Automatically Detecting Checked-In Secrets in Android Apps: How Far Are We?
Kevin Li, Lin Ling, Jinqiu Yang, Lili Wei
TL;DR
This work addresses the problem of secrets checked into Android apps by evaluating three representative detection approaches (intrinsic value analysis, static analysis, and ML-based) adapted to APKs. Through a large-scale empirical study of 5,135 APKs, the authors identify 2,142 valid secrets across 2,115 apps, exposing the limitations of each method and their complementary strengths under obfuscation. They show that no single approach suffices, but a hybrid strategy—potentially augmented by string-group analysis—can improve recall and practicality for Android apps. The authors contribute a benchmark dataset and actionable insights that guide the development of Android-specific secret detectors with improved robustness and coverage.
Abstract
Mobile apps are predominantly integrated with cloud services to benefit from enhanced functionalities. Adopting authentication using secrets such as API keys is crucial to ensure secure mobile-cloud interactions. However, developers often overlook the proper storage of such secrets, opting to put them directly into their projects. These secrets are checked into the projects and can be easily extracted and exploited by malicious adversaries. While many researchers investigated the issue of checked-in secret in open-source projects, there is a notable research gap concerning checked-in secrets in Android apps deployed on platforms such as Google Play Store. Unlike open-source projects, the lack of direct access to the source code and the presence of obfuscation complicates the checked-in secret detection for Android apps. This motivates us to conduct an empirical analysis to measure and compare the performance of different checked-in secret detection tools on Android apps. We first conducted a literature review to find all the checked-in secret detection tools that can be applied to Android apps. Then, we evaluate three representative tools on 5,135 Android apps, comparing their performance and analyzing their limitations. Our experiment reveals 2,142 checked-in secrets affecting 2,115 Android apps. We also disclose that the current checked-in secret detection techniques suffer from key limitations. All of the evaluated tools can miss a significant number of checked-in secrets in Android apps. Nevertheless, we observed that the tools are complimentary, suggesting the possibility of developing a more effective checked-in secret detection tool by combining their insights. Additionally, we propose that analyzing string groups within methods containing checked-in secrets may provide a more effective strategy to overcome obfuscation challenges.