Mobile apps are predominantly integrated with cloud services to benefit from enhanced functionality. Authenticating these mobile-cloud interactions with secrets such as API keys is essential to keeping them secure. However, developers often overlook the proper storage of such secrets and embed them directly in their projects. Once checked in, these secrets ship with the app and can be easily extracted and exploited by adversaries. While many researchers have investigated checked-in secrets in open-source projects, there is a notable research gap concerning checked-in secrets in Android apps deployed on platforms such as the Google Play Store. Unlike open-source projects, the lack of direct access to source code and the presence of obfuscation complicate checked-in secret detection for Android apps. This motivates us to conduct an empirical analysis that measures and compares the performance of different checked-in secret detection tools on Android apps. We first conducted a literature review to identify all checked-in secret detection tools that can be applied to Android apps. We then evaluated three representative tools on 5,135 Android apps, comparing their performance and analyzing their limitations. Our experiment reveals 2,142 checked-in secrets affecting 2,115 Android apps. We also show that current checked-in secret detection techniques suffer from key limitations: every evaluated tool can miss a significant number of checked-in secrets in Android apps. Nevertheless, we observed that the tools are complementary, suggesting that a more effective checked-in secret detection tool could be built by combining their insights. Additionally, we propose that analyzing groups of strings within the methods that contain checked-in secrets may offer a more effective strategy for overcoming obfuscation.
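The following script is an added illustration of the two detection strategies the abstract contrasts; it is not code from the paper or from any of the evaluated tools. It parses a constructed smali excerpt (the disassembled form of Dalvik bytecode that tools such as apktool produce), collects the string literals loaded in each method, and then runs an AWS access key ID pattern once per literal (the per-string approach most scanners take) and once over the concatenation of all literals in a method (the string-group heuristic the abstract proposes). Method names, the sample methods and the splitting layout are assumptions made for the example; the key value is the example access key ID from AWS's own documentation, not a live credential.

```python
import re

# Constructed smali excerpt (not extracted from any real app). Method a() holds
# the key as one literal; b() splits it across const-string instructions the
# way a string-splitting obfuscator would; c() holds only harmless text.
SAMPLE_SMALI = """\
.method public static a()Ljava/lang/String;
    const-string v0, "AKIAIOSFODNN7EXAMPLE"
    return-object v0
.end method

.method public static b()Ljava/lang/String;
    const-string v0, "AKIAIOSF"
    const-string v1, "ODNN7EXA"
    const-string v2, "MPLE"
    invoke-static {v0, v1, v2}, Lx/y;->join(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method

.method public static c()Ljava/lang/String;
    const-string v0, "Hello"
    const-string v1, "world"
    return-object v0
.end method
"""

# AWS access key IDs have a fixed shape: "AKIA" followed by 16 uppercase
# alphanumerics. A strict format like this keeps false positives low.
AWS_KEY_ID = re.compile(r"AKIA[0-9A-Z]{16}")

# Smali syntax assumed here: ".method <modifiers> name(...)" opens a method,
# ".end method" closes it, and const-string/const-string-jumbo load literals.
METHOD_START = re.compile(r"^\.method\s+(?:[\w-]+\s+)*([^\s(]+)\(")
CONST_STRING = re.compile(
    r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"')


def extract_method_strings(smali: str) -> dict:
    """Map each method name to the string literals it loads, in program order."""
    methods = {}
    current = None
    for line in smali.splitlines():
        m = METHOD_START.match(line)
        if m:
            current = m.group(1)
            methods[current] = []
            continue
        if line.startswith(".end method"):
            current = None
            continue
        s = CONST_STRING.match(line)
        if s and current is not None:
            methods[current].append(s.group(1))
    return methods


def detect_single(methods: dict) -> list:
    """Per-literal matching: how a regex scanner over extracted strings behaves."""
    return [(name, m.group(0))
            for name, lits in methods.items()
            for lit in lits
            for m in AWS_KEY_ID.finditer(lit)]


def detect_grouped(methods: dict) -> list:
    """String-group matching: run the pattern over all literals of one method
    joined in program order, so a key split across const-string loads is still seen."""
    findings = []
    for name, lits in methods.items():
        joined = "".join(lits)
        for m in AWS_KEY_ID.finditer(joined):
            findings.append((name, m.group(0)))
    return findings


if __name__ == "__main__":
    methods = extract_method_strings(SAMPLE_SMALI)
    print("per-literal :", detect_single(methods))   # misses the split key in b()
    print("per-method  :", detect_grouped(methods))  # finds both a() and b()
```

The per-literal scan reports only a(); the grouped scan also recovers the key in b(), which is the case the abstract's proposal targets. Joining literals in program order is a heuristic: it assumes the app reassembles them in that order, and a group of unrelated high-entropy literals could in principle produce a spurious match, which is why the example uses a strict format pattern rather than an entropy threshold. A stricter variant would follow the invoke instruction that consumes the loaded registers and join only those operands.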