Despite its reputation for a walled garden approach and a rigorous app review process, Apple’s App Store does not evaluate the app code for hidden data leaks and hardcoded secrets.
A recent study reveals that many apps on Apple’s App Store leak hard-coded secrets and expose sensitive data such as cloud storage keys, API credentials, and even payment processor details. Some of these apps leave their endpoints completely unprotected, significantly increasing the risk of data breaches and security leaks for users.
Cybernews research, which analyzed over 156,000 iOS apps, uncovered more than 815,000 hardcoded secrets, many of which are extremely sensitive and could lead directly to data breaches or security leaks. On average, each app exposed 5.2 secrets, and 71% of apps leaked at least one secret.
The security of iOS apps remains under-researched, and this is the first research of this kind at scale.
Key findings of this research:
- Over 816,000 secrets were found, with an average of 5.23 exposed secrets per app.
- Out of 94,240 storage bucket instances found hardcoded in iOS applications (with some apps containing multiple storage bucket endpoints), 836 of these endpoints (0.89%) were accessible without authentication, exposing 406TB of user files, personal data, and documents.
- If you were to stream HD video, 406TB would allow you to watch for approximately 17 years of non-stop HD content.
- 2,218 Firebase instances (4.34%) had misconfigured authentication, leaking 19.8 million records (33GB of data), including user session tokens and backend analytics, almost all of these instances hosted in the US.
- This is the equivalent of 16 million photos from an iPhone.
- More than 51,000 apps misuse Google’s Firebase database, making user data vulnerable to easy theft.
- That’s more than the number of Starbucks locations worldwide – each one representing an app where sensitive data is at risk.
Potential consequences:
- Mass-scale exploitation: attackers can rapidly scan millions of apps, compromising multiple companies – including major multinationals with billions of users – in a short time.
- User tracking and service manipulation – thousands of leaked security keys could allow hackers to track users, alter app functionality, or disrupt services.
- Financial and data theft: some leaks are severe enough to let attackers make unauthorized payments, issue refunds, or access private messages.
Aras Nazarovas, Cybernews security researcher, warns: “Most people think iOS apps are secure, but developers are making it way too easy for hackers. Hardcoded credentials are like leaving the door wide open. Hackers don’t need advanced skills – just a look at the app and they can cause serious damage.”
Methodology
The researchers analyzed iOS app versions available from October 2-16, 2024 using OSINT and Reverse Engineering techniques. Without de-obfuscating or decompiling, researchers found a massive number of plaintext secrets stored in IPA archives. They also examined cloud bucket and Firebase endpoints for authentication gaps. The research was conducted between July 2024 – January 2025.
What are hardcoded secrets?
They are sensitive pieces of information – like passwords, API keys, or encryption keys – that are embedded directly into an app’s code instead of being stored securely. This makes them easy for hackers to find and exploit, potentially leading to data breaches, unauthorized access, and financial fraud.
Why this matters for your audience:
- Consumer impact – this affects everyday iPhone users who trust Apple to keep their data safe.
- Corporate accountability – Apple’s reputation is built on security – how did this massive oversight happen?
- National security risks – with a lot of the exposed data hosted in the US, the implications go beyond individual users to businesses and even government entities.
Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Cardano 
TRON 
Lido Staked Ether 
Toncoin 
Avalanche