Analysis of Encoded Credentials in Android Applications

DOI: 10.31673/2409-7292.2024.040012

Authors

  • Т. О. Фединишин, (Fedynyshyn T. O.) Lviv Polytechnic National University, Lviv
  • О. О. Партика, (Partyka O. O.) Lviv Polytechnic National University, Lviv


Abstract

This paper presents the results of a large-scale study of the prevalence of encoded secrets, such as API keys and credentials, in 6165 Android applications obtained from the Google Play Store. Using the MobSF and Trufflehog tools, it was found that a significant number of applications contain sensitive data in their code, which poses serious security risks. In particular, encoded credentials of cloud providers such as Amazon Web Services and Google Cloud Platform were found; these can lead to unauthorized access, compromise of confidential information, resource abuse and financial losses. The analysis showed that the “Health and Fitness” category has the highest frequency of embedded secrets, followed by “News and Magazines”, “Music and Audio”, “Photography” and “Social Networks”. In applications in the “Communications” category, which handle sensitive information such as personal messages and multimedia, encoded credentials create additional risks, including data interception, compromise of communication integrity, and denial-of-service attacks. The study also found issues with secret management and rotation, which hinder developers in implementing security best practices. This indicates the need for greater automation of secret discovery and update processes in mobile applications. The results also highlight the need to implement centralized solutions for managing sensitive information, such as secret management systems. To mitigate these risks, the integration of DevSecOps solutions is proposed, which would ensure security at all stages of software development. In addition, the study emphasizes the importance of adhering to security standards, such as the OWASP Mobile Top 10, to minimize vulnerabilities in mobile applications.
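As an added illustration of the kind of check the abstract describes (not the paper's own tooling, and simplified relative to MobSF or Trufflehog), the following scanner combines the two detection strategies such tools use: fixed-format regexes for AWS access key IDs and Google API keys, plus a Shannon-entropy check for other long tokens. The input lines are constructed to resemble a decompiled APK's `strings.xml` and `BuildConfig`; the AWS value is the documentation example key and the Google key is a made-up placeholder of the correct length.

```python
import math
import re
from dataclasses import dataclass

# Regexes modelled on the public formats of the two credential types named in
# the abstract. Real scanners (e.g. Trufflehog) ship many more detectors.
DETECTORS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(
        r"(?<![0-9A-Za-z_\-])AIza[0-9A-Za-z_\-]{35}(?![0-9A-Za-z_\-])"),
}
# Generic candidate: a run of 20+ base64/url-safe characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


@dataclass(frozen=True)
class Finding:
    line_no: int
    detector: str
    redacted: str  # never keep the full secret in scan output


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, natural text scores low."""
    if not s:
        return 0.0
    probs = (s.count(c) / len(s) for c in set(s))
    return -sum(p * math.log2(p) for p in probs)


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_lines(lines, entropy_threshold: float = 4.0):
    """Return findings for known key formats first, then high-entropy tokens."""
    findings = []
    for no, line in enumerate(lines, start=1):
        known = [Finding(no, name, redact(m.group(0)))
                 for name, rx in DETECTORS.items() for m in rx.finditer(line)]
        if known:
            findings.extend(known)
            continue  # don't double-report a known key as a generic token
        for m in TOKEN_RE.finditer(line):
            if shannon_entropy(m.group(0)) >= entropy_threshold:
                findings.append(Finding(no, "high_entropy_string", redact(m.group(0))))
    return findings


# Constructed sample: what decompiled resources/BuildConfig of an APK might contain.
SAMPLE = [
    '<string name="base_url">https://api.example.com/v1/</string>',
    '<string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>',                 # AWS docs example key
    '<string name="maps_key">AIzaSyD-EXAMPLE_EXAMPLE_EXAMPLE_0123456</string>',  # placeholder
    'public static final String SESSION_SEED = "q7Zr2pL9vXwB4nKt8YdF3sHc6GmJ1aQe";',
    'android:label="Health and Fitness Tracker"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE):
        print(f"line {f.line_no}: {f.detector} -> {f.redacted}")
```

Findings are reported redacted so the scan log itself does not become another place the credential leaks; a real pipeline would run this over the whole decompiled tree and fail the build on any hit.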

Keywords: mobile application security, Android security, data privacy, static analysis, improper credentials usage, OWASP Mobile, MobSF, Trufflehog.

Published

2024-12-21

Section

Articles