Many developers still embed sensitive access tokens and API keys into their mobile applications, putting data and other assets stored on various third-party services at risk.
A new study performed by cybersecurity firm Fallible on 16,000 Android applications revealed that about 2,500 had some type of secret credential hard-coded into them. The apps were scanned with an online tool released by the company in November.
Hard-coding access keys for third-party services into apps can be justified when the access they provide is limited in scope. However, in some cases, developers include keys that unlock access to sensitive data or systems that can be abused.
