πŸš€ Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Hardcoded Credentials

Hardcoding secrets such as API keys, encryption keys, or sensitive credentials in mobile apps is a critical security risk because attackers can decompile or reverse-engineer the app to extract these secrets, even if obfuscated. This exposure can lead to unauthorised access to backend services, data breaches, and compromise of the app's integrity. Mobile apps operate in untrusted environments where users have full control over the device, making it unsafe to embed sensitive information.

Remediation

  • Fetch secrets securely at runtime from a trusted remote server after authenticating the app or user.
  • Use runtime integrity checks to detect rooted/jailbroken devices or debugging tools.
  • Use short-lived tokens that regularly refresh, minimising the impact of a leaked secret.

Metadata

  • Severity: medium
  • Slug: hardcoded-credentials

OWASP

  • M1:2024: Improper Credential Usage

Available Labs

Select a language to explore available labs for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing β€” fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.