Apple iPhone is not safe – surely not from a company that claims, ‘Your iPhone is safe’ and ‘Safe by design’. The phone may be, but its App Store leaks your data like a sieve.
Vincentas Baubonis, head of cybersecurity research at Cybernews, led a large-scale investigation into iOS app security. He says Apple is not living up to its promise of safety, and users are lulled into a false sense of security.

The issue is that 70% of the sampled apps unlock access to sensitive user data. Some could allow full account takeovers. Others – like those found in fetish dating apps – have exposed private photos sent in confidence.
It’s a systemic failure, and Apple, with all its resources and security rhetoric, should be held to account, says Baubonis.
Bad apps and bad actors
Cybernews researchers downloaded 156,000 iOS apps, about 8% of the App Store. They used automated analysis and reverse engineering—the same techniques used by attackers—to scan for secrets embedded directly in the app’s code—the kind of secrets developers should never store there.
- 94,240 hardcoded Storage Buckets, with 836 (0.89%) lacking authentication. These open instances exposed over 76 billion files, leaking 406TB of data.
- 51,098 Firebase URLs, of which 2,218 (4.34%) lacked authentication. These open instances exposed 19.8 million records, leaking 33GB of data, including user session tokens and backend analytics. Almost all of these instances are in the US.
- 8,439 Fabric API keys were exposed. Fabric, an order management system, uses these keys to manage, track, and fulfil orders.
- 3,343 live Branch keys exposed. Branch.io is a marketing platform that tracks campaigns and enables advanced deep linking.
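A developer can run the same kind of static check on their own build before submitting it. The sketch below is an added example, not Cybernews's tooling: the regular expressions are assumed shapes for Firebase URLs, cloud storage buckets and Branch live keys, and the sample IPA, its file names and its values are constructed.

```python
import io
import plistlib
import re
import zipfile

# Assumed shapes of the secret types in the list above (public vendor formats).
RULES = {
    "firebase_url": re.compile(
        rb"https://[a-z0-9-]+\.(?:firebaseio\.com|[a-z0-9-]+\.firebasedatabase\.app)"),
    "storage_bucket": re.compile(
        rb"https://[a-z0-9.-]+\.s3[a-z0-9.-]*\.amazonaws\.com"
        rb"|https://storage\.googleapis\.com/[a-z0-9._-]+"
        rb"|[a-z0-9-]+\.appspot\.com"),
    "branch_live_key": re.compile(rb"\bkey_live_[A-Za-z0-9]{20,}"),
}

def scan_bytes(name, data):
    """Return sorted, de-duplicated (file, rule, match) tuples for one file."""
    hits = {(name, rule, m.group().decode("ascii"))
            for rule, rx in RULES.items() for m in rx.finditer(data)}
    return sorted(hits)

def scan_ipa(ipa):
    """Scan every member of an .ipa (a zip archive); path or file object."""
    findings = []
    with zipfile.ZipFile(ipa) as z:
        for info in z.infolist():
            if not info.is_dir():
                findings += scan_bytes(info.filename, z.read(info))
    return findings

def build_sample_ipa():
    """Constructed sample: binary plist config plus a fake executable."""
    plist = plistlib.dumps(
        {"DATABASE_URL": "https://demo-app-0000.firebaseio.com",
         "STORAGE_BUCKET": "demo-app-0000.appspot.com"},
        fmt=plistlib.FMT_BINARY)
    exe = (b"\xcf\xfa\xed\xfe\x00key_live_EXAMPLEexample0000000000\x00"
           b"https://demo-uploads.s3.eu-west-1.amazonaws.com/img\x00")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/GoogleService-Info.plist", plist)
        z.writestr("Payload/Demo.app/Demo", exe)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, rule, value in scan_ipa(build_sample_ipa()):
        # Print a truncated value so the report itself does not leak the secret.
        print(f"{path}: {rule}: {value[:20]}...")
```

A hit is only a prompt to review: the fix is to move the secret server-side and to require authentication on the bucket or database the URL points to.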
Five niche dating apps – catering to LGBTQ+ users and kink communities – exposed 1.5 million private user images in publicly accessible, unprotected cloud buckets: intimate photos, identity verification selfies, even images flagged for violating platform rules. This is the kind of leak that can ruin lives, especially in countries where homosexuality is criminal.

Yet these apps passed Apple’s review process and remain live in the App Store.
Baubonis says we shouldn’t mistake slick marketing for security. And we shouldn’t let Apple off the hook simply because the alternative might be worse. Apple’s tight control over its ecosystem gives it enormous power, but with that comes responsibility.
Until then, the walled garden may look pristine, but it’s full of weeds.
What about Google Play?
Cybernews did not investigate Google Play (at this time). Major tech companies like GitHub, Google, and AWS all have automated detection systems to catch exposed secrets in code. With its trillion-dollar valuation, Apple could easily implement the same, but it hasn’t.
Why not?
Now, we are in speculation territory because Apple will not comment on anything other than how great it is.
Cybernews speculates that it is due to three main things.
- Apple drinks its own Kool-Aid about its iPhone security.
- Apple’s app approval pipeline is enormous, and slowing it down to add deep security scanning might cut into App Store revenue, especially from free apps running on ad-driven models.
- Apple prefers to position itself as a hardware company with privacy baked in. It implies that what happens inside apps is the developers’ responsibility.
Apple already decides which apps can run on its devices, how payments are processed and which APIs are accessible. It should also ensure that the apps it approves don’t recklessly expose private user data to the internet.
CyberShack’s view: If Cybernews found that the Apple iPhone is not safe, surely Apple knows too
As a courtesy, Cybernews (like any white hat hacker) makes its research available to the target company well before publication. That allows time for action and a public response.
Cybernews has pointed out that the same tools it used are readily available and are the foundation of Google Play Store approvals.
Apple iPhone is not safe – no response, nada, zip, zilch.
As we wrote in “DarkBERT is the most malicious dark web AI. It’s coming after you”, DarkBERT is now being trained on other LLMs, including one relevant to accessing the Apple walled garden. Apple may no longer be a safe haven.
Ironically, Android may be safer. Read “Android vital security information you need to know”.
These leaks go beyond simple password stealing or phishing and arm cybercriminals with a new level of destruction.
4 comments
Karen
Hi Charlie, I have read the information you posted on the iPhone is not safe…. What can I do for security for this issue please?
Love the show Charlie.
Kind regards
Karen
Ray Shaw
The key issue is to get new and stronger passwords and enable 2 factor authentication. Cybercriminals are always trying to get poisoned apps into the app store, and all you can do is be careful and never give them permissions they don’t need.
Antonio Graziani
Hi
I listen to your show on 2GB every Saturday. I am not that good with technology, but I am learning.
I have a question. I had an iPhone problem last week. I am getting a lot of messages, not real nice, so the guy at the phone place told me that my email address and details are on the dark web. Can you help me?
Thanks
Ray Shaw
I have passed this to Charlie, who may have some more sage advice. You don’t mention if you have SMS or email messages. If it is SMS, all you can do is report it as spam and block the sender’s number, or at worst, get a new phone number. If it is email, you can send these to junk and report them or get a new email address and gradually wean your friends and contacts off the old one.
Once your details are on the dark web, they are there forever. Please also ensure that you change all passwords to long and complex ones and implement 2-factor authentication. Don’t do this on your phone – use a Mac or PC and a good password manager like LastPass to help you.