OWASP Mobile Top 10

Introduction

The OWASP Mobile Top 10 is a list of the most critical security risks affecting mobile applications, published by the OWASP Foundation. It provides a structured overview of common vulnerabilities in Android and iOS apps and is widely used by developers, security teams, and penetration testers as a reference.

Unlike the OWASP Top 10 for web applications, this list focuses on mobile-specific attack surfaces such as:

  • Local data storage
  • Incorrect trust assumptions about the client
  • Reverse engineering
  • Mobile authentication models
  • Integration of third-party SDKs

Link: https://owasp.org/www-project-mobile-top-10/

Relevance for Penetration Testing

Mobile applications operate in an inherently untrusted environment:

  • Attackers may have full control over the device
  • Applications can be extracted and analyzed
  • Network traffic can be intercepted and manipulated
  • Runtime manipulation (e.g. hooking, instrumentation) is possible

As a result, no security assumptions should be made about the client. A key practical insight is that the mobile application is often not the actual attack surface but merely the frontend of a risk that resides in the backend.

In particular for:

  • Authentication (M3)
  • Authorization
  • Communication security (M5)

the actual vulnerabilities are typically located in APIs or backend systems. The mobile app primarily acts as a transport and attack vector, even though secure local data handling remains relevant.

The OWASP Mobile Top 10 reflects this reality, but also mixes mobile-specific and backend-related risks. This should be considered when interpreting the categories. Nevertheless, it is commonly used to structure mobile security assessments.

Relation to Other OWASP Standards

The OWASP Mobile Top 10 should be used in combination with other OWASP projects:

  • OWASP Mobile Security Testing Guide (MSTG)
  • OWASP Mobile Application Security Verification Standard (MASVS)

While the Mobile Top 10 primarily defines risk categories, MSTG and MASVS provide:

  • Concrete testing methodologies
  • Verifiable security requirements
  • Implementation guidance

OWASP Mobile Top 10 (2024)

### M1: Improper Credential Usage

Description

Improper handling or storage of credentials within the application.

Typical Issues

  • Hardcoded API keys or secrets
  • Storage of credentials in plaintext
  • Insecure token handling

Impact

Attackers can extract credentials and use them for unauthorized access.

### M2: Inadequate Supply Chain Security

Description

Security risks introduced through third-party components and dependencies.

Typical Issues

  • Use of outdated libraries
  • Inclusion of vulnerable or compromised SDKs
  • Missing integrity validation

Context

This area is becoming increasingly important: modern mobile applications often integrate numerous external components, such as:

  • Analytics
  • Advertising
  • Tracking
  • Payment

Developers often have no visibility into the source code of these components, especially for proprietary SDKs. This creates a structural risk, as security-relevant behavior lies outside of their control.

Impact

Compromise via third-party components without directly attacking the application.

### M3: Insecure Authentication / Authorization

Description

Flawed or insufficient authentication and authorization mechanisms.

Typical Issues

  • Missing server-side validation
  • Insecure session management
  • Weak authentication requirements

Context

In practice, these issues are usually backend problems, not app problems. The mobile application merely exposes them.

Impact

Unauthorized access to user accounts and functionality.
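The "missing server-side validation" point above is easiest to see in backend code. The following is an added example, not code from the OWASP project or from this page: a minimal order lookup in plain Java with constructed in-memory stores (the `OrderApi` class, the `sessionToUser` and `orderToOwner` maps and the sample tokens and ids are all assumptions made for the illustration). The vulnerable variant trusts the user id the app sends along with the request; the hardened variant derives the user from the server-validated session and then performs an object-level ownership check.

```java
// Added example (not from the OWASP page): identity must come from the validated
// session on the server, never from a user id supplied by the mobile client.
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class OrderApi {

    // Constructed in-memory stores standing in for a session cache and a database.
    private final Map<String, String> sessionToUser = new HashMap<>(); // session token -> userId
    private final Map<String, String> orderToOwner = new HashMap<>();  // orderId -> owning userId

    public OrderApi() {
        sessionToUser.put("tok-alice", "alice");
        sessionToUser.put("tok-bob", "bob");
        orderToOwner.put("order-1", "alice");
        orderToOwner.put("order-2", "bob");
    }

    /** Vulnerable: trusts the userId that arrives in the request body or query string. */
    public Optional<String> getOrderVulnerable(String userIdFromClient, String orderId) {
        String owner = orderToOwner.get(orderId);
        if (owner != null && owner.equals(userIdFromClient)) {
            return Optional.of("order " + orderId + " for " + owner);
        }
        return Optional.empty();
    }

    /** Hardened: the user is looked up from the session token; the client claim is ignored. */
    public Optional<String> getOrderHardened(String sessionToken, String orderId) {
        String userId = sessionToUser.get(sessionToken);      // authentication
        if (userId == null) {
            return Optional.empty();                           // no valid session
        }
        String owner = orderToOwner.get(orderId);
        if (owner == null || !owner.equals(userId)) {          // authorization (object level)
            return Optional.empty();                           // same answer as "not found"
        }
        return Optional.of("order " + orderId + " for " + owner);
    }

    public static void main(String[] args) {
        OrderApi api = new OrderApi();
        // A request carrying Bob's session but claiming userId "alice" in the body:
        // the vulnerable path answers based on the claim, the hardened path on the session.
        System.out.println("vulnerable: " + api.getOrderVulnerable("alice", "order-1").isPresent());
        System.out.println("hardened, other user's order: " + api.getOrderHardened("tok-bob", "order-1").isPresent());
        System.out.println("hardened, own order: " + api.getOrderHardened("tok-bob", "order-2").isPresent());
    }
}
```

Returning the same empty result for "not found" and "not yours" keeps the API from leaking which order ids exist; the session lookup should be backed by a real session store or a verified signed token in production.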

### M4: Insufficient Input / Output Validation

Description

Improper validation of input and output data.

Typical Issues

  • Injection vulnerabilities
  • Unsafe handling of external data
  • Missing sanitization

Impact

Application manipulation or execution of malicious input.
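"Unsafe handling of external data" on mobile very often means a deep link or intent parameter that ends up in a WebView or a navigation decision. The following is an added example, not code from the OWASP project or this page: a plain-Java validator (using `java.net.URI` so it runs on any JVM; an Android app would apply the same checks to `android.net.Uri`). The `DeepLinkValidator` class and the `ALLOWED_HOSTS` entries are assumptions for the illustration.

```java
// Added example (not from the OWASP page): allow-list validation of a URL taken
// from a deep link before it is loaded into a WebView or used for routing.
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class DeepLinkValidator {

    // Constructed allow-list; a real app lists only the hosts it actually controls.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "help.example.com");

    /** Returns the normalised URL if it is safe to load, otherwise null. */
    public static String sanitizeWebViewUrl(String raw) {
        if (raw == null) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            return null;                                   // not a URL at all
        }
        // Only https: javascript:, file:, content: and intent: schemes are all rejected.
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return null;
        }
        String host = uri.getHost();                       // null for malformed authorities
        if (host == null) {
            return null;
        }
        // Exact host match: endsWith("example.com") would also accept "evilexample.com".
        if (!ALLOWED_HOSTS.contains(host.toLowerCase())) {
            return null;
        }
        // Reject embedded credentials ("https://trusted@evil/"), a common host-spoofing trick.
        if (uri.getUserInfo() != null) {
            return null;
        }
        return uri.normalize().toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: only the first one should survive the checks.
        String[] constructed = {
            "https://app.example.com/account?tab=1",
            "https://evilexample.com/",
            "https://app.example.com@evil.example/login",
            "javascript:alert(1)",
            "file:///sdcard/page.html",
            "http://app.example.com/",
        };
        for (String s : constructed) {
            System.out.println(s + " -> " + sanitizeWebViewUrl(s));
        }
    }
}
```

The check is deliberately a positive allow-list (scheme and host) rather than a block-list of bad prefixes; the same pattern applies to any external value the app turns into a file path, an intent target or a query.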

### M5: Insecure Communication

Description

Insecure communication between app and backend.

Typical Issues

  • Missing or weak TLS
  • Improper certificate validation
  • Lack of certificate pinning

Context

Here as well, the root cause often lies in the interaction with the backend. The app is primarily the entry point for attacks such as Man-in-the-Middle.

Impact

Man-in-the-Middle attacks and data exposure.

### M6: Inadequate Privacy Controls

Description

Insufficient protection of personal or sensitive data.

Typical Issues

  • Excessive data collection
  • Lack of transparency
  • Improper handling of personal data

Impact

Privacy violations and regulatory risks (e.g. GDPR).

### M7: Insufficient Binary Protections

Description

Missing protections against reverse engineering and tampering.

Typical Issues

  • No code obfuscation
  • Missing root/jailbreak detection
  • No integrity checks

Impact

Attackers can analyze the application and bypass security controls.

### M8: Security Misconfiguration

Description

Misconfiguration within the application or platform.

Typical Issues

  • Debug features enabled in production
  • Insecure default settings
  • Misconfigured permissions

Impact

Increased attack surface and easier exploitation.

### M9: Insecure Data Storage

Description

Insecure storage of sensitive data on the device.

Typical Issues

  • Plaintext storage
  • Use of insecure storage locations
  • Missing encryption

Context

The distinction from M1 (Credentials) is often blurred in practice. For example, storing a password in plaintext is both a credential and a storage issue.

Impact

Local attackers can extract sensitive data.

### M10: Insufficient Cryptography

Description

Incorrect or insecure use of cryptographic mechanisms.

Typical Issues

  • Outdated algorithms
  • Poor key management
  • Custom cryptography implementations

Context

There are also overlaps here, particularly with:

  • M1 (Credential Handling)
  • M9 (Data Storage)

Cryptographic weaknesses often amplify other vulnerabilities.

Impact

Security mechanisms can be broken or bypassed.
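"Outdated algorithms", "poor key management" and "custom cryptography" typically show up together as a passphrase hashed with MD5 and used directly as an AES key in ECB mode. The following is an added example, not code from the OWASP project or this page: plain Java that runs on any JVM (the `KeyDerivation` class name, the constructed passphrase and the sample plaintext are assumptions). It shows why ECB leaks structure and contrasts it with PBKDF2-HMAC-SHA256 key derivation with a random salt plus AES-GCM with a fresh random IV.

```java
// Added example (not from the OWASP page): weak vs. hardened key derivation and mode choice.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyDerivation {

    /** Weak: unsalted MD5 of the passphrase used as a 128-bit AES key (a common "custom crypto" pattern). */
    public static byte[] weakKey(String passphrase) throws Exception {
        return MessageDigest.getInstance("MD5").digest(passphrase.getBytes(StandardCharsets.UTF_8));
    }

    /** Weak: AES in ECB mode encrypts equal plaintext blocks to equal ciphertext blocks. */
    public static byte[] encryptEcb(byte[] key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return c.doFinal(plaintext);
    }

    /** Hardened: PBKDF2-HMAC-SHA256 with a random salt and a high iteration count, 256-bit key. */
    public static SecretKey deriveKey(char[] passphrase, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();                              // do not keep the passphrase around
        return new SecretKeySpec(raw, "AES");
    }

    /** Hardened: AES-GCM with a fresh 12-byte IV; output layout is IV || ciphertext || tag. */
    public static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);                  // never reuse an IV with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed plaintext: two identical 16-byte blocks.
        byte[] repeated = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".getBytes(StandardCharsets.UTF_8);

        byte[] ecb = encryptEcb(weakKey("hunter2"), repeated);
        // Under ECB the two ciphertext blocks are identical, revealing the repetition in the plaintext.
        System.out.println("ECB block 1 equals block 2: "
                + Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32)));

        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);                // store the salt next to the ciphertext
        SecretKey key = deriveKey("hunter2".toCharArray(), salt, 600_000);
        byte[] gcm1 = encryptGcm(key, repeated);
        byte[] gcm2 = encryptGcm(key, repeated);
        // With a random IV, encrypting the same data twice yields different output.
        System.out.println("GCM outputs differ: " + !Arrays.equals(gcm1, gcm2));
    }
}
```

The iteration count is a tunable cost, chosen so derivation takes a noticeable fraction of a second on the target devices; the salt and IV are not secret and are stored alongside the ciphertext. Where the key does not need to be derived from user input at all, a Keystore-resident key (see M9) removes the key-management problem entirely.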

Conclusion

The OWASP Mobile Top 10 provides a concise and practical overview of the most relevant security risks in mobile applications.

It is particularly useful for:

  • Initial risk assessments
  • Structuring security reviews
  • Raising awareness among development teams

For in-depth security analysis, it must be combined with advanced methodologies and manual testing.

binsec academy GmbH – Advanced Pentest Training Lab

binsec academy GmbH operates the Pentest Training Lab, a highly practical online platform dedicated to real penetration testing. Simulating complex corporate networks and advanced real-world attack scenarios within isolated lab environments, it is engineered to sharpen the skills of aspiring and professional penetration testers. Upon conquering our rigorous, fully practical examination, participants earn the distinguished Binsec Academy Certified Pentest Professional (BACPP) designation — proving their technical capability to methodically uncover and evaluate vulnerabilities in modern IT infrastructures.

Explore the Pentest Training Lab

binsec GmbH – Experts in Penetration Testing

As the operative pentesting core of the binsec group, binsec GmbH has provided high-end, human-led penetration testing since 2013. Rejecting automated scans, our permanently employed, certified senior pentest experts deliver manual deep-dive assessments of web applications, APIs, mobile apps, complex network infrastructures, cloud environments, and advanced red team simulations. Specializing in high-regulation sectors like Payment, Banking, and Healthcare, we provide clear risk evaluations and actionable reports to effectively assess your business-critical systems.

Get Manual Expert Penetration Testing Services

Contact

binsec GmbH
Clemensstraße 6-8
60487 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808