News
Hacker goldmine: over 110,000 iOS apps expose hardcoded secrets, research finds
March 2025 by CyberNews
Apple’s App Store is considered the gold standard for security, but Cybernews researchers analyzed 156,080 randomly selected iOS apps – around 8% of the apps present on the App Store – and uncovered a massive oversight: 71% of them expose sensitive data, including API keys, cloud storage credentials, and financial information.
The security of iOS apps remains under-researched, and this is the first research of this kind at scale.
Key findings of this research:
Over 816,000 secrets were found, with an average of 5.23 exposed secrets per app.
Out of 94,240 storage bucket instances found hardcoded in iOS applications (with some apps containing multiple storage bucket endpoints), 836 of these endpoints (0.89%) were accessible without authentication, exposing 406TB of user files, personal data, and documents.
2,218 Firebase instances (4.34%) had misconfigured authentication, leaking 19.8 million records (33GB of data), including user session tokens and backend analytics, almost all of these instances hosted in the US.
More than 51,000 apps misuse Google’s Firebase database, making user data vulnerable to easy theft.
Why this matters:
For cybersecurity teams: hardcoded secrets introduce a major attack vector, allowing threat actors to move laterally across networks, compromise cloud services, and exfiltrate data with minimal effort.
For developers: Many developers rely on hardcoded credentials without realizing the risks. Secure coding practices, automated secret scanning, and environment variable management must be prioritized to prevent exposure.
Even high-profile apps could be leaking sensitive data without developers or businesses realizing it – and clearly, Apple has a blind spot when it comes to this.
Cybernews security researcher Aras Nazarovas warns: "Despite iOS apps being perceived as secure, many developers still leave key vulnerabilities exposed, like hardcoded credentials. This creates an easy entry point for attackers to exploit, even without advanced skills. With Apple pulling Advanced Data Protection for UK users, the lack of strong encryption worsens the issue, increasing the risk of data breaches, unauthorized access, and long-term security fallout."
The security of iOS apps remains under-researched, and this is the first research of this kind and scale. The research was conducted between July 2024 – January 2025.
Methodology
The researchers analyzed iOS app versions available from October 2-16, 2024 using OSINT and Reverse Engineering techniques. Without de-obfuscating or decompiling, researchers found a massive number of plaintext secrets stored in IPA archives. They also examined cloud bucket and Firebase endpoints for authentication gaps. The research was conducted between July 2024 – January 2025.
