# How do I handle VAPT findings against the SDK?

Common VAPT findings on the SDK, and how to handle each:

* **Hardcoded secrets:** usually the API key / dev ID that your own code passes to the SDK during init. **Keep the API key on your backend, not in the client.**
* **`allowBackup=true` in the SDK module:** override it by setting `android:allowBackup="false"` together with `tools:replace="android:allowBackup"` in your app manifest.
* **Flagged cipher modes:** these belong to a deprecated, inactive feature.
* **V2/V3 certificate signing:** controlled by your app's `signingConfigs`, not the SDK.
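
The `allowBackup` override described above, as an added example (not taken from the SDK or its documentation). It assumes a standard app-level `AndroidManifest.xml`; your existing attributes and components stay as they are.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- App-level manifest (illustrative; merge these attributes into your own file). -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools">
    <!-- xmlns:tools must be declared on <manifest>, otherwise tools:replace
         is not recognised. -->

    <!-- The library module declares android:allowBackup="true". Declaring
         "false" here without tools:replace makes the manifest merger fail
         with an attribute conflict; tools:replace tells the merger to keep
         the app's value for that attribute. -->
    <application
        android:allowBackup="false"
        tools:replace="android:allowBackup">

        <!-- your existing activities, services and providers -->

    </application>
</manifest>
```

Before the re-test, confirm the result in the merged manifest (the "Merged Manifest" tab in Android Studio): the final `<application>` element should carry `android:allowBackup="false"`.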


