
Distinguished paper award at ACM CCS 2025

David Schmidt, PhD student at CD-Lab AsTra, Sebastian Schrittwieser, key researcher at SBA Research and head of the CD-Lab, and Edgar Weippl, scientific director at SBA Research and full professor for security & privacy at the University of Vienna, received the Distinguished Paper Award at ACM CCS 2025 (A*-rated) for their work Leaky Apps: Large-scale Analysis of Secrets Distributed in Android and iOS Apps.

In their study, they analyzed 10,331 Android and iOS applications to examine how sensitive data such as API keys and cryptographic material is embedded in binaries and app bundles. Their results show that apps from both ecosystems leak secrets, with iOS apps showing a higher tendency to expose sensitive data. They also found that while developers remove secrets in later versions, they frequently forget to revoke the credentials, leaving them open to misuse.

David Schmidt presented the paper on October 15, 2025, at CCS in Taipei, Taiwan.

Abstract

Mobile apps store various types of secrets to support their functionalities. These include API keys and cryptographic material to authenticate users and access backend services. Once the apps are distributed, attackers can reverse-engineer them, and these secrets become accessible, posing risks such as data leaks and service abuse.

In this paper, we conduct a large-scale analysis of 10,331 Android and iOS apps to study how secrets are embedded in mobile apps. Our methodology involves extracting and validating credentials from app bundles and comparing the types and frequency of embedded secrets across Android and iOS to identify systematic differences between the two ecosystems. To assess temporal dynamics, we re-analyze apps released in 2023 after their updates in 2024.

Our findings show that apps not only leak secrets required for functionality but also unintentionally include sensitive information like markdown documentation and dependency management files.

We discovered 416 functional credentials across 65 services, including 13 Git credentials that grant access to 218 public and 2,440 private repositories. Our analysis reveals that iOS apps are more likely to expose secrets, although information leaks exist in both Android and iOS apps. Finally, we show that even if developers remove embedded credentials in later versions, they frequently forget to revoke them, leaving the credentials exploitable.
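As an added example (not code from the paper or its authors), a small pre-release check in the spirit of the methodology above: it scans an unpacked app bundle for credential-like strings and for files that should not ship, and diffs two releases to list secrets that were deleted from the binary but still need revoking. The detection patterns, the file list and the sample releases are my own constructed assumptions.

```python
import os
import re

# Detection rules: well-known public token formats plus a generic "name = value" catch-all.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "google_api_key": re.compile(rb"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "generic_assignment": re.compile(
        rb"""(?i)(?:api[_-]?key|secret|token)["']?\s*[=:]\s*["']?([A-Za-z0-9_\-]{20,})"""),
}
# Files that should never ship in a bundle (hypothetical list built from the leak types the abstract names).
UNINTENDED_FILES = {"package.json", "package-lock.json", "Podfile", "Podfile.lock",
                    "Gemfile", "requirements.txt", ".env"}

def scan_entries(entries):
    """Scan (path, bytes) pairs from an unpacked APK/IPA; return (path, kind, value) findings."""
    findings = []
    for path, data in entries:
        name = os.path.basename(path)
        if name.lower().endswith(".md") or name in UNINTENDED_FILES or "/.git/" in "/" + path:
            findings.append((path, "unintended_file", ""))
        for kind, rx in SECRET_PATTERNS.items():
            for m in rx.finditer(data):
                raw = m.group(1) if m.groups() else m.group(0)
                findings.append((path, kind, raw.decode("ascii", "replace")))
    return findings

def scan_directory(root):
    """Walk an unpacked bundle on disk (e.g. an unzipped .apk or .ipa) and scan every file."""
    def walk():
        for dirpath, _, files in os.walk(root):
            for f in files:
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    yield os.path.relpath(full, root).replace(os.sep, "/"), fh.read()
    return scan_entries(walk())

def removed_but_still_live(old_findings, new_findings):
    """Secrets seen in an older release but absent from the newer one. Deleting them from the
    binary does not revoke them, so each one still needs rotation at the issuing service."""
    still_present = {v for _, _, v in new_findings if v}
    return sorted({v for _, _, v in old_findings if v and v not in still_present})

# Constructed sample releases (not real apps; AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key).
RELEASE_2023 = [
    ("assets/config.json", b'{"aws_key": "AKIAIOSFODNN7EXAMPLE", "api_key": "sk_test_constructedvalue12345"}'),
    ("README.md", b"# internal notes\n"),
    ("Podfile.lock", b"PODS:\n"),
]
RELEASE_2024 = [("assets/config.json", b'{"aws_key": ""}')]
```

Run `scan_directory()` on an unzipped bundle in CI and compare its findings with the previous release's to get a rotation list before shipping.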
