
Data leaks and hard-coded secrets uncovered in iOS apps

Despite its reputation as a walled garden with a strict app review process, Apple's App Store does not evaluate app code for hidden data leaks and hard-coded secrets.

A recent study shows that many apps in Apple's App Store contain hard-coded secrets and leak sensitive data such as cloud storage keys, API credentials and even payment processing details. Some of these apps leave their endpoints completely unprotected, which significantly increases the risk of data breaches and security leaks for users.

Cybernews research, which analyzed over 156,000 iOS apps, discovered more than 815,000 hard-coded secrets, many of which are extremely sensitive and could lead directly to data breaches or security leaks. On average, each app revealed 5.2 secrets, and 71% of the apps leaked at least one secret.

The security of iOS apps remains under-examined, and this is the first study of its kind at this scale.

Key findings of this research:

  • Over 816,000 secrets were found, with an average of 5.23 exposed secrets per app.
  • Of 94,240 storage bucket instances in iOS applications (some apps have several storage bucket endpoints), 836 endpoints (0.89%) were accessible without authentication and exposed 406 TB of user files, personal data and documents.
  • If you were streaming HD video, 406 TB would be about 17 years of non-stop HD content.
  • 2,218 Firebase instances (4.34%) had misconfigured authentication and exposed 19.8 million data records (33 GB of data), including user session and backend analytics, almost all of them in the USA.
  • This corresponds to 16 million photos from an iPhone.
  • More than 51,000 apps misuse Google's Firebase database, which leaves user data susceptible to simple theft.
  • That is more than the number of Starbucks locations worldwide, and each one is an app in which sensitive data is at risk.

Potential consequences:

  • Exploitation at mass scale: Attackers can quickly scan millions of apps and affect several companies, including the most important multinational companies with billions of users.
  • User tracking and service manipulation: Thousands of leaked security keys can enable hackers to track users, change app functions or disrupt services.
  • Financial and data theft: Some leaks are serious enough to let attackers make unauthorized payments, issue refunds or access private messages.

Aras Nazarovas, a Cybernews security researcher, warns: “Most people believe that iOS apps are safe, but developers make it too easy for hackers. Hardcoded login information is like a door left wide open. Hackers do not need advanced skills – just a look at the app and they can cause serious damage.”

Methodology

The researchers analyzed the iOS app versions that were available from October 2 to 16, 2024, using OSINT and reverse engineering techniques. Without deobfuscation or disassembly, the researchers found a huge number of plaintext secrets stored in IPA archives. They also examined cloud bucket and Firebase endpoints for authentication gaps. The research was carried out between July 2024 and January 2025.

What are hard-coded secrets?

They are sensitive pieces of information, such as passwords, API keys or encryption keys, that are embedded directly in the code of an app instead of being stored securely. This makes them easier for hackers to find and use, which may lead to data breaches, unauthorized access and financial fraud.
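Because the methodology above found these secrets as plaintext inside IPA archives, a developer can run the same kind of check on their own build before submission. The following is an added example, not code from the Cybernews study: the three rule patterns, the function names and the in-memory sample IPA with made-up values are all assumptions chosen for illustration.

```python
import io
import plistlib
import re
import zipfile

# Illustrative rules only (assumption: production scanners carry far larger rule sets).
PATTERNS = {
    "firebase_url": re.compile(rb"https://[a-z0-9-]+\.firebaseio\.com"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_-]{35}\b"),
}

def plist_text(data):
    """Decode an XML or binary plist so its keys and values are searchable as text."""
    try:
        return repr(plistlib.loads(data)).encode("utf-8", "replace")
    except Exception:  # not a parsable plist: scan the raw bytes instead
        return data

def scan_ipa(ipa):
    """Return sorted (member, rule, redacted match) findings for an IPA path or file object."""
    findings = set()
    with zipfile.ZipFile(ipa) as zf:  # an IPA is a ZIP archive with a Payload/ directory
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".plist"):
                data = plist_text(data)
            for rule, rx in PATTERNS.items():
                for m in rx.finditer(data):
                    hit = m.group().decode("ascii")
                    # Redact so the report is not a second copy of the secret.
                    findings.add((name, rule, hit[:8] + "*" * (len(hit) - 8)))
    return sorted(findings)

def build_sample_ipa():
    """Constructed demo IPA: a binary plist and a fake executable holding made-up values."""
    buf = io.BytesIO()
    cfg = {"DATABASE_URL": "https://example-app-1234.firebaseio.com",
           "API_KEY": "AIza" + "EXAMPLE" * 5}
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Demo.app/GoogleService-Info.plist",
                    plistlib.dumps(cfg, fmt=plistlib.FMT_BINARY))
        zf.writestr("Payload/Demo.app/Demo", b"\x00cfg\x00AKIAEXAMPLEEXAMPLE00\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for finding in scan_ipa(build_sample_ipa()):
        print(*finding, sep="\t")
```

Any finding in a release build is a value to move out of the bundle, for example behind a backend that holds the credential, and to rotate if the build has already shipped.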

Why this is important for your audience:

  • Effects on consumers – this affects everyday iPhone users who trust Apple to protect their data.
  • Corporate responsibility – Apple's reputation is built on security, so how did this massive oversight happen?
  • National security risks – With much of the exposed data hosted in the USA, the effects extend beyond individual users to companies and even government agencies.