A new study by Cybernews researchers has found that 71% of iOS apps leak sensitive data, including API keys, cloud storage credentials, and financial information. The analysis, which examined 156,080 randomly selected iOS apps — representing 8% of the Apple App Store — raises concerns about cybersecurity risks even under Apple’s stringent app evaluation guidelines.
The first large-scale research of its kind, Cybernews’ findings highlight significant vulnerabilities in hardcoded secrets stored within iOS applications.
Key Findings:
- Over 816,000 sensitive data exposures were found, averaging 5.23 exposed secrets per app.
- 406TB of user data — including files, personal data, and documents — was exposed through 836 publicly accessible storage bucket endpoints.
- 2,218 Firebase instances (4.34%) were misconfigured, exposing 19.8 million records (33GB of data), including user session tokens and backend analytics.
- More than 51,000 apps improperly use Google’s Firebase database, making user data vulnerable to theft.
To put this in perspective:
- 406TB of leaked data is equivalent to 17 years of continuous HD video streaming.
- The 19.8 million leaked records would equal about 16 million iPhone photos.
- The number of apps misusing Google’s Firebase database (51,000) is greater than the number of Starbucks locations worldwide—each one representing an app with potential security risks.
How the Study Was Conducted
Between Oct. 2-16, 2024, Cybernews researchers extracted and analyzed the code of the selected apps for hardcoded secrets. While they did not attempt to decompile or de-obfuscate the apps, they found a significant amount of sensitive data stored in plaintext files within app archives.
Researchers also checked cloud bucket and Firebase endpoints for authentication vulnerabilities. In addition to major leaks, they discovered:
- 79,000 Google Project IDs — used for routing API requests and managing Google Cloud resources.
- 79,000 Google App IDs — meant for tracking ads and usage statistics.
- 68,000 Client IDs, 43,000 Google AdMob App IDs, 37,000 Facebook App IDs, 20,000 Android Client IDs, and 17,000 Facebook Client Tokens were also exposed.
Watch How This Works
Cybernews warns that these vulnerabilities put millions of iOS users at risk, reinforcing the need for better security practices in app development.
For the full report, visit Cybernews’ research on iOS app security.