Episode Notes: In this episode, we delve into the growing threat of secrets sprawl, particularly for mobile developers. The recent State of Secrets Sprawl 2025 report revealed a concerning 25% increase in hardcoded secrets exposed on GitHub in 2024, with 23.7 million new secrets leaked. We explore why mobile apps are particularly vulnerable, as they often contain API keys, authentication tokens, and other sensitive data that can be easily extracted from hardcoded source code, leading to API abuse, data breaches, and supply chain attacks. We discuss how hardcoded secrets are a major attack vector, with 58% of all leaked credentials in 2024 being generic secrets like passwords and database connection strings. The BeyondTrust API key breach, used by Chinese state-sponsored hackers to infiltrate the U.S. Treasury Department, highlights the real-world consequences. We examine the limitations of existing security measures:
- GitHub’s Push Protection is a good start but only prevents specific patterns of API keys from being pushed, missing many secrets like database credentials and encryption keys.
- Private repositories are not inherently safe, being 8x more likely to contain secrets than public ones.
- While helpful, secrets management tools alone are not a complete solution, with 5.1% of repositories using them still leaking secrets.
- Threats extend beyond source code, with 38% of exposed credentials in collaboration tools like Slack and Jira being classified as highly critical.
The episode then focuses on how mobile developers can protect their apps with runtime secrets protection:
- Dynamic API Key Injection: Using a server-side mechanism to inject keys at runtime instead of hardcoding. Solutions like Approov use mobile app attestation to deliver keys only to trusted app instances.
- Mobile App Attestation: Verifying that API requests come from genuine, untampered app instances, preventing abuse from repackaged apps and bots.
- Dynamic Certificate Pinning: Ensuring apps automatically update to the latest certificate pins to block Man-in-the-Middle (MitM) attacks.
- Detecting and Blocking Rooted or Jailbroken Devices: Using RASP (Runtime Application Self-Protection) to detect and respond to unauthorised modifications.
- Monitoring and Revoking Compromised Secrets: Automating secret rotation and revocation, as 70% of valid secrets detected in 2022 were still active in 2024.
Key Takeaway: Your app's security is only as strong as its weakest secret. Protecting API keys at runtime is crucial. Links:
- The State of Secrets Sprawl 2025 Report (GitGuardian):
- Securing Mobile Apps Analyst Guide for Approov (Intellyx): https://intellyx.com/wp-content/uploads/2024/09/Securing-Mobile-Apps-Analyst-Guide-for-Approov-FINAL.pdf
- Approov Website: www.approov.io
