Are your secrets secure? How mobile applications are leaking millions of credentials - Mackenzie J.

Mackenzie Jackson - NDC Oslo 2023

Secrets like API keys, security certificates and other credentials are the crown jewels of our applications. They give access to our most sensitive information and systems, such as databases, cloud infrastructure and third-party services. Despite being highly sensitive, these secrets are being leaked in our source code and in compiled mobile applications. Throughout the presentation we analyze two in-depth research projects to show how mobile applications, and specifically React Native applications, are leaking secrets. The presentation is broken into three sections:

Part 1 - How attackers find and exploit secrets. We break down a collection of real-life breaches in which attackers discovered and exploited credentials to gain unlawful access to different services.

Part 2 - Secrets in source code. The GitGuardian 2022 State of Secrets Sprawl report showed that more than 6 million secrets were leaked publicly through source code on GitHub.com in 2021. This number increased again in the (yet to be released) 2023 State of Secrets Sprawl Report. We focus specifically on how many secrets were discovered inside React.js projects, including the total number of secrets found, the secrets discovered most often, and the files that most often contain plaintext secrets.

Part 3 - Secrets on the Play Store. The third section reviews research into how many mobile applications on the Google Play Store are leaking secrets. The research covers nearly 50,000 APK files that were downloaded from the Play Store and decompiled to determine how many contained secrets. We show the overwhelming percentage of apps that contained plaintext secrets and the types of secrets commonly found.

Together these sections show that attackers are actively trying to find and exploit secrets in our applications, and reveal the two predominant ways secrets end up leaked in public places. The presentation finishes with actionable steps developers can take to prevent secrets from leaking.
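The research summarized above works by unpacking a build and looking for plaintext credentials in what ships to users. The same check can be run by a developer on their own artifacts before release. The following is an added example, not code from the talk or from GitGuardian: it scans the text of an unpacked build (a decompiled APK's resources, or a React Native JavaScript bundle) for two well-known provider key formats (the AWS access key ID prefix `AKIA` and the Google API key prefix `AIza`) and for generic `api_key`/`secret`/`token`/`password` assignments, using a Shannon entropy threshold to skip placeholder values. The sample files, the fake key values, the rule set and the `3.0` bits-per-character threshold are all constructed for this illustration.

```python
"""Pre-release secrets check over an unpacked app build.

Added example, not part of the original talk. The detection rules, the
entropy threshold and SAMPLE_BUILD are constructed for illustration.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Provider-specific formats, checked first: a fixed public prefix plus a fixed
# length. Matching on the prefix alone avoids guessing at the key material.
PROVIDER_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

# Generic rule: a secret-like key name assigned a quoted value of 8+ chars.
# Works for JSON, minified JS object literals and .env-style "KEY=value" text.
GENERIC_RULE = re.compile(
    r"(?i)(api[_-]?key|secret|token|password|passwd)[\"']?\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
MIN_ENTROPY = 3.0  # bits per character; constructed threshold, tune per codebase


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    preview: str  # redacted; the full value must never reach a log or report


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep the first four characters (enough to recognise the prefix), mask the rest."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str) -> list[Finding]:
    """Return findings for one file; each distinct value is reported once."""
    findings: list[Finding] = []
    seen: set[str] = set()
    for rule, pattern in PROVIDER_RULES.items():
        for m in pattern.finditer(text):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                findings.append(Finding(path, rule, redact(m.group(0))))
    for m in GENERIC_RULE.finditer(text):
        value = m.group(2)
        # Skip values already caught by a provider rule and low-entropy
        # placeholders such as "changeme".
        if value in seen or shannon_entropy(value) < MIN_ENTROPY:
            continue
        seen.add(value)
        findings.append(Finding(path, "generic_" + m.group(1).lower(), redact(value)))
    return findings


def scan_build(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of relative path -> file text, as produced by unpacking a build."""
    out: list[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample of an unpacked build. The key values are fake and follow
# only the public prefix/length conventions of the formats above.
SAMPLE_BUILD = {
    "assets/index.android.bundle":
        'var config={apiUrl:"https://api.example.com",'
        'apiKey:"AIzaSyEXAMPLEEXAMPLEEXAMPLEEXAMPLE01234",'
        '"authToken":"q7Zp2mK9vX4rL1nB8tW3"};',
    "res/values/strings.xml":
        '<string name="aws_access_key">AKIAEXAMPLEEXAMPLE12</string>',
    "assets/config.json":
        '{"featureFlags":{"darkMode":true},"password":"changeme"}',
}

if __name__ == "__main__":
    for f in scan_build(SAMPLE_BUILD):
        print(f"{f.path}: {f.rule} -> {f.preview}")
    # In CI, exit non-zero when the list is non-empty so the build cannot ship.
```

On the sample, the scanner reports the Google key and the auth token from the JS bundle and the AWS key ID from `strings.xml`, while `apiUrl` (not a secret-like name) and `"password":"changeme"` (below the entropy threshold) produce nothing. The entropy filter trades recall for precision: a weak, human-chosen password will pass it, so the threshold is a tuning knob rather than a guarantee, and provider-format rules should be preferred wherever a credential type has a recognisable shape.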
Check out our new channel: NDC Clips: @ndcclips Check out more of our featured speakers and talks at https://ndcconferences.com/ https://ndcoslo.com/

May 22, 2023