Mobile Top 10
7.6 Mobile Top 10
The OWASP Mobile Top 10 is a list of the most prevalent vulnerabilities found in mobile applications. In addition to the list of risks, it also includes a list of security controls used to counter these vulnerabilities.
This documentation project is an OWASP Lab project, aimed at security builders and defenders.
What is the Mobile Top 10?
The Mobile Top 10 identifies and lists the top ten vulnerabilities found in mobile applications. The project team has determined these risks from various sources including incident reports, vulnerability databases, and security assessments. The list has been built using a data-based approach from unbiased sources; this approach is detailed in the repository read-me.
- M1: Improper Credential Usage
- M2: Inadequate Supply Chain Security
- M3: Insecure Authentication/Authorization
- M4: Insufficient Input/Output Validation
- M5: Insecure Communication
- M6: Inadequate Privacy Controls
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
- M9: Insecure Data Storage
- M10: Insufficient Cryptography
The project also provides a comprehensive list of security controls and techniques that should be applied to mobile applications to provide a minimum level of security:
- Identify and protect sensitive data on the mobile device
- Handle password credentials securely on the device
- Ensure sensitive data is protected in transit
- Implement user authentication, authorization and session management correctly
- Keep the backend APIs (services) and the platform (server) secure
- Secure data integration with third party services and applications
- Pay specific attention to the collection and storage of consent for the collection and use of the user’s data
- Implement controls to prevent unauthorized access to paid-for resources (wallet, SMS, phone calls, etc.)
- Ensure secure distribution/provisioning of mobile applications
- Carefully check any runtime interpretation of code for errors
The list of mobile controls has been created and maintained by a collaboration of OWASP and the European Network and Information Security Agency (ENISA) to build a joint set of controls.
Why use it?
It is important to have awareness of the types of attack mobile applications are exposed to, and the types of vulnerabilities that may be present in any given mobile application.
The Mobile Top 10 provides a starting point for this training and education. Note that the risks to mobile applications do not stop at the Top 10: the list covers only the more important ones, and in practice there are many more risks.
In addition, the Mobile Top 10 provides a list of controls that should be considered for mobile applications, ideally at the requirements stage of the development cycle (the sooner the better), although they can be applied at any time during development.
Mobile Top 10 versions
The Mobile Top 10 was first released in 2014 and updated in 2016, with the latest version released in 2024.
The list of mobile application controls was originally published in 2011 by ENISA as the ‘Smartphone Secure Development Guideline’. This was then revised during 2016 and released in February 2017, to inform the latest set of mobile application controls.
The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.