Thousands of iPhone apps expose data inside Apple App Store

Apple often promotes the App Store as a secure place to download apps. The company highlights strict reviews and a closed system as key protections for iPhone users. That reputation now faces serious questions.

New research shows that thousands of iOS apps approved by Apple contain hidden security flaws. These flaws can expose user data, cloud storage and even payment systems. 

The issue is not malware; it's poor security practices baked directly into the app code.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter.

APPLE WARNS MILLIONS OF IPHONES ARE EXPOSED TO ATTACK

Security researchers at Cybernews, a cybersecurity research firm, analyzed the code of more than 156,000 iPhone apps. That represents about 8% of all apps available worldwide.

Here is what they found:

These secrets include passwords, API keys and access tokens. Developers place them directly inside apps, where anyone can extract them. According to Cybernews researcher Aras Nazarovas, this makes attackers' jobs much easier than most users realize.

A hardcoded secret is sensitive information saved directly inside an app instead of being protected on a secure server. Think of it like writing your bank PIN on the back of your debit card. Once someone downloads the app, they can inspect its files and pull out those secrets. Attackers do not need special access or advanced hacking tools. Both the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation warn developers not to do this. Yet it is happening at a massive scale.

One of the most serious problems involves cloud storage. More than 78,000 iOS apps contained direct links to cloud storage buckets. These buckets store files such as photos, documents, receipts and backups. In some cases, no password was required at all. Researchers found:

This data included user uploads, registration details, app logs and private records. Anyone who knew where to look could view or download it.

APPLE PATCHES TWO ZERO-DAY FLAWS USED IN TARGETED ATTACKS

Many iOS apps rely on Google Firebase to store user data. Cybernews found more than 51,000 Firebase database links hidden in app code. While some were protected, over 2,200 had no authentication. That exposed:

If a Firebase database is not locked down, attackers can browse user data like a public website.

Some of the leaked secrets were far more dangerous than analytics or ads. Researchers discovered secret keys for:

A leaked Stripe secret key can allow attackers to issue refunds, move money or access billing details. Leaked login keys can let attackers impersonate users or take over accounts.

Some of the apps with the largest leaks were related to artificial intelligence. According to VX Underground, security firm CovertLabs identified 198 iOS apps leaking user data. The worst known case was Chat & Ask AI by Codeway. Researchers say it exposed chat histories, phone numbers and email addresses tied to millions of users. Another app, YPT - Study Group, reportedly leaked messages, user IDs and access tokens. CovertLabs tracks these incidents in a restricted repository called Firehound. The full list of affected apps has not been publicly released, and researchers say the data is limited to prevent further exposure and to give developers time to fix security flaws.

MALICIOUS GOOGLE CHROME EXTENSIONS HIJACK ACCOUNTS

Apple reviews apps before they appear in the App Store. However, the review process does not scan app code for hidden secrets. If an app behaves normally during testing, it can pass review even if sensitive keys are buried inside its files. This creates a gap between Apple's security claims and real-world risks. Removing leaked secrets is not simple for developers. They must revoke old keys, create new ones and rebuild parts of their apps. That can break features and delay updates. Even though Apple says most app updates are reviewed within 24 hours, some updates take weeks. During that time, vulnerable apps can remain available.

CyberGuy contacted Apple for comment, but did not receive a response before publication.

You cannot easily inspect an app for hidden secrets. Apple does not provide tools for that. Still, you can reduce your risk and limit exposure by being selective and cautious. These steps help reduce the risk if an app leaks data behind the scenes.

Well-known developers tend to have stronger security teams and better update practices. Smaller or unknown apps may rush features to market and overlook security basics. Before downloading, check how long the developer has been active and how often the app is updated.

Many apps ask for more access than they need. Location, contacts, photos and microphone access all increase the risk of data leaks. Go into your iPhone settings and remove permissions that are not essential for the app to work.

Unused apps still retain access to data you shared in the past. They may also store information on remote servers long after you stop opening them. If you have not used an app in months, remove it. Here's how: Open Settings, tap General, select iPhone Storage, and scroll through the list of apps to see when each one was last used. Tap any app you no longer need and select Delete App to remove it and reduce ongoing data exposure.

Avoid entering sensitive information unless it is absolutely necessary. This includes full names, addresses, payment details and private conversations. AI apps are especially risky if you share deeply personal content.

A password manager creates strong, unique passwords for each app and service. This prevents attackers from accessing multiple accounts if one app leaks data. Never reuse passwords tied to your email address.

Next, see if your email has been exposed in past breaches. Our No. 1 password manager pick includes a built-in breach scanner that checks whether your email address or passwords have appeared in known leaks. If you discover a match, immediately change any reused passwords and secure those accounts with new, unique credentials.

Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.

If an app uses your email address for login, change that password immediately. Do this even if there is no confirmation of a breach. Attackers often test leaked credentials across other services.

Some leaked data ends up with data brokers that sell personal information online. A data removal service can help find and remove your details from these databases. This reduces the chance that exposed app data gets reused for scams or identity theft.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren't cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It's what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com.

Get a free scan to find out if your personal information is already out on the web: Cyberguy.com.

Watch for unexpected emails, password reset notices, login alerts, or payment confirmations. These can signal that leaked data is already being abused. Act quickly if something looks off.

If you use AI apps for private conversations, consider stopping until the developer confirms security fixes. Once data is exposed, it cannot be pulled back. Avoid sharing sensitive details with apps that store conversations remotely.

Apple's App Store still offers important protections, but this research shows it is not foolproof. Many trusted iPhone apps quietly expose data due to basic security mistakes. Until app reviews improve, you need to stay alert and limit how much data you share.

How many apps on your iPhone have access to information you would not want exposed? Let us know by writing to us at Cyberguy.com.

Sign up for my FREE CyberGuy Report
Get my best tech tips, urgent security alerts, and exclusive deals delivered straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide - free when you join my CYBERGUY.COM newsletter. 

Copyright 2026 CyberGuy.com. All rights reserved.