PTKD Mobile App Security
Severity: high | M1 | MASVS-CRYPTO-1 | Detection: dynamic analysis | ID: PTKD-DYN-SECRET-TRANSIT

Hardcoded secret sent on the wire

A request carried what looks like a long-lived credential (in a header, URL, or body).

How it's exploited

A credential that is also hardcoded in the binary was observed leaving the device on the wire. It is now extractable in two ways: by running strings on the APK, or from a single captured request.
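The correlation behind this finding, as an added example that is not PTKD's own code: strings pulled from the APK are filtered down to credential-looking values and matched against the URL, headers and body of captured requests. All sample strings and requests are constructed; the entropy and length thresholds are assumptions to tune per app.

```python
import math

# Constructed sample input (not real values): APK strings as a `strings`-style pass prints them,
# and requests captured from an instrumented session of the app.
APK_STRINGS = [
    "application/json", "Content-Type", "https://api.example.test/v1/",
    "svc_3Q7ZX9PL2MN4VB8CHD",               # constructed: looks like a long-lived service key
    "sk_live_9f8e7d6c5b4a39281706f5e4",     # constructed: looks like a live API key
]
CAPTURED_REQUESTS = [
    {"method": "GET", "url": "https://api.example.test/v1/items?api_key=sk_live_9f8e7d6c5b4a39281706f5e4",
     "headers": {"Accept": "application/json"}, "body": ""},
    {"method": "POST", "url": "https://api.example.test/v1/orders",
     "headers": {"Content-Type": "application/json", "X-Service-Key": "svc_3Q7ZX9PL2MN4VB8CHD"},
     "body": '{"sku": "A1"}'},
    {"method": "POST", "url": "https://api.example.test/v1/login", "headers": {"Content-Type": "application/json"},
     "body": '{"client_secret": "sk_live_9f8e7d6c5b4a39281706f5e4"}'},
]

def shannon_entropy(s):
    # Bits per character: random-looking keys score high, ordinary literals low.
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def candidate_secrets(strings, min_len=20, min_entropy=3.5):
    # Keep strings that look like credentials: long, high-entropy, no spaces, not a URL.
    # "application/json" (16 chars, ~3.4 bits) falls under both thresholds; tune per app.
    return [s for s in strings
            if len(s) >= min_len and " " not in s
            and not s.startswith("http") and shannon_entropy(s) >= min_entropy]

def redact(secret):
    return secret[:4] + "..." + str(len(secret))  # never copy the full value into the report

def secrets_in_transit(strings, requests):
    # Correlate each candidate secret with the URL, every header value and the body of each request.
    secrets = candidate_secrets(strings)
    findings = []
    for req in requests:
        for sec in secrets:
            hits = ["url"] if sec in req["url"] else []
            hits += ["header:" + n for n, v in req["headers"].items() if sec in v]
            if sec in req["body"]:
                hits.append("body")
            for where in hits:
                findings.append({"method": req["method"], "url": req["url"].split("?")[0],
                                 "where": where, "secret": redact(sec)})
    return findings
```

Each finding records where the value travelled (query string, a named header, or the body) with the secret redacted, so the report itself does not become a third copy of the credential.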

Why it matters

Treat the secret as fully public: abuse will come from infrastructure you do not control, so nothing in the client can contain it.

How to fix it

  1. Rotate the secret immediately.
  2. Move the authenticated call server-side; issue short-lived, user-scoped tokens to the client instead.
