Tootfinder

@sean@scoat.es
2025-07-31 22:17:14

It sounds like that Tea app vulnerability (not the one where they had data just open to the world on Firebase, but a second problem) is what I describe in the first paragraph of this post.
You *can’t* rely on user-controlled devices to safely hold credentials that work for more than that one user—especially if the credentials live outside of something like a hardware security module, which they almost certainly do if your app is storing them.