Mackenzie Jackson

Developer advocate - Security fanatic

Talk Title

Are your secrets secure – How mobile apps are leaking millions of credentials

Salle Blin

14:00 > 45 min


Secrets like API keys, security certificates and other credentials are the crown jewels of our applications. They give access to our most sensitive information and systems like databases, cloud infrastructure and third-party services. Despite being highly sensitive, these secrets are being leaked in our source code and compiled mobile applications.

Throughout the presentation, we will analyze two in-depth research projects to show how mobile applications, and specifically Android applications, are leaking secrets. The presentation will be broken into three sections:

**Part 1 - How attackers find and exploit secrets**
We break down a collection of real-life breaches in which attackers discovered and exploited credentials to gain unlawful access to different services: how the credentials were discovered, how they were exploited, and what the attackers were able to access or control.

**Part 2 - Secrets in source code**
GitGuardian's 2022 State of Secrets Sprawl report showed that more than 6 million secrets were leaked publicly through source code in 2021. This number increased again in the (yet to be released) 2023 State of Secrets Sprawl Report. We will focus specifically on how many secrets were discovered inside Android projects, including the total number of secrets found, the secret types most commonly discovered, and the files that most often contain plain-text secrets.

**Part 3 - Secrets on the play store**
The third section will review research into how many mobile applications on the Google Play Store are leaking secrets. The research reviews nearly 50,000 APK files which were downloaded from the Play Store and decompiled to reveal how many contained secrets. We show the overwhelming percentage of apps that contained plain-text secrets and the types of secrets commonly found.

Together these sections show that attackers are actively trying to find and exploit secrets in our applications, and they reveal the two predominant ways those secrets end up leaked in public places. The presentation will finish with actionable steps developers can take to prevent secrets from leaking.
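As an added example (not code from the talk, and not GitGuardian's tooling), the following Python script shows the kind of check a defender can run over files pulled from a decompiled APK or an Android source tree before a release: it parses Android string resources and Java-style key=value properties files, flags values that match a known credential format or sit under a credential-like setting name, scores each hit by Shannon entropy, and redacts the value in the report so the scan output does not itself become a leak. The sample files, setting names and values are constructed for the example; none is a real credential.

```python
"""Scan text files extracted from a decompiled Android app for plain-text secrets."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of files as they might look after decompiling an APK.
# Every value here is made up for this example; none is a real credential.
SAMPLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">DemoApp</string>\n'
        '    <string name="aws_access_key">AKIAEXAMPLE0000000AA</string>\n'
        '    <string name="backend_api_key">sk_test_CONSTRUCTED_4f8e2b9c7d1a6e3f0b5c</string>\n'
        "</resources>\n"
    ),
    "assets/config.properties": (
        "# constructed app configuration\n"
        "server.url=https://api.example.com\n"
        "db.password=hunter2\n"
        "build.number=42\n"
    ),
}

# Detector 1: credential formats with a fixed, recognisable shape
# (an AWS access key ID is 'AKIA' followed by 16 upper-case alphanumerics).
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Detector 2: the *name* of the setting suggests its value is a credential.
KEYWORD_RE = re.compile(
    r"api[_-]?key|secret|passw(?:or)?d|token|access[_-]?key|private[_-]?key", re.I
)
# Parsers for the two file shapes in the sample: Android string resources
# and key=value / key: value properties.
XML_STRING_RE = re.compile(r'<string\s+name="([^"]+)"\s*>([^<]*)</string>')
KV_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*[=:]\s*(.+?)\s*$")


@dataclass
class Finding:
    path: str
    line_no: int
    key: str
    reason: str
    entropy: float
    redacted: str  # the full value never goes into a report or log


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking tokens score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only a short prefix so a hit can be located without re-leaking it."""
    return value[:4] + "..." if len(value) > 4 else "..."


def extract_pairs(line: str):
    """Yield (key, value) pairs found on one line, for either file shape."""
    m = XML_STRING_RE.search(line)
    if m:
        yield m.group(1), m.group(2)
        return
    m = KV_RE.match(line)
    if m:
        yield m.group(1), m.group(2)


def classify(key: str, value: str):
    """Return the name of the detector that fires for this pair, or None."""
    for name, pattern in KNOWN_PATTERNS.items():
        if pattern.search(value):
            return name
    m = KEYWORD_RE.search(key)
    if m and value:
        return "keyword:" + m.group(0).lower()
    return None


def scan_files(files: dict) -> list:
    """Scan a {path: text} mapping and return one Finding per flagged pair."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for key, value in extract_pairs(line):
                reason = classify(key, value)
                if reason:
                    findings.append(Finding(path, line_no, key, reason,
                                            round(shannon_entropy(value), 2),
                                            redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.key} [{f.reason}] "
              f"entropy={f.entropy} value={f.redacted}")
```

Run against the constructed sample, the scanner reports three findings (the AWS-shaped key, the API key under a credential-like name, and the database password) and stays silent on the app name, the server URL and the build number. The two detectors are complementary: fixed-format patterns catch a credential regardless of what it is called, while keyword matching catches home-grown tokens that have no recognisable shape; the entropy score is only an annotation to help triage, since a low-entropy password such as the one in the sample is still a real leak.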

Speaker Bio

Mackenzie is a developer advocate with a passion for DevOps and code security. As the co-founder and former CTO of a health tech startup, he learnt first-hand how critical it is to build secure applications with robust developer operations.
Today as the Developer Advocate at GitGuardian, Mackenzie is able to share his passion for code security with developers and works closely with research teams to show how malicious actors discover and exploit vulnerabilities in code.