The mobile application contains hardcoded sensitive values such as API keys, encryption keys, passwords, or backend URLs embedded directly in the source code or binary.
An attacker could extract hardcoded secrets through reverse engineering to gain unauthorized API access, decrypt sensitive data, or access backend systems directly.
Remove all hardcoded secrets from application code. Retrieve secrets from secure backend services at runtime. Use environment-specific configuration managed securely. Implement key management solutions for cryptographic keys.
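A source-and-resource scan for the kind of embedded values described above, added here as an example and not code from the original page; the Kotlin config object, the strings.xml fragment, the identifier patterns and the entropy thresholds are all constructed assumptions, so tune them to the codebase under review.

```python
import math
import re
# Constructed sample inputs (not from any real app): a Kotlin config object and an
# Android strings.xml fragment, each mixing embedded secrets with benign values.
SAMPLE_KOTLIN = '''
object Config {
    const val API_KEY = "EXAMPLE-KEY-0123456789abcdef"
    const val BASE_URL = "https://api.example.invalid/v1"
    const val DB_PASSWORD = "Tr0ub4dor&3xyz"
    const val SIGNING_BLOB = "c2VjcmV0LXNpZ25pbmcta2V5LWJ5dGVz"
    const val APP_NAME = "Demo"
}
'''
SAMPLE_STRINGS_XML = '''
<resources>
    <string name="app_name">Demo</string>
    <string name="aes_key">b3f1c9d2e4a6f8071b2c3d4e5f60718a</string>
    <string name="welcome">Welcome back</string>
</resources>
'''

# Identifier names that suggest a credential or a backend location (assumed patterns).
SECRET_NAME = re.compile(r"api[_-]?key|secret|passw(or)?d|token|aes[_-]?key|private[_-]?key", re.I)
URL_NAME = re.compile(r"url|endpoint|host", re.I)
KOTLIN_ASSIGN = re.compile(r'(?:val|var)\s+(\w+)\s*=\s*"([^"]*)"')
XML_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
MIN_LEN, MIN_ENTROPY = 16, 3.5  # assumed thresholds for the entropy heuristic; tune per codebase

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking keys and base64 blobs score high, prose scores low."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def find_hardcoded_secrets(text: str) -> list[tuple[str, str, str]]:
    """Return (name, value, reason) for string literals that look like embedded secrets."""
    findings = []
    for pattern in (KOTLIN_ASSIGN, XML_STRING):
        for name, value in pattern.findall(text):
            if SECRET_NAME.search(name):
                findings.append((name, value, "secret-like identifier"))
            elif URL_NAME.search(name):
                findings.append((name, value, "embedded backend URL"))
            elif len(value) >= MIN_LEN and " " not in value and shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((name, value, "high-entropy literal"))  # unnamed key material
    return findings

if __name__ == "__main__":
    for src in (SAMPLE_KOTLIN, SAMPLE_STRINGS_XML):
        for name, value, reason in find_hardcoded_secrets(src):
            print(f"{name} = {value!r}: {reason}")
```

Running the scan over decompiled sources and extracted resources after every build catches regressions before the binary ships; each hit is a value that should instead be fetched from a backend at runtime or supplied through securely managed configuration.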