Severity: critical | CWE-798 | OWASP Mobile Top 10 M1:2024

Improper Credential Usage

Hardcoded API keys, passwords, or tokens directly in mobile app source code — easily extracted by decompiling the app bundle.

How It Works

Mobile apps are distributed as packages that can be decompiled, so any credential hardcoded in the source is trivially extractable. This includes API keys, Firebase config, backend tokens, and database passwords embedded in the code. Attackers use tools like jadx (Android) or class-dump (iOS) to pull these secrets out in minutes. Unlike server code, mobile code runs on a device the attacker fully controls, so there is no trust boundary protecting the secret.

Vulnerable Code

// config.ts
// Every one of these literals ships in the app bundle and can be read out with a string search.
export const API_KEY = 'sk_live_abc123xyz';
export const DB_PASSWORD = 'supersecret';
export const STRIPE_KEY = 'sk_live_stripe_key';

Secure Code

// config.ts
import Config from 'react-native-config';
export const API_KEY = Config.API_KEY;
// Keys stored in .env, not committed to repo
// Note: react-native-config inlines .env values into the build, so they are still
// readable from the bundle; only publishable / low-privilege keys belong here.
// Sensitive ops happen on the backend, not mobile

Real-World Example

In 2022, researchers found thousands of mobile apps on Google Play with hardcoded AWS credentials. One app alone exposed access to S3 buckets containing 10 million user records. The keys were found using simple string searches in the decompiled APK.

How to Prevent It

  • Never hardcode secrets in mobile source code
  • Use environment variables loaded at build time
  • Move sensitive operations to backend APIs
  • Use platform-specific secure storage (Keychain/Keystore)
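The mitigations above are easier to enforce with a check that runs before code reaches the bundle. The following is an added example (not code from this page or its product): a small CI/pre-commit scanner that flags hardcoded credentials in mobile source. Rule names, regexes and the sample files are this example's own constructions; the AWS key ID is the placeholder from AWS's documentation.

```typescript
// Added example, not code from the page or its product: a CI/pre-commit check that
// flags hardcoded credentials in mobile source before they ship inside an app bundle.
// Rule names, regexes and the sample inputs below are this example's own constructions.

interface Finding { line: number; rule: string; match: string; entropy: number }

// Prefix rules for well-known key formats (the page's Stripe live key, AWS access key IDs).
const PATTERN_RULES: Array<[string, RegExp]> = [
  ["stripe-live-key", /\bsk_live_[A-Za-z0-9]{3,}\b/],
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/],
];

// A quoted literal assigned to a KEY/SECRET/PASSWORD/TOKEN constant, whatever its format.
// A reference such as Config.API_KEY is not a quoted literal and does not match.
const SECRET_LITERAL = /\b[A-Z0-9_]*(?:KEY|SECRET|PASSWORD|TOKEN)\s*=\s*['"]([^'"]+)['"]/i;

// Shannon entropy in bits per character, a triage hint: real tokens score higher than
// weak placeholders, but a low score is still worth a look (it may be a weak password).
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  s.split("").forEach((ch) => { counts[ch] = (counts[ch] || 0) + 1; });
  let h = 0;
  Object.keys(counts).forEach((ch) => {
    const p = counts[ch] / s.length;
    h -= p * Math.log(p) / Math.LN2;
  });
  return h;
}

function scanSource(src: string): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((text, i) => {
    const line = i + 1;
    let matchedPrefix = false;
    for (const [rule, re] of PATTERN_RULES) {
      const m = text.match(re);
      if (m) { findings.push({ line, rule, match: m[0], entropy: shannonEntropy(m[0]) }); matchedPrefix = true; }
    }
    // Name-based rule only when no known prefix already explained the line.
    const named = text.match(SECRET_LITERAL);
    if (named && !matchedPrefix) {
      findings.push({ line, rule: "secret-literal", match: named[1], entropy: shannonEntropy(named[1]) });
    }
  });
  return findings;
}

// Constructed samples: the page's vulnerable config.ts plus the AWS documentation's
// example key ID, and a config.ts that only references build-time Config.
const VULNERABLE_CONFIG = [
  "export const API_KEY = 'sk_live_abc123xyz';",
  "export const DB_PASSWORD = 'supersecret';",
  "export const AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';",
].join("\n");
const SECURE_CONFIG = "import Config from 'react-native-config';\nexport const API_KEY = Config.API_KEY;";
```

Run it as a lint step over the repo's source tree and fail the build on any finding; the clean result for the Config-based file shows why the secure pattern above passes.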

Affected Technologies

Mobile, React Native, Flutter

Data Hogo detects this vulnerability automatically.
