
Hardcoded API Key in Android App Exposes Government Identity Verification Service

Reported Mar 5, 2026
Severity Critical
Platform Android
Vulnerability Class Hardcoded Credentials (CWE-798)
Target Type Government / Postal Service
Impact Access to national police check verification API

The Risk

A postal service's Android app contained a hidden key that granted access to the national police check verification system. Anyone with this key could look up the full details of any police check certificate, including the person's full legal name, date of birth, home address, and criminal history result. The key was embedded in the app itself, meaning anyone who downloaded it had the access. If breached HR databases contained certificate reference numbers, those could be used to silently pull criminal background checks on individuals.

The Vulnerability

The Android app stored two API credentials for the police check verification backend. The credentials were encrypted, but the encryption key was itself hardcoded in the app's code. Recovering the actual API credentials was straightforward through reverse engineering.

The Attack

After extracting the API key from the app, a single request to the verification endpoint with a certificate reference number returned the full certificate metadata and a download link for the complete PDF.

The PDF contained the individual's full legal name, date of birth, residential address, and criminal history result. The reference numbers come from QR codes on police check certificates and do not expire.

The Impact

Permanent access to police check results for anyone whose certificate reference number is known. HR departments, recruitment platforms, and background check services routinely store these reference numbers.

A breach of any such database would convert stored references into live government identity queries. The API key had not been rotated weeks after the report was submitted.

Remediation

  • Rotate both API credentials immediately.
  • Move the API key server-side and require an authenticated user session.
  • Add per-query authorization linking each lookup to a verified identity.
  • Audit access logs for requests originating outside the app.
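As an added example (not code from the report or from the affected app), the following Python sketch shows the shape of the second through fourth remediation points: the upstream key lives only on the server, every lookup needs a valid session, each reference must be explicitly linked to the requesting identity, and every decision is written to an audit trail that can be queried for requests arriving without an app session. All names, the placeholder key and the fake upstream response are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed placeholder: the real credential is loaded from a secrets manager
# on the server and is never shipped inside the mobile app bundle.
UPSTREAM_API_KEY = "PLACEHOLDER-UPSTREAM-KEY"


@dataclass
class VerificationGateway:
    """Server-side proxy that sits between the app and the verification API."""
    sessions: dict = field(default_factory=dict)  # session token -> user id
    grants: set = field(default_factory=set)      # (user id, certificate ref)
    audit: list = field(default_factory=list)     # (decision, user, ref, reason)

    def login(self, user: str) -> str:
        # Authenticated user session (point 2); the token is unguessable.
        token = secrets.token_urlsafe(24)
        self.sessions[token] = user
        return token

    def grant(self, user: str, ref: str) -> None:
        # Per-query authorization (point 3): a lookup right is tied to one
        # verified identity and one certificate, e.g. a holder sharing with
        # a specific employer; possession of the reference alone is not enough.
        self.grants.add((user, ref))

    def lookup(self, token: str, ref: str):
        user = self.sessions.get(token)
        if user is None:
            self.audit.append(("DENY", None, ref, "no session"))
            return None
        if (user, ref) not in self.grants:
            self.audit.append(("DENY", user, ref, "not authorized for ref"))
            return None
        self.audit.append(("ALLOW", user, ref, "ok"))
        return self._call_upstream(ref)

    def _call_upstream(self, ref: str) -> dict:
        # Constructed stand-in for the real verification backend call; the API
        # key is attached here, server-side, so clients never see it.
        assert UPSTREAM_API_KEY  # would be sent as an auth header upstream
        return {"ref": ref, "status": "verified"}

    def requests_without_session(self) -> list:
        # Audit query (point 4): lookups that did not come through an app session.
        return [entry for entry in self.audit if entry[1] is None]
```

Running the gateway against a few constructed calls shows that an unauthenticated request and an authenticated but ungranted request are both refused and recorded, while only the granted pairing reaches the upstream call.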