Thousands of iPhone apps expose data within Apple’s App Store
Apple often promotes the App Store as a safe place to download apps. The company highlights strict reviews and a closed system as key protections for iPhone users. That reputation now faces serious questions.
New research shows that thousands of Apple-approved iOS apps contain hidden security flaws. These flaws can expose user data, cloud storage, and even payment systems.
The problem is not malware. It is poor security practices built directly into the application code.

Cybernews researchers discovered that many iOS apps store sensitive secrets directly within the app files, where they can be easily extracted. (Kurt “CyberGuy” Knutsson)
What researchers discovered inside iOS apps
Security researchers at Cybernews, a cybersecurity research company, analyzed the code of more than 156,000 iPhone applications. That represents about 8% of all apps available worldwide.
This is what they found:
- More than 815,000 secrets hidden within the application code
- An average of five secrets per application
- 71% of apps leaked at least one secret
These secrets include passwords, API keys, and access tokens. Developers place them directly inside applications, where anyone can extract them. According to Cybernews researcher Aras Nazarovas, this makes the attackers’ job much easier than most users realize.
What are hardcoded secrets in simple terms?
A hardcoded secret is sensitive information stored directly within an application rather than protected on a secure server. Think of it like writing your bank PIN on the back of your debit card. Once someone downloads the app, they can inspect its files and extract those secrets. Attackers do not need special access or advanced hacking tools. Both the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warn developers not to do this. However, it is happening on a massive scale.
Cloud storage leaks exposed huge amounts of data
One of the most serious problems has to do with cloud storage. More than 78,000 iOS apps contained direct links to cloud storage buckets. These repositories store files such as photographs, documents, receipts, and backups. In some cases, no password was required. The researchers found:
- 836 storage buckets completely open to the public
- More than 76 billion exposed files
- More than 406 terabytes of leaked data
This data included user uploads, registration details, application logs, and private logs. Anyone who knew where to look could view or download it.

This chart shows the most common types of hardcoded secrets found within iOS apps, with Google-related keys appearing most frequently, according to Cybernews research. (Cybernews)
Firebase databases were also left open.
Many iOS apps depend on Google Firebase to store user data. Cybernews found more than 51,000 links to Firebase databases hidden in the application code. While some were protected, more than 2,200 had no authentication. What that exposed:
- Almost 20 million user registrations
- Messages, profiles and activity logs.
- Databases that are mostly hosted in the US.
If a Firebase database is not locked, attackers can explore user data like a public website.
Payment and login systems were also at risk
Some of the leaked secrets were much more dangerous than analytics or ad keys. Researchers discovered secret keys for:
- Stripe, which manages payments and refunds
- JWT authentication systems that control logins.
- Order management tools used by shopping apps
A leaked Stripe secret key can allow attackers to issue refunds, move money, or access billing details. Leaked login keys can allow attackers to impersonate users or take over accounts.
AI and social apps are among the worst offenders
Some of the apps with the biggest leaks were related to artificial intelligence. According to VX Underground, security company CovertLabs identified 198 iOS apps that were leaking user data. The best-known case was Codeway’s Chat & Ask AI. Researchers say it exposed chat histories, phone numbers and email addresses linked to millions of users. Another app, YPT – Study Group, allegedly leaked messages, user IDs, and access tokens. CovertLabs tracks these incidents in a restricted repository called Firehound. The full list of affected apps has not been made public, and researchers say data is limited to prevent further exposure and give developers time to fix security flaws.

This example shows how sensitive keys, such as Google API credentials and Stripe payment secrets, can be stored directly within an iOS app’s files, where they are easy to extract. (Cybernews)
Why Apple’s App Review May Miss Hidden Security Risks
Apple reviews apps before they appear in the App Store. However, the review process does not scan the application code for hidden secrets. If an application behaves normally during testing, it may pass the review even if there are sensitive keys hidden within its files. This creates a gap between Apple’s security claims and real-world risks. Removing leaked secrets is not easy for developers. They must revoke old keys, create new ones, and rebuild parts of their applications. That can break features and delay updates. Although Apple says most app updates are reviewed within 24 hours, some updates take weeks. During that time, vulnerable applications may remain available.
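For developers, the scan that App Review does not perform can be run before submission. The following is an added example, not code from Cybernews or Apple: it scans an unpacked app bundle for three of the key types named above. The patterns, function names and sample bundle are assumptions, and the sample values are constructed and invalid.

```python
import plistlib
import re
import tempfile
from pathlib import Path

# Publicly documented key shapes; tune these to the services your app uses.
PATTERNS = {
    "stripe_secret_key": re.compile(rb"sk_live_[0-9A-Za-z]{24,}"),
    "google_api_key": re.compile(rb"AIza[0-9A-Za-z_\-]{35}"),
    "firebase_database_url": re.compile(rb"https://[a-z0-9\-]+\.firebaseio\.com"),
}

def redact(value: bytes) -> str:
    """Keep a short prefix so findings can be triaged without copying the secret into CI logs."""
    text = value.decode("ascii")
    return text if text.startswith("https://") else f"{text[:8]}...({len(text)} chars)"

def scan_bundle(root: Path) -> list[tuple[str, str, str]]:
    """Scan every file under an unpacked .app directory as raw bytes.

    Raw bytes cover text files, binary plists and the compiled executable alike,
    because ASCII string constants are stored contiguously in all three.
    """
    findings = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(data):
                findings.add((str(path.relative_to(root)), kind, redact(match.group())))
    return sorted(findings)

def build_sample_bundle(root: Path) -> Path:
    """Constructed sample app directory with fake, obviously invalid values."""
    app = root / "Sample.app"
    app.mkdir()
    fake_stripe = "sk_live_" + "X" * 24
    fake_google = "AIza" + "0" * 35
    with open(app / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleName": "Sample", "StripeKey": fake_stripe}, fh, fmt=plistlib.FMT_BINARY)
    # Stand-in for a compiled executable: string constants between non-text bytes.
    blob = b"\xcf\xfa\xed\xfe\x00" + fake_google.encode() + b"\x00https://sample-app.firebaseio.com\x00"
    (app / "Sample").write_bytes(blob)
    (app / "strings.txt").write_text("Welcome to Sample\n")
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_bundle(build_sample_bundle(Path(tmp))):
            print(*finding, sep="\t")
```

A Firebase URL or Google API key in a build is not a leak by itself; each hit is a prompt to confirm that the database requires authentication and that the key is restricted. A Stripe secret key should never ship in the app at all.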
CyberGuy contacted Apple for comment but did not receive a response before publication.
Ways to stay safe right now
You can’t easily inspect an application for hidden secrets. Apple doesn’t provide tools for that. Still, you can reduce risk and limit exposure by being selective and cautious. These steps help reduce the risk if an application leaks data behind the scenes.
1) Stick to established app developers
Well-known developers tend to have stronger security teams and better updating practices. Smaller or unknown applications can rush features to market and overlook basic security issues. Before downloading, check how long the developer has been active and how often the app is updated.
2) Review and limit app permissions.
Many applications request more access than they need. Location, contacts, photos, and microphone access increase the risk of data leakage. Go to your iPhone settings and remove permissions which are not essential for the application to work.
3) Delete apps you no longer use
Unused apps still retain access to data you shared in the past. They can also store information on remote servers long after you stop opening them. If you haven’t used an app in months, delete it. Here’s how: Open Settings, tap General, select iPhone Storage, and scroll through the list of apps to see when each was last used. Tap any app you no longer need and select Delete App to remove it and reduce ongoing data exposure.
4) Be careful with personal and financial data
Avoid entering sensitive information unless absolutely necessary. This includes full names, addresses, payment details and private conversations. AI applications are especially risky if you share deeply personal content.
5) Use a password manager for each account
A password manager creates strong, unique passwords for each app and service. This prevents attackers from accessing multiple accounts if an app leaks data. Never reuse passwords linked to your email address.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
6) Change passwords linked to exposed applications
If an app uses your email address to log in, change that password immediately. Do this even if there is no confirmation of a breach. Attackers often test leaked credentials on other services.
7) Consider using a data deletion service
Some leaked data ends up with data brokers who sell personal information online. A data removal service can help find and remove your data from these databases. This reduces the possibility of exposed app data being reused for scams or identity theft.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
8) Monitor your accounts for unusual activity
Be on the lookout for unexpected emails, password reset notices, login alerts, or payment confirmations. These may indicate that leaked data is already being abused. Act quickly if something seems strange.
9) Pause the use of risky chat and artificial intelligence applications
If you use AI apps for private conversations, consider pausing your use of them until the developer confirms security fixes. Once data is exposed, it cannot be removed. Avoid sharing sensitive details with apps that store conversations remotely.
Kurt’s Key Takeaways
Apple’s App Store still offers important protections, but this research shows that it is not foolproof. Many trusted iPhone apps silently expose data due to basic security flaws. Until app reviews improve, you should remain vigilant and limit the amount of data you share.
How many apps on your iPhone have access to information that you wouldn’t want exposed? Let us know by writing to us at Cyberguy.com.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.


