OWASP: Top 10 Mobile Application Risks
The OWASP Top 10 Mobile Application Risks includes the most critical vulnerabilities that criminals can exploit
As the saying goes, good things come to those who wait. Eight years later, the OWASP Foundation has published a new version of its Top 10 Mobile Application Risks. This list classifies and ranks the principal vulnerabilities in the billions of smartphones we use daily.
In the last eight years, the world has changed dramatically, and in few areas this is more evident than in the use of mobile phones. Today, smartphones are practically a technological continuation of our bodies. We use them in all areas of our lives, from professional and business relationships to personal and family ones. Many critical aspects of our lives are stored on these devices: confidential information about our work, banking and health data, intimate photos and messages… The list could go on and on.
What is the unintended consequence of the relevance of mobile phones in our lives? Mobile applications have become a priority target for cybercriminal groups.
That is why OWASP, a non-profit foundation that has become a global benchmark in cybersecurity knowledge generation, has updated its Top 10 Mobile App Risks to adapt them to today’s threat landscape.
Below, we will break down each of the 10 vulnerabilities that make up the OWASP Mobile Top 10 in its 2024 version.
Main changes in the Top 10 Mobile App Risks compared to 2016
The transformation that mobiles have undergone in recent years has been transferred to the Top 10 Mobile Application Risks. So much so that the most critical vulnerability in the 2016 Top 10, improper platform use, does not even appear on the 2024 list. What other aspects can we highlight?
- Four new vulnerabilities have been added, two of which have been classified as the two most critical risks in mobile apps today: improper use of credentials and inadequate supply chain security.
- As many as four vulnerabilities from the Top 10 Mobile App Risks 2016 have been merged into two categories in 2024: insecure authentication and insecure authorisation are now treated as a single vulnerability, while code manipulation and reverse engineering now make up the category of insufficient binary protections.
- Three vulnerabilities remain in the Top 10 Mobile App Risks. However, they dropped in the ranking compared to 2016: insecure communication, insecure data storage and insufficient cryptography. Particularly notable is the case of insecure data storage, which has moved from being the second most crucial vulnerability in 2016 to ninth place in the Top 10 Mobile App Risks of 2024.
- In addition to platform misuse, poor-quality code was another risk that fell out of the OWASP ranking. At the same time, the superfluous functionality vulnerability has been reworded to create a new, more generic category: security misconfiguration.
How do the Top 10 Mobile Application Risks work?
Each of the ten entries that make up the Top 10 Mobile Application Risks describes:
- Threat actors.
- Attack vectors.
- Security weaknesses, including how prevalent the vulnerability is and how easily its exploitation can be detected.
- Technical and business impact.
- Indicators to detect that a mobile application may be vulnerable.
- Recommendations to prevent the vulnerability.
- Examples of attack scenarios.
Let us go through the different vulnerabilities that comprise OWASP Top 10 Mobile Application Risks individually.
M1. Misuse of credentials
Exploitation: Easy
Detectability: Easy
Technical impact: Severe
Business impact: Severe
Why does this category rank first in the Top 10 Mobile Application Risks? OWASP warns that exploiting and misusing encrypted credentials is a relatively simple task, mainly because automated attacks can be carried out using publicly available tools. To what end? To gain unauthorised access to critical information and functionality of mobile applications.
Exploiting this vulnerability can lead to data theft, loss of people’s privacy, use of the extracted information to commit financial fraud, and damage to the reputation of the companies and citizens who have been victims of an attack.
How can this vulnerability be prevented?
A mobile application audit can identify all issues related to poor credential management. For example, an audit following OWASP’s guidance can detect credentials hard-coded in the source code of a mobile app.
The four leading indicators that an application may suffer from poor credential management are:
- Encrypted credentials.
- Insecure transmission of credentials.
- Insecure credential storage.
- Weak user authentication.
The two best ways to prevent this mobile app security risk are:
- Avoid using hard-coded credentials in a mobile app’s code and configuration files.
- Store, transmit and authenticate user credentials securely: for example, encrypt them in transit, do not store credentials on the mobile device, implement rigorous authentication protocols and rotate API keys regularly.
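As an added illustration of the audit step described above (this is example code, not part of the OWASP list or of Tarlogic’s tooling), the following scanner flags credentials embedded in source or configuration text. The variable-name list, the placeholder filter and the sample source fragment are assumptions constructed for the demonstration; a real audit would extend the patterns to the secret formats used by the app under review.

```python
"""Scan source text for credentials embedded in code or configuration.

Added example (not from the OWASP page or Tarlogic): a minimal audit helper that
flags assignments to secret-looking variable names and two well-known key formats.
All sample inputs below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Variable names that usually carry a secret (assumption: extend for your code base).
SECRET_NAMES = r"(?:password|passwd|pwd|secret|api[_-]?key|token|private[_-]?key)"

# name = "literal"  /  name: 'literal'  (covers Python, Kotlin, Swift, JSON, YAML, .properties)
CREDENTIAL_ASSIGNMENT = re.compile(
    r"(?i)\b" + SECRET_NAMES + r"\b\s*[:=]\s*['\"]([^'\"]{4,})['\"]")

PATTERNS = [
    ("hard-coded credential", CREDENTIAL_ASSIGNMENT),
    # AWS-style access key id: format check only, no real key is involved
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Private key material pasted into a file
    ("private key block", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
]

# Values that are placeholders rather than secrets, to keep the report readable.
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|todo|xxx+|\$\{.+\}|<.+>)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    excerpt: str


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that looks like it carries a credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else ""
            if value and PLACEHOLDERS.match(value):
                continue  # environment placeholder or template value, not a secret
            findings.append(Finding(line_no, kind, line.strip()[:80]))
            break  # one finding per line is enough
    return findings


# Constructed sample: a fragment of a mobile app's config and code.
SAMPLE_SOURCE = """\
# constructed sample of an app's build config
API_KEY = "sk_live_example_1234567890"
password = "${DB_PASSWORD}"
aws_key = AKIAEXAMPLEKEY000001
timeout = 30
token: 'CHANGEME'
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(f"line {finding.line_no}: {finding.kind}: {finding.excerpt}")
```

Run over the constructed sample, the scanner reports the literal API key on line 2 and the AWS-style key id on line 4, while the `${DB_PASSWORD}` placeholder and the `CHANGEME` value are ignored; the same function can be applied to every file in a repository as part of the pre-release audit.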
M2. Inadequate supply chain security
Exploitation: Average
Detectability: Difficult
Technical Impact: Severe
Business Impact: Severe
Supply chain attacks are one of the most dangerous trends in today’s threat landscape. When it comes to mobile applications, a malicious actor can manipulate an app’s functionality by exploiting vulnerabilities in its supply chain. For what purpose? To steal data, spy on a citizen via their mobile phone, or even take control of the device.
Criminals can also exploit vulnerabilities in third-party libraries to access mobile applications or server backends. This allows them not only to access and manipulate sensitive data but also to carry out denial-of-service attacks.
As a result, OWASP Top 10 Mobile Application Risks shows that exploiting security flaws in the supply chain can lead to:
- Data breaches.
- Malware infections, which can be used to steal information from mobile devices or carry out other malicious activities.
- Unauthorised access to the app’s servers or the user’s device.
- Compromise of the entire application system, which may even force the application to shut down.
Given the level of criticality of the consequences we have just outlined, it should be no surprise that exploiting this kind of vulnerability can lead to financial losses, severe reputational damage, supply chain disruption and even legal problems.
How do you prevent this vulnerability?
Unlike the category that ranks first in OWASP Top 10 Mobile Application Risks, supply chain security issues are challenging to detect. That’s why it’s critical to audit apps developed by other companies and your apps that use third-party components or rely on libraries.
To assist in the detection of supply chain vulnerabilities, OWASP identifies four primary reasons why they occur:
- Security issues in third-party components, such as libraries.
- Malicious insider threats, enabled by oversight or by failure to apply appropriate security controls.
- Poor security testing and security validation. For example, the developer has not subjected the mobile application to an in-depth security audit.
- Lack of security awareness of the professionals developing the applications.
In light of these causes, OWASP Top 10 Mobile Application Risks proposes five significant steps to prevent supply chain vulnerabilities:
- Opt for a secure development model from design and throughout the entire software lifecycle.
- Implement secure application signing and distribution processes to prevent malware distribution.
- Use only validated third-party libraries and components in development.
- Implement security controls for application updates, patches and releases before they are made public.
- Perform supply chain security audits to detect vulnerabilities before they are exploited.
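One concrete form of the third step above, using only validated third-party components, is to refuse any dependency whose digest does not match a pinned value. The following is an added example (not part of the OWASP list or of any real build tool): it parses a manifest written in the style of pip’s `--hash` pins and checks each downloaded artifact against it. The manifest format, the package names and the artifact bytes are assumptions constructed for the demonstration.

```python
"""Verify third-party artifacts against pinned SHA-256 digests before use.

Added example, not from the OWASP page or from any real build tool. A manifest
line has the form  name==version --hash=sha256:<64 hex chars>  and every line
must be pinned; anything else is rejected. Artifacts below are constructed.
"""
import hashlib
import hmac
import re

PIN_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})\s*$")


def parse_manifest(text):
    """Map (name, version) -> expected hex digest; raise on unpinned or malformed lines."""
    pins = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_LINE.match(line)
        if not match:
            raise ValueError(f"unpinned or malformed dependency line: {line!r}")
        pins[(match["name"], match["version"])] = match["digest"]
    return pins


def manifest_is_valid(text):
    try:
        parse_manifest(text)
        return True
    except ValueError:
        return False


def verify_artifacts(pins, artifacts):
    """Return {(name, version): 'ok' | 'mismatch' | 'missing-pin'} for each artifact."""
    results = {}
    for key, data in artifacts.items():
        expected = pins.get(key)
        if expected is None:
            results[key] = "missing-pin"      # never build with an unpinned component
            continue
        actual = hashlib.sha256(data).hexdigest()
        results[key] = "ok" if hmac.compare_digest(actual, expected) else "mismatch"
    return results


# Constructed sample: the bytes of a validated SDK build, and a manifest that pins it.
GOOD_SDK = b"constructed bytes standing in for analytics-sdk 2.1.0"
MANIFEST = f"""\
# constructed manifest for the demonstration
analytics-sdk==2.1.0 --hash=sha256:{hashlib.sha256(GOOD_SDK).hexdigest()}
crash-reporter==0.9.4 --hash=sha256:{'0' * 64}
"""

# Constructed downloads: one genuine, one that differs from the pinned build, one never pinned.
ARTIFACTS = {
    ("analytics-sdk", "2.1.0"): GOOD_SDK,
    ("crash-reporter", "0.9.4"): b"a different build of crash-reporter",
    ("ads-helper", "1.0.0"): b"library nobody pinned",
}


def check_sample():
    return verify_artifacts(parse_manifest(MANIFEST), ARTIFACTS)


if __name__ == "__main__":
    for (name, version), status in check_sample().items():
        print(f"{name} {version}: {status}")
```

The important property is that both failure modes stop the build: a digest mismatch means the component is not the one that was validated, and a missing pin means it was never validated at all.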
M3. Insecure authentication and authorisation
Exploitation: Easy
Detectability: Average
Technical impact: Severe
Business impact: Severe
First, we must point out the difference between authentication and authorisation. The former identifies a user, while the latter checks the user’s permission level to perform a specific action.
The Top 10 Mobile Application Risks warns that authentication and authorisation vulnerabilities are usually exploited through automated attacks using available tools or tools that are custom-developed to exploit a given vulnerability. The most commonly used techniques are the deployment of malware and the use of botnets.
Malicious actors carry out exploitation in two primary ways:
- They bypass the app’s authentication, sending requests directly to the backend server so that no direct interaction with the app takes place.
- They log into the app as if they were a legitimate user, bypassing the authentication check, then look for a vulnerable endpoint and execute administrator functions.
User authentication and authorisation problems can lead to the execution of over-privileged functionality and actions, which can lead to the theft of sensitive information and even the destruction of systems.
How can this vulnerability be prevented?
To facilitate the detection of vulnerabilities in authentication and authorisation systems, OWASP proposes a series of indicators that may be useful for developers and cybersecurity specialists:
- Insecure direct object reference (IDOR) vulnerabilities, which can indicate that user authorisation is not being properly checked.
- Hidden endpoints, which have not been subjected to authorisation checks.
- Transmission of user roles or permissions to the backend as part of a request.
- Execution of a request for backend API services without providing a token.
- Storing passwords on mobile.
- Weak password policy.
- Use of features such as FaceID and TouchID.
In terms of prevention, the Top 10 Mobile Application Risks suggests:
- Avoid insecure design patterns.
- Strengthen authentication, assuming that client-side authentication controls can be circumvented by malicious actors, and therefore enforce the controls on the server side.
- Prevent insecure authorisation, e.g. by requiring backend systems to verify the roles and permissions of authenticated users or by enforcing server-side authorisation controls.
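To make the last two recommendations concrete, here is an added example (not from the OWASP list) of a backend endpoint in two versions: one that trusts the user id and role sent in the request, which is exactly the indicator “transmission of user roles or permissions to the backend” and an IDOR, and a hardened one that resolves identity from the session token and role and ownership from server-side data. The user store, records and session handling are assumptions constructed for the demonstration.

```python
"""Server-side authorisation for a mobile backend endpoint.

Added example, not from the OWASP page. The insecure handler believes whatever
the client says about who it is; the secure handler derives identity from the
session token and checks ownership on the server. All data is constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "user" or "admin", held only on the server


# Constructed data: registered users and the records they own.
USERS = {1: User(1, "user"), 2: User(2, "user"), 3: User(3, "admin")}
RECORDS = {101: {"owner": 1, "balance": 250}, 102: {"owner": 2, "balance": 900}}
SESSIONS = {}  # session token -> user_id, populated by login()


class AuthError(Exception):
    pass


def login(user_id):
    """Issue an unguessable session token after (assumed) successful authentication."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_record_insecure(request):
    """Vulnerable: trusts the user id and role the client put in the request body."""
    record = RECORDS[request["record_id"]]
    if request.get("role") == "admin" or record["owner"] == request.get("user_id"):
        return record
    raise AuthError("forbidden")


def get_record_secure(request):
    """Hardened: identity from the session token, role from USERS, ownership checked."""
    user_id = SESSIONS.get(request.get("token"))
    if user_id is None:
        raise AuthError("invalid or missing session token")  # no token, no access
    user = USERS[user_id]
    record = RECORDS.get(request.get("record_id"))
    if record is None:
        raise AuthError("not found")  # do not reveal which ids exist
    # Ownership check defeats IDOR; admin status comes from USERS, never from the request.
    if record["owner"] != user.user_id and user.role != "admin":
        raise AuthError("forbidden")
    return record


def is_denied(handler, request):
    """True if the handler refuses the request with AuthError."""
    try:
        handler(request)
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    token = login(1)
    print(get_record_secure({"token": token, "record_id": 101}))
    print("other user's record denied:", is_denied(get_record_secure, {"token": token, "record_id": 102}))
    print("client-claimed admin role ignored:",
          is_denied(get_record_secure, {"token": token, "record_id": 102, "role": "admin"}))
```

Note that in the hardened handler any `role` or `user_id` field the client includes is simply never read; the only client-controlled input that matters is the session token, which is issued by the server and cannot be forged.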
M4. Insufficient validation of input and output data
Exploitation: Difficult
Detectability: Easy
Technical Impact: Severe
Business impact: Severe
The Top 10 Mobile Application Risks alerts developers to insufficient validation and sanitisation of data from external sources, such as user input or network data. Why? Because such data can introduce critical security vulnerabilities.
Applications that do not validate data properly are exposed to SQL injection, command injection and cross-site scripting (XSS) attacks. Through these attacks, criminals can steal and manipulate data, execute malicious code that causes the application to stop working, and eventually compromise the application and take control of it.
How do you prevent this vulnerability?
OWASP’s Top 10 Mobile Application Risks lists five major causes of this vulnerability:
- Lack of user input validation exposes the app to injection attacks.
- Poor output data sanitisation can allow criminals to execute malicious scripts.
- Failure to consider specific validation requirements based on the data context may allow path-based attacks.
- Failure to perform data integrity checks may lead to data corruption or illegitimate modifications.
- Lack of secure coding practices.
To prevent vulnerabilities related to the validation of data input and output, the Top 10 Mobile Application Risks proposes:
- Validate and sanitize user input.
- Apply restrictions on the length of input data.
- Sanitise (escape) output data to prevent XSS attacks.
- Employ secure coding techniques and practices.
- Perform context-based validation of data to prevent path-based attacks.
- Check data integrity and prevent data corruption.
- Conduct regular mobile application security audits. Pentesting services and auditing the application code can also be essential.
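The following added example (not code from the OWASP list) shows the first four recommendations in one place: a length limit, an allow-list for identifiers, context-based validation of a client-supplied file name so it cannot escape an upload directory, output escaping before text reaches a web view, and a parameterised query so that a quote in the input is data rather than SQL. The directory layout, the table and the sample inputs are assumptions constructed for the demonstration.

```python
"""Context-aware validation of input received by a mobile backend.

Added example, not from the OWASP page: length limits, an identifier allow-list,
a path check for client-supplied file names, output escaping for HTML, and a
parameterised SQL lookup. Sample data and inputs are constructed.
"""
import html
import posixpath
import re
import sqlite3

MAX_FIELD_LEN = 256                          # assumption: cap for short text fields
IDENT = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # allow-list for ids used in queries and paths


class ValidationError(ValueError):
    pass


def validate_length(value, limit=MAX_FIELD_LEN):
    if not isinstance(value, str) or not value or len(value) > limit:
        raise ValidationError("field missing, not text, or too long")
    return value


def validate_identifier(value):
    if not isinstance(value, str) or not IDENT.match(value):
        raise ValidationError("identifier contains disallowed characters")
    return value


def resolve_upload_path(base_dir, user_supplied):
    """Join a client-supplied file name under base_dir and reject any escape from it."""
    name = validate_length(user_supplied, 255)
    if "\x00" in name:
        raise ValidationError("NUL byte in file name")
    base = posixpath.normpath(base_dir)
    # normpath collapses '..' segments; an absolute name discards base in join(), so the
    # containment check below catches both traversal and absolute paths.
    resolved = posixpath.normpath(posixpath.join(base, name))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValidationError("path escapes the upload directory")
    return resolved


def render_comment(text):
    """Escape on output so stored text cannot become markup in a WebView or web page."""
    return html.escape(validate_length(text), quote=True)


def make_db():
    """Constructed in-memory table standing in for the backend's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "a@example.com"), ("o'brien", "o@example.com")])
    return conn


def find_email(conn, name):
    """Parameterised query: the name is bound as a value, never spliced into SQL text."""
    validate_length(name)
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def rejects(func, *args):
    """True if func raises ValidationError for these arguments."""
    try:
        func(*args)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(resolve_upload_path("/srv/uploads", "report.pdf"))
    print("traversal rejected:", rejects(resolve_upload_path, "/srv/uploads", "../../etc/passwd"))
    print(render_comment('<b onmouseover="x">hi</b>'))
    print(find_email(make_db(), "o'brien"))
```

The path check deliberately works on the normalised string rather than on the raw input, so `a/../b.txt` is accepted as `/srv/uploads/b.txt` while anything that normalises outside the base directory is rejected, whichever encoding of `..` the client used.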
M5. Insecure communication
Exploitation: Easy
Detectability: Average
Technical impact: Severe
Business impact: Moderate
The applications we have installed on our mobile phones exchange information with several remote servers. This means that a malicious actor can intercept and modify the data in transit if the application uses obsolete encryption protocols or transmits data in plain text. For what purpose? To obtain sensitive information, impersonate the victim to carry out fraud, and intercept user credentials and the tokens used as a second authentication factor to access specific applications.
How can insecure communication vulnerabilities be exploited?
Malicious actors detect flaws in SSL/TLS cryptographic protocols or their implementation in the application:
- Outdated or misconfigured protocols.
- Acceptance of self-signed, revoked or expired SSL certificates.
- Inconsistency in the use of protocols, since some workflows do have them, but others do not.
How can this vulnerability be prevented?
This category of the Top 10 Mobile Application Risks is vast, as it encompasses all kinds of data transmissions and includes all the communication technologies used by our mobiles: TCP/IP, WiFi, Bluetooth, NFC, etc.
Therefore, in addition to carrying out a security audit of mobile applications, it may also be essential to conduct analyses of specific technologies such as Bluetooth, for which BSAM, the Bluetooth Security Assessment Methodology developed by Tarlogic, can be used.
OWASP proposes a series of best practices specific to iOS and Android, as well as multiple general recommendations that help reduce weaknesses linked to insecure mobile application communications:
- Assume that the network layer is insecure and, therefore, susceptible to eavesdropping by attackers.
- Apply SSL/TLS to the mobile application’s transport channels to transmit sensitive information to a backend API or web service.
- Implement an encryption layer to any sensitive data before delivering it to the SSL channel.
- Be aware of external entities, such as social networks, and use SSL/TLS when the application runs a routine through the browser.
- Use robust and industry-compliant cipher suites.
- Use certificates signed by trusted providers. Never allow self-signed certificates, and pin certificates for security-conscious applications.
- Require SSL chain verification.
- Verify the identity of the endpoint server before establishing secure communication.
- Alert users via the interface if the mobile application detects an invalid certificate.
- Never send sensitive information through alternative channels, such as SMS messages.
- Apply a separate layer of encryption to sensitive data before it goes over the SSL channel.
- Perform mobile application security audits to analyze the application’s traffic and check if some traffic passes through plaintext channels.
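As an added example of the certificate and protocol recommendations above (this is not code from the OWASP list; it uses Python’s standard `ssl` module to stand in for a mobile app’s HTTP client), the block below builds a strict client context and audits any context for the three mistakes that let someone on the network path intercept traffic: no chain verification, no hostname check, and legacy protocol versions. No connection is made; the `ca_bundle` parameter is an assumption for apps that pin a private CA.

```python
"""Audit a client-side TLS configuration for the weaknesses listed above.

Added example, not from the OWASP page. strict_client_context() is the
configuration an app's backend connection should use; weak_client_context()
reproduces the common mistake of disabling verification; audit_tls_context()
reports findings as short codes. No network connection is made.
"""
import ssl


def strict_client_context(ca_bundle=None):
    """Hostname checked, chain verified, TLS 1.2 or newer.

    ca_bundle: optional path to a private CA file (assumption: an app that pins its
    backend's CA passes it here instead of relying on the system trust store).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # enables check_hostname and CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and 1.1
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs()
    return ctx


def weak_client_context():
    """The pattern that accepts self-signed, expired or revoked certificates for any name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # the certificate chain is not verified at all
    return ctx


def audit_tls_context(ctx):
    """Return a list of finding codes; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-tls-allowed")
    return findings


if __name__ == "__main__":
    print("strict:", audit_tls_context(strict_client_context()))
    print("weak:  ", audit_tls_context(weak_client_context()))
```

The audit function is the reusable part: pointed at whatever context an app’s networking layer actually constructs, it turns the checklist above into a test that fails the build when verification is switched off for a debugging session and never switched back on.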
M6. Inadequate privacy controls
Exploitation: Average
Detectability: Easy
Technical impact: Low
Business impact: Severe
Privacy controls on mobile applications are essential to protect users’ information, from their names to their credit card details, email addresses, and political views.
As we see in many cyber-attacks that occur week after week, citizens’ data is one of the main targets for criminals. Why? With this information, they can carry out extortion and financial fraud and damage the reputation of their victims.
Hence, although the exploitation of vulnerabilities in privacy controls may not significantly impact an application’s functioning, the consequences can be severe, both for the company that has developed the app and its users. Companies can be exposed to legal problems, as data protection is strictly regulated through regulations such as the GDPR.
How can this vulnerability be prevented?
OWASP Top 10 Mobile Application Risks identifies three main scenarios that can lead to inadequate privacy controls and thus expose sensitive user information:
- Data is being stored and communicated insecurely.
- Poor authentication and authorization to access data.
- Internal attacks on the app sandbox.
To prevent privacy breaches for citizens using mobile apps, OWASP recommends conducting a security audit that analyses all personally identifiable information assets and answers questions such as “Is all the personally identifiable information processed by the app necessary?”, and then deleting all private data that is not essential for the app’s operation.
In addition, it is also advisable not to store or transfer sensitive information unless it is indispensable. If it is stored, it must be protected by an effective authentication and authorisation system.
Threat modeling can also be invaluable in determining the most likely avenues of exploitation and taking action to prevent them.
Furthermore, the Top 10 Mobile Application Risks recommends performing static and dynamic analysis to detect bugs and weaknesses before malicious actors successfully exploit them.
M7. Insufficient binary protections
Exploitation: Easy
Detectability: Easy
Technical impact: Moderate
Business impact: Moderate
Application binaries are critical assets because they may contain secrets such as commercial API keys or are valuable in themselves, for example, because they contain pre-trained AI models.
In addition to accessing the information in the binaries, some attackers may try to manipulate them, for example to bypass the app’s security controls.
OWASP also warns that there is a possibility that copies of legitimate apps can be created with malicious code and distributed through app shops to take advantage of users’ trust.
Hence, the Top 10 Mobile App Risks identifies three main types of attacks against app binaries:
- Reverse engineering to find critical information such as passwords or exploitable vulnerabilities in the backend.
- Manipulation of the code in order to bypass payment firewalls or license checks.
- Manipulating the application to contain malicious code.
These attacks can cause financial costs to developers, which can be substantial if a company’s intellectual property is exposed, especially if this intellectual property ends up in the hands of competitors. Moreover, if malware-infected copies of legitimate applications are distributed, their reputation will be irreparably affected.
How can this vulnerability be prevented?
OWASP Top 10 Mobile Application Risks recommends that developers inspect their application binaries using, paradoxically, the same tools that criminals use and that can be easily found.
Beyond this inspection, there are three main ways to deal with attacks successfully:
- Against reverse engineering: obfuscation, which makes the app binary hard to understand and so raises the cost of reverse engineering.
- Against code manipulation: obfuscation, moving local security controls to the backend, and performing integrity checks so that malicious actors cannot break the application’s security mechanisms.
- Against redistribution: integrity checks to detect redistribution and modification of app binaries.
Removing unauthorised copies of apps that may be available in app shops is also relevant.
M8. Security misconfiguration
Exploitation: Difficult
Detectability: Easy
Technical impact: Severe
Business impact: Severe
Mobile applications can be compromised by misconfigured security controls and permissions, which attackers can exploit to access sensitive information or perform various malicious actions.
According to OWASP Top 10 Mobile Application Risks, the most common attack vectors related to configuration issues are:
- Insecure default settings.
- Inadequate access controls that allow unauthorised users to access sensitive data.
- Weak or poorly implemented encryption or hashing algorithms.
- Failure to use secure communication protocols, enabling man-in-the-middle attacks.
- Insecure storage of passwords and API keys.
- Insecure file permissions.
- Misconfigured session management, allowing attackers to impersonate legitimate app users.
OWASP warns that security configuration problems are common in mobile applications and can facilitate access to sensitive data of citizens and companies, lead to identity theft, cause economic losses, and even paralyze the affected apps, affecting the regular activity of the companies that use them.
How can this vulnerability be prevented?
To detect security configuration problems, the Top 10 Mobile Application Risks recommends subjecting apps to comprehensive security audits, in which the source code is reviewed, and applications are subjected to security tests.
Also, in the area of prevention, app developers should implement secure app coding and configuration practices:
- Check that default settings are secure.
- Do not use default credentials or store app files with weak permissions.
- Follow the principle of least privilege.
- Securely configure the network.
- Disable debugging functions.
- Limit the attack surface by exporting only those activities, services and content providers that need to be exported.
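The last two practices, disabling debugging and exporting only what must be exported, can be checked mechanically on Android. The following is an added example (not from the OWASP list): it parses an `AndroidManifest.xml` and reports a debuggable build and every component that other apps can reach without a permission. The manifest is constructed for the demonstration; the rule that a component with an intent filter is exported by default reflects Android 11 and earlier, and launcher activities are excluded because they are meant to be exported.

```python
"""Find exported components and debug settings in an AndroidManifest.xml.

Added example, not from the OWASP page. audit_manifest() returns (name, issue)
pairs for: android:debuggable="true", and activities, services, receivers and
providers that are exported (explicitly, or implicitly through an intent filter)
without any permission attribute. The manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(component):
    """True for the MAIN/LAUNCHER activity, which is expected to be exported."""
    for intent_filter in component.findall("intent-filter"):
        actions = {attr(a, "name") for a in intent_filter.findall("action")}
        categories = {attr(c, "name") for c in intent_filter.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in categories:
            return True
    return False


def audit_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("application", "debuggable build"))
    for tag in COMPONENT_TAGS:
        for component in app.iter(tag):
            exported = attr(component, "exported")
            has_filter = component.find("intent-filter") is not None
            # Explicit exported="true", or no attribute but an intent filter (pre-Android 12 default).
            if not (exported == "true" or (exported is None and has_filter)):
                continue
            if is_launcher(component):
                continue
            if not any(attr(component, p) for p in PERMISSION_ATTRS):
                findings.append((attr(component, "name"), f"{tag} exported without a permission (review)"))
    return findings


# Constructed sample manifest for the demonstration.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <application android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <data android:scheme="demo"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.demo.SYNC"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <provider android:name=".DataProvider" android:authorities="com.example.demo.data" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, issue in audit_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {issue}")
```

On the sample, the audit reports the debuggable flag, the deep-link activity (exported implicitly by its VIEW filter and worth reviewing, since it parses data from other apps) and the boot receiver; the service is exported but protected by a permission, and the provider is explicitly not exported, so neither is listed.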
M9. Insecure data storage
Exploitation: Easy
Detectability: Average
Technical impact: Severe
Business impact: Severe
As noted above, obtaining sensitive critical data is one of the main targets of cybercriminals today. Therefore, application developers must implement good practices for secure storage and robust information encryption.
Among the common attack vectors, the Top 10 Mobile App Risks highlights:
- Unauthorized access to a device’s file system.
- Exploitation of weak encryption.
- Interception of data transmissions.
- Malware or malicious applications installed on a device.
- Social engineering techniques to trick people into providing access to data.
Insecure data storage can help criminals compromise user accounts, manipulate an application’s data, access an app’s resources such as configuration files or cryptographic keys, and damage users’ trust in the company that developed the application.
The consequences of this kind of attack can be economic, competitive, and reputational, but they are also legal.
How can this vulnerability be prevented?
The Top 10 Mobile Application Risks recommends that developers implement:
- Robust encryption algorithms that protect sensitive data.
- Secure communication protocols, securing the information transmitted between the app and backend servers.
- Secure data storage mechanisms, preventing unauthorized users from accessing data.
- Robust access controls.
- Data input validation and sanitization techniques to prevent data injection attacks.
- Secure session management techniques.
- Regular updates and patching of all dependencies.
M10. Insufficient cryptography
Exploitability: Average
Detectability: Average
Technical impact: Severe
Business impact: Severe
OWASP warns that if an application’s cryptography is insecure or insufficient, malicious actors can undermine the confidentiality, integrity and authenticity of the application’s information. The Top 10 Mobile Application Risks emphasises attacks against algorithms, manipulation of cryptographic processes or leakage of encryption keys. It also points out that criminals can exploit weak encryption to steal personal data for fraud and exploit vulnerabilities in cryptographic libraries.
What are the consequences of attacks exploiting cryptographic weaknesses? Exfiltration of confidential information, financial loss, legal problems due to non-compliance with encryption regulations, and even intellectual property theft.
How can this vulnerability be prevented?
As with other categories, the Top 10 Mobile Application Risks suggests that developers follow encryption best practices:
- Use secure, industry-accepted encryption algorithms.
- Select encryption keys of appropriate length.
- Use secure key management techniques and protect against unauthorized access.
- Implement encryption processes with care, using industry-validated cryptographic frameworks.
- Store encryption keys securely.
- Use secure transport layer protocols to transmit encrypted data across networks.
- Use strong validation and authentication mechanisms.
- Regularly update the application and cryptographic components, mitigating any identified vulnerabilities.
- Conduct security tests such as advanced penetration tests and source code audits to detect and remediate vulnerabilities.
- Consider recommendations and best practices developed by global reference organizations such as the US NIST.
- Use cryptographically secure hashes.
- Perform salting to add an extra layer of security and make attacks more difficult.
- Use cryptographic key derivation functions.
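The last three recommendations, secure hashes, salting and key derivation functions, come together in password storage. The block below is an added example (not from the OWASP list) using PBKDF2-HMAC-SHA256 from Python’s standard library: a random per-password salt, a constant-time comparison on verification, and a `needs_rehash` check so stored hashes can be upgraded when the cost parameter is raised, which is how “regularly update cryptographic components” applies to data already at rest. The iteration count and the storage format are assumptions for the demonstration.

```python
"""Store and verify passwords with a salted key derivation function.

Added example, not from the OWASP page. Stored format (an assumption):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
so the parameters travel with the hash and old entries can be upgraded later.
"""
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: current cost parameter; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password, iterations=ITERATIONS):
    """Derive a key from the password with a fresh random salt and return the storable string."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique salt per password defeats precomputed tables
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, derived_hex = stored.split("$")
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(derived_hex)
    except ValueError:
        return False  # malformed record: treat as failed verification, never as a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)  # no timing leak on where the mismatch occurs


def needs_rehash(stored, minimum_iterations=ITERATIONS):
    """True if the record uses an old algorithm or a cost below the current policy."""
    try:
        algorithm, iterations, *_ = stored.split("$")
        return algorithm != ALGORITHM or int(iterations) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("wrong", record))
    print("needs rehash:", needs_rehash(record))
```

The usual flow on login is: verify the password, and if it verifies and `needs_rehash` is true, hash it again with the current parameters and overwrite the record, so the cost parameter can be raised without forcing every user to reset their password.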
What other risks should be considered?
Beyond the categories that make up the Top 10 Mobile Application Risks, the team that compiled it briefly points out other vulnerabilities that, although they are not part of the ranking, should be taken into account in the future:
- Data leakage.
- Encrypted secrets.
- Insecure access control.
- Path overwriting.
- Unprotected endpoints.
- Insecure sharing.
In short, the new version of the OWASP Top 10 Mobile Application Risks adapts this list to the changes that have taken place in the threat landscape over the last eight years.
As a result, this ranking renews its role as a reference tool for mobile application developers and cybersecurity experts globally. It helps to put the spotlight on the principal risks and vulnerabilities in the current landscape and helps companies build a safer mobile app ecosystem for businesses and citizens.
In addition, the Top 10 Mobile App Risks highlights the importance of developers implementing good security practices from design, subjecting apps to regular mobile app security audits, conducting source code audits and using advanced penetration testing to check the security of mobile apps.
This article is part of a series of articles about OWASP:
- OWASP methodology, the beacon illuminating cyber risks
- OWASP: Top 10 Web Application Vulnerabilities
- IoT and embedded devices security analysis following OWASP
- OWASP FSTM, stage 1: Information gathering and reconnaissance
- OWASP FSTM, stage 2: Obtaining IOT device firmware
- OWASP FSTM, stage 3: Analyzing firmware
- OWASP FSTM, stage 4: Extracting the filesystem
- OWASP FSTM, stage 5: Analyzing filesystem contents
- OWASP FSTM step 6: firmware emulation
- OWASP FSTM, step 7: Dynamic analysis
- OWASP FSTM, step 8: Runtime analysis
- OWASP FSTM, Stage 9: Exploitation of executables
- IoT Security assessment
- OWASP API Security Top 10
- OWASP SAMM: Assessing and Improving Enterprise Software Security
- OWASP: Top 10 Mobile Application Risks