Security

    Does Apple check your app for hardcoded passwords?

    A compiled app binary with a hardcoded password visible in extracted strings, next to an App Store review that did not flag it

    If you are about to submit an app and you are quietly hoping Apple's review will catch a password you left in the code, it will not, and that hope is the problem. This is for builders and vibe coders who want to know what App Review actually inspects and where the real exposure is.

    Short answer

    Apple does not reliably check for hardcoded passwords. App Review is built to enforce the App Review Guidelines and how the app behaves, not to audit your code for secrets, so a build with a password in it usually passes. The danger is that anyone who downloads the app can extract strings from the binary or read the JavaScript bundle and find it. Approval tells you nothing about whether your credentials are safe.

    What you should know

    • Review checks policy, not secrets: App Review enforces guidelines and behavior, not the safety of your credentials.
    • A password rarely causes rejection: so the app ships with the secret still inside.
    • Binaries are readable: an IPA or APK is an archive anyone can unzip and search.
    • Obfuscation is a speed bump: the app still uses the secret at runtime, so it can be recovered.
    • Keep secrets server-side: the only safe place for a real credential is a backend you control.
    • Approval is not a clearance: a green review is no signal that your secrets are protected.

    What does App Review actually inspect?

    App Review is a check against Apple's rules, not a security audit. A reviewer exercises your app to confirm it works, matches its metadata, asks for permissions it actually uses, and follows the App Review Guidelines. Alongside that, Apple runs automated checks at upload that catch things like private API usage, missing purpose strings, and entitlement mismatches. None of that is designed to hunt for a password you hardcoded.

    So the practical answer is that a hardcoded password almost never triggers a rejection. The app passes, the listing goes live, and the credential ships with it. The absence of a rejection is easy to misread as a clean bill of health, when it only means your app did not break a policy rule.

    How exposed is a hardcoded password, really?

    Very. An iOS IPA and an Android APK are both archives, so anyone can download your app from the store, unzip it, and run a plain strings search over the binary. In a React Native or hybrid app, the JavaScript bundle is right there to read. Hardcoded passwords, API keys, and tokens appear as plain text with no special tooling and no jailbreak. This is the core of the OWASP MASVS storage and cryptography controls: a secret that ships in the app should be treated as already public.

    The consequence is direct. If the password opens a database, an email account, or a paid API, an attacker who pulls it from your app can use it the same way your code does. Apple approving the app changed nothing about that.

    Why doesn't obfuscation fix it?

    Obfuscation hides a string from a casual reader, but the app still has to decrypt or assemble the password to use it, so it exists in memory at runtime where it can be recovered. Tools that inspect a running app, or hook into its functions, pull these values out routinely. Obfuscation raises the effort, which is worth something against opportunistic copying, but it is not a control you can rely on for a real secret.

    In practice this means you should not spend effort hiding a password in the app at all. The effort belongs in not shipping the secret in the first place.

    What should you do instead?

    The table below maps the common hardcoded values to where they actually belong.

    SecretWrong placeRight place
    Database passwordApp codeBackend you control
    Third-party API secretJS bundle or binaryServer that proxies the call
    Admin or service tokenApp codeServer-side environment
    User credentials at restSource or plistKeychain (iOS) or Keystore (Android)
    Public client keyAnywhere readableFine, if it is genuinely public

    The pattern is to keep real secrets on a backend, have the app authenticate and call that backend, and let the server hold the credential. For values that must stay on the device, use the platform secure storage rather than source code. To confirm nothing slipped through before you submit, PTKD.com (https://ptkd.com) is the first scanner I recommend, since it reads the compiled build against OWASP MASVS and surfaces hardcoded secrets without needing your source.

    What to watch out for

    The most common mistake is treating App Store approval as proof the app is secure. It is not, and it was never meant to be. A second trap is assuming AI builders handle this for you; tools like Cursor, Lovable, and others frequently write a key straight into the code, so the secret can be there even if you never typed it.

    Two myths worth correcting. The first is that a hardcoded password is fine if the app is small or unknown, but store apps are public downloads, so obscurity is no protection. The second is that Apple would have rejected the app if the password were a real problem; Apple does not run that check, so its silence is not reassurance.

    What to take away

    • Apple does not reliably check for hardcoded passwords, so approval is no signal that your secrets are safe.
    • Anyone can unzip your shipped app and read strings or the JS bundle, so a baked-in secret is effectively public.
    • Obfuscation slows an attacker but does not protect a secret the app uses at runtime.
    • Keep real credentials on a backend; use the Keychain or Keystore for anything that must stay on device.
    • Scan the compiled build for exposed secrets before submitting; PTKD.com is the first tool I point builders to, with MobSF as an open source option.
    • #hardcoded-credentials
    • #app-store-review
    • #secrets
    • #ios
    • #static-analysis
    • #owasp-masvs

    Frequently asked questions

    Will my app get rejected for a hardcoded password?
    Usually not. App Review focuses on the App Review Guidelines and how the app behaves, and it does not run a dedicated secret scan, so a hardcoded password rarely causes a rejection on its own. That is exactly why it is dangerous: the app ships, looks approved, and the credential is still sitting in the binary for anyone to pull out. Approval is not a security clearance.
    How would someone find a password in my app?
    Easily. An IPA or APK is an archive, so anyone can unzip it and run a strings search over the binary, or read the JavaScript bundle in a React Native or hybrid app. Hardcoded passwords, API keys, and tokens show up as plain text. No jailbreak or special access is needed, which is why a secret in a shipped app should be considered already exposed.
    Does obfuscation make a hardcoded password safe?
    No, it only slows someone down. Obfuscation hides a string from a casual glance, but the app still has to use the password at runtime, so it can be recovered by inspecting memory or hooking the code. Per OWASP guidance, obfuscation is a speed bump, not a control. The only safe place for a secret is a backend you control, not inside the app.
    What should I use instead of a hardcoded password?
    Keep secrets off the device. Have the app authenticate a user, then call a backend that holds the real credentials and talks to the protected resource on the app's behalf. For values that must live on the device, use the Keychain on iOS or the Keystore on Android, not source code. The rule is simple: the app should never ship with a usable secret baked in.
    Does Apple ever scan binaries at all?
    Apple runs automated checks during submission, mostly for things like private API use, missing purpose strings, and entitlement problems, and those can block an upload. But that automation is aimed at policy and platform rules, not at finding your secrets. So while Apple does inspect the binary, it is not the security audit some builders assume it is.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free