The IT Nerd

Apple’s App Store is considered the gold standard for security, but Cybernews researchers analyzed 156,080 randomly selected iOS apps – around 8% of the apps present on the App Store – and uncovered a massive oversight: 71% of them expose sensitive data, including API keys, cloud storage credentials, and financial information.

The security of iOS apps remains under-researched, and this is the first research of this kind at scale. 

Key findings of this research:

• Over 816,000 secrets were found, with an average of 5.23 exposed secrets per app.
• Out of 94,240 storage bucket instances found hardcoded in iOS applications (with some apps containing multiple storage bucket endpoints), 836 of these endpoints (0.89%) were accessible without authentication, exposing 406TB of user files, personal data, and documents.
  • If you were to stream HD video, 406TB would allow you to watch for approximately 17 years of non-stop HD content.
• 2,218 Firebase instances (4.34%) had misconfigured authentication, leaking 19.8 million records (33GB of data), including user session tokens and backend analytics, almost all of these instances hosted in the US.
  • This is the equivalent of 16 million photos from an iPhone.
• More than 51,000 apps misuse Google’s Firebase database, making user data vulnerable to easy theft.
  • That’s more than the number of Starbucks locations worldwide – each one representing an app where sensitive data is at risk.

Potential consequences: 

• Mass-scale exploitation: attackers can rapidly scan millions of apps, compromising multiple companies – including major multinationals with billions of users – in a short time.
• User tracking and service manipulation – thousands of leaked security keys could allow hackers to track users, alter app functionality, or disrupt services.
• Financial and data theft: some leaks are severe enough to let attackers make unauthorized payments, issue refunds, or access private messages.

Methodology

The researchers analyzed iOS app versions available from October 2-16, 2024 using OSINT and Reverse Engineering techniques. Without de-obfuscating or decompiling, researchers found a massive number of plaintext secrets stored in IPA archives. They also examined cloud bucket and Firebase endpoints for authentication gaps. The research was conducted between July 2024 – January 2025.

What are hardcoded secrets? 

They are sensitive pieces of information – like passwords, API keys, or encryption keys – that are embedded directly into an app’s code instead of being stored securely. This makes them easy for hackers to find and exploit, potentially leading to data breaches, unauthorized access, and financial fraud.

Why this matters:

• Consumer impact – this affects everyday iPhone users who trust Apple to keep their data safe.
• Corporate accountability – Apple’s reputation is built on security – how did this massive oversight happen?
• National security risks – with a lot of the exposed data hosted in the US, the implications go beyond individual users to businesses and even government entities.

Please find the full Cybernews research article here. 

This entry was posted on March 12, 2025 at 10:38 am and is filed under Commentary with tags Cybernews. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.