PTKD Mobile App Security
Knowledge base / PTKD-CRED-SECRET
Tags: critical, M1, MASVS-CRYPTO-1, static analysis, PTKD-CRED-SECRET

Hardcoded secret in binary

A credential is embedded in the app and is trivially recoverable by unpacking it.

How it's exploited

Anyone can download your APK/IPA and run strings on it. A hardcoded API key, AWS credential, or private key is extracted in seconds and reused from an attacker's own scripts, far from your app's rate limits.

Why it matters

Attackers run up cloud bills on your keys and access backend data as "the app", and rotation is painful because the secret ships inside every installed copy.

How to fix it

  1. Revoke and rotate the exposed secret now; assume it is public.
  2. Move the capability server-side: the app calls your backend, the backend holds the secret.
  3. For unavoidable client keys (analytics, maps), restrict them by package name/bundle id and scope them to the minimum permission.
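The static-analysis side of this finding can be reproduced as a pre-release check in CI: unpack the build artifact and scan every member for credential-shaped strings before it ships. The following is an added example written for this entry, not PTKD's own scanner. It treats the app as a zip archive (which both APKs and IPAs are), flags tokens that match the documented AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) and any long token whose Shannon entropy exceeds a threshold; the threshold of 4.0 bits per character and the token alphabet are assumptions tuned for the demo, and the sample archive, including the AWS documentation example key pair, is constructed inline.

```python
import io
import math
import re
import zipfile

# Documented AWS access key ID format: "AKIA" + 16 uppercase alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(rb"AKIA[0-9A-Z]{16}")
# Candidate secrets: 32+ chars drawn from a base64/hex-like alphabet.
# '=' is deliberately excluded so "key=value" does not fuse into one token.
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/_\-]{32,}")
# Assumption for this demo: real keys usually exceed ~4 bits/char of entropy,
# while padding, placeholders and repeated filler fall well below it.
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_blob(member: str, blob: bytes):
    """Return (member, kind, value) findings for one file's raw bytes.

    Scanning raw bytes rather than decoded text means compiled resources,
    dex/Mach-O binaries and plain config files are all handled the same way.
    """
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(blob):
        findings.append((member, "aws-access-key-id", m.group().decode("ascii")))
    for m in TOKEN_RE.finditer(blob):
        token = m.group()
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append((member, "high-entropy-string", token.decode("ascii")))
    return findings


def scan_archive(archive_bytes: bytes):
    """Scan every file inside an APK/IPA (a zip archive) and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings.extend(scan_blob(info.filename, zf.read(info)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one leaked key ID in resources, one
    leaked secret in a bundled properties file, plus benign long strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "res/values/strings.xml",
            '<resources><string name="app_name">Demo</string>'
            '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string></resources>',
        )
        zf.writestr(
            "assets/config.properties",
            "api.base=https://api.example.com/v1\n"
            # AWS's documentation example secret; high entropy, should be flagged.
            "aws.secretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
            # Long but zero-entropy filler; must NOT be flagged.
            "banner=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n",
        )
        # Minimal fake dex header plus a class descriptor: binary members are scanned too.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32 + b"Lcom/example/app/BuildConfig;\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for member, kind, value in scan_archive(build_sample_apk()):
        print(f"{member}: {kind}: {value}")
```

Run it against a real build by replacing `build_sample_apk()` with the bytes of the artifact; a non-empty result should fail the pipeline. The entropy gate is what keeps the generic pattern useful: it lets the 40-character filler through while still catching the secret key, and it can be lowered or raised per project once a baseline of false positives is known.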

References