- Security researchers have discovered numerous mobile apps leaking sensitive data
- Private messages of over 20 million users are at risk
- The affected apps are catalogued in CovertLabs' Firehound repository
Apple often touts the security of its App Store as a reason to resist regulatory pressures to open its app ecosystem to competing stores. The argument suggests that Apple thoroughly vets its App Store for security, removing apps that mishandle user data. However, recent findings indicate that the App Store may not be as secure as it claims.
According to the malware research collective VX Underground, posting on X, the security firm CovertLabs is documenting iOS apps that leak user data. At the time of VX Underground's post, 198 problematic apps had been identified, many of them AI-related.
The most egregious offender is an app called Chat & Ask AI by Codeway, which CovertLabs reports has exposed the complete chat history of approximately 18 million users—totaling 380 million messages—along with user phone numbers and email addresses. This information is reportedly “completely accessible to anyone who knows where to look,” which is particularly alarming given the sensitive data often shared with AIs, according to CovertLabs.
Another app, 'YPT – Study Group', was also implicated, with research showing that data from over two million users was compromised, including chat messages, AI tokens, user IDs, and keys, as noted by VX Underground.
CovertLabs has established a repository of affected apps, dubbed Firehound. Users can view redacted sample data to understand what information was leaked and which apps are most affected. Much of the data is sensitive and access is restricted, requiring interested parties to request permission.
CovertLabs encourages affected developers to contact them, after which the app will be removed from the repository and developers will receive guidance on securing their applications.
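The article does not say which back-end technology the affected apps use, only that their data was "accessible to anyone who knows where to look". The class of defect that produces that outcome is an endpoint or data store that serves user records without checking for a credential. The following is an added example, not CovertLabs' or Firehound's tooling and not code from any of the apps named: it stands up a hypothetical HTTP/JSON back-end with one endpoint that forgets the authorization check and one that enforces it, then probes both with no credentials and flags the one that hands back user-identifying fields. Endpoint paths, field names and sample records are constructed for the demonstration.

```python
"""Probe an API back-end for endpoints that return user data with no credential.

Added example. It assumes the leaking surface is a plain HTTP/JSON API; the
hypothetical back-end, endpoint paths and sample records below are constructed.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data standing in for a chat app's message store.
FAKE_MESSAGES = [
    {"user_id": 1, "email": "alice@example.com", "text": "here is my address ..."},
    {"user_id": 2, "email": "bob@example.com", "text": "tax return attached"},
]


class LeakyBackend(BaseHTTPRequestHandler):
    """Hypothetical back-end: one endpoint omits the authorization check."""

    def do_GET(self):
        if self.path == "/v1/messages":            # misconfigured: no auth check at all
            self._send(200, FAKE_MESSAGES)
        elif self.path == "/v1/profile":           # correct: requires a bearer token
            if self.headers.get("Authorization", "").startswith("Bearer "):
                self._send(200, {"user_id": 1, "email": "alice@example.com"})
            else:
                self._send(401, {"error": "unauthorized"})
        else:
            self._send(404, {"error": "not found"})

    def _send(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_backend():
    """Start the hypothetical back-end on a free localhost port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), LeakyBackend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe_unauthenticated(base_url, paths, sensitive_fields=("email", "phone", "text")):
    """GET each path with no credentials and classify the response.

    'exposed'   -> HTTP 200 whose JSON body contains records with sensitive fields
    'protected' -> HTTP 401 or 403
    'other'     -> anything else (404, non-JSON, empty result, ...)
    """
    results = {}
    for path in paths:
        req = urllib.request.Request(base_url + path, headers={"User-Agent": "exposure-probe"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as exc:   # urllib raises on 4xx/5xx
            status, raw = exc.code, b""
        if status in (401, 403):
            results[path] = "protected"
            continue
        try:
            body = json.loads(raw) if raw else None
        except ValueError:
            body = None
        records = body if isinstance(body, list) else [body] if isinstance(body, dict) else []
        leaks = any(isinstance(r, dict) and any(f in r for f in sensitive_fields) for r in records)
        results[path] = "exposed" if status == 200 and leaks else "other"
    return results


def run_demo():
    """Bring up the constructed back-end, probe it without credentials, tear it down."""
    server, base = start_backend()
    try:
        return probe_unauthenticated(base, ["/v1/messages", "/v1/profile", "/v1/nothing"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, verdict in run_demo().items():
        print(f"{verdict:9s} {path}")
```

Against a real back-end you would point `probe_unauthenticated` at the host your app talks to and feed it the paths it actually requests; any `exposed` verdict means a party with no account can read what your users typed. The probe deliberately sends no cookie or token, because the question is not whether authenticated access works but whether the absence of authentication is refused.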
Impact on Users, Developers, and Apple
The prevalence of leaking apps—such as Chat & Ask AI, GenZArt, Kmstry, and Genie—being associated with AI is not unexpected. In the rush to capitalize on the AI boom, many developers may have compromised security measures to expedite their app launches.
However, some responsibility also lies with Apple. The company prides itself on the security of its App Store relative to the Google Play Store, which is often criticized for harbouring more malicious and insecure apps.
Yet that reputation does not cover this class of flaw. App Store review inspects the app as submitted; it does not audit the developer's back-end, and data that is "completely accessible to anyone who knows where to look" is exposed on the server side, not in the binary a reviewer sees. That apps with such exposures passed review is nonetheless a reason to question how much assurance the process actually provides.
If you use any of the affected apps, stop using them immediately and, where the app offers it, delete your account and request removal of your data. You cannot undo what has already been exposed, but you can stop adding to it. Change the passwords for any accounts tied to the email address you used with the compromised apps (a password manager makes this manageable), and treat unexpected calls, texts or emails with suspicion, since phone numbers and email addresses were among the leaked fields and are exactly what a phishing campaign needs. Inform others who may be using these apps about the risk.
It is hoped that the affected developers will secure their apps and that others will learn from these risks before it is too late.
