Code Room
Category: On-call | Difficulty: Medium | ID: oc-g152
Subject: Credential leak | Level: Mid–Senior | ~35 min | Common in Security interviews | Industries: Technology, Software development

Question

A security researcher reports that your shipped Android app binary contains a hardcoded backend API key with broad server-side privileges (it can read any user's records, not just the signed-in user's). They decompiled the APK to find it. Your API gateway logs show a spike of requests using that key from non-mobile user-agents and scripted patterns, enumerating user IDs sequentially. The key has been in every app release for ~8 months. You can't instantly force all users to update the app. How do you triage, contain, and remediate this embedded-secret leak?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
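As an added example (not part of the original question or answer key), the triage step over the gateway signals described above: a small script that isolates requests made with the leaked key, flags clients whose user-agent is not the shipped app's and that walk user IDs sequentially, and lists which user IDs those clients reached, so the blast radius can be stated before the key is rotated. The log line format, the app user-agent pattern "ExampleApp/" and the key identifier are assumptions; the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample API gateway lines (not real data). Assumed format:
# timestamp client_ip key_id "user-agent" method path status
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 203.0.113.7 LEAKED_KEY_ID_PLACEHOLDER "python-requests/2.31" GET /v1/users/1001/records 200
2024-05-01T10:00:02Z 203.0.113.7 LEAKED_KEY_ID_PLACEHOLDER "python-requests/2.31" GET /v1/users/1002/records 200
2024-05-01T10:00:03Z 198.51.100.20 LEAKED_KEY_ID_PLACEHOLDER "okhttp/4.9 ExampleApp/3.2 (Android 13)" GET /v1/users/5550/records 200
2024-05-01T10:00:04Z 203.0.113.7 LEAKED_KEY_ID_PLACEHOLDER "python-requests/2.31" GET /v1/users/1003/records 200
2024-05-01T10:00:05Z 198.51.100.21 LEAKED_KEY_ID_PLACEHOLDER "okhttp/4.9 ExampleApp/3.2 (Android 13)" GET /v1/users/7781/records 200
2024-05-01T10:00:06Z 203.0.113.7 LEAKED_KEY_ID_PLACEHOLDER "python-requests/2.31" GET /v1/users/1004/records 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d+)$')
USER_PATH_RE = re.compile(r"^/v1/users/(\d+)/")
APP_UA_RE = re.compile(r"okhttp/.* ExampleApp/")  # assumed user-agent of the shipped app

def parse_line(line):
    """Parse one gateway line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, key, ua, method, path, status = m.groups()
    um = USER_PATH_RE.match(path)
    return {"ts": ts, "ip": ip, "key": key, "ua": ua, "path": path,
            "user_id": int(um.group(1)) if um else None, "status": int(status)}

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the distinct ids."""
    best = run = 0
    prev = None
    for uid in sorted(set(ids)):
        run = run + 1 if prev is not None and uid == prev + 1 else 1
        best = max(best, run)
        prev = uid
    return best

def triage(log_text, leaked_key, min_run=3):
    """Group requests that used the leaked key by client (ip, user-agent); flag
    clients with a non-app user-agent that enumerate user IDs sequentially, and
    collect the user IDs those clients reached (the records to treat as exposed)."""
    clients = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["key"] == leaked_key and rec["user_id"] is not None:
            clients[(rec["ip"], rec["ua"])].append(rec["user_id"])
    flagged, exposed = {}, set()
    for (ip, ua), ids in clients.items():
        run = longest_sequential_run(ids)
        if not APP_UA_RE.search(ua) and run >= min_run:
            flagged[(ip, ua)] = {"requests": len(ids), "distinct_users": len(set(ids)), "longest_run": run}
            exposed.update(ids)
    return {"flagged_clients": flagged, "exposed_user_ids": sorted(exposed)}
```

The exposed ID list is what feeds the notification decision, while the flagged client tuples are what the gateway can block immediately while the key itself is rotated and its server-side privileges narrowed.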
