Is This App Safe? How to Spot AI-Built Software Before You Hand Over Your Data

A new app appears. The landing page is clean, the branding looks sharp, the signup flow is smooth. You enter your email, your name, maybe your phone number, maybe your card details. You get a welcome email. Everything feels normal.

Underneath, that app design and build might have been generated by AI in a weekend, deployed without a security review, and storing your data in a database that anyone on the internet can query.

This isn’t hypothetical. In 2025, around 13,000 people had their personal information exposed through apps built on a single AI app-building platform; most of them had no idea the services they trusted were AI-generated, let alone insecure. The exposed data included names, emails, addresses, payment records, and in some cases other API keys that opened the door to further compromise.

The uncomfortable reality is that the burden of figuring out whether an app is safe has quietly shifted onto end users. There’s no badge, no disclosure rule, no required security baseline before a service can start collecting your data.

So here’s a practical guide to spotting the warning signs and protecting yourself.

Why End Users Are Now in the Firing Line

How to Determine if an App is Safe

Before AI tools made app and software development accessible to anyone, the path from “idea” to “app collecting your personal data” went through professional engineers, code reviews, and at least some baseline security thinking. That wall is mostly gone.

Today, anyone with a prompt and a credit card can:

• generate a fully working web app in an afternoon
• connect it to a database
• collect signups
• charge for a subscription
• start storing real user data

None of those steps require the person to understand authentication, access control, encryption, or how to keep API keys out of public code. And the resulting app can look indistinguishable from one built by a serious team.

The hard part for users is that the surface gives almost nothing away.

Signals That an App Might Be AI-Built and Under-Secured

No single signal is proof. But when several stack up, it’s worth slowing down before signing up.

The Domain and Hosting

• Hosted on a builder subdomain. URLs ending in .lovable.app, .vercel.app, .netlify.app, .replit.app, .bolt.new, or similar suggest the app may be early-stage or AI-built. Not automatically insecure — plenty of legitimate apps run on these platforms — but worth treating with extra caution before handing over real data.
• Very new domain. A WHOIS lookup (free at sites like who.is) shows when the domain was registered. A site asking for payment details on a domain registered three weeks ago deserves more scrutiny than one with a five-year history.
• No clear company behind the product. No registered business name, no physical address, no team page, no LinkedIn presence for the founders. Real software usually has a paper trail.

The Branding and Copy

• Generic AI-flavoured naming. Names like “[Adjective][Noun].ai” or “[Verb]ly” combined with stock-feeling marketing copy. Not damning on its own, but a pattern.
• Hero images that look AI-generated. Slightly off hands, oddly perfect lighting, faces with the smooth uncanny look of generated portraits.
• Feature lists that read like a ChatGPT response. Three-bullet sections, identical sentence structures, every feature described in the same upbeat tone. Real product copy usually has more variation.

The Auth and Account Flow

• No two-factor authentication option. Any serious app handling personal data, payments, or business information should offer 2FA. Its absence is meaningful.
• Broken or weird login flows. Forgot-password emails that never arrive, confirmation emails from random Gmail addresses, signup forms that accept obviously invalid input. These often indicate broken auth design underneath.
• Asks for far more information than the product needs. A note-taking app asking for your date of birth and phone number on signup is a flag. The data is being collected because it can be, not because it has to be.

The Trust Signals That Should Be There

• No published privacy policy, or a clearly templated one. Look for specifics: what systems store your data, where they’re located, how long it’s kept, who it’s shared with. Generic templates with placeholder text suggest nobody thought hard about this.
• No security or trust page. Established apps usually have something — even a basic page covering encryption, data handling, and how breaches are reported.
• No working customer support channel. A support email that doesn’t reply, no live chat, no ticket system. If something goes wrong with your account, who do you contact?

The Practical Defence: Don’t Trust Apps With More Than They Need

Even with the best signal-spotting, you can’t always tell. So the realistic strategy is to assume any app might leak your data, and limit the damage if it does.

1. Use a Unique Password Every Time

This is the single highest-leverage habit a normal person can adopt. A password manager — Bitwarden, 1Password, Apple’s built-in Keychain, or your browser’s manager — generates a unique password per site and remembers it for you.

When (not if) one app gets breached, the leaked password is useless anywhere else.

2. Use Email Aliases

Services like Apple’s Hide My Email, Firefox Relay, SimpleLogin, or DuckDuckGo Email Protection let you create a different email address for every signup. They forward to your real inbox.

The benefit:

• If one alias starts getting spam or phishing, you know exactly which app leaked your address.
• You can shut off any alias instantly without affecting anything else.
• Attackers who buy leaked email lists can’t link your accounts together.

3. Use Virtual Card Numbers for Payments

If you’re entering payment details into something you don’t fully trust, virtual cards are your friend.

• Revolut, Wise, and most major banks now offer disposable or single-merchant card numbers.
• In the US, Privacy.com is popular for this.
• Apple Pay and Google Pay also tokenise your real card so the merchant never sees the actual number.

You can cap the spending limit, lock the card to one merchant, or kill it instantly if something looks off.

4. Be Selective About What You Upload

AI-built apps often store uploaded files in cloud storage buckets that are misconfigured to be publicly accessible. If you wouldn’t be comfortable with a document being viewable by anyone with a guessable URL, don’t upload it to a service you don’t trust.

This applies especially to:

• ID documents (passports, driver’s licences)
• Financial records
• Medical information
• Anything containing other people’s personal details

5. Watch for Targeted Phishing After Signup

The clearest sign you’ve signed up for a leaky app is a phishing email that’s too well-informed. If you start getting messages that reference:

• a real order number
• the actual amount you spent
• a specific feature of the service
• your real name combined with details only that service knew

…assume the service has been breached. Change your password there, rotate any payment card you used, and treat any “urgent action required” emails from that service as suspect for the next few months.

6. Check Have I Been Pwned Periodically

haveibeenpwned.com is a free service run by security researcher Troy Hunt. It tells you which known data breaches have included your email address. You can also subscribe to be notified if your address appears in a future breach.

It’s the closest thing to a smoke alarm for your digital life.

7. For Anything Financial or Health-Related, Prefer Boring Established Services

This advice sounds dull, but it’s statistically right. A ten-year-old company with an ugly website is almost always safer than a beautifully-designed app that launched last month — because the older company has had more time, more incidents, and more reasons to take security seriously.

For banking, insurance, healthcare, tax, or anything where a breach would seriously harm you, “exciting and new” is a feature you don’t actually want.

A Reasonable Mental Test Before You Sign Up

When you’re about to hand over your details to a service you don’t know well, run this quick check:

1. Could I find anyone responsible? Is there a real company behind it, with a name and an address?
2. Have I heard of this from a trustworthy source, or just an ad?
3. Does it offer 2FA?
4. Is it asking for more information than it actually needs?
5. If this app leaked everything I’m about to give it tomorrow, what’s my exposure?
6. Is the software or app built by a reputable company? Check the footer (right at the bottom) and see if it states who build it… See image below

If you can’t answer those comfortably, you don’t need to refuse, you just need to limit what you give. Use an email alias, a unique password, a virtual card, and the minimum information required.

What Should Change

End users shouldn’t have to be amateur security researchers to safely sign up for a service. The current state of things — where an AI-built app with no security review can collect your name, email, address, and payment details, and the only signal you get is a slightly-too-polished landing page — isn’t sustainable.

Eventually, this will likely shift through some combination of:

• regulation requiring disclosure of AI-generated software handling personal data
• platform-level security defaults that make basic mistakes harder to ship
• consumer trust marks for services that meet a security baseline
• insurance and liability pressure on businesses that deploy unreviewed AI-generated code

Until any of that arrives, the practical answer is the same as it’s always been with new technology: trust slowly, give up the minimum, and assume that what gets collected will eventually leak.

The good news is that the basic defences, unique passwords, email aliases, virtual cards, and a healthy scepticism — protect you against most of the damage even when an app does turn out to be insecure.

The bad news is that nobody else is going to do this for you.

Frequently Asked Questions