M1: Improper Credential Usage

Improper credential usage covers hardcoded secrets, weak credential lifecycles, and unsafe handling of session artefacts. Mobile binaries often ship with API keys, service passwords, or signing tokens embedded for convenience. Attackers reverse engineer the app, extract the secrets, and use them to impersonate the app or pivot into backend services. Poor credential hygiene also includes storing long-lived refresh tokens on the device or transmitting passwords without robust channel protection.

Typical Weakness Patterns

  • Hardcoded API keys, client secrets, or admin passwords in the source tree or compiled binary.
  • Embedding service accounts in configuration files bundled with the app.
  • Reusing the same credentials across environments or failing to rotate leaked keys.
  • Persisting primary credentials in shared preferences, plist files, or Keychain entries without hardware-backed protection.

Detection Cues

  • Static analysis that searches for string literals matching key formats, JSON web tokens, or Base64 blobs.
  • Dynamic testing that inspects network traffic and device storage for credentials sent or cached in plain text.
  • CI/CD pipelines that compare builds for new or changed secrets using tools such as trufflehog, gitleaks, or custom regex scanners.

Mitigation

  • Remove hardcoded secrets and replace them with secure token exchange patterns (e.g., Dynamic Client Registration, short-lived signed requests).
  • Leverage hardware-backed storage (Android Keystore, iOS Secure Enclave) for any tokens that must remain on-device, and bind them to device/user properties.
  • Enforce credential rotation, scope minimisation, and anomaly monitoring so exposed credentials cannot be abused quietly.
  • Automate secret scanning in build pipelines and block releases whenever new credentials are detected.
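The static-analysis cue above (string literals shaped like JWTs, key assignments, or Base64 blobs) and the build-pipeline gate in the last mitigation can be demonstrated together. The following is an added Python example, not code from the original page nor from trufflehog or gitleaks; the patterns, entropy threshold, and sample strings are constructed for illustration and would be tuned against a real code base.

```python
import math
import re
from collections import Counter

# Shapes worth flagging: a JWT (three base64url segments, header starting
# "eyJ"), a keyword assignment such as api_key="...", and any long Base64
# run whose entropy is high enough to be key material rather than text.
PATTERNS = {
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}\b"),
    "credential_assignment": re.compile(r"(?i)\b(api[_-]?key|client[_-]?secret|password|token)\b\s*[:=]\s*['\"]?([^'\"\s]{8,})"),
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
ENTROPY_THRESHOLD = 4.0  # bits per character; constructed value, tune for your code base

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random Base64 approaches 6.0."""
    length = len(text)
    return -sum(c / length * math.log2(c / length) for c in Counter(text).values())

def scan_strings(strings):
    """Return (label, value) findings; each literal is reported at most once."""
    findings = []
    for literal in strings:
        for label, pattern in PATTERNS.items():
            match = pattern.search(literal)
            if match:
                findings.append((label, match.group(match.lastindex or 0)))  # captured value, else whole match
                break
        else:  # no pattern hit: fall back to the entropy heuristic
            for run in BASE64_RUN.findall(literal):
                if shannon_entropy(run) >= ENTROPY_THRESHOLD:
                    findings.append(("high_entropy_base64", run))
                    break
    return findings

def new_findings(previous_build, current_build):
    """CI gate: secrets present in the current build's strings but absent from the previous one's."""
    return sorted(set(scan_strings(current_build)) - set(scan_strings(previous_build)))

# Constructed sample: benign UI strings mixed with fabricated secrets (none are real credentials).
SAMPLE_STRINGS = [
    "https://api.example.test/v1/login",
    "PRIMARY_BUTTON_COLOR",
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhcHAifQ.c2lnbmF0dXJl",
    'client_secret = "s3cr3t-mobile-client-value"',
    "c2VjcmV0LXNlcnZpY2UtcGFzc3dvcmQtdmFsdWU=",
    "Tap to continue",
]
```

Running `new_findings(SAMPLE_STRINGS[:3], SAMPLE_STRINGS)` reports only the two secrets introduced after the first three strings, which is the signal a pipeline would block on.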