Skip to main content

Hard-Coded Secrets

Why is this important?

All modern applications rely on certain secrets to run. These secrets may be database connection strings, API keys, or cryptographic keys. Keeping these secrets safe is critical to the security of the application.

If secrets are part of your source code, then the whole team has access to them. Worse, if the code is public, then everyone has access to them. Code can be public, if it's on a public Github repository, or bundled with your application, e.g. your Android app. This has led to many high-profile breaches.

Fixing Hard-coded Secrets

Option A: Don't hard-code cryptographic keys

Hard-coded encryption key in a mobile application are considered public knowledge and provide no security.

  1. Go through the issues that GuardRails identified in the PR.

  2. Look for patterns like this:

    new SecretKeySpec("hard-coded-key".getBytes(), "AES");
  3. Replace any hard-coded key with retrieving a new value securely using Android KeyStore (see more information below).

  4. Test the app and make sure that all is working well.

More information: