Hacker News
by irfan 4376 days ago
The app uses parse.com API for all communication (and probably for all data storage) and I haven't seen it communicating with anything other than parse, getsentry and flurry services.

Does hacking the app mean hacking parse.com?

2 comments

While I was messing around with another app, what I saw was that Parse apps leak their client keys but not the application ID. I did look more into it. Parse does some sort of hashing to make an iid which is sent with each request. I am pretty sure that the iid is made from the app key and the client key. I did mess around a lot with an app using Parse with Charles Web Proxy and a number of decompilation tools. I plan to write about it soon (as soon as I get something concrete).
Maybe the hackers found their API keys in the app binary.
Probably. I took it apart and had a quick look but couldn't find the key. I only had a quick scan of the Application and Activity classes though, and did a search for Parse.initialize (where the key is passed in).
Ok, I took another look and all the Parse keys are in a very obvious place!
I'm interested in how you can conceal these API keys in Android; there does not seem to be any recommended approach.

Obscure methods like wrapping them up in C native code get mentioned. I'm assuming ProGuard does not help?