A request carried what looks like a long-lived credential (in a header, URL, or body).
How it's exploited
A credential that is also hardcoded in the binary was observed leaving the device on the wire. It can now be extracted two ways: by running strings on the APK, or from a single captured request.
Why it matters
The secret must be treated as fully public; anyone holding it can abuse it from infrastructure you do not control.
How to fix it
Rotate the secret immediately.
Move the authenticated call server-side; issue short-lived, user-scoped tokens to the client instead.