The Coding Sprite

AI tools.

Don’t get me wrong, I really enjoy using them. They help me write Swift faster, explain weird compiler errors, and occasionally remind me that yes, I did in fact forget to import a framework. But the more I’ve learned about cybersecurity, the more I’ve realised that AI tools can leak your code in ways that aren’t obvious at all.

And if you’re an iOS developer like me, building apps that handle real user data, that’s a problem worth paying attention to.

The Convenience Trap

AI tools are designed to be helpful. That’s the whole point. You paste in a chunk of code, ask a question, and boom, instant clarity. It feels like having a senior engineer sitting next to you, minus the awkward “did you really write it like that?” eyebrow raise.

But here’s the catch: Every time you paste code into an AI tool, you’re sending it to a server you don’t control, to god knows where.

That means:

• Your code leaves your machine
• It gets stored (sometimes temporarily, sometimes not)
• It may be used to improve the model
• It may be seen by humans during quality checks
• It may be logged for debugging

The “It’s Just a Small Snippet” Lie

This is the one that got me.

I used to think: It’s fine, I’m only pasting a few lines. Nothing sensitive.

But here’s the thing about code: Context is everything.

A “small snippet” can still reveal:

• API endpoints
• Authentication logic
• Database structure
• Business rules
• Proprietary algorithms
• Internal naming conventions
• Secrets hidden in plain sight (we’ve all seen a rogue API key in a config file)

Even something as innocent as a model struct can give away more than you think.

And if you’re working on a client project or anything under NDA? That’s a whole different level of risk.

The Accidental Data Leak

Here’s a scenario that happens more often than people admit:

You’re debugging something weird. You copy a chunk of code. You paste it into an AI tool. You ask, “Why is this crashing?”

Except… that chunk of code includes:

• A user’s email
• A test credit card number
• A token you forgot to scrub
• A real URL pointing to a staging server

You didn’t mean to leak anything. But you did. And the AI tool now has it.

The “Shadow Dataset” Problem

This is the part nobody likes to think about.

Even if an AI tool says it doesn’t store your data long‑term, the reality is:

• Logs exist
• Backups exist
• Monitoring systems exist
• Human reviewers exist
• Model training pipelines exist

And once your code enters any of those systems, you can’t pull it back out.

It becomes part of a shadow dataset — not intentionally malicious, just the natural byproduct of how large AI systems work.

So What Can We Do?

Here’s what I’ve started doing, and it’s made a huge difference:

1. Never paste code directly from your project

Copy it into a scratch file first. Remove anything sensitive. Then paste it into the AI tool.

2. Use local AI tools when possible

There are great on‑device models now that never send data anywhere. They’re not perfect, but they’re safe & I highly recommend looking into this to give it a go.

3. Treat AI like an intern

Helpful, enthusiastic, but absolutely not someone you trust with production secrets.

4. Check your company’s policies

If you’re working for a client or employer, they may already have rules about this and breaking them can get messy fast.

5. Assume everything you paste could become public

If that thought makes you uncomfortable, don’t paste it.

AI Isn’t the Enemy — Carelessness Is

I’m not here to scare you away from using AI. I use it most days even accidentally now with a quick google search when I forget the -ai tag in my search. It’s an incredible tool at times.

But like any tool, it comes with risks — especially for developers.

AI isn’t going anywhere. But neither is our responsibility to keep our code — and our users — safe.

And honestly? Being aware of the risks doesn’t make AI less magical. It just makes you a smarter, safer developer.