In Fall 2012 Syracuse University offered a course on Mobile Operating Systems (CSE 791) that explored the various mobile operating systems: Apple iOS and Microsoft Windows Phone 7 briefly, and Google Android in detail.
I was exploring the various cloud libraries available for the Google Android platform. The first step was to use one such library (I used the Parse SDK for Android) to save and retrieve data from a third-party cloud storage provider. A simple app was created and demoed to the professor.
The next step was to explore Google Cloud Messaging (GCM) and the Dropbox API, build sample apps with them, and see whether any security flaws could be found in the system. While building an Android app using the Dropbox API, I noticed that the API_KEY and API_SECRET were hardcoded inside the sample application, and that the Dropbox documentation warned developers that they needed a mechanism to store these values securely.
My experiment was simply to download 50 free apps from Google Play and report how many of them actually hardcoded the (Key, Secret) pair inside the application.
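The reason a hardcoded pair matters is that anything compiled into an APK can be recovered: unzip the package, run the DEX through dex2jar or apktool, and the string constants are right there. The scanner below is an added example of the kind of check such a survey needs, written for this post; it is not the author's tool and not part of the report. It works on decompiled Java text, looks for credential-named constants assigned a string literal and for literals passed straight into `new AppKeyPair(key, secret)` (the constructor the Dropbox Core SDK for Android used at the time), and uses a small entropy filter to separate live-looking keys from templates such as `"YOUR_APP_KEY_HERE"`. The three sample "apps" are constructed, and the key values in them are made up.

```python
"""Flag hardcoded API key/secret pairs in decompiled Android sources.

Heuristic scanner in the spirit of the 50-app survey. Input is the text a
decompiler (apktool / dex2jar + a Java decompiler) would produce; the sample
sources below are constructed for illustration, not taken from any real app.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Credential-looking constants: APP_KEY, API_SECRET, ACCESS_TOKEN, ... = "literal"
NAMED_LITERAL = re.compile(
    r'\b(?P<name>[A-Za-z_]*(?:KEY|SECRET|TOKEN)[A-Za-z_]*)\s*=\s*"(?P<value>[^"]*)"')
# Dropbox Core SDK for Android took the pair via new AppKeyPair(key, secret);
# this catches apps that inline the literals instead of naming them.
INLINE_KEYPAIR = re.compile(
    r'new\s+AppKeyPair\(\s*"(?P<key>[^"]*)"\s*,\s*"(?P<secret>[^"]*)"\s*\)')
PLACEHOLDER = re.compile(r'(?i)your|todo|changeme|insert|xxx|replace')


@dataclass
class Finding:
    app: str
    name: str
    value: str
    real: bool  # True if the literal looks like a live credential, not a template


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric keys score well above English words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_live(value: str) -> bool:
    """Short, low-entropy or obviously templated strings are not credentials."""
    return (len(value) >= 8
            and not PLACEHOLDER.search(value)
            and shannon_entropy(value) >= 3.0)


def scan_source(app: str, source: str) -> List[Finding]:
    """Return every key/secret literal found in one app's decompiled source."""
    findings = []
    for m in NAMED_LITERAL.finditer(source):
        findings.append(Finding(app, m.group('name'), m.group('value'),
                                looks_live(m.group('value'))))
    for m in INLINE_KEYPAIR.finditer(source):
        findings.append(Finding(app, 'AppKeyPair.key', m.group('key'),
                                looks_live(m.group('key'))))
        findings.append(Finding(app, 'AppKeyPair.secret', m.group('secret'),
                                looks_live(m.group('secret'))))
    return findings


def survey(apps: Dict[str, str]) -> Dict[str, int]:
    """Shape of the experiment's result: how many of N apps ship a live-looking key."""
    exposed = {f.app for name, src in apps.items()
               for f in scan_source(name, src) if f.real}
    return {'apps_scanned': len(apps), 'apps_with_hardcoded_credentials': len(exposed)}


# Constructed sample sources (package names and key values are invented).
SAMPLE_APPS = {
    # Named constants, the pattern the Dropbox sample app used.
    'com.example.notes': '''
        import com.dropbox.client2.session.AppKeyPair;
        public class DropboxHelper {
            private static final String APP_KEY = "k5x1q9z2a7b3c4d";
            private static final String APP_SECRET = "p8m2n6v4w1y3t7r";
            private static final String TAG = "DropboxHelper";
            void init() { AppKeyPair keys = new AppKeyPair(APP_KEY, APP_SECRET); }
        }''',
    # Literals inlined straight into the constructor call.
    'com.example.photos': '''
        AppKeyPair keys = new AppKeyPair("z3c8v1b6n2m7q4w", "h9j4k1l6p3o8i2u");''',
    # Template left in place and key fetched at runtime: nothing to harvest.
    'com.example.todo': '''
        private static final String API_KEY = "YOUR_APP_KEY_HERE";
        private static final String API_SECRET = "";
        String liveKey = fetchFromServer();''',
}

if __name__ == '__main__':
    for app, src in SAMPLE_APPS.items():
        for f in scan_source(app, src):
            print(f"{app}: {f.name} = {f.value!r} ({'LIVE' if f.real else 'placeholder'})")
    print(survey(SAMPLE_APPS))
```

On real input, point `scan_source` at every `.java` (or `.smali`) file under the decompiled tree and union the findings per package name; the entropy threshold is a heuristic, so treat anything it flags as a candidate to confirm by hand rather than a verdict.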
The full report was published in the March 2013 issue of Hack Insight magazine and can be downloaded from http://bit.ly/YMzSUT (pages 15-22).
Please feel free to comment on the report and on what you think about the issue, and to suggest a better mechanism for keeping these two values from being exposed.