Funding year 2025 / Scholarship Call #20 / Project ID: 7761 / Project: Hidden Dangers: Uncovering Security and Privacy Risks through Large-scale Mobile App Analysis
Our work, “Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps,” was honored with the Distinguished Paper Award at ACM CCS 2025 (ACM SIGSAC Conference on Computer and Communications Security).
Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps
Mobile apps can embed sensitive data, e.g., API tokens used to communicate with remote services. While some of these secrets are intentionally included by developers, others unintentionally find their way into released apps. An example is Snapchat, which unintentionally leaked parts of its source code through its iOS app.
In this paper, we analyzed 10,331 Android and iOS apps to discover secrets distributed in mobile apps and to answer the following research questions:
- RQ1: What files do mobile apps contain?
- RQ2: What secrets do developers distribute in mobile apps?
- RQ3: How does the situation differ between Android and iOS apps?
- RQ4: How did the situation change between 2023 and 2024?
Methodology
To answer these questions, we designed a static analysis that first extracts the files mobile apps contain. Since both the Android APK bundle and the iOS IPA bundle are essentially ZIP files, we can handle both formats similarly.
For each file, we store metadata such as file name, path, and MIME type for further evaluation. For each non-text-based file, we use the strings utility to obtain a text representation. Afterwards, we use a modified version of trufflehog, a regex-based secret detection tool originally designed for Git repositories, to discover secret tokens.
To remove false positives, we further validated the extracted tokens remotely.
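As an added illustration of the extraction and detection steps above (this is not the paper's published analysis code), the Python script below opens an app bundle as a ZIP, records each member's path, size and guessed MIME type, replaces the strings utility with a pure-Python extractor of printable runs, and applies a small constructed regex set standing in for trufflehog's rules; the bundle contents and token values are constructed, the file-suffix list is an assumption, and the remote validation step is deliberately left out, so the same function serves a developer inspecting their own release bundle as recommended below.

```python
import io
import re
import zipfile
import mimetypes

# Constructed patterns standing in for trufflehog's much larger rule set.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Assumed list of file kinds that rarely belong in a release bundle (cf. RQ1).
SUSPECT_SUFFIXES = (".md", ".sh", ".py", ".java", ".swift", ".kt", ".env")

def extract_strings(data, min_len=4):
    """Pure-Python stand-in for the strings utility: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def scan_bundle(bundle_bytes):
    """Walk an APK/IPA (both are ZIPs), record metadata and flag secret hits."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            mime, _ = mimetypes.guess_type(info.filename)
            text_like = mime is not None and mime.startswith("text/")
            # Text files are scanned as-is; binaries go through the strings step.
            haystacks = [data] if text_like else extract_strings(data)
            hits = sorted({(name, m.group(0).decode("ascii", "replace"))
                           for name, pat in SECRET_PATTERNS.items()
                           for blob in haystacks for m in pat.finditer(blob)})
            findings.append({"path": info.filename, "mime": mime, "size": info.file_size,
                             "suspect_file": info.filename.lower().endswith(SUSPECT_SUFFIXES),
                             "secrets": hits})
    return findings

def report(findings):
    """Return ({path: [rule names]}, [suspect file paths]) for quick review."""
    leaked = {f["path"]: [n for n, _ in f["secrets"]] for f in findings if f["secrets"]}
    return leaked, [f["path"] for f in findings if f["suspect_file"]]

def build_sample_bundle():
    """Constructed bundle mimicking an app archive; every value is made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/docs/INTERNAL.md", "# Deploy notes\nUse key AKIAIOSFODNN7EXAMPLE for staging\n")
        zf.writestr("lib/arm64-v8a/libapp.so", b"\x7fELF\x01\x02\x00\x00ghp_" + b"A" * 36 + b"\x00\x00")
        zf.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(range(256)))
    return buf.getvalue()

if __name__ == "__main__":
    print(report(scan_bundle(build_sample_bundle())))
```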
Results
By analyzing file metadata, we showed that both iOS and Android apps contain unintentionally added files that can expose secrets, for example, Markdown documents with internal documentation, development scripts, or source files.
Our regular-expression-based analysis returned 26,380 credentials, which we filtered with heuristics down to 10,164 credentials. We then validated these against remote endpoints and obtained 416 functional credentials across 65 services, including 13 Git credentials that granted access to 218 public and 2,440 private repositories.
Our analysis reveals that more iOS apps leaked secrets, although information leaks exist in both Android and iOS apps. Thus, it is important to study apps from both platforms.
Finally, we showed that even when developers remove credentials in later app versions, they often do not revoke them, leaving the credentials exploitable.
To improve the current situation, we responsibly disclosed our findings to developers via the contact email addresses listed on the Google Play Store. In total, 77 developers replied: for example, 2 indicated they were already aware of the issue, 13 mentioned that they had already fixed it, and one noted that implementing a fix would be too expensive.
Recommendations
In general, we recommend that developers inspect the final app bundles they distribute to check whether any unnecessary files, potentially containing secret information, are included. We have published our analysis code on GitHub to help simplify this process.
Link to the paper: https://dl.acm.org/doi/10.1145/3719027.3765033