Automatically Detecting Checked-In Secrets in Android Apps: How Far Are We?

Mobile apps are predominantly integrated with cloud services to benefit from enhanced functionalities. Adopting authentication using secrets such as API keys is crucial to ensure secure mobile-cloud interactions. However, developers often overlook the proper storage of such secrets, opting to put them directly into their projects. These secrets are checked into the projects and can be easily extracted and exploited by malicious adversaries. While many researchers investigated the issue of checked-in secret in open-source projects, there is a notable research gap concerning checked-in secrets in Android apps deployed on platforms such as Google Play Store. Unlike open-source projects, the lack of direct access to the source code and the presence of obfuscation complicates the checked-in secret detection for Android apps. This motivates us to conduct an empirical analysis to measure and compare the performance of different checked-in secret detection tools on Android apps. We first conducted a literature review to find all the checked-in secret detection tools that can be applied to Android apps. Then, we evaluate three representative tools on 5,135 Android apps, comparing their performance and analyzing their limitations. Our experiment reveals 2,142 checked-in secrets affecting 2,115 Android apps. We also disclose that the current checked-in secret detection techniques suffer from key limitations. All of the evaluated tools can miss a significant number of checked-in secrets in Android apps. Nevertheless, we observed that the tools are complimentary, suggesting the possibility of developing a more effective checked-in secret detection tool by combining their insights. Additionally, we propose that analyzing string groups within methods containing checked-in secrets may provide a more effective strategy to overcome obfuscation challenges.