What they found: devs leave OAuth keys in the code By Richard Chirgwin, 19 Jun 2014 It's the app developer's equivalent of hiding the door keys under the mat: researchers from Columbia University have found Android apps containing the developers' secret keys.
That's a more serious issue than the old “don't re-use passwords”: the thousands of credentials embedded by developers, blithely assuming they're not visible to an end user, were OAuth tokens valid on other sites. As they researchers write in this paper:
ALIENWARE 17R3 Win 10 Pro x64 / Mac OS X El Capitan (10.11), IPad's, PCs,W 10 & W 8.1 R Pro. W 7 Pro ..Lenovo (VM:10) & Webroot® SecureAnywhere™ Internet Security Complete (Android Samsung Note 4) Beta Tester