LaunchDarkly Mobile Key
Service Name: LaunchDarkly
Service Description: LaunchDarkly is a feature management platform that enables teams to safely deliver and control software through feature flags. It allows developers to separate code deployments from feature releases, giving them control over who sees what features and when.
Service Address: https://launchdarkly.com/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants read-only access to LaunchDarkly feature flags specifically for mobile applications.
Secret Revokement URL: https://app.launchdarkly.com/settings/projects
Secret Example: mob-a1b2c3d4-e5f6-7890-a1b2-c3d4e5f67890
Suspicious Activity Investigation Instructions:
- Review LaunchDarkly audit logs for unusual access patterns or locations
- Check for unexpected feature flag changes or evaluations
- Monitor for unusual API requests using the mobile key
- Verify if the key has been used from unexpected geographic locations
- Look for abnormally high request volumes that could indicate abuse
Mitigation Instructions:
- Log in to your LaunchDarkly account
- Navigate to Account settings > Projects
- Select the project containing the compromised key
- Click on the "Environments" tab
- Find the environment with the exposed mobile key
- Click "Reset SDK key" for the mobile key
- Confirm the reset action
- Update the key in all legitimate mobile applications
- Consider implementing more restrictive targeting rules for sensitive flags