Config files : Unsafe API secret storage

Classification

OWASP Top 10 2017

A3-Sensitive Data Exposure A5-Broken Access Control

OWASP Top 10 2021

A2-Cryptographic Failures A1-Broken Access Control

CWE

CWE-220 CWE-921

Overview

The API secret is explicitly set in the config file. These values can be used to access all of your account data.

The API secrets must be stored securely. They must not appear in your public repository. And you should also secure these values from extraction during decompilation.

References

Storing Secret Keys in Android
OWASP: Insecure Storage
Storage Options — developer.android.com
CWE-220: Storage of File With Sensitive Data Under FTP Root
CWE-921: Storage of Sensitive Data in a Mechanism without Access Control

MEDIUM

Config files : Unsafe API secret storage

Classification

Overview

References

DerScanner Severity Score

Do you want to fix Config files : Unsafe API secret storage in your application?

See also

Config files : Text4Shell Vulnerability

Config files : Incorrect directory deletion

Config files : Code injection