All I can say is….
Oh dearie me.
So ~2% of the sample has hard-coded secrets … oucchhh, but I was expecting a higher percentage (don’t know why).
The tool is very interesting, but it would be preferable to be able to run it locally. So apps could be tested before going to the store and avoid having any issue/secret exposed on the “recent” page (when testing apps that are not yet public). Either way, thanks for the tool.
I have a feeling that if you ask someone if their app has any hardcoded secrets in it, they’ll probably know; the problem is more likely that they simply don’t know that people can do bad things with it.
Yes, you are right.
I was looking at it from the perspective of someone who has to test the app before “allowing” it to be published on the store; it should be a step on the “checklist”.
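A local pre-publication check of the kind the two comments above ask for (run it on the build before it goes to the store, as a checklist step), written here as an added example; it is not the article's tool and not code from any of the commenters. It takes text pulled out of an app build (source files, or the output of running `strings` on the compiled binary), reports credentials in a few well-known formats, and looks at token-like string literals. Each finding is labelled so that a public identifier an app legitimately has to ship (a consumer key or client ID) is kept apart from a value that must never ship (a consumer secret, a private key). The AWS, Google and Slack prefixes are their documented public formats; the severity labels, the keyword lists, the entropy threshold and the sample input are this example's own constructed assumptions.

```python
"""Local pre-publication scan for hard-coded secrets (added example, not the article's tool)."""
import math
import re
from dataclasses import dataclass

# Documented public prefixes of a few credential formats. The severity label is this
# example's own judgement: an AWS access key ID is the *identifier* half of a key pair,
# but shipping it usually means the secret access key sits right next to it, so "review".
KNOWN_FORMATS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "review"),
    ("google_api_key", re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "review"),
    ("slack_token", re.compile(r"\bxox[abprs]-[0-9A-Za-z\-]{10,}\b"), "secret"),
    ("private_key_block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "secret"),
]

# `name = "value"` / `name: 'value'` with a literal of at least 16 characters.
ASSIGNMENT = re.compile(r"""(?P<name>[A-Za-z_][\w.]*)\s*[:=]\s*["'](?P<value>[^"'\n]{16,})["']""")
# Credentials look like tokens: no spaces, no URL punctuation. Filters out prose and URLs.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_\-+/=]{16,}$")

# Keyword lists are assumptions for this example, not a standard taxonomy.
SECRET_WORDS = ("secret", "password", "passwd", "private", "token")
PUBLIC_WORDS = ("consumer_key", "client_id", "app_id", "publishable")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex strings top out at 4.0


@dataclass
class Finding:
    line: int
    kind: str      # a KNOWN_FORMATS name, or "string_literal"
    name: str      # variable name for literals, "" for format matches
    value: str
    severity: str  # "secret", "identifier" or "review"


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(name: str, value: str):
    """Severity for a token-like literal, decided by variable name first, entropy second."""
    lname = name.lower()
    if any(w in lname for w in SECRET_WORDS):
        return "secret"
    if any(w in lname for w in PUBLIC_WORDS):
        return "identifier"  # required to be in the app; check that it is not over-privileged
    if shannon_entropy(value) >= ENTROPY_THRESHOLD:
        return "review"      # random-looking, purpose unknown: a human decides
    return None


def scan(text: str):
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_values = set()
        for kind, pattern, severity in KNOWN_FORMATS:
            for m in pattern.finditer(line):
                findings.append(Finding(lineno, kind, "", m.group(0), severity))
                matched_values.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if value in matched_values or not TOKEN_LIKE.match(value):
                continue
            severity = classify(name, value)
            if severity:
                findings.append(Finding(lineno, "string_literal", name, value, severity))
    return findings


def summarize(findings):
    """Breakdown by severity, e.g. {'secret': 2, 'review': 2, 'identifier': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample standing in for `strings` output; every value here is made up
# except the AWS access key ID, which is the one AWS documents as an example.
SAMPLE_STRINGS = """\
BUILD_VERSION = "1.2.3"
API_BASE = "https://api.example.com/v1/"
TWITTER_CONSUMER_KEY = "x1y2z3a4b5c6d7e8f9g0h1i2j"
TWITTER_CONSUMER_SECRET = "Qm7wPz3nL9kRt2vXa8cJ4bHe6yUd1sFo5gNi0pWr3lKz7mTq2xVb"
aws_key = "AKIAIOSFODNN7EXAMPLE"
helpText = "Please enter your username and password to continue"
placeholder = "xxxxxxxxxxxxxxxxxxxxxxxx"
sessionNonce = "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    results = scan(SAMPLE_STRINGS)
    for f in results:
        print(f"line {f.line:>3}  {f.severity:<10} {f.kind:<18} {f.name or '-':<24} {f.value[:20]}")
    print("breakdown:", summarize(results))
```

On the sample, the consumer key lands in "identifier", the consumer secret and the private key in "secret", and the AWS key ID plus the unexplained 32-character hex literal in "review"; the URL, the version string, the help text and the placeholder are not reported. To run it on a real build, replace SAMPLE_STRINGS with the contents of a source tree or with `strings` output from the binary. Two caveats a practitioner would apply: the keyword lists only cover names written in English-style identifiers, and a secret that is assembled at runtime or stored obfuscated will not be caught by any literal scan.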
Would be more interested in an exact breakdown of API keys (which are required to be there, e.g. Twitter) vs “actual secrets”. I suspect Twitter is at the top of that table for a harmless reason.
This article is useless, it doesn’t tell us the impact of those secrets/keys and it doesn’t differentiate clearly between secret/key and “secret” (both terms taken verbatim from the post). For what it’s worth, the title is clickbait too.