Hardcoded credentials in Android apps: Service exposure and category-based vulnerability analysis

Olha Mykhaylova (1), Taras Fedynyshyn (1) and Artem Platonenko (2, corresponding author)
(1) Lviv Polytechnic National University, 12 Stepana Bandery str., 79013 Lviv, Ukraine
(2) Borys Grinchenko Kyiv Metropolitan University, 18/2 Bulvarno-Kudriavska str., 04053 Kyiv, Ukraine
These authors contributed equally. ORCID: 0000-0002-3086-3160 (O. Mykhaylova), 0009-0006-8233-8057 (T. Fedynyshyn), 0000-0002-2962-5667 (A. Platonenko). E-mail: olha.o.mykhailova@lpnu.ua (O. Mykhaylova), fedynyshyn.taras@gmail.com (T. Fedynyshyn), a.platonenko@kubg.edu.ua (A. Platonenko).

CPITS-II 2024: Workshop on Cybersecurity Providing in Information and Telecommunication Systems II, October 26, 2024, Kyiv, Ukraine. CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073. © 2024 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

Abstract

This paper presents an extensive study of security vulnerabilities in Android applications related to the hardcoding of sensitive credentials. A total of 6,165 APK files were downloaded from the Google Play Store and subjected to static analysis using the Mobile Security Framework (MobSF). For each application, the "secrets" section reported by MobSF was further examined with Trufflehog to detect and verify the presence of hardcoded credentials. The findings reveal a concerning prevalence of hardcoded credentials, with a significant portion of applications embedding sensitive information such as API keys and authentication tokens. The analysis identified the services for which credentials are most frequently hardcoded, including cloud service providers, payment gateways, and third-party APIs. We also broke down the occurrence of hardcoded secrets by app type, analyzing the percentage of applications with exposed credentials across Google Play categories. This study underscores the critical security risks posed by hardcoding secrets in mobile applications and provides insight into the scope and distribution of this vulnerability within the Android ecosystem. The results emphasize the need for stronger security practices in mobile app development, particularly the secure management of sensitive information, and highlight areas where mobile application security can be improved.

Keywords

android security, mobile security, data privacy, static analysis, improper credentials usage, OWASP Mobile, MobSF, Trufflehog

1. Introduction

Mobile devices, particularly smartphones, have undergone constant evolution and are now the most common means for individuals to connect with others through phone calls or the Internet. Beyond communication, activities such as document handling, video streaming, emailing, and gaming can also be easily performed on smartphones, making them more versatile and essential than ever. According to [1], smartphones are expected to remain dominant, especially with the advent of 5G and future 6G.

Smartphones and the numerous applications that support various functions have become integral to modern life. Individuals increasingly depend on mobile applications for a wide range of daily tasks, using them multiple times per day. The Apple App Store [2] and Google Play Store [3] offer over eight million applications combined. However, the provenance and security of these applications cannot always be guaranteed. Despite the vetting procedures employed by Apple and Google before allowing apps into their respective stores, many mobile applications still exhibit vulnerabilities and pose significant security risks. Notably, the data processed by these applications and mobile devices is a frequent target for cybercriminals. Mobile operating systems lack adequate tools to detect malware that can compromise personal data. As a result, mobile applications present potential security threats, as vulnerabilities within them may be exploited by attackers to gain unauthorized access to device resources, including sensitive user information [4].

Therefore, mobile applications are a vital element of the mobile ecosystem that necessitates further research to develop effective security methods and tools aimed at mitigating the risks associated with their use.

This study conducts a large-scale static analysis of 6000+ Android applications from Google Play to identify and evaluate the presence of hardcoded sensitive information, such as API keys and credentials, using MobSF and Trufflehog. By detecting and analyzing these secrets, the study seeks to assess the security practices of mobile app developers, highlight potential vulnerabilities, and provide insight into improving the management of sensitive data within Android apps [5].

2. Background and related work

2.1. OWASP Mobile Top 10

The Open Web Application Security Project (OWASP) is a nonprofit organization dedicated to enhancing software security through global collaboration and participation. OWASP provides a platform for leaders in industry, academia, and government to discuss and promote best practices in computing. Among its initiatives is the maintenance of a list highlighting the Top 10 Mobile Risks to mobile applications. This list identifies key security threats, including risks to data, to internal and external device communications, and other vulnerabilities in mobile applications.

The list of common cyber threats to mobile applications and their descriptions, as outlined by the 2024 OWASP Mobile Top 10:

• M1: Improper Credential Usage—threat agents exploiting hardcoded credentials and improper credential usage in mobile applications can include automated attacks using publicly available or custom-built tools.
• M2: Inadequate Supply Chain Security—refers to the failure to secure third-party components, services, or libraries integrated into mobile applications, which can introduce vulnerabilities and increase the risk of compromise throughout the software supply chain.
• M3: Insecure Authentication/Authorization—threat agents that exploit authentication and authorization vulnerabilities typically do so through automated attacks that use available or custom-built tools.
• M4: Insufficient Input/Output Validation—insufficient validation and sanitization of data from external sources, such as user inputs or network data, in a mobile application can introduce severe security vulnerabilities.
• M5: Insecure Communication—refers to the failure to properly secure the transmission of sensitive data between the mobile app and external entities, such as servers or other devices, leading to potential interception, tampering, or exposure of information.
• M6: Inadequate Privacy Controls—refers to the insufficient protection of users' data within a mobile application, leading to unauthorized access, exposure, or misuse of sensitive information such as location, contacts, or other private data.
• M7: Insufficient Binary Protection—refers to the lack of proper defenses against reverse engineering or tampering with the mobile app's binary code, which can allow attackers to modify, exploit, or redistribute the application maliciously.
• M8: Security Misconfiguration—refers to the improper configuration of security settings, permissions, and controls that can lead to vulnerabilities and unauthorized access.
• M9: Insecure Data Storage—refers to the inadequate protection of sensitive data stored on a mobile device, which can lead to unauthorized access, data breaches, or exposure if the storage mechanisms are not properly secured.
• M10: Insufficient Cryptography—threat agents who exploit insecure cryptography in mobile applications can undermine the confidentiality, integrity, and authenticity of sensitive information [6].

2.2. Related works

The vulnerabilities of mobile applications, such as authentication and authorization errors and data leakage, and their associated security risks—ranging from API vulnerabilities, weak authorization and authentication, client-side injection, poor server-side security, insecure data storage and transmission, and improper session handling to the use of flawed or insecure encryption algorithms—pose significant threats [7]. In today's digital environment, users often entrust their devices with sensitive information, including financial and medical data, presenting a major cybersecurity challenge for mobile application developers and providers. Cybercriminals frequently target the data processed by mobile applications and devices [8]. Additionally, the rise of mobile applications for the Internet of Things (IoT) has heightened the threat of wormhole attacks [9–13].

NowSecure's benchmark testing [14] revealed that 85% of the applications examined contained one or more security risks. Over 50% of the analyzed applications exhibited vulnerabilities that compromised data protection during transmission. Additionally, approximately one-third of the tested applications had issues related to their source code. Notably, Android applications were particularly prone to code vulnerabilities, which could expose them to reverse engineering and other potential threats.

According to [15], the most common security issues in mobile applications include improper platform usage, insecure data storage, insecure client-server communication, insecure authentication (for example, traditional password authentication imposes numerous limitations and is no longer considered secure or user-friendly for mobile users, while biometric authentication has gained attention as a promising way to strengthen mobile security), insecure authorization, inadequate data encryption, poor code quality, code tampering, reverse engineering vulnerabilities, and extraneous functionality. The advancement of modern mobile application development technologies necessitates the parallel evolution of methods and tools to ensure their security. For instance, forecasting mobile application security in time can help implement preventive measures that reduce vulnerabilities and security risks [16]. Currently, there is a clear tension between the increasing number of mobile applications in use, along with the growing responsibilities they bear, and the inadequacy of existing security methods and tools.

3. Materials and methods

For this study, a dataset comprising 6,165 APK files was compiled from the Google Play Store [3]. The dataset was selected to cover a diverse array of applications across different categories and popularity tiers, so as to obtain a broad and representative sample of the mobile application ecosystem. The collected APKs underwent static analysis using the Mobile Security Framework (MobSF) [17], an established tool for assessing mobile application security. MobSF was used to perform an in-depth static analysis of each APK, focusing on the identification of potentially sensitive information embedded within the application's code. The static analysis process involved extracting the designated "secrets" section for each APK, which enumerates potential hardcoded secrets, including API keys, authentication tokens, and other credentials.
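The MobSF-to-Trufflehog pipeline described above, written out for a single APK as an added example; this is constructed illustration code, not the authors' tooling. It assumes a MobSF server reachable at MOBSF_URL with a REST API key in MOBSF_API_KEY (the documented endpoints /api/v1/upload, /api/v1/scan and /api/v1/report_json, with the key sent in the Authorization header), that the static report JSON carries the possible secrets as a list of strings under the "secrets" key, and that a trufflehog v3 binary is on PATH whose `trufflehog filesystem <dir> --json` prints one JSON object per finding with DetectorName, Verified and Raw fields. The constants SAMPLE_REPORT and SAMPLE_TRUFFLEHOG_STDOUT are constructed stand-ins so the parsing and tallying parts run offline:

```python
"""
One-APK version of the MobSF -> Trufflehog pipeline (constructed example).
Assumptions: MobSF REST API at MOBSF_URL with key MOBSF_API_KEY; the report
JSON lists possible secrets as strings under "secrets"; trufflehog v3 on
PATH, `trufflehog filesystem <dir> --json` emitting one JSON object per
finding with DetectorName / Verified / Raw.
"""
import json
import os
import subprocess
import tempfile
import urllib.parse
import urllib.request
import uuid

MOBSF_URL = os.environ.get("MOBSF_URL", "http://127.0.0.1:8000")
MOBSF_API_KEY = os.environ.get("MOBSF_API_KEY", "")


def multipart_body(field: str, filename: str, content: bytes):
    """Build a single-file multipart/form-data body and its Content-Type value."""
    boundary = uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def mobsf_post(path: str, form: dict = None, body: bytes = None, content_type: str = None) -> dict:
    """POST to the MobSF REST API; the API key travels in the Authorization header."""
    if body is None:
        body = urllib.parse.urlencode(form or {}).encode()
        content_type = "application/x-www-form-urlencoded"
    req = urllib.request.Request(MOBSF_URL + path, data=body, method="POST")
    req.add_header("Authorization", MOBSF_API_KEY)
    req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req, timeout=900) as resp:
        return json.loads(resp.read().decode())


def extract_secret_strings(report: dict) -> list:
    """Pull the 'possible secrets' strings out of a MobSF static report (assumed key)."""
    return [s for s in report.get("secrets", []) if isinstance(s, str)]


def mobsf_secrets(apk_path: str) -> list:
    """Upload the APK, run the static scan and return its secrets section."""
    with open(apk_path, "rb") as f:
        body, ctype = multipart_body("file", os.path.basename(apk_path), f.read())
    up = mobsf_post("/api/v1/upload", body=body, content_type=ctype)
    mobsf_post("/api/v1/scan", form={"hash": up["hash"]})
    return extract_secret_strings(mobsf_post("/api/v1/report_json", form={"hash": up["hash"]}))


def parse_trufflehog_output(stdout: str) -> list:
    """Turn trufflehog's JSON-lines output into (detector, verified, raw) tuples;
    anything that is not a JSON object (log noise) is skipped."""
    findings = []
    for line in stdout.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        obj = json.loads(line)
        findings.append((obj.get("DetectorName", "unknown"), bool(obj.get("Verified")), obj.get("Raw", "")))
    return findings


def run_trufflehog(secret_strings: list) -> list:
    """Write the secrets section to a scratch directory and let trufflehog scan it.
    A 'Verified' finding means trufflehog could use the credential against the
    provider, which needs outbound network access."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "secrets.txt"), "w", encoding="utf-8") as f:
            f.write("\n".join(secret_strings) + "\n")
        proc = subprocess.run(["trufflehog", "filesystem", d, "--json"],
                              capture_output=True, text=True, check=False)
    return parse_trufflehog_output(proc.stdout)


def tally(findings: list, verified_only: bool = True) -> dict:
    """Count findings per detector, i.e. per service."""
    counts = {}
    for name, verified, _raw in findings:
        if verified_only and not verified:
            continue
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed stand-ins for a MobSF report and for trufflehog's stdout (fake values).
SAMPLE_REPORT = {
    "app_name": "example",
    "secrets": ['"aws_access_key_id" : "AKIAIOSFODNN7EXAMPLE"',
                '"twitter_consumer_key" : "k3Xc9ZqTw1Lm7Rp4Nv8Jb2Ys5"'],
}
SAMPLE_TRUFFLEHOG_STDOUT = (
    'info: scanning filesystem\n'
    '{"DetectorName":"AWS","Verified":true,"Raw":"AKIAIOSFODNN7EXAMPLE"}\n'
    '{"DetectorName":"Twitter","Verified":false,"Raw":"k3Xc9ZqTw1Lm7Rp4Nv8Jb2Ys5"}\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:      # real run: python pipeline.py app.apk
        hits = run_trufflehog(mobsf_secrets(sys.argv[1]))
    else:                      # offline demo on the constructed data
        hits = parse_trufflehog_output(SAMPLE_TRUFFLEHOG_STDOUT)
    print(tally(hits, verified_only=False), tally(hits))
```

Counting only findings with Verified set is what separates the "genuine secrets" of the paper from Trufflehog's raw pattern hits; a Twitter consumer key that fails verification may be revoked, or simply a 25-character string that happened to sit next to the word "twitter".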
After the static analysis, the extracted "secrets" sections were subjected to further scrutiny using Trufflehog [18], a tool specialized in detecting secrets within codebases. Trufflehog was employed to validate the authenticity of the identified secrets and to separate genuine secrets from false positives. This secondary analysis aimed to provide a more precise evaluation of the security risks associated with hardcoded credentials in the APKs. This methodological framework facilitated a rigorous examination of credential management practices within mobile applications and offered insight into the security implications of secret exposure in Android applications.

3.1. Sample selection

As of 2024, the Google Play Store hosts over 3.5 million applications [19]. Conducting a comprehensive assessment of all these applications would demand substantial server resources and considerable time. Consequently, this study focused on a subset of the most popular applications. The initial step involved evaluating the popularity of mobile applications. Data on app downloads, segmented by country and category, was obtained from SimilarWeb [20]. At the time of the research, we identified 59,108 unique applications across 57 categories and 96 countries. Subsequently, APK files for these applications were downloaded for analysis. Given the absence of a direct method to download APK files from the Google Play Store, third-party services such as APKCombo were used. Due to limitations in storage and computational resources, and the availability of APK files on third-party services, we were able to download and analyze 6,165 APK files. The number of downloaded applications per Google Play category is listed in Table 1, which only includes the 22 categories for which at least 15 APK files were downloaded.

Table 1. Number of downloaded APKs per Google Play category (only the 22 categories with at least 15 APKs)

Category ID              Downloaded APKs
SPORTS                   580
PARENTING                566
PHOTOGRAPHY              452
NEWS_AND_MAGAZINES       443
SOCIAL                   438
TOOLS                    437
ENTERTAINMENT            417
PRODUCTIVITY             352
COMMUNICATION            312
AUTO_AND_VEHICLES        280
PERSONALIZATION          274
BOOKS_AND_REFERENCE      246
DATING                   202
MUSIC_AND_AUDIO          187
MAPS_AND_NAVIGATION      173
ART_AND_DESIGN           139
BUSINESS                 123
BEAUTY                   102
EDUCATION                 69
MEDICAL                   68
HEALTH_AND_FITNESS        28
LIFESTYLE                 17

3.2. Static analysis

Static analysis using MobSF is an essential technique for evaluating the security of mobile applications. MobSF is a versatile, open-source tool designed for the static analysis of both Android and iOS applications, aimed at identifying potential security vulnerabilities and insecure coding practices. The process begins when an APK (Android Package Kit) file is submitted to MobSF. Because an APK ships compiled bytecode, it must be disassembled and decompiled to allow for thorough examination. MobSF employs tools such as Apktool [21] and jadx [22] to decompile the APK, transforming the compiled bytecode into a more accessible, human-readable form. This step is crucial as it breaks the application down into its constituent components, including the manifest file, resources, and code. Once the APK is decompiled, MobSF performs an in-depth analysis of the application's code. The analysis focuses on several key areas: the detection of sensitive data exposure, the identification of insecure coding practices, and the discovery of known vulnerabilities. MobSF scans the code for hardcoded secrets, such as API keys, credentials, and tokens, which can pose significant security risks if exposed. Additionally, the tool evaluates the use of cryptographic algorithms and other security measures to check that they are implemented correctly.

3.3. Secrets post-processing with Trufflehog

Trufflehog [18] is a specialized tool designed to identify sensitive information, such as API keys, credentials, and tokens, within codebases. Initially developed for Git repositories, Trufflehog has proven [23] valuable in various security contexts, including static analysis of mobile applications and other software projects. Trufflehog's core functionality relies on two primary techniques: pattern matching and entropy-based analysis. The tool employs a set of predefined regular expressions and heuristics to detect patterns commonly associated with secrets. These patterns cover a variety of credentials and tokens that are often embedded directly within the application code. By leveraging these patterns, Trufflehog is capable of identifying a broad range of sensitive information that might otherwise be overlooked. In addition to pattern matching, Trufflehog uses entropy-based analysis to assess the randomness of certain strings within the code. Strings with high entropy values are indicative of potential secrets, as they are less likely to occur by chance in non-sensitive data. This method enhances Trufflehog's ability to detect secrets that do not conform to established patterns but still pose a risk of exposure. For each detected secret, Trufflehog provides detailed information on its location within the code, which facilitates targeted remediation. Trufflehog's integration with other static analysis tools, such as MobSF, further enhances its utility. By analyzing the "secrets" sections extracted by tools like MobSF, Trufflehog can verify the authenticity of these findings and assess which secrets are genuinely at risk. This integration provides a more comprehensive assessment of an application's security posture.
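The two techniques of this section, pattern matching and entropy analysis, applied to the kind of strings MobSF lists in a secrets section; this is an added, constructed example and not Trufflehog's own rule set or the paper's data. The detector labels, the AWS and Google key shapes, the keyword-plus-shape rule for Twitter consumer keys (25 alphanumerics with no distinctive prefix), the 4.5 bits-per-character entropy threshold and every sample value are illustrative assumptions; the sample values are fake. Live verification against the provider, which Trufflehog adds on top of these heuristics, is deliberately not reproduced here.

```python
"""
Trufflehog-style triage of a MobSF "secrets" section (constructed example):
provider patterns first, a keyword-plus-shape rule for prefix-less formats,
and a Shannon-entropy fallback for tokens no pattern claimed.  Patterns,
labels, threshold and sample lines are assumptions for illustration.
"""
import math
import re
from collections import Counter

# Public key formats with a fixed prefix (labels are ours).
PATTERN_DETECTORS = [
    ("AWS access key ID", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("Google API key", re.compile(r"\b(AIza[0-9A-Za-z_-]{35})\b")),
]

# Twitter consumer keys are 25 alphanumerics with no prefix, so the shape
# is only trusted on a line that also names the service (assumption).
TWITTER_KEYWORD = re.compile(r"twitter", re.IGNORECASE)
TWITTER_SHAPE = re.compile(r"\b([A-Za-z0-9]{25})\b")

# Entropy fallback over long base64/URL-safe-looking tokens; 4.5 bits per
# character is a common rule-of-thumb threshold (assumption).
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line_no: int, line: str) -> list:
    """Findings for one line.  Each token yields at most one finding and a
    pattern hit takes precedence over the entropy heuristic."""
    findings, claimed = [], set()
    for name, rx in PATTERN_DETECTORS:
        for m in rx.finditer(line):
            findings.append({"line": line_no, "detector": name, "value": m.group(1)})
            claimed.add(m.group(1))
    if TWITTER_KEYWORD.search(line):
        for m in TWITTER_SHAPE.finditer(line):
            if m.group(1) not in claimed:
                findings.append({"line": line_no, "detector": "Twitter consumer key",
                                 "value": m.group(1)})
                claimed.add(m.group(1))
    for m in TOKEN.finditer(line):
        tok = m.group(0)
        if tok in claimed:
            continue
        ent = shannon_entropy(tok)
        if ent > ENTROPY_THRESHOLD:
            findings.append({"line": line_no, "detector": "high-entropy string",
                             "value": tok, "entropy": round(ent, 2)})
    return findings


def scan_secrets(lines) -> list:
    """Scan every line of a secrets section, numbering lines from 1."""
    out = []
    for i, line in enumerate(lines, start=1):
        out.extend(scan_line(i, line))
    return out


# Constructed sample in the '"name" : "value"' form MobSF uses for strings
# pulled from resources and code.  All values are fake.
SAMPLE_SECRETS_SECTION = [
    '"aws_access_key_id" : "AKIAIOSFODNN7EXAMPLE"',
    '"google_api_key" : "AIzaSyExampleExampleExampleExampleExam1"',
    '"twitter_consumer_key" : "k3Xc9ZqTw1Lm7Rp4Nv8Jb2Ys5"',
    '"mqtt_password" : "q7Xz2LpV9wRkT4mNs8Ya3BdF6hJc1GeU0oIrW5vK"',
    '"settings_key" : "ExampleApplicationSettingsKey"',
    '"api_base_url" : "https://api.example.com/v1/"',
]

if __name__ == "__main__":
    for hit in scan_secrets(SAMPLE_SECRETS_SECTION):
        print(hit)
```

On the sample, the first three lines are caught by shape, the MQTT password only by entropy (40 distinct characters, about 5.32 bits per character), and the last two lines are correctly ignored: the long camel-case identifier scores under 4 bits per character, and the URL never yields a 20-character run from the token alphabet. That is the division of labour the section describes: patterns give service attribution, entropy catches the rest at the price of needing a threshold.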
4. Results

This study conducted a security analysis of 6,165 Android applications across 22 categories. The analysis was performed using a combination of tools, MobSF and Trufflehog, to identify improper credential usage according to the OWASP Mobile Top 10 framework. The results of the vulnerability analysis provide insight into the security posture of the selected applications.

4.1. Hardcoded secret services

The research uncovered credentials for a variety of services, and the frequency of each type of credential was recorded. Fig. 1 shows the number of revealed secrets per service. As Fig. 1 shows, the Twitter consumer key is the most frequently hardcoded credential.

Figure 1: Number of found secrets per service

The results also show that some applications hardcode cloud provider secrets. Hardcoding AWS (Amazon Web Services) and GCP (Google Cloud Platform) secrets in mobile application code poses significant security risks, which can have serious implications for both the application and its users:

• Unauthorized access and data breaches—hardcoded secrets, such as API keys and authentication tokens, provide direct access to cloud services and resources. If these secrets are exposed through the application code, malicious actors can exploit them to gain unauthorized access to cloud resources. This can lead to unauthorized data access, data breaches, and potential compromise of sensitive user information stored in the cloud [24].
• Increased attack surface—embedding secrets directly in the application code increases the attack surface, making it easier for attackers to identify and exploit vulnerabilities. Reverse engineering tools and techniques can reveal these hardcoded secrets, allowing attackers to gain access to cloud services and escalate their attacks.
• Misuse of cloud resources—once an attacker obtains hardcoded cloud credentials, they can misuse cloud resources for malicious purposes. This might include launching unauthorized instances, executing costly operations, or conducting activities that incur significant financial charges to the cloud account. This can lead to unexpected costs and resource depletion, affecting both the application's operation and its financial viability.
• Compromise of application integrity—hardcoded secrets may also lead to the compromise of application integrity. If attackers can use these credentials to modify or interfere with cloud services, they may alter application functionality, inject malicious code, or disrupt the normal operation of the app. This can undermine user trust and damage the application's reputation.
• Difficulty in rotation and management—hardcoded secrets complicate the management and rotation of credentials. Ideally, secrets should be regularly rotated and updated to reduce the risk of long-term exposure. However, hardcoded secrets require a new app release to update, leading to potential lapses in security and prolonged exposure if credentials are compromised.
• Compliance and legal implications—hardcoding sensitive information in application code may also violate compliance regulations and legal requirements related to data protection and privacy. Regulations such as GDPR, HIPAA, and others mandate strict controls over the handling and protection of sensitive information. Exposing cloud credentials can result in non-compliance, legal repercussions, and fines.

4.2. Hardcoded secrets per app category

The research demonstrates that the share of applications containing hardcoded secrets differs significantly between Google Play categories. Fig. 2 shows the number of scanned applications, the number of applications in which secrets were detected, and the percentage of such applications per category.

Figure 2: Percentage of apps with hardcoded secrets per category

As Fig. 2 shows, the category with the largest share of applications with hardcoded secrets is "Health and fitness": 21% of the applications in this category have hardcoded secrets. Note that Table 1 lists only 28 APKs for this category, so this percentage rests on a small sample. In the next four categories, "News and magazines", "Music and audio", "Photography" and "Social", 12% of applications have hardcoded credentials.

An important finding is that 10% of applications in the "Communication" category have hardcoded secrets. Hardcoding secrets such as credentials and API tokens in communication applications poses a variety of significant security risks, which can lead to severe consequences for both users and service providers. Communication apps, being highly sensitive due to their role in handling personal messages, calls, and media, are particularly vulnerable to attack when secrets are embedded in the application code. Some of the primary risks associated with hardcoding secrets in such applications are described below:

• Unauthorized access to user data—hardcoded credentials can be easily extracted by attackers using reverse engineering techniques. Unauthorized access to API tokens or authentication keys may enable malicious actors to intercept sensitive user data, including personal messages, call logs, and media files. Such breaches present substantial privacy risks, as compromised data may be used for identity theft, surveillance, or exploitation.
• Compromise of communication integrity—the integrity of communication services depends on secure transmission channels. Exposed hardcoded secrets undermine this integrity, allowing attackers to impersonate legitimate users or services. This creates opportunities for man-in-the-middle (MITM) attacks, where communications may be intercepted, altered, or injected with malicious content without user awareness, jeopardizing the authenticity and confidentiality of the exchanged information.
• Service disruption and denial of service (DoS) attacks—attackers with access to hardcoded secrets may exploit them to abuse communication services by sending an excessive volume of requests or misusing APIs. Such actions can lead to Denial of Service (DoS) attacks, disrupting services for legitimate users. This type of attack not only impacts user experience but can also damage the service provider's reputation.
• Account takeover and identity theft—hardcoded API tokens or credentials allow attackers to take control of user accounts. This results in unauthorized access, where malicious actors can lock users out of their accounts, send fraudulent messages, or perform unauthorized actions. Account takeovers can lead to identity theft, social engineering attacks, or the dissemination of harmful content through compromised accounts.

5. Conclusions

This study provides a comprehensive examination of the prevalence and risks associated with hardcoded credentials within Android applications, highlighting a critical security gap in mobile application development. By analyzing 6,165 Android applications across various categories using MobSF and Trufflehog, the research revealed that a significant number of applications contain hardcoded secrets, which pose substantial risks to user data privacy and application integrity. The findings indicate that hardcoded cloud provider secrets, such as AWS and GCP credentials, are common, representing a serious vulnerability that may lead to unauthorized access, resource misuse, and potential data breaches. Specifically, unauthorized access to sensitive data, compromise of application integrity, and increased exposure to Denial-of-Service (DoS) attacks were identified as potential consequences. Additionally, hardcoded secrets complicate the rotation and management of credentials, making it difficult for developers to adhere to best practices for secure application management.

Applications in categories such as Health and Fitness, News and Magazines, Music and Audio, Photography, and Social were particularly prone to containing hardcoded secrets, with Health and Fitness applications exhibiting the highest occurrence. Notably, communication applications were also found to have a high prevalence of hardcoded secrets, posing unique risks due to their handling of sensitive personal information, including messages, calls, and media.

This research underscores the urgent need for mobile developers to adopt secure coding practices, particularly in credential management, to reduce the risk of data breaches and protect user privacy. Implementing secure storage solutions for sensitive information and regular auditing of code for hardcoded credentials should become standard practice within the industry. Additionally, frameworks and libraries should offer stronger guidance or automated tools for managing secrets to mitigate the risks associated with credential exposure. Future work could expand this analysis to examine the impact of hardcoded secrets on user behavior and engagement, or develop automated tools to detect and mitigate the risks associated with these vulnerabilities in real time. This study ultimately reinforces the importance of secure credential handling as a fundamental aspect of mobile application security.

References

[1] C. Liu, et al., MobiPCR: Efficient, accurate, and strict ML-based mobile malware detection, Future Generation Comput. Syst. 144 (2023) 140–150. doi: 10.1016/j.future.2023.02.014.
[2] Apple App Store. URL: https://www.apple.com/app-store/
[3] Google Play. URL: https://play.google.com/store
[4] O. Mykhaylova, et al., Mobile Application as a Critical Infrastructure Cyberattack Surface, in: Cybersecurity Providing in Information and Telecommunication Systems II, vol. 3550 (2023) 29–43.
[5] Y. Dreis, et al., Model to Formation Data Base of Internal Parameters for Assessing the Status of the State Secret Protection, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 277–289.
[6] A. Horpenyuk, I. Opirskyy, P. Vorobets, Analysis of Problems and Prospects of Implementation of post-Quantum Cryptographic Algorithms, in: Classic, Quantum, and Post-Quantum Cryptography, vol. 3504 (2023) 39–49.
[7] E. Zaitseva, et al., Identifying the Mutual Correlations and Evaluating the Weights of Factors and Consequences of Mobile Application Insecurity, Systems 11(5) (2023). doi: 10.3390/systems11050242.
[8] P. Zhu, et al., Using Blockchain Technology to Enhance the Traceability of Original Achievements, IEEE Trans. Eng. Manag. 70 (2023) 1693–1707.
[9] S.-Y. Kuo, F.-H. Tseng, Y.-H. Chou, Metaverse Intrusion Detection of Wormhole Attacks based on a Novel Statistical Mechanism, Future Gener. Comput. Syst. 143 (2023) 179–190.
[10] B. Zhurakovskyi, et al., Secured Remote Update Protocol in IoT Data Exchange System, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 67–76.
[11] V. Sokolov, et al., Method for Increasing the Various Sources Data Consistency for IoT Sensors, in: IEEE 9th International Conference on Problems of Infocommunications, Science and Technology (PICST) (2023) 522–526. doi: 10.1109/PICST57299.2022.10238518.
[12] O. Shevchenko, et al., Methods of the Objects Identification and Recognition Research in the Networks with the IoT Concept Support, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 2923 (2021) 277–282.
[13] V. Dudykevych, et al., Platform for the Security of Cyber-Physical Systems and the IoT in the Intellectualization of Society, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, CPITS, vol. 3654 (2024) 449–457.
[14] A Decade in, How Safe Are Your iOS and Android Apps? URL: https://www.nowsecure.com/blog/2018/07/11/adecade-in-how-safe-are-your-ios-and-android-apps
[15] Understanding OWASP Mobile Top 10 Risks with Real-World Cases. URL: https://appinventiv.com/blog/owaspmobile-top-10-real-world-cases/
[16] S. Shevchenko, et al., Protection of Information in Telecommunication Medical Systems based on a Risk-Oriented Approach, in: Workshop on Cybersecurity Providing in Information and Telecommunication Systems, vol. 3421 (2023) 158–167.
[17] Mobile Security Framework (MobSF). URL: https://mobsf.github.io/docs/#/
[18] Trufflehog. URL: https://github.com/trufflesecurity/trufflehog
[19] How Many Apps in Google Play Store? (2024). URL: https://www.bankmycell.com/blog/number-of-google-play-store-apps/
[20] Similarweb Digital Intelligence: Unlock Your Digital Growth. URL: https://www.similarweb.com/
[21] Apktool – A Tool for Reverse Engineering Android APK Files. URL: https://apktool.org/
[22] jadx – Dex to Java Decompiler. URL: https://github.com/skylot/jadx
[23] S. K. Basak, et al., A Comparative Study of Software Secrets Reporting by Secret Detection Tools, in: 2023 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), New Orleans, LA, USA (2023) 1–12. doi: 10.1109/ESEM56168.2023.10304853.
[24] O. Deineka, et al., Designing Data Classification and Secure Store Policy According to SOC 2 Type II, in: Cybersecurity Providing in Information and Telecommunication Systems, vol. 3654 (2024) 398–409.