Cybernews Study Finds 71% of iOS Apps Leak Sensitive Data
A new study by Cybernews researchers has found that 71% of iOS apps leak sensitive data, including API keys, cloud storage credentials, and financial information. The analysis, which examined 156,080 randomly selected iOS apps — representing 8% of the Apple App Store — raises concerns about cybersecurity risks even under Apple’s stringent app evaluation guidelines.
The first large-scale research of its kind, Cybernews’ findings highlight significant vulnerabilities in hardcoded secrets stored within iOS applications.
Key Findings:
- Over 816,000 sensitive data exposures were found, averaging 5.23 exposed secrets per app.
- 406TB of user data — including files, personal data, and documents — was exposed through 836 publicly accessible storage bucket endpoints.
- 2,218 Firebase instances (4.34%) were misconfigured, exposing 19.8 million records (33GB of data), including user session tokens and backend analytics.
- More than 51,000 apps improperly use Google’s Firebase database, making user data vulnerable to theft.
To put this in perspective:
- 406TB of leaked data is equivalent to 17 years of continuous HD video streaming.
- The 19.8 million leaked records would equal about 16 million iPhone photos.
- The number of apps misusing Google’s Firebase database (51,000) is greater than the number of Starbucks locations worldwide—each one representing an app with potential security risks.
How the Study Was Conducted
Between Oct. 2-16, 2024, Cybernews researchers extracted and analyzed the code of the selected apps for hardcoded secrets. While they did not attempt to decompile or de-obfuscate the apps, they found a significant amount of sensitive data stored in plaintext files within app archives.
Researchers also checked cloud bucket and Firebase endpoints for authentication vulnerabilities. In addition to major leaks, they discovered:
- 79,000 Google Project IDs — used for routing API requests and managing Google Cloud resources.
- 79,000 Google App IDs — meant for tracking ads and usage statistics.
- 68,000 Client IDs, 43,000 Google AdMob App IDs, 37,000 Facebook App IDs, 20,000 Android Client IDs, and 17,000 Facebook Client Tokens were also exposed.
Watch How This Works
Cybernews warns that these vulnerabilities put millions of iOS users at risk, reinforcing the need for better security practices in app development.
For the full report, visit Cybernews’ research on iOS app security.
More Stories Like This
AI and Translation Tech Are Transforming Accessibility in AV
As I virtually watched colleagues and friends jet off to Barcelona last month, I thought about the interconnected aspects of our world. We can hop on a plane in the U.S. and — within hours — be anywhere in the world. I have never been to Barcelona. In fact, have only been to one other […]
October 2024 Temperature Check Results: Security in the AV Industry
October was Cybersecurity Awareness Month, and with the AV industry’s increasing reliance on connected systems, the timing couldn’t have been better. From corporate boardrooms to large-scale event spaces, the security of AV systems has become a pressing issue in the industry. In our October Temperature Check, we asked industry professionals about their experiences with cybersecurity […]
Is AI a Threat or Opportunity? The Human Factor in Cybersecurity
BY: Theresa Payton Artificial Intelligence (AI) and cybersecurity have sparked an ongoing debate about whether they’re the ultimate duo or a dangerous combination. As someone who has spent years navigating cybersecurity, I see both sides. AI offers incredible opportunities but opens up new vulnerabilities that we, as cybersecurity professionals, must address. AI & Cybersecurity: The […]