The OWASP Mobile Top 10 Project is a community-driven effort to identify and prioritize the most critical security risks to mobile applications. The project is led by the OWASP Mobile Application Security (MAS) Project, which is a global community of security professionals dedicated to improving the security of mobile applications.
Security Brigade’s Mobile Application Penetration Testing Service leverages the OWASP Mobile Top 10 Project as one of the standards that we benchmark customer applications against.
The latest version of the OWASP Mobile Top 10 was released in 2023. It includes the following risks:
- Insecure Authentication/Authorization – This risk occurs when mobile apps do not properly authenticate or authorize users. This can allow unauthorized users to access sensitive data or perform unauthorized actions.
- Insecure Communication – This risk occurs when mobile apps do not properly secure their communications. This can allow attackers to intercept or modify sensitive data.
- Inadequate Supply Chain Security – This risk occurs when mobile apps are not properly secured against attacks that target the supply chain. This can include attacks on third-party components, such as libraries and frameworks.
- Inadequate Privacy Controls – This risk occurs when mobile apps do not properly protect the privacy of user data. This can include collecting or storing more data than is necessary, or sharing data with third parties without user consent.
- Improper Credential Usage – This risk occurs when mobile apps do not properly manage user credentials. This can include storing credentials in cleartext, or using weak passwords.
- Insufficient Input / Output Validation – This risk occurs when mobile apps do not properly validate input and output data. This can allow attackers to inject malicious code or data into the app.
- Security Misconfiguration – This risk occurs when mobile apps are not properly configured for security. This can include using default passwords, or enabling unnecessary features.
- Insufficient Cryptography – This risk occurs when mobile apps do not use cryptography properly. This can include using weak encryption algorithms, or storing keys in cleartext.
- Insecure Data Storage – This risk occurs when mobile apps do not properly store sensitive data. This can include storing data in plaintext, or using insecure storage mechanisms.
- Insufficient Binary Protections – This risk occurs when mobile apps are not properly protected against reverse engineering and tampering. This can allow attackers to extract sensitive data from the app, or modify the app to perform malicious actions.
The risks in the OWASP Mobile Top 10 are ranked based on their severity, exploitability, and likelihood of occurrence. The top three risks, Insecure Authentication/Authorization, Insecure Communication, and Inadequate Supply Chain Security, are considered to be the most critical risks to mobile applications.
The OWASP Mobile Top 10 is a valuable resource for mobile app developers, security professionals, and anyone else who is interested in improving the security of mobile applications. The project provides detailed information about each of the risks, as well as recommendations for how to mitigate them.
History of OWASP Top 10 Mobile Application Security Risks
The OWASP Mobile Top 10 has been updated several times since it was first released in 2016. The changes in the latest version reflect the evolving threat landscape and the increasing complexity of mobile applications.
One of the most significant changes in the latest version is the addition of the risk of Inadequate Supply Chain Security. This risk is becoming increasingly important as mobile apps become more complex and rely on a wider range of third-party components.
Another significant change is the reordering of the risks. In the previous version, the risk of Improper Credential Usage was ranked as the most critical risk. However, in the latest version, this risk has been moved to the fifth position. This is because the other risks, such as Insecure Authentication/Authorization and Insecure Communication, are considered to be more critical.
In addition to the OWASP Mobile Top 10 Project, there is also a OWASP Top 10 for Web Application Security Risks.