
282 of 444 iOS AI Chatbot Apps Found Leaking API Keys in Network Traffic


A study of 444 iOS AI chatbot apps found that 282 of them are exposing API keys or tokens through plaintext network traffic, with some backends requiring no authentication at all. The primary risk is financial: stolen API keys allow attackers to run up large bills on a developer's LLM account, potentially costing thousands of dollars before any anomaly is detected. Researchers note that apps with completely unauthenticated backends present an even greater threat than leaked keys, as they function as open proxies usable by anyone who discovers the endpoint. Security experts say the root cause is a widespread practice of building mobile apps that directly hold API credentials for paid upstream services, rather than routing requests through a secure, developer-controlled backend. The recommended fix — having the app authenticate to a developer's own backend, which then holds and uses the upstream key — is well-established but is evidently not being widely adopted in the current wave of AI app development.
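The fix described above, as an added illustration that is not part of the study or the summarized article: the app holds only a per-user token issued by the developer, and the developer-controlled backend is the sole holder of the paid upstream key, rejects unauthenticated callers (so it cannot serve as an open proxy), and caps per-user usage to bound the bill if a client token does leak. The token store, quota, `UPSTREAM_API_KEY` and the recorded upstream call are constructed demo values, not any vendor's API.

```python
import hmac
from dataclasses import dataclass, field

# Constructed demo values; in a real deployment these come from the server's
# secret store and the developer's own login flow. The upstream key exists
# only here, never in the shipped app binary or its network traffic.
UPSTREAM_API_KEY = "sk-CONSTRUCTED-DEMO-KEY"
DAILY_REQUEST_QUOTA = 3  # small cap so the demo shows the 429 path
USER_TOKENS = {"tok-alice-1": "alice", "tok-bob-2": "bob"}


@dataclass
class Backend:
    """Developer-controlled backend sitting between the app and the LLM API."""
    usage: dict = field(default_factory=dict)
    upstream_calls: list = field(default_factory=list)  # what would go upstream

    def _authenticate(self, auth_header):
        """Map a 'Bearer <token>' header to a user, or None if unknown.

        Tokens are compared in constant time to avoid timing side channels.
        """
        if not auth_header or not auth_header.startswith("Bearer "):
            return None
        presented = auth_header[len("Bearer "):].encode()
        for token, user in USER_TOKENS.items():
            if hmac.compare_digest(presented, token.encode()):
                return user
        return None

    def handle(self, auth_header, prompt):
        """Return (status, body). Unauthenticated callers never reach upstream."""
        user = self._authenticate(auth_header)
        if user is None:
            return 401, {"error": "unauthorized"}
        if self.usage.get(user, 0) >= DAILY_REQUEST_QUOTA:
            # Per-user quota bounds the spend a single leaked app token can cause.
            return 429, {"error": "quota exceeded"}
        self.usage[user] = self.usage.get(user, 0) + 1
        # Only the backend attaches the paid key; the client never sees it.
        self.upstream_calls.append(
            {"authorization": f"Bearer {UPSTREAM_API_KEY}", "prompt": prompt}
        )
        # Demo stand-in for the upstream model's answer.
        return 200, {"reply": f"echo: {prompt}", "user": user}
```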

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


Related stories

Programming · DEV Community

IT Tech Builds No-Install USB Diagnostic Toolkit to Skip Repetitive Setup

A developer and IT technician grew frustrated with repeatedly assembling diagnostic tools on every new machine or client site, prompting them to create a portable USB-based toolkit. The kit is built around a strict rule: all tools must run directly from the USB drive, install nothing on the host machine, and leave no trace after removal. It is organized into three functional areas — system health checks, network diagnostics, and user profile management — covering the most common IT troubleshooting scenarios. The author notes that using a fast USB 3.0 or higher drive is important, as slow hardware can make portable tools appear broken. While the toolkit can be assembled for free using existing portable utilities and built-in Windows commands, the author also packaged and released it commercially for $34 as a one-time download.

Programming · Hacker News

Developer Translates Entire Rust Compiler Codebase Into C

A project called 'crustc' has emerged on GitHub, aiming to translate the entirety of rustc, the official Rust programming language compiler, into C. The work is being carried out by developer FractalFir, who published the project as an open-source repository. The effort represents a significant technical undertaking, given that rustc is a large and complex codebase written in Rust itself. Such a translation could have implications for bootstrapping Rust on systems where a native Rust compiler is unavailable. The project has begun attracting attention in the developer community, garnering early points and discussion on Hacker News.

Programming · DEV Community

AI Coding Skills: Why Structured Workflows Beat Simple Code Prompts

Most developers use AI coding assistants with simple one-line prompts, but this approach often produces inconsistent and shallow results. Developer Matt Pocock's open-source Skills repository proposes a better method: giving AI structured, reusable engineering workflows instead of ad-hoc instructions. These workflows guide AI through processes like writing Product Requirements Documents, test-driven development, systematic debugging, and architecture reviews. The approach mirrors how experienced software engineers actually think, making it useful for both greenfield projects and legacy codebases. By treating AI as a process-following collaborator rather than a code generator, developers can achieve more reliable, maintainable, and professionally structured outputs.

Programming · DEV Community

How a developer shipped a libmpv-based video player on the Mac App Store

Developer Reel, a local video player and library app for macOS, was successfully submitted to the Mac App Store despite most mpv-based players distributing outside it. The process took about a month from first commit to approval, with the biggest hurdle being a JIT-related crash caused by LuaJIT's memory allocator conflicting with App Store sandbox entitlement rules. The fix was a single build-flag change to disable Lua entirely, since the app never used mpv's scripting features, which also eliminated the need for two otherwise-required entitlements. Additional challenges included LGPL compliance with static linking, two sandbox traps that only surfaced after local testing, and a design rejection. The developer published the experience as a field guide for anyone integrating FFmpeg or libmpv into a sandboxed Mac app.
