Sometimes mobile application developers leave sensitive data in the mobile app source code. Such data may not be the company's crown jewels per se, but it gives malicious hackers clues that lead to them. It is a mistake to hardcode security components, such as security tokens or encryption keys, or privileged material, such as API keys or proprietary algorithms, on the mobile device. Doing so may give malicious hackers the opportunity to recover those secrets by reverse-engineering the mobile app.
According to Jack Mannino, his penetration testing of a certain social app for mobile devices revealed that it had hardcoded OAuth tokens in the mobile app. If found and exploited, this vulnerability may have allowed hackers to log in as other users. A similar vulnerability in a banking application might carry far more dangerous consequences. Mannino also stresses that this type of mobile application code vulnerability is all too common.
Tony DeLaGrange agreed that the threat of reverse-engineering mobile app source code makes hardcoding sensitive information on the client side an unacceptable risk. To some extent, it's up to the mobile application developers to find ways to keep this code off the mobile device. However, mobile application testers can make a significant contribution by taking a forensic approach and "searching for private API keys, passwords and any known intellectual property that would be considered sensitive," he said.
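As an added illustration of the forensic search DeLaGrange describes (example code written for this page, not code from the article or from either tester), the Python scanner below flags secret-like variable names and high-entropy string literals in decompiled app source; the sample class, its identifiers and its values are constructed, and the entropy threshold is an assumed starting point to tune per code base.

```python
import math
import re

# Identifiers that commonly name a hardcoded secret (case-insensitive); the
# name heuristic over-reports, so each hit still needs a human look.
SECRET_NAME = re.compile(
    r'(?i)\b(\w*(?:api[_-]?key|secret|token|password|passwd|private[_-]?key)\w*)'
    r'\s*=\s*"([^"\n]{6,})"')
# Unbroken quoted literals of 20+ key-like characters; high-entropy ones are
# candidate keys or tokens even when the variable name gives nothing away.
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{20,})"')


def shannon_entropy(s: str) -> float:
    """Bits per character of s: random hex/base64 scores ~4+, prose ~3 or less."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_source(text: str, entropy_threshold: float = 3.5) -> list:
    """Return (line_no, reason, value) for every suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SECRET_NAME.search(line)
        if m:
            findings.append((line_no, f"secret-like name '{m.group(1)}'", m.group(2)))
            continue  # do not report the same value twice
        for literal in STRING_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append((line_no, "high-entropy literal", literal))
    return findings


# Constructed sample standing in for a decompiled Android class (not real code
# or real credentials): two named secrets, one unnamed key, two benign strings.
SAMPLE = '''\
public class ApiClient {
    private static final String BASE_URL = "https://api.example.invalid/v1/";
    private static final String OAUTH_TOKEN = "oauth-EXAMPLE-not-a-real-token-9f8e7d6c";
    private static final String apiKey = "demo-key-0123456789abcdef";
    private static final String GREETING = "Welcome back to the application";
    private static final String SIGNING_KEY = "3f9a7c1e5d2b8e4a6c0f1d7b9e3a5c2d";
}
'''

if __name__ == "__main__":
    for line_no, reason, value in scan_source(SAMPLE):
        print(f"line {line_no}: {reason}: {value}")
```

Run against real output from a decompiler or `strings`, the same two heuristics give a tester a short review list of candidates to confirm or dismiss by hand.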