The mobile applications contained a URL that included credentials to a third party bug capture API. Access was restricted to pushing bug information.