The Problem with Hardcoded Keys
Hardcoded API keys are one of the most common and dangerous security vulnerabilities in mobile applications.
Why It's Critical
When API keys are embedded in your app:
- Anyone can extract them through reverse engineering
- They can be used to access your backend services
- Rotating keys requires a new app release
- You may be liable for unauthorized usage
Real-World Impact
- Payment fraud: Attackers use extracted payment gateway keys
- Data breaches: Backend APIs exposed to unauthorized access
- Service abuse: Rate limits bypassed, costs incurred
- Compliance violations: failures against PCI DSS requirements 3.4 and 6.5.3
Detection Methods
Attackers use these techniques to extract keys:
Static Analysis
# Simple string search (an APK is a zip archive, so strings on the packed
# file only sees uncompressed entries; unpack it first for full coverage)
strings app.apk | grep -iE "api_key|secret|token"
# Using apktool (decodes resources and smali into ./app/ by default)
apktool d app.apk
grep -rE "sk_live|pk_live" ./app/
Dynamic Analysis
- Network traffic interception
- Memory inspection
- Hooking with Frida
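The grep-based static check above, generalized into a small scanner that a defender can run over an unpacked app before release (added example, not code from the original page; the key prefixes, the entropy threshold and the sample input are assumptions constructed for illustration):

```python
import math
import re
from collections import Counter
from typing import NamedTuple

class Finding(NamedTuple):
    rule: str
    value: str
    line: int

# Key-shape rules: two vendor prefixes plus a generic name = "value" assignment.
# Shapes are assumed from public provider docs; extend them for your own providers.
RULES = {
    "stripe_live_key": re.compile(r"\b[sp]k_live_[0-9A-Za-z]{8,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\b\s*[=:]\s*[\"']([^\"']{16,})[\"']"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders such as 'xxxx...' score near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_text(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return every rule hit in text, dropping low-entropy generic matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                # Generic rule captures the quoted value in group 2; prefix rules use the whole match.
                value = m.group(m.lastindex) if m.lastindex else m.group(0)
                if rule == "generic_assignment" and shannon_entropy(value) < min_entropy:
                    continue  # placeholder or test value, not a real secret
                findings.append(Finding(rule, value, lineno))
    return findings

# Constructed sample resembling decompiled resources and source; not from a real app.
SAMPLE = """\
<string name="stripe_key">pk_live_CONSTRUCTEDexample123456</string>
val API_KEY = "xxxxxxxxxxxxxxxxxxxx"
aws.accessKeyId=AKIAEXAMPLE0000000AB
val token = "Zm9vYmFyYmF6cXV4cXV1eA=="
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.rule} -> {f.value}")
```

Run scan_text over each file in an apktool output directory (or over strings output) in CI so the check happens before release rather than after exposure.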
Secure Alternatives
1. Backend Proxy
Route all API calls through your backend:
- Keys stay on server
- Additional authentication layer
- Rate limiting control
2. Secure Enclave Storage
Use platform secure storage (this protects keys at rest; a key the app can read can still be observed at runtime with the dynamic techniques above, so combine it with a backend proxy or runtime retrieval):
- Android Keystore
- iOS Secure Enclave
- Hardware-backed when available
3. Runtime Key Retrieval
Fetch keys at runtime:
- Authenticate user first
- Retrieve time-limited tokens
- Rotate regularly
4. Environment-Based Configuration
Use build-time configuration:
- Different keys per environment
- CI/CD integration
- No keys in source control
Best Practices
- Never commit keys to version control
- Use secret management tools (HashiCorp Vault, AWS Secrets Manager)
- Implement key rotation policies
- Monitor for key exposure (GitHub secret scanning)
- Regular security audits