-three percent of iOS AI chatbot apps studied are leaking secrets in network traffic. Not as a theoretical risk. In actual observable traffic. Right now.
Context: This Is a Classic Problem Wearing New Clothes
Hardcoded credentials are not a new vulnerability class. Security folks have been pulling API keys out of mobile apps since mobile apps existed. What's new here is the blast radius. When someone leaked a database password in 2014, the attacker got your data. When someone leaks an LLM API key in 2026, the attacker gets your compute budget — and depending on your upstream provider's rate limits (or lack thereof), that bill can spike to thousands of dollars before anyone notices an anomaly.
The researchers looked at 444 iOS AI chatbot apps and found 282 of them leaking keys or tokens via plaintext network traffic. Some backends required no authentication at all. That's not just a misconfiguration — that's an architectural decision someone made, shipped, and presumably never revisited.
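The three failure modes described here (credentials on plaintext HTTP, a static upstream key sent straight from the client, and a first-party backend that accepts calls with no credential) can be checked for in a captured session of your own app's traffic. The following is an added example, not the researchers' tooling; the hostnames, tokens and the list of credential-carrying field names are constructed assumptions.

```python
import math
from urllib.parse import urlsplit, parse_qsl

# Header / query-parameter names that commonly carry credentials (assumed list, extend as needed).
CREDENTIAL_FIELDS = {"authorization", "x-api-key", "api-key", "api_key", "key", "token", "access_token"}

def shannon_entropy(s):
    """Bits per character; long high-entropy strings are likely secrets rather than labels."""
    if not s:
        return 0.0
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in (s.count(ch) for ch in set(s)))

def looks_like_secret(value):
    token = value.split()[-1] if value.strip() else ""  # drop a "Bearer" scheme prefix if present
    return len(token) >= 20 and shannon_entropy(token) > 3.5

def audit_requests(requests, first_party_hosts):
    """Return (index, finding, host) tuples for each captured request matching a leak pattern."""
    findings = []
    for i, req in enumerate(requests):
        url = urlsplit(req["url"])
        host = url.hostname or ""
        creds = [n for n, v in req.get("headers", {}).items()
                 if n.lower() in CREDENTIAL_FIELDS and looks_like_secret(v)]
        creds += [n for n, v in parse_qsl(url.query)
                  if n.lower() in CREDENTIAL_FIELDS and looks_like_secret(v)]
        if creds and url.scheme == "http":
            findings.append((i, "PLAINTEXT_CREDENTIAL", host))
        if creds and host not in first_party_hosts:
            # A static key sent straight to an upstream provider means the key ships inside the app.
            # Triage note: a short-lived, per-user token minted by your own backend is the acceptable form.
            findings.append((i, "EMBEDDED_PROVIDER_KEY", host))
        if not creds and host in first_party_hosts:
            # Your own backend accepting the call with no credential at all. Login and health
            # endpoints are expected here; anything that reads or writes user data is not.
            findings.append((i, "UNAUTHENTICATED_BACKEND", host))
    return findings

# Constructed sample capture: hosts and tokens are invented for this example.
SAMPLE_TRAFFIC = [
    {"url": "https://api.llm-provider.test/v1/chat",
     "headers": {"Authorization": "Bearer q8Zr3Kx9Tm2Vw7Bn4Ls6Pd1Yf5Hg0Jc"}},
    {"url": "http://backend.chatapp.test/v1/messages?api_key=Mk4Nz8Qv2Xw6Rt1Yp9Cb5Lh3Fd7Sg0Wj", "headers": {}},
    {"url": "https://backend.chatapp.test/v1/history", "headers": {}},
    {"url": "https://backend.chatapp.test/v1/messages",
     "headers": {"Authorization": "Bearer Ud3Er7Ti1Ol5Ap9Sz2Dn6Fx4Hq8Gm0Cw"}},
]
FIRST_PARTY = {"backend.chatapp.test"}

if __name__ == "__main__":
    for idx, kind, host in audit_requests(SAMPLE_TRAFFIC, FIRST_PARTY):
        print(f"request {idx}: {kind} -> {host}")
```

The last sample request (a per-user token over TLS to the app's own backend) produces no finding, which is the shape the proxy-based design should have.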