by labguy10001 4460 days ago
The key problem is, Android is a front-end technique. Everything you put in code/resource is transparent. But so many developers treat it like back-end and believe it's safe to put sensitive info inside...
2 comments

The key problem is thinking anything the client does is secure, or even worse, that it may be trusted. A developer that hasn't grasped this very simple fact will inevitably not only screw up the client side (i.e. exposing AWS credentials), but also the server side.
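A build-time check in the spirit of this thread, written as an added example rather than anything from the post or from Trustlook: it parses an APK's `res/values/strings.xml` (a constructed sample is embedded inline, with placeholder key values) and flags resources that look like AWS credentials, because anything left there is readable by whoever unpacks the app.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an app's res/values/strings.xml, the kind of resource
# that ships in every APK in plain text. The credential-looking values are
# placeholders (the secret is AWS's own documentation example), not live keys.
SAMPLE_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">PhotoSync</string>
    <string name="aws_access_key">AKIAEXAMPLEEXAMPLE12</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="welcome">Welcome back!</string>
</resources>
"""

# AWS access key IDs have a fixed shape; secret access keys are 40 chars of base64-like text.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
AWS_SECRET_SHAPE = re.compile(r"^[A-Za-z0-9/+=]{40}$")
# Resource names that suggest the value was never meant to live in a client binary.
SENSITIVE_NAME = re.compile(r"secret|password|passwd|token|api_?key|private", re.I)


def scan_text(text):
    """Return every AWS access key ID found in arbitrary text (e.g. strings(1) output of classes.dex)."""
    return AWS_ACCESS_KEY_ID.findall(text)


def scan_strings_xml(xml_text):
    """Flag <string> resources whose value looks like a credential or whose name says it is one.

    Returns a list of (resource_name, reason) tuples so a build step can fail on a non-empty result.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("string"):
        name = node.get("name", "")
        value = (node.text or "").strip()
        if AWS_ACCESS_KEY_ID.search(value):
            findings.append((name, "aws_access_key_id"))
        elif AWS_SECRET_SHAPE.match(value) and SENSITIVE_NAME.search(name):
            findings.append((name, "aws_secret_access_key_shape"))
        elif SENSITIVE_NAME.search(name) and value:
            findings.append((name, "sensitive_resource_name"))
    return findings


if __name__ == "__main__":
    for name, reason in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {reason}")
```

The same check applies to anything else packed into the APK (smali constants, assets, BuildConfig fields); `scan_text` covers the raw-text case.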
Exactly, rule number 1 is always that client data cannot be trusted.
This isn't specific to Android, as you can pull symbols out of many kinds of binaries with some work.

Being silly with your credentials can hurt you, regardless of the platform or using a compiled or interpreted environment.

I believe this vulnerability exists for iOS apps, too. Trustlook may only focus on Android.
This vulnerability exists with EVERY client application. It is just much easier to obtain the applications with Android (as opposed to iOS), which is the only reason I can assume Trustlook focused on Android.

This isn't as much a "vulnerability" as it is a complete misunderstanding of security and the technology they are using. Everything on the client side should be assumed to be obtainable.