Context-Inappropriate Capability
Medium
- Confidence
- 95% confidence
- Finding
- The Android example demonstrates obtaining long-lived Alibaba Cloud AccessKey credentials in a mobile-client context, which is unsafe because mobile apps are distributed to untrusted devices and can be reverse engineered, instrumented, or memory-inspected. Even though the snippet uses environment variables, that does not make the credentials safe on Android and it normalizes a static-credential model that conflicts with least-privilege mobile design.
