iOS apps have concealed security issues that put user data at risk, study reveals

Apple has long promoted the App Store as a secure platform for downloading applications, highlighting its rigorous vetting process as a critical safeguard for iPhone users. However, recent findings have cast serious doubts on this reputation.

A study revealed that thousands of Apple-approved iOS apps carry hidden security vulnerabilities that could put user data, cloud storage, and payment systems at risk. The core issue isn’t malware but rather poor security practices integrated into the app’s code.

Researchers from CyberNews conducted an analysis of over 156,000 iPhone apps, which accounts for about 8% of all apps globally. The results were concerning:

  • More than 815,000 hidden secrets were identified in the app code.
  • On average, each app contained five secrets.
  • About 71% of the apps leaked at least one secret.

These “secrets” include sensitive information like passwords and access tokens that developers embedded directly in their apps. Aras Nazarovas, a researcher from CyberNews, noted that this makes it quite easy for attackers, often without users even realizing the risks involved.

Understanding Hard-Coded Secrets

Hard-coded secrets are sensitive values stored within the app itself rather than securely on a server. It’s akin to jotting down your PIN on your debit card. Anyone can extract these secrets just by inspecting the app files, and attackers don’t need advanced hacking skills to do it. Both the Cybersecurity and Infrastructure Security Agency and the FBI have cautioned developers against this practice, but it remains widespread.

Data Leaks Linked to Cloud Storage

Another significant issue revolves around cloud storage. More than 78,000 iOS apps had unsecured links to cloud storage areas, housing files like photos and documents. Researchers uncovered:

  • 836 storage buckets exposed.
  • Over 76 billion public files.
  • More than 406 terabytes of sensitive data leaked.

This data includes everything from user uploads to personal records, accessible to anyone who knows where to find it.

Impact of Unsecured Firebase Databases

Many iOS apps depend on Google Firebase for data storage. CyberNews found over 51,000 links to Firebase databases within app code. Although some were secured, over 2,200 links were not authenticated. This exposure made the following accessible:

  • Roughly 20 million user records.
  • Messages, profile information, and activity logs.

If unsecured, these databases allow attackers easy access to sensitive data.

Risks to Payment and Login Systems

Some leaked secrets are particularly alarming. Researchers found keys belonging to payment systems and login processes, such as:

  • Stripe for managing payments.
  • JWT for user authentication.
  • Order management tools in shopping applications.

If these keys are compromised, attackers could manage payments and access personal accounts.
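
A pre-release check a developer could run over their own app bundle, as an added example that is not from the study or the original article: it looks in Info.plist values and in the printable strings of the compiled binary for the kinds of embedded values named above (Stripe keys, JWTs, Firebase database links). The regular expressions, function names and sample data are constructed assumptions, not the researchers' rule set.

```python
import re
import plistlib

# Illustrative patterns (assumptions), not the rule set used in the study.
RULES = {
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{24,}\b"),
    "jwt": re.compile(r"\beyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]{8,}"),
    "firebase_db_url": re.compile(r"https://[a-z0-9-]+\.firebaseio\.com"),
}

def walk(value, path=""):
    """Yield (key_path, string) for every string inside a decoded plist."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value

def scan_plist(data: bytes):
    """Return sorted (rule, key_path) findings; matched values are not echoed."""
    findings = set()
    for path, text in walk(plistlib.loads(data)):
        for rule, rx in RULES.items():
            if rx.search(text):
                findings.add((rule, path))
    return sorted(findings)

def scan_binary(blob: bytes, min_len=8):
    """Scan printable ASCII runs (as `strings` would) from a compiled executable."""
    findings = set()
    for run in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        text = run.decode("ascii")
        findings.update(rule for rule, rx in RULES.items() if rx.search(text))
    return sorted(findings)

# Constructed sample inputs: every value below is fake.
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleName": "DemoApp",
    "Payments": {"StripeKey": "sk_live_" + "A" * 24},
    "DATABASE_URL": "https://demo-app-0000.firebaseio.com",
})
SAMPLE_BINARY = b"\x00__TEXT\x00Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJlX3g\x00"

if __name__ == "__main__":
    print(scan_plist(SAMPLE_PLIST))
    print(scan_binary(SAMPLE_BINARY))
```

A Firebase URL match is not a secret by itself; it is a prompt to confirm that the database rejects unauthenticated reads, which is the condition the study reports for the exposed links.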

AI and Social Apps as Major Risks

AI-related apps are among the largest culprits for data leaks. Notably, 198 iOS applications identified by CovertLabs were observed leaking user data. One troubling case was Codeway’s Chat & Ask AI, which exposed chat histories and personal information of millions.

Challenges in App Review Process

While Apple reviews apps before their launch, the review doesn’t check the underlying code for hidden vulnerabilities. If an app functions correctly during testing, it may receive approval—even if sensitive information is embedded within. This gap highlights the difference between Apple’s security claims and actual risks.

Steps to Enhance Your Security

While you can’t easily check for hidden secrets in apps, you can take steps to mitigate risks:

1) Choose Established Developers

Familiar developers typically have better security practices. Check the developer’s history and the frequency of their app updates.

2) Review App Permissions

Many apps request permissions that aren’t necessary for their functions. Go to your iPhone settings and restrict these permissions if possible.

3) Delete Inactive Apps

Unused apps may still access previously shared data. Regularly review and remove apps you no longer use.

4) Protect Personal Info

Be cautious about entering sensitive information. AI apps can be particularly risky in this regard.

5) Use a Password Manager

Password managers create unique, strong passwords for your accounts, helping protect against breaches.

6) Change App Login Passwords

If an app uses your email address for logging in, change that password immediately, even if you haven’t noticed any breaches.

7) Consider a Data Deletion Service

Some leaked data could end up with data brokers. These services can help remove your information from various databases.

8) Monitor Your Accounts

Be alert for unusual activity, such as unexpected emails or login alerts, which may suggest your data has been compromised.

9) Refrain from Using Risky AI Apps

If you’re using AI apps for private communications, consider pausing until security issues have been addressed.

Final Thoughts

While Apple’s App Store provides some significant protections, this research indicates that vulnerabilities exist. Users should remain vigilant, carefully consider the data they share, and be cautious when downloading apps.
