Apple often promotes the App Store as a secure place to download apps. The company highlights strict reviews and a closed system as key protections for iPhone users. That reputation now faces serious questions.

New research shows that thousands of iOS apps approved by Apple contain hidden security flaws. These flaws can expose user data, cloud storage and even payment systems. 

The issue is not malware; it’s poor security practices baked directly into the app code.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.

APPLE WARNS MILLIONS OF IPHONES ARE EXPOSED TO ATTACK

What researchers discovered inside iOS apps

Security researchers at Cybernews, a cybersecurity research firm, analyzed the code of more than 156,000 iPhone apps. That represents about 8% of all apps available worldwide.

Here is what they found:

• Over 815,000 hidden secrets inside app code
• An average of five secrets per app
• 71% of apps leaked at least one secret

These secrets include passwords, API keys and access tokens. Developers place them directly inside apps, where anyone can extract them. According to Cybernews researcher Aras Nazarovas, this makes attackers’ jobs much easier than most users realize.

What are hardcoded secrets in simple terms?

A hardcoded secret is sensitive information saved directly inside an app instead of being protected on a secure server. Think of it like writing your bank PIN on the back of your debit card. Once someone downloads the app, they can inspect its files and pull out those secrets. Attackers do not need special access or advanced hacking tools. Both the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warn developers not to do this. Yet it is happening at a massive scale.

Cloud storage leaks exposed huge amounts of data

One of the most serious problems involves cloud storage. More than 78,000 iOS apps contained direct links to cloud storage buckets. These buckets store files such as photos, documents, receipts and backups. In some cases, no password was required at all. Researchers found:

• 836 storage buckets are fully open to the public
• Over 76 billion exposed files
• More than 406 terabytes of leaked data

This data included user uploads, registration details, app logs and private records. Anyone who knew where to look could view or download it.

APPLE PATCHES TWO ZERO-DAY FLAWS USED IN TARGETED ATTACKS

Firebase databases were also left open

Many iOS apps rely on Google Firebase to store user data. Cybernews found more than 51,000 Firebase database links hidden in app code. While some were protected, over 2,200 had no authentication. That exposed:

• Nearly 20 million user records
• Messages, profiles, and activity logs
• Databases that are mostly hosted in the U.S.

If a Firebase database is not locked down, attackers can browse user data like a public website.

Payment and login systems were at risk too

Some of the leaked secrets were far more dangerous than analytics or ads. Researchers discovered secret keys for:

• Stripe, which handles payments and refunds
• JWT authentication systems that control logins
• Order management tools used by shopping apps

A leaked Stripe secret key can allow attackers to issue refunds, move money or access billing details. Leaked login keys can let attackers impersonate users or take over accounts.

AI and social apps were among the worst offenders

Some of the apps with the largest leaks were related to artificial intelligence. According to VX Underground, security firm CovertLabs identified 198 iOS apps leaking user data. The worst known case was Chat & Ask AI by Codeway. Researchers say it exposed chat histories, phone numbers and email addresses tied to millions of users. Another app, YPT – Study Group, reportedly leaked messages, user IDs and access tokens. CovertLabs tracks these incidents in a restricted repository called Firehound. The full list of affected apps has not been publicly released, and researchers say the data is limited to prevent further exposure and to give developers time to fix security flaws.

MALICIOUS GOOGLE CHROME EXTENSIONS HIJACK ACCOUNTS

Why Apple’s App review can miss hidden security risks

Apple reviews apps before they appear in the App Store. However, the review process does not scan app code for hidden secrets. If an app behaves normally during testing, it can pass review even if sensitive keys are buried inside its files. This creates a gap between Apple’s security claims and real-world risks. Removing leaked secrets is not simple for developers. They must revoke old keys, create new ones and rebuild parts of their apps. That can break features and delay updates. Even though Apple says most app updates are reviewed within 24 hours, some updates take weeks. During that time, vulnerable apps can remain available.

CyberGuy contacted Apple for comment, but did not receive a response before publication.

Ways to stay safe right now

You cannot easily inspect an app for hidden secrets. Apple does not provide tools for that. Still, you can reduce your risk and limit exposure by being selective and cautious. These steps help reduce the risk if an app leaks data behind the scenes.

1) Stick to established app developers

Well-known developers tend to have stronger security teams and better update practices. Smaller or unknown apps may rush features to market and overlook security basics. Before downloading, check how long the developer has been active and how often the app is updated.

2) Review and limit app permissions

Many apps ask for more access than they need. Location, contacts, photos and microphone access all increase the risk of data leaks. Go into your iPhone settings and remove permissions that are not essential for the app to work.

3) Delete apps you no longer use

Unused apps still retain access to data you shared in the past. They may also store information on remote servers long after you stop opening them. If you have not used an app in months, remove it. Here’s how: Open Settings, tap General, select iPhone Storage, and scroll through the list of apps to see when each one was last used. Tap any app you no longer need and select Delete App to remove it and reduce ongoing data exposure.

4) Be cautious with personal and financial details

Avoid entering sensitive information unless it is absolutely necessary. This includes full names, addresses, payment details and private conversations. AI apps are especially risky if you share deeply personal content.

5) Use a password manager for every account

A password manager creates strong, unique passwords for each app and service. This prevents attackers from accessing multiple accounts if one app leaks data. Never reuse passwords tied to your email address.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

6) Change passwords tied to exposed apps

If an app uses your email address for login, change that password immediately. Do this even if there is no confirmation of a breach. Attackers often test leaked credentials across other services.

7) Consider using a data removal service

Some leaked data ends up with data brokers that sell personal information online. A data removal service can help find and remove your details from these databases. This reduces the chance that exposed app data gets reused for scams or identity theft.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

8) Monitor your accounts for unusual activity

Watch for unexpected emails, password reset notices, login alerts, or payment confirmations. These can signal that leaked data is already being abused. Act quickly if something looks off.

9) Pause use of risky AI and chat apps

If you use AI apps for private conversations, consider stopping until the developer confirms security fixes. Once data is exposed, it cannot be pulled back. Avoid sharing sensitive details with apps that store conversations remotely.

Kurt’s key takeaways

Apple’s App Store still offers important protections, but this research shows it is not foolproof. Many trusted iPhone apps quietly expose data due to basic security mistakes. Until app reviews improve, you need to stay alert and limit how much data you share.

How many apps on your iPhone have access to information you would not want exposed? Let us know by writing to us at Cyberguy.com.

CLICK HERE TO DOWNLOAD THE FOX NEWS APP

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.