Thousands of iOS apps leak sensitive data. Apple App Store security may not be as strong as you think
An in-depth Cybernews investigation has revealed a major security flaw in Apple’s App Store: more than 156,000 iOS apps contain hardcoded secrets, leaving sensitive information exposed and vulnerable to hackers. Researchers analyzed nearly eight per cent of the 1.8 million available apps and discovered over 815,000 instances where developers unintentionally left passwords, API keys, and encryption tokens embedded in the app’s code. Hackers could exploit these security lapses to breach user accounts and compromise personal data.

“Many people believe that iOS apps are more secure and less likely to contain malware. However, our research shows that many apps in the ecosystem contain easily accessible hardcoded credentials. We followed the trail and found open databases with personal data and accessible infrastructure,” said Aras Nazarovas, a security researcher at Cybernews.
The investigation found that 71 per cent of the analyzed apps contained at least one hardcoded secret. This included more than 83,000 cloud storage addresses, 51,000 database access points, and thousands of security keys that hackers could exploit to steal sensitive user information.
“Some iOS developers just make it too easy for hackers,” Nazarovas said.
Apple is known for its strict App Store review process, but the Cybernews report highlights a serious oversight: Apple does not scan app code for hardcoded secrets before approving apps. As a result, even approved apps can contain exposed passwords, API keys, or encryption keys in plaintext—making them easy for hackers to find and exploit.
One of the biggest risks involves cloud storage buckets, which apps use to store files, databases, and logs. The research found that 836 storage addresses required no password or authentication, exposing 406 terabytes of data—the equivalent of more than 200,000 full-length HD movies.
“Attackers could read, download or delete the data stored in the cloud. It usually includes registration data, user-uploaded files, backups, receipts, reports, app logs and other details,” Nazarovas said.
Financial data is also at risk. The researchers found 19 secret keys for Stripe, a major online payment processor. If exploited, hackers could issue fraudulent payments and refunds or access users’ billing details.
Another major finding was that 4.3 per cent of Firebase database links were unprotected, exposing 19.8 million private records. Firebase is a tool developers use to store user data, passwords, and app activity. If these database links aren’t properly secured, hackers can easily access personal data.
“If the Firebase endpoint has no authentication set up, or if authentication secrets are also leaked, malicious actors could access user data stored within the database,” Nazarovas said.
Beyond database leaks, the report also found that over 78,000 iOS apps expose cloud storage locations. Hackers could use these security gaps to send fake push notifications, manipulate in-app purchases, or take control of social media accounts linked to the affected apps.
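A pre-submission check a developer could run over an app's bundled property lists for the kinds of secrets the report describes, as an added example (not Cybernews's tooling or code from the investigation). The sample plist, its key names and all values are constructed; storage and database addresses are flagged for an access-rule review rather than as secrets, since an address is only a problem when it can be reached without authentication.

```python
import plistlib
import re

# (rule name, action, pattern). "remove": must never ship in a client app.
# "verify-auth": an address, only a risk if it is readable without credentials.
RULES = [
    ("stripe_secret_key", "remove", re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b")),
    ("firebase_database_url", "verify-auth", re.compile(
        r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\b")),
    ("cloud_storage_address", "verify-auth", re.compile(
        r"\b[a-z0-9.-]+\.(?:s3\.amazonaws\.com|appspot\.com)\b")),
]

# Constructed sample input, not taken from any real app.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>DemoApp</string>
  <key>PaymentKey</key><string>sk_live_CONSTRUCTEDSAMPLE0000000</string>
  <key>Backend</key><dict>
    <key>DATABASE_URL</key><string>https://demo-app-example.firebaseio.com</string>
    <key>Buckets</key><array><string>demo-app-example.appspot.com</string></array>
  </dict></dict></plist>"""

def walk(node, path=""):
    """Yield (key_path, value) for every string nested anywhere in the plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_plist(data: bytes):
    """Return (key_path, rule, action, match); secret matches are masked."""
    findings = []
    for key_path, value in walk(plistlib.loads(data)):
        for rule, action, pattern in RULES:
            for match in pattern.finditer(value):
                text = match.group(0)
                if action == "remove":  # keep the secret out of CI logs
                    text = text[:8] + "*" * (len(text) - 8)
                findings.append((key_path, rule, action, text))
    return findings

if __name__ == "__main__":
    for finding in scan_plist(SAMPLE_PLIST):
        print(*finding, sep="\t")
```

Run as a build step, a non-empty "remove" finding should fail the build; the key then has to be revoked and moved behind a server-side endpoint, not just deleted from the next release.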
Cybernews warns that cleaning up this mess won’t be simple. Developers must replace leaked passwords and security keys with new ones, but this could temporarily break app functionality.
“To resolve the issues of leaked credentials, new credentials need to be generated, and old ones need to be revoked. When credentials are revoked, they will break the functionality of the app that relies on accessing the affected service until the app is configured to use new credentials,” Nazarovas said.
This puts app developers in a tough spot: they can either take the vulnerable app offline immediately, risking service disruptions, or keep running an unsafe version while they work on a fix.
Apple says it reviews 90 per cent of app updates within 24 hours, but in some cases, approvals can take weeks, leaving security holes open for extended periods.
Cybernews warns that iPhone users cannot rely on Apple’s App Store to detect these security flaws. Until Apple enforces stricter reviews, users should take precautions to protect their data:
- Stick to well-known, reputable developers when downloading apps.
- Review app permissions carefully—deny access to contacts, location, or storage unless absolutely necessary.
- Delete apps you no longer use, especially those requesting personal data.
- Avoid entering sensitive details into unfamiliar apps.
With Apple controlling 53.1 per cent of the U.S. smartphone market, iOS security remains a critical issue. The report raises serious questions about whether Apple is doing enough to protect users—especially as thousands of apps continue to leak sensitive data.
For now, iPhone users should remain cautious—because Apple’s App Store security might not be as strong as they think.
Science and Technology Desk
Troy Media is dedicated to empowering Canadian community news outlets by providing independent, insightful analysis and commentary. Our mission is to support local media in fostering an informed and engaged public by delivering reliable content that strengthens community connections, enriches national conversations, and helps Canadians better understand one another.