A recent investigation shows how widespread hardcoded secrets are in iOS applications. Cybernews researchers analyzed over 156,000 apps from the App Store and found that 71% of them leak at least one secret. On average, each app exposed more than five secrets, some of which could jeopardize user data if exploited by malicious actors.
The core issue is a practice known as “hardcoding,” where sensitive values such as API keys, passwords and access tokens are written directly into an app’s source code as string literals. Those literals survive compilation, so they ship inside the app binary and its bundled configuration files. Anyone who downloads the app, unzips the .ipa package and runs a strings extractor over its contents can read them; no access to the source code and no jailbroken device is required.
The impact of hardcoded secrets can be severe. Many of the exposed secrets let apps authenticate to and interact with third-party services like Google Cloud, Facebook and ad platforms. Some of the leaks, such as database URLs and cloud storage access keys, could enable attackers to steal or delete user data. For example, over 78,000 apps revealed identifiers that could grant access to cloud storage services like Amazon S3 or Google Cloud, according to Cybernews. What an attacker can actually do depends on what was leaked: a bucket name or URL alone only tells them where to look, but a long-lived access key with write or delete permissions, or a bucket left open to anonymous access, lets them read, alter or wipe stored files and puts personal user information at significant risk.
The investigation also uncovered other high-risk exposed secrets, including unique identifiers for Google services and Facebook integration tokens. Such leaks could enable attackers to impersonate apps or launch phishing attacks. OAuth client IDs, which identify the app to an identity provider during user sign-in, turn up especially often. A client ID by itself is not a credential and is expected to be public in a native app, but when it ships alongside a client secret, or when the provider or backend treats it as proof that a request comes from the genuine app, an attacker can pose as that app and mislead users into granting an impostor access to their accounts.
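To make the mechanism concrete, here is an added example (my own code, not Cybernews’ tooling or anything from the report): a small Python scanner that treats an .ipa the way a researcher does, pulling printable strings from the app binary and its bundled plists, matching them against known credential formats, and ranking each hit by whether possession alone grants access. The regexes are my approximations of the public key formats, and the sample bundle is constructed in memory with placeholder values (the AWS pair is Amazon’s own documentation example) so the script runs offline; pass a real .ipa path as the first argument to scan an actual app.

```python
"""Find hardcoded secrets in an unpacked iOS app bundle.

Added example, not Cybernews' tooling. An .ipa is a zip; the Mach-O binary,
Info.plist, GoogleService-Info.plist and any JSON config under Payload/ keep
string literals verbatim, so we extract printable strings from every file and
match them against credential formats. The sample bundle at the bottom is
constructed in memory with placeholder values so the script runs offline.
"""
import re
import sys
import zipfile
from dataclasses import dataclass, field

# (name, regex, severity). Severity says how much possession alone buys an
# attacker: a bucket URL or OAuth client ID is just an identifier ("low"),
# an AWS secret key, Facebook app secret or private key is a credential
# ("high"). The regexes are my approximations of the public key formats.
PATTERNS = [
    ("AWS access key ID", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "medium"),
    ("AWS secret access key",
     re.compile(r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key.{0,40}?([A-Za-z0-9/+]{40})\b"),
     "high"),
    ("Google API key", re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"), "medium"),
    ("Google OAuth client ID",
     re.compile(r"\b\d{8,14}-[0-9a-z]{32}\.apps\.googleusercontent\.com\b"), "low"),
    ("Firebase database URL", re.compile(r"https://[a-z0-9-]+\.firebaseio\.com\b"), "medium"),
    ("S3 bucket URL", re.compile(r"https://[a-z0-9.-]+\.s3[a-z0-9.-]*\.amazonaws\.com"), "low"),
    ("Facebook app secret",
     re.compile(r"(?i)(?:fb|facebook)[_-]?(?:app[_-]?)?secret.{0,40}?([0-9a-f]{32})\b"), "high"),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"), "high"),
]


@dataclass
class Finding:
    kind: str
    value: str
    severity: str
    paths: list[str] = field(default_factory=list)  # every bundle file it appeared in


def extract_strings(blob: bytes, min_len: int = 8) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like `strings -n 8`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def scan_bundle(bundle: dict[str, bytes]) -> list[Finding]:
    """bundle maps path-inside-the-ipa -> raw file bytes; returns deduplicated hits."""
    found: dict[tuple[str, str], Finding] = {}
    for path, blob in bundle.items():
        for s in extract_strings(blob):
            for kind, rx, severity in PATTERNS:
                for m in rx.finditer(s):
                    # contextual patterns capture the value; bare ones match it whole
                    value = m.group(1) if m.groups() else m.group(0)
                    f = found.setdefault((kind, value), Finding(kind, value, severity))
                    if path not in f.paths:  # same literal often sits in binary and plist
                        f.paths.append(path)
    return list(found.values())


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def load_ipa(path: str) -> dict[str, bytes]:
    """Read every file under Payload/ from a real .ipa (it is just a zip)."""
    with zipfile.ZipFile(path) as z:
        return {n: z.read(n) for n in z.namelist() if n.startswith("Payload/") and not n.endswith("/")}


# Constructed sample: a fake Mach-O __cstring section plus two plists. The AKIA/secret
# pair is the AWS documentation example; every other value is a placeholder in the
# right shape. None of these are live credentials.
GOOGLE_KEY = b"AIzaSyA" + b"0" * 32
SAMPLE_BUNDLE = {
    "Payload/Demo.app/Demo": (
        b"\xcf\xfa\xed\xfe" + b"\x00" * 12  # Mach-O magic + padding, not printable
        + b"https://api.example.com/v1\x00"
        + b"AKIAIOSFODNN7EXAMPLE\x00"
        + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
        + b"https://demo-uploads.s3.us-east-1.amazonaws.com/\x00"
        + GOOGLE_KEY + b"\x00"  # also present in the plist below
        + b"-----BEGIN RSA PRIVATE KEY-----\x00"
        + b"short\x00"  # under 8 bytes, ignored
    ),
    "Payload/Demo.app/GoogleService-Info.plist": (
        b"<key>API_KEY</key><string>" + GOOGLE_KEY + b"</string>"
        + b"<key>CLIENT_ID</key><string>123456789012-abcdefghijklmnopqrstuvwxyz012345"
        + b".apps.googleusercontent.com</string>"
        + b"<key>DATABASE_URL</key><string>https://demo-app-12345.firebaseio.com</string>"
    ),
    "Payload/Demo.app/Info.plist":
        b"<key>FacebookAppSecret</key><string>0123456789abcdef0123456789abcdef</string>",
}

if __name__ == "__main__":
    bundle = load_ipa(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_BUNDLE
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = scan_bundle(bundle)
    for f in sorted(findings, key=lambda f: rank[f.severity]):
        print(f"[{f.severity:6}] {f.kind}: {f.value[:12]}... in {', '.join(f.paths)}")
    print(summarize(findings))
```

The severity column is the caveat from the paragraphs above written as code: a bucket URL or OAuth client ID on its own is a “low” identifier, while an AWS secret key, Facebook app secret or private key is a “high” credential. Deduplicating by (kind, value) while recording every path matters in practice, because the same literal usually sits both in the Mach-O string table and in a plist, and a report that counts it twice overstates the exposure.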
The frequency of these leaks highlights a serious problem for mobile security. A report from GitGuardian found that over 23 million hardcoded secrets were committed to public GitHub repositories in 2024 alone. Attackers already scan public repositories and app stores for these formats automatically, and a leaked cloud key can be found and abused within minutes of publication, so every developer who repeats this mistake adds to a pool that is exploited at scale.
As these exposures remain prevalent, developers need to treat anything shipped to the device as public. That means keeping secrets on a backend that brokers calls to third-party services, issuing the app short-lived and narrowly scoped tokens instead of long-lived keys, restricting any key that must ship (an analytics or maps key, for example) to the app’s bundle identifier and the minimal set of APIs, and running secret scanning on both the repository and the built .ipa before release. Protecting sensitive data from exposure is critical to safeguarding users’ privacy.