Hello Apple Developer Community,
I recently encountered a serious security issue involving a third-party app development company that requested full JSON API key access to my Apple Developer account. After conducting research, I realized that granting this access would allow permanent backend control over my app—even after our contract ended.
Key Issue:
• Third-party developers extract JSON API keys from client accounts.
• These keys allow unrestricted backend access, even after being removed from the account.
• With this access, they can:
  • Modify apps remotely
  • Interfere with financial settings
  • Restrict client access while maintaining their own backend control
Why This Matters:
• This could be happening at scale, affecting many developers unknowingly.
• It’s a major security risk—developers could be losing control of their apps without realizing it.
• Apple’s policies do not explicitly warn against this kind of practice, which leaves developers vulnerable.
I Need Guidance:
• Is there an official Apple security team I can report this to?
• How can developers safeguard themselves from these kinds of exploits?
• Does Apple have a protocol for auditing third-party developer activity within client accounts?
I have full documented evidence of this practice, including chat logs, emails, and technical breakdowns.
This is a serious issue that needs the right eyes on it.
Please advise on the next steps Apple recommends for reporting and addressing this vulnerability.
Kindly find my evidence below.
https://drive.google.com/drive/folders/1uZnAvJE48OazvSgMYr6-wSB1Ss5rF5r4