Two-Thirds of iPhone AI Chatbot Apps Are Bleeding API Keys
A study of 444 iOS chatbot apps found 282 exposing paid model access in plaintext network traffic — sometimes with no authentication at all.

Most iPhone AI chatbot apps are leaking the keys to their own paid model accounts. That is the takeaway from a study of 444 iOS apps in the category, where researchers intercepted network traffic and found 282 of them — just under 64% — handing over a working path to paid AI services.
The failure modes were embarrassingly simple.
In many apps, the API key sat in plaintext inside outbound requests, readable to anyone running a proxy against their own device. Others shipped reusable bearer tokens that never rotated. A subset went further and pointed at backend proxy servers that accepted model requests with no authentication header at all. Point a script at the endpoint, send a prompt, get a response billed to the developer.
What that means in practice: an attacker can drain a developer's OpenAI, Anthropic, or other provider credit, run abuse traffic through the developer's identity, or stand up a free public mirror of a paid model until the bill spikes or the upstream provider revokes the key.
None of this is novel. Hardcoded secrets in mobile apps have been a finding in OWASP's Mobile Top 10 for years, currently tracked as M1: Improper Credential Usage. The twist is volume. The AI app gold rush has produced a long tail of wrapper apps where the entire product is a thin client around someone else's model, and the developer's API key is the only thing standing between the user and the bill.
The study did not name individual apps. It also did not break down which upstream providers were most commonly exposed, though chatbot apps in this category overwhelmingly route to a small set of commercial LLM APIs.
For the developers shipping these apps, the fix is not subtle. Keys belong on a server you control, behind an authenticated proxy that enforces per-user rate limits and request quotas. Mobile clients should never hold a provider key directly. If you must call a third-party API from the device, use short-lived, scoped tokens issued by your own backend after authenticating the user.
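The backend pattern described above, as an added illustration that is not code from the study or from any app it examined: the provider key stays in the server's environment, the client only ever holds a short-lived HMAC-signed token issued after login, and each request passes an authentication check and a per-user rate limit before the proxy builds the upstream call. The signing secret, the placeholder key and the limits are constructed for the demo; the upstream call itself is stubbed out so the code runs offline.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

# Provider key lives only on the server (constructed placeholder; never sent to the client).
PROVIDER_KEY = os.environ.get("PROVIDER_API_KEY", "sk-PLACEHOLDER-SERVER-ONLY")
SIGNING_SECRET = b"constructed-demo-secret-rotate-in-production"
TOKEN_TTL = 600      # client tokens expire after 10 minutes
RATE_LIMIT = 5       # requests allowed per user per window
WINDOW = 60          # window length in seconds

def issue_token(user_id: str, now: float) -> str:
    """Issued by the backend after the user has authenticated: user id + expiry, HMAC-signed."""
    payload = f"{user_id}:{int(now) + TOKEN_TTL}"
    sig = hmac.new(SIGNING_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def verify_token(token: str, now: float):
    """Return the user id if the signature is valid and the token is unexpired, else None."""
    try:
        user_id, exp, sig = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_SECRET, f"{user_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # check signature before trusting any field
        return None
    return user_id if int(exp) >= now else None

_recent = defaultdict(deque)   # user id -> timestamps of requests inside the current window

def allow_request(user_id: str, now: float) -> bool:
    """Sliding-window limit so one user cannot burn the developer's quota on their own."""
    q = _recent[user_id]
    while q and q[0] <= now - WINDOW:
        q.popleft()
    if len(q) >= RATE_LIMIT:
        return False
    q.append(now)
    return True

def handle_chat(auth_header: str, prompt: str, now: float) -> dict:
    """Proxy decision for one client request; returns the upstream request it would send."""
    token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else ""
    user = verify_token(token, now)
    if user is None:
        return {"status": 401}
    if not allow_request(user, now):
        return {"status": 429}
    # The upstream call is built here with the server-held key; the device never sees it.
    upstream = {"headers": {"Authorization": f"Bearer {PROVIDER_KEY}"}, "json": {"prompt": prompt}}
    return {"status": 200, "user": user, "upstream": upstream}
```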
Regulatory exposure here is thinner than in a typical breach — no consumer PII is necessarily involved — but FTC Section 5 unfairness claims have reached app developers before for failing to secure credentials that enabled downstream harm, and EU developers face GDPR Article 32 obligations on security of processing if any user prompts are logged on the leaky backend.
What affected users should do:
- Assume prompts sent through free or cheap iOS chatbot wrappers are being logged somewhere you cannot see. Do not paste credentials, medical details, or employer-confidential text into them.
- Prefer first-party clients from the model vendor (OpenAI, Anthropic, Google) over third-party wrappers when the conversation content is sensitive.
- If a chatbot app suddenly stops working, that is often the upstream provider revoking a leaked key rather than a bug. Treat it as a signal about the developer's security posture.