Hardcoded API keys in applications: API keys or other credentials may be hardcoded in web and mobile applications and subject to decompiling attacks, on internet of things devices, or in mobile apps.