How Far are App Secrets from Being Stolen? A Case Study on Android

📅 2025-01-14
📈 Citations: 0
Influential: 0
🤖 AI Summary
This study presents the first systematic empirical analysis of app secret leakage, particularly hardcoded cryptographic keys and service credentials, in Android applications. We analyze 14,665 popular APKs using a lightweight, regular-expression-driven static text-mining approach to identify candidate secrets at scale. Manual verification of 575 sampled candidate secrets characterizes the common categories of leaked secrets, their security impacts, and the storage anti-patterns involved (e.g., plaintext embedding in resources or code); a follow-up automated analysis then harvests 3,711 distinct exploitable secrets. The findings reveal the prevalence of hardcoded secrets even in highly popular apps and demonstrate real-world exploitability, including cloud service account takeover and large-scale data exfiltration. To assess risk systematically, we propose a quantitative evaluation framework that jointly models exploitability (e.g., key validity, service accessibility) and impact severity (e.g., data sensitivity, privilege scope). The work provides empirically grounded insights and a practical detection paradigm for improving key management practices in mobile applications.

📝 Abstract
Android apps can hold their own secret strings, such as cloud service credentials or encryption keys. Leakage of such secret strings can induce unprecedented consequences, such as monetary losses or leakage of users' private information. In practice, various security issues have been reported because many apps failed to protect their secrets. However, little is known about the types, usages, exploitability, and consequences of app secret leakage issues. While a large body of literature has been devoted to studying user private information leakage, there is no systematic study characterizing app secret leakage issues. How far are Android app secrets from being stolen? To bridge this gap, we conducted the first systematic study to characterize app secret leakage issues in Android apps, based on 575 potential app secrets sampled from 14,665 popular Android apps on Google Play. We summarized the common categories of leaked app secrets, assessed their security impacts, and disclosed bad practices in how apps store their secrets. We devised a text mining strategy using regular expressions and demonstrated that numerous app secrets can be easily stolen, even from highly popular Android apps on Google Play. In a follow-up study, we harvested 3,711 distinct exploitable app secrets through automatic analysis. Our findings highlight the prevalence of this problem and call for greater attention to app secret protection.
Problem

Research questions and friction points this paper is trying to address.

Android Applications
Secret Leakage
Security Vulnerabilities
Innovation

Methods, ideas, or system contributions that make the work stand out.

Android Application
Secret Leakage
Automated Detection
Authors

Lili Wei
Assistant Professor at McGill University
Software Engineering, Software Testing, Software Analysis, Android

Heqing Huang
Affiliate ex-Professor, TikTok LLM Sec, ByteDance AI Lab, TensorSec, IBM AI, PANW, FireEye
Intelligence Driven Security, Agentic Model Security, Securing LLM services

S. Cheung
Department of Computer Science and Engineering, The Hong Kong University of Science and Technology, China

Kevin Li
Department of Electrical and Computer Engineering, McGill University, Canada