Exposed API Keys in Apps
This cluster covers the risk of hardcoding or exposing API keys in mobile apps, web frontends and other client-side code. Anyone who has the app has the key: it can be pulled out of the shipped binary with little more than a strings scan, or read off the wire if the client sends it in plain text. The comments debate mitigations such as encrypting or obfuscating the key in the client, HMAC request signing so the secret itself never travels in the request, and open-sourcing the code so the key handling can be audited.
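The extraction step the cluster describes is simple enough to show end to end. The following is an added example, not code from any of the apps or posts discussed: it runs a strings scan over a constructed stand-in for an app binary (a few printable strings embedded in opaque bytes; the key values are documentation placeholders, not real credentials), matches known key formats by prefix, and flags any remaining long mixed-class token whose Shannon entropy looks like a secret. The key formats, thresholds and the sample blob are this example's own choices.

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed stand-in for a compiled app binary: opaque bytes with a few
# printable strings embedded, the way hardcoded credentials end up in a real
# build. The key values below are well-known documentation placeholders.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + bytes(range(256)) * 2
    + b"\x00https://api.example.com/v1/charge\x00"
    + b"\x00AKIAIOSFODNN7EXAMPLE\x00"                          # AWS-style access key id
    + b"\x00api_key=sk_live_4eC39HqLyjWDarjtT1zdp7dc\x00"      # Stripe-style placeholder
    + b"\x00Copyright 2019 ExampleCorp\x00"
    + bytes(range(255, -1, -1)) * 2
)

MIN_LEN = 16
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Prefix/shape patterns for common key formats (assumed set; extend per target).
KEY_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{24,}\b"),
    # key=value style assignments; the value is captured in group 1
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\s*[=:]\s*([A-Za-z0-9_\-]{16,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Equivalent of `strings -n min_len`: every printable run of at least min_len bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def looks_like_secret(token: str, threshold: float) -> bool:
    """Long, mixed letters+digits, and high entropy. The mixed-class rule drops
    sequential alphabets and similar structured text that score high on entropy alone."""
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    return len(token) >= 20 and has_alpha and has_digit and shannon_entropy(token) >= threshold


def find_candidate_keys(blob: bytes, entropy_threshold: float = 3.5) -> List[Tuple[str, str]]:
    """Return (pattern_name, value) pairs for every candidate credential in the blob.
    Known formats win over the generic entropy heuristic; each value is reported once."""
    found: Dict[str, str] = {}  # value -> pattern name
    for s in strings(blob):
        for name, pat in KEY_PATTERNS.items():
            for m in pat.finditer(s):
                value = m.group(1) if m.groups() else m.group()
                found.setdefault(value, name)
        for tok in re.split(r"[^A-Za-z0-9_\-]+", s):
            if tok not in found and looks_like_secret(tok, entropy_threshold):
                found[tok] = "high_entropy"
    return [(name, value) for value, name in found.items()]


if __name__ == "__main__":
    for name, value in find_candidate_keys(SAMPLE_BINARY):
        print(f"{name:20s} {value}")
```

Against a real target you would feed it the raw bytes of the executable, or for Android the `classes.dex` and any bundled config files unpacked from the APK, and treat every hit as something an attacker already has. Obfuscating or encrypting the string in the binary only moves the problem, since the decryption routine and its key ship in the same binary.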
Sample Comments
It's security theater. If someone gets in again, they can download the API keys and own you that way.
Maybe the hackers found their API keys in the app binary.
Out of curiosity - do you think users/companies would feel secure knowing that the app uses a common API key?
It could be that the app uses the API key (despite it being disabled), and somehow someone was able to steal it. I hope it isn't sent in plain text.
Also recommend open-sourcing the code so everyone can see that API keys aren't being stolen.
Lots of mobile apps ship with API credentials in the binary. The whole thing runs on the honour system basically.
It doesn't contain private keys; arguably it contains irresponsible disclosures of various ways some large API users can predictably get their keys hijacked.
You still have to be pretty careful it doesn't have access to any API keys it could decide to exfiltrate...
Most API requests are signed (using HMAC) with the API secret key, and do not actually include it, so no, probably. But certainly many other things could have been read if they were vulnerable.
Can't someone just steal the API key in a currently authorized app?
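The HMAC signing scheme one of the comments above refers to, written out as an added example (not code from any API or app discussed on this page): the client signs a canonical form of the request with the API secret and sends only the key id, a timestamp and the signature, so the secret itself never appears in the traffic; the server recomputes the MAC, compares it in constant time and rejects stale timestamps. The header names, canonical form and skew window are this example's own assumptions.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Constructed demo credentials, not real ones.
DEMO_KEY_ID = "demo-key-id"
DEMO_SECRET = b"constructed-demo-secret-not-real"


def canonical_request(method: str, path: str, params: Dict[str, str],
                      body: bytes, timestamp: int) -> bytes:
    """Deterministic byte string both sides MAC: method, path, sorted query,
    body hash and timestamp, newline-separated."""
    query = urlencode(sorted(params.items()))
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, query, body_hash, str(timestamp)]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 params: Dict[str, str], body: bytes,
                 timestamp: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the auth headers. The secret is used but never sent."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, canonical_request(method, path, params, body, ts),
                   hashlib.sha256).hexdigest()
    return {"X-Api-Key": key_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(lookup_secret: Callable[[str], Optional[bytes]],
                   headers: Dict[str, str], method: str, path: str,
                   params: Dict[str, str], body: bytes,
                   now: Optional[int] = None, max_skew: int = 300) -> bool:
    """Server side: look up the secret for the key id, bound replay with the
    timestamp window, recompute the MAC and compare in constant time."""
    secret = lookup_secret(headers.get("X-Api-Key", ""))
    if secret is None:
        return False
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > max_skew:
        return False
    expected = hmac.new(secret, canonical_request(method, path, params, body, ts),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def secret_on_the_wire(headers: Dict[str, str], body: bytes, secret: bytes) -> bool:
    """Would a passive observer of headers+body see the secret? (It should not.)"""
    wire = json.dumps(headers).encode() + body
    return secret in wire


def lookup_demo_secret(key_id: str) -> Optional[bytes]:
    """Stand-in for the server's credential store."""
    return DEMO_SECRET if key_id == DEMO_KEY_ID else None


if __name__ == "__main__":
    body = b'{"amount": 100}'
    hdrs = sign_request(DEMO_KEY_ID, DEMO_SECRET, "POST", "/v1/charge", {"currency": "usd"}, body)
    print("secret visible on wire:", secret_on_the_wire(hdrs, body, DEMO_SECRET))
    print("server accepts:", verify_request(lookup_demo_secret, hdrs, "POST", "/v1/charge",
                                            {"currency": "usd"}, body))
```

This answers the traffic half of the problem, not the binary half: the secret has to live somewhere on the client to produce the signature, so a shipped app still exposes it to the strings scan above. The honest deployment is a per-user credential issued after login, or a backend that holds the shared secret and signs on the client's behalf, so that what an attacker extracts from the app is worthless or revocable.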