...
Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard-coded password in a deployed program may require distribution of a patch [Chess 2007].
Noncompliant Code Example
...
GERONIMO-2925 and GERONIMO-1135 describe a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it from that time on.
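The per-installation approach described above, as an added example (not code from the CERT page or from the Geronimo project): the AES key is generated on first use, written to an owner-only file, and loaded from there afterwards, so no key ever appears in the source. The key-file location, the POSIX permission scheme, and the class and method names are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Per-installation AES key in the spirit of the Geronimo fix: generated on first
// use and stored in an owner-only file (path and POSIX permissions are assumptions).
public final class InstallationKey {
    private static final int GCM_TAG_BITS = 128;
    private static final int IV_BYTES = 12;
    private final Path keyFile;
    public InstallationKey(Path keyFile) { this.keyFile = keyFile; }
    // Load the key, generating and persisting a fresh one on first run.
    public SecretKey load() throws IOException, GeneralSecurityException {
        if (Files.exists(keyFile)) {
            return new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        }
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(256);
        SecretKey key = gen.generateKey();
        Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(
            PosixFilePermissions.fromString("rw-------")));
        Files.write(keyFile, key.getEncoded());
        return key;
    }
    // AES-GCM with a fresh random IV prepended to the ciphertext.
    public byte[] encrypt(byte[] plaintext) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, load(), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }
    // Split the stored IV from the ciphertext and verify the GCM tag while decrypting.
    public byte[] decrypt(byte[] blob) throws IOException, GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, load(), new GCMParameterSpec(GCM_TAG_BITS, blob, 0, IV_BYTES));
        return c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }
}
```

The POSIX permission attribute is unsupported on non-POSIX file systems (it throws UnsupportedOperationException), where a platform keystore or an ACL-restricted file should hold the key instead.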
Related Guidelines
MSC18-C. Be careful while handling sensitive data, such as passwords, in program code
Hard-coded Password [XYP]
CWE-259. Use of hard-coded password
CWE-798. Use of hard-coded credentials
...
Hard-coded information can be easily obtained on Android by using apktool to decompile an application, or by using dex2jar to convert a dex file to a jar file, which exposes any secret embedded in the application's code.
Bibliography
[Chess 2007] Section 11.2, "Outbound Passwords: Keep Passwords out of Source Code"
"Unsafe Mobile Code: Database Access"
Section 9.4, "Private Object State and Object Immutability"
...