microsoft-authentication-library-common-for-android
Signature identified as hardcoded secret/password
We use Data Theorem for mobile app security. Based on the latest security report for our app, Data Theorem identified `AZURE_AUTHENTICATOR_APP_RELEASE_SIGNATURE` as a hardcoded secret/password.
Here is the warning message shared by Data Theorem:
Data Theorem’s mobile analyzer reverse-engineered the App and identified keys, passwords, and/or secrets hardcoded in the App's binaries. These keys/passwords/secrets should never appear in the App and could potentially compromise the security of your data.
and the recommendation (possible solution) for the same:
Remove the identified key, passwords, and/or secrets immediately from the App. Anything compiled into the App’s binaries should be considered public, even if the App is obfuscated. There is no way to guarantee the safety of secrets embedded in Apps; thus, they need to be omitted. If the App depends on the secret to communicate with a backend, consider an authentication model in which each client receives a unique secret. Furthermore, if this issue was found in a production release, the hardcoded secret should be revoked and should never be used again.
So, we wanted to know if this should be considered a security issue or a false alarm.
Hello @Microsoft team,
We're encountering the same problem with our application, wondering whether it should be classified as a security concern or merely a false alarm.