Any credentials shall be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
Reverse engineering of devices and applications can easily discover credentials such as hard-coded usernames and passwords in software. Simple obfuscation methods also used to obscure or encrypt this hard-coded information can be trivially broken. Security-sensitive data that should be stored securely includes, for example, cryptographic keys, device identifiers and initialisation vectors. Secure, trusted storage mechanisms should be used such as those provided by a Trusted Execution Environment and associated trusted, secure storage.
Primarily applies to: Device Manufacturers, IoT Service Providers, Mobile Application Developers