Research: 71% Of iOS Apps Leak Hard-Coded Secrets
New research has revealed a widespread security weakness within the Apple ecosystem: 71 percent of the iOS App Store apps analyzed were found to be leaking company secrets.
Hard-coding a secret means embedding sensitive information, such as cloud storage keys, passwords, and even data encryption keys, directly into the application’s source code, from where it ends up inside the shipped app. It is convenient for developers, but it poses a serious security risk if the secret is left unprotected, because anyone who can unpack the app can read it.
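To make the anti-pattern concrete, here is an added example (not code from the original article or from the research it reports): a small, defender-side scanner that flags hard-coded credentials in source text, run over a constructed Swift snippet that embeds secrets beside a constructed hardened version that loads them at runtime. The AWS access key ID shown is the placeholder value from AWS's own documentation; every other value, and the `Keychain.string` and `fetchShortLivedToken` helpers in the hardened snippet, are invented for illustration.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str


# Public, fixed-format credential prefixes that can be matched exactly.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Generic "secret-looking name = string literal" assignments; the literal is
# then judged by Shannon entropy so ordinary strings are not flagged.
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:api[_-]?key|access[_-]?key|secret|password|passwd|token|"
    r"client[_-]?secret)\w*\s*[:=]\s*[\"']([^\"']{12,})[\"']"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking keys score high."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Return one Finding per line that looks like it embeds a credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        kind = next((k for k, pat in PATTERNS.items() if pat.search(line)), None)
        if kind is None:
            m = ASSIGNMENT.search(line)
            if m and shannon_entropy(m.group(1)) >= entropy_threshold:
                kind = "high_entropy_assignment"
        if kind is not None:
            findings.append(Finding(line_no, kind, line.strip()))
    return findings


# Constructed example of the anti-pattern: credentials embedded in the app source.
VULNERABLE_SWIFT = """\
// Constructed example of the anti-pattern: credentials embedded in the app bundle.
let awsAccessKeyId = "AKIAIOSFODNN7EXAMPLE"
let paymentApiKey = "sk_live_x9Q3mZ7pL2vW8rT1nH4bK6dY0cF5gJ"
let dbPassword = "hunter2"
"""

# Constructed hardened form: no literal secrets in the source; the helpers named
# here are hypothetical and stand for Keychain access and a backend token exchange.
HARDENED_SWIFT = """\
// Constructed hardened form: no literal secrets; credentials come from the
// Keychain or are minted server-side as short-lived tokens at runtime.
let awsAccessKeyId = Keychain.string(forKey: "aws-access-key-id")
let paymentApiKey = fetchShortLivedToken(from: backendURL)
"""


if __name__ == "__main__":
    for label, source in (("vulnerable", VULNERABLE_SWIFT), ("hardened", HARDENED_SWIFT)):
        print(f"== {label} ==")
        for f in scan_for_secrets(source):
            print(f"  line {f.line_no}: {f.kind}: {f.snippet}")
```

Run as a pre-commit or CI check, the scanner flags the AWS key and the payment API key in the first snippet and nothing in the second. Note the deliberate limitation shown by the `dbPassword` line: a short, low-entropy password slips past entropy heuristics, which is why keyword rules and code review complement this kind of scanning rather than replace it.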
Despite Apple’s reputation as a highly secure environment, researchers discovered that many companies did not protect the secrets hard-coded in their apps. After following the rabbit hole, they were able to discover entire unprotected databases, easily accessible infrastructure, and 815,000 hard-coded secrets across more than 156,000 apps.
The total amount of exposed data exceeds 406TB, reachable through more than 83,000 endpoints, 836 of which did not require authentication at all. Some secrets were even stored in plain text, meaning an attacker could have obtained this data with little effort.
Although the majority of these secrets were classified as low sensitivity, many still exposed sensitive data such as payment processor credentials, cloud storage keys, API keys, and more. Leaks containing this kind of information could be devastating for any business.
According to the data, 71 percent of the apps analyzed were leaking at least one secret. Shockingly, the average was 5.2 leaked secrets per app.
“Some iOS developers just make it too easy for hackers,” said one researcher.
Cybernews obtained this data by analyzing 156,080 apps selected at random, roughly 8 percent of the reported 1.8 million apps on the App Store. While this is not a comprehensive sweep of every app on the platform, the sample size is substantial.
It’s also worth noting that the leaks could be much worse.
“These secrets alone are not enough to gain unauthorized access to protected resources, but they are often required to abuse other leaked secrets or to identify target endpoints. However, some other secrets, such as Firebase endpoints or cloud storage endpoints can be derived from project ID or other keys,” researchers said.