Hardcoding sensitive data in mobile app source code - Top ten threats to mobile enterprise security


Mobile application developers sometimes leave sensitive data in the mobile app source code. Such data may not be the company's crown jewels per se, but it gives malicious hackers clues for finding them. It is a mistake to hardcode security components, such as security tokens or encryption keys, or privileged bits of code, such as API keys or proprietary algorithms, on the mobile device: anyone who reverse-engineers the mobile app may be able to extract those secrets.

According to Jack Mannino, his penetration testing of a certain social app for mobile devices revealed that its developers had hardcoded OAuth tokens in the mobile app. If found and exploited, this vulnerability may have allowed hackers to log in as other users. A similar vulnerability in a banking application might carry much more dangerous risks. Mannino also stresses that this type of mobile application code vulnerability is all too common.

Tony DeLaGrange agreed that the threat of reverse-engineering mobile app source code makes hardcoding sensitive information on the client side an unacceptable risk. To some extent, it's up to the mobile application developers to find ways to keep this code off the mobile device. However, mobile application testers can make a significant contribution by taking a forensic approach and "searching for private API keys, passwords and any known intellectual property that would be considered sensitive," he said.
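The forensic search DeLaGrange describes is easy to automate. The following scanner is an added example written for this page, not code from the article or from either of the testers quoted; it runs over a constructed snippet of decompiled-looking Java (every value in it, including the AWS-style key, is a made-up sample, not a real credential) and flags lines that match well-known credential formats, that assign a quoted string to a sensitively named constant, or that contain a long high-entropy string. The pattern list, thresholds and field names are assumptions chosen for illustration; a real review would extend them to the key formats of the services the app actually talks to.

```python
import math
import re
from collections import Counter

# Constructed sample of "decompiled" mobile app source (hypothetical app, made-up values).
SAMPLE_SOURCE = """
public class ApiClient {
    private static final String BASE_URL = "https://api.example.invalid/v1";
    private static final String API_KEY = "sk_live_4f9c2d8e7b1a6c3d5e0f9a8b7c6d5e4f";
    private static final String OAUTH_TOKEN = "ya29.a0AfH6SMBxyz1234567890abcdefghijklmnop";
    private static final String USER_AGENT = "ExampleApp/1.0";
    private static final int TIMEOUT_MS = 30000;
    // the AWS-style value below is a constructed sample, not a real credential
    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String DB_PASSWORD = "hunter2";
}
"""

# Format-based detectors (assumed subset; extend per the services the app uses).
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("google_oauth_token", re.compile(r"\bya29\.[0-9A-Za-z_\-]{20,}\b")),
    ("stripe_like_key", re.compile(r"\bsk_(live|test)_[0-9A-Za-z]{24,}\b")),
    # A quoted literal assigned to a constant whose name suggests a secret.
    ("sensitive_name", re.compile(
        r'(?i)(api[_-]?key|oauth[_-]?token|secret|password|passwd)\b\s*=\s*"([^"]+)"')),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking keys score high, prose scores low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_source(text, entropy_threshold=3.5, min_len=20):
    """Return a list of {line, types, text} findings for suspicious lines in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit_types = set()
        for name, pattern in PATTERNS:
            if pattern.search(line):
                hit_types.add(name)
        # Entropy heuristic: long quoted strings that look random, excluding URLs.
        for match in re.finditer(r'"([^"]{%d,})"' % min_len, line):
            literal = match.group(1)
            if (not literal.startswith(("http://", "https://"))
                    and shannon_entropy(literal) >= entropy_threshold):
                hit_types.add("high_entropy_string")
        if hit_types:
            findings.append({"line": lineno, "types": sorted(hit_types), "text": line.strip()})
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(f"line {finding['line']:>3}  {', '.join(finding['types'])}")
        print(f"          {finding['text']}")
```

Run against a real review target, the same function can be pointed at the output of a decompiler or at the app's string tables; the point of combining format patterns with the entropy heuristic is that the former catch known token shapes with few false positives, while the latter surfaces keys in formats the pattern list does not know about, at the cost of needing a human to triage each hit.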
