Apps built with AI-driven app builders promise rapid development and ease of use. Yet the research shows that “lovable” apps may embed serious risks. The keyphrase “lovable apps” appears at the start and flows naturally. Even when users request “secure code”, many app creators rely on builder-platform logic rather than expert review. The result: apps with vulnerabilities and a false sense of security.
The Research Findings
Researchers at OX Security evaluated multiple AI app-builders including Lovable, Base44 and Bolt. They asked these platforms to produce a wiki-style app containing HTML editing features. All platforms delivered working apps. Yet each version contained stored-cross-site-scripting (XSS) vulnerabilities that allowed malicious actors to inject HTML, hijack sessions and steal data.
The research asked the builders to “secure” the code. The platforms produced only partial improvements when prompted. The built-in “Security Check: Passed” badges or scanners flagged vulnerabilities inconsistently. For example, Lovable’s scanner detected only about 66 % of issues. Bolt’s scanner failed to identify major defects. The researchers concluded that inconsistent detection fosters a false sense of safety among users, especially non-technical creators.
Why This Matters
Many of the users of AI app builders lack deep programming or security expertise. They trust the platform’s promise of rapid deployment and assume that built-in scanners equal real security. When those scanners miss key vulnerabilities, the final apps reach production with weak defences. At scale, this means many “lovable apps” could become attack vectors in enterprise and consumer ecosystems.
Moreover, the ease of publication means non-technical creators publish apps rapidly, often skipping manual review or third-party testing. Each app that slips through with a vulnerability adds cumulative risk to the ecosystem. Attackers can exploit those weaknesses to gain access, elevate privileges or steal sensitive data.
What Developers and Organisations Should Do
Any organisation building or deploying apps via AI platforms should treat them as custom software, not low-risk utilities. Developers must:
- Review and test generated code for vulnerabilities such as XSS, injection and broken authentication.
- Enable and enforce manual security-reviews, even when the builder claims “secure build”.
- Train end-users and creators to identify and mitigate potential risks rather than rely solely on automated checks.
- Enforce least-privilege permissions in deployed apps and monitor live usage for anomaly detection.
Conclusion
Lovable apps may be dangerous by design when AI-driven app-builders fail to embed robust security and users accept built-in “security scan” badges at face value. Organisations that rely on such platforms must treat every generated app as production software, perform proper security reviews and remain vigilant. Neglecting these steps could expose users and data to avoidable risks.
0 responses to “Lovable Apps May Be Dangerous by Design, Research Finds”