Why is this important?
All modern applications rely on certain secrets to run. These secrets may be database connection strings, API keys, or cryptographic keys. Keeping these secrets safe is critical to the security of the application.
If secrets are part of your source code, then everyone with access to the repository has access to them. Worse, if the code is public, then everyone has access to them. Code becomes public when it is pushed to a public GitHub repository, or when it is bundled with your application, e.g. shipped inside an Android app that anyone can download and decompile. This has led to many high-profile breaches.
Fixing Hard-coded Secrets
Option A: Don't hard-code cryptographic keys
Hard-coded encryption keys in a mobile application are considered public knowledge and provide no security: anyone can extract them from the app package, so data encrypted with them is effectively unencrypted.
- Go through the issues that GuardRails identified in the PR.
- Look for patterns like this:
new SecretKeySpec("hard-coded-key".getBytes(), "AES");
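The following is an added example, not code from the original page or from GuardRails, showing the flagged pattern next to one way to fix it on the JVM: the key is generated on first use and kept in a password-protected PKCS12 key store instead of appearing as a literal in the code. The 16-byte string in hardCodedKey is a constructed placeholder; the KEYSTORE_PASSWORD environment variable, the app.p12 file name and the app-aes-key alias are assumptions for this example. On Android the same KeyGenerator and KeyStore calls are normally used with the "AndroidKeyStore" provider, which keeps the key material out of the app process entirely.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyHandling {

    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // BEFORE: the pattern the finding points at. Anyone who decompiles the
    // app or reads the repository recovers the key, so every ciphertext
    // produced with it is readable by them. (Placeholder key, constructed.)
    static SecretKey hardCodedKey() {
        return new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.UTF_8), "AES");
    }

    // AFTER: no key literal in the code. The key is generated on first use and
    // stored in a password-protected PKCS12 key store; the password is supplied
    // at runtime (assumed KEYSTORE_PASSWORD variable, see main). The store file
    // itself must also stay out of the repository.
    static SecretKey loadOrCreateKey(File storeFile, char[] storePassword, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (storeFile.exists()) {
            try (FileInputStream in = new FileInputStream(storeFile)) {
                ks.load(in, storePassword);
            }
        } else {
            ks.load(null, null); // initialise an empty store
        }
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(storePassword);
        KeyStore.Entry existing = ks.getEntry(alias, prot); // null if the alias is absent
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom());
        SecretKey key = kg.generateKey();
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), prot);
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ks.store(out, storePassword);
        }
        return key;
    }

    // AES-GCM with a fresh random IV per message; the IV is prepended to the output.
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] ivAndCiphertext) throws Exception {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, GCM_IV_BYTES, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return cipher.doFinal(ct); // throws AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        String pw = System.getenv("KEYSTORE_PASSWORD"); // assumed to be provided by the deployment
        if (pw == null) {
            throw new IllegalStateException("KEYSTORE_PASSWORD is not set");
        }
        SecretKey key = loadOrCreateKey(new File("app.p12"), pw.toCharArray(), "app-aes-key");
        byte[] sealed = encrypt(key, "constructed sample message".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, sealed), StandardCharsets.UTF_8));
    }
}
```

Run it with KEYSTORE_PASSWORD set; the first run creates app.p12 with a fresh 256-bit key, later runs reuse it. The point of the change is that nothing in the compiled code or the repository reveals the key: a reviewer checking the fix should confirm that no literal is passed to SecretKeySpec anywhere, and that the key store file and the password are delivered by the environment rather than checked in.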