Hardcoded API Keys

Description

Secrets embedded in the mobile binary (API keys, client secrets, passwords) are trivial to recover via static analysis or simple string extraction. Once recovered, attackers can replay them from emulators, rooted devices, or headless clients to impersonate the app, bypass rate limits, or target backend services.

Examples

Extract Keys via Static Analysis

Decompile and search for secrets in resources and source:

apktool d app-release.apk -o app-src
rg -n "(?i)(api[_-]?key|secret|token)" app-src

# Or use jadx for code strings
jadx -r -d out app-release.apk
rg -n "AES|Bearer|sk_live|api_key" out

Simple Strings Extraction

strings -n 6 app-release.apk | rg -i "api[_-]?key|secret|token|sk_live"

Proof by Replaying Requests

Use the recovered key in a direct API call:

curl -H "X-API-Key: <EXTRACTED_KEY>" https://api.example.com/v1/profile

If the backend accepts the call without device binding, the key is exploitable.

Remediation

  1. Remove hardcoded secrets
    • Never embed long-lived secrets in the app; use server-issued, short-lived tokens after device attestation.
  2. Bind tokens to device and user
    • Use DPoP, mTLS, or signed challenges so tokens are useless off-device.
  3. Harden backend controls
    • Enforce per-device rate limits, anomaly detection, and kill-switches for abused keys.
  4. Secure build pipelines
    • Inject ephemeral config at runtime, scrub build artefacts, and scan releases with SAST/secret scanners pre-publish.
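As an added example for step 4 (not code from the original page), a minimal pre-publish secret gate in Python: it walks an apktool or jadx output tree, applies patterns like the rg searches above, filters out low-entropy placeholders, and exits non-zero on any hit. The scanned extensions, the 3.5-bit entropy threshold and the sk_live key shape are assumptions.

```python
import math
import os
import re
import sys
from collections import Counter
from typing import Iterator, List, NamedTuple

# Patterns mirror the ad-hoc rg searches above but run as a CI gate over a decompiled
# tree. "sk_live" is used here only as a constructed example of a prefixed key shape.
KEY_PATTERNS = [
    ("assignment", re.compile(
        r"""(?i)\b(?:api[_-]?key|client[_-]?secret|secret|token)\s*[:=]\s*["']?([A-Za-z0-9_\-]{16,})""")),
    ("android_string", re.compile(
        r'(?i)<string\s+name="[^"]*(?:key|secret|token)[^"]*"\s*>([^<]{16,})<')),
    ("prefixed_key", re.compile(r"\b(sk_live_[A-Za-z0-9]{16,})\b")),
    ("bearer", re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]{20,}=*)")),
]
TEXT_EXTENSIONS = {".xml", ".json", ".java", ".kt", ".smali", ".properties", ".gradle"}
# preview holds only the first 8 chars so the pipeline log does not itself leak the secret
Finding = NamedTuple("Finding", [("path", str), ("line_no", int), ("rule", str), ("preview", str)])

def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score ~4.5+, prose and placeholders ~3.3 or less."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def scan_text(path: str, text: str, min_entropy: float = 3.5) -> Iterator[Finding]:
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in KEY_PATTERNS:
            for m in pattern.finditer(line):
                candidate = m.group(1)
                # Entropy filter drops placeholders such as YOUR_API_KEY_HERE.
                if shannon_entropy(candidate) >= min_entropy:
                    yield Finding(path, line_no, rule, candidate[:8] + "...")

def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):  # walk the apktool/jadx output tree
        for name in sorted(names):
            if os.path.splitext(name)[1] in TEXT_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(os.path.relpath(path, root), fh.read()))
    return findings

if __name__ == "__main__":  # non-zero exit fails the release pipeline on any hit
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in hits:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.preview}")
    sys.exit(1 if hits else 0)
```

Run it against the decompiled tree (e.g. the app-src directory from apktool above) as the last step before signing a release.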