An In-depth Guide to the OWASP Mobile Top 10

By Eyal Katz November 14, 2024

Your app is secure, right? Think again. 

There are at least 10 classes of vulnerability that could be lurking in your code, waiting to be exploited, which is why mobile app security matters more than ever.

The 2024 Verizon Mobile Security Index revealed that 62% of business network authentications now come from mobile devices. This, along with the widespread use of remote work models, makes mobile apps an attractive entry point for attackers into corporate networks. 

Fortunately, by identifying and tackling the top 10 mobile security risks outlined by the Open Worldwide Application Security Project (OWASP), you can significantly strengthen your app’s defenses and safeguard user data.

What is OWASP Mobile Top 10?

OWASP is a nonprofit foundation dedicated to improving the security of software. Founded in 2001, it has become an industry reference, publishing regularly updated lists of the most common vulnerabilities in web and mobile applications. 

OWASP collaborates with 40+ organizations across the world to identify mobile vulnerabilities and publishes the “OWASP Mobile Top 10”, a ranked list of the ten most significant mobile application risks. 

The Consequences of Neglecting Mobile App Vulnerabilities

Several breaches caused by mobile application vulnerabilities have occurred over the last six years, some at large companies and affecting millions of users worldwide. One of the most prominent is the British Airways breach, which affected both the mobile app and the website.

ParkMobile App Breach (2021)

In 2021, ParkMobile, a parking-management app used across the U.S., was breached, exposing the Personally Identifiable Information (PII) (email addresses, phone numbers, license plate numbers and vehicle information) of over 21 million users.

The threat actors exploited a vulnerability in a third-party component used in the application’s infrastructure, which gave them access to the database holding all user data. 

The breach raised concerns not only because of the number of customers affected but also because of the volume of stolen PII and what it can be used for: phishing, identity theft, and so on.

British Airways Mobile App Breach (2018)

In 2018, a breach at British Airways exposed the PII of approximately 400,000 customers.

The threat actors reached the mobile app’s backend through a third-party vendor account that was not protected by multi-factor authentication (MFA).

Using those administrative credentials, the attackers found plaintext files containing approximately 100,000 customer payment card details.  

British Airways was fined 20 million pounds for the breach, which drew international attention because of its scale and because the attackers exploited systems British Airways was unaware of.

Guide to OWASP Mobile Top 10 2024 Vulnerabilities

The “OWASP Mobile Top 10 2024” highlights the most common and current vulnerabilities faced by modern mobile applications:

Table of contents

  1. M1: Improper Credential Usage
  2. M2: Inadequate Supply Chain Security
  3. M3: Insecure Authentication/Authorization
  4. M4: Insufficient Input/Output Validation
  5. M5: Insecure Communication
  6. M6: Inadequate Privacy Controls
  7. M7: Insufficient Binary Protections
  8. M8: Security Misconfiguration
  9. M9: Insecure Data Storage
  10. M10: Insufficient Cryptography

M1: Improper Credential Usage


What it is:

This category covers hardcoded credentials, insecure credential transmission and insecure credential storage. The British Airways breach, where an unprotected vendor account led to plaintext card data, is an example. 

How to detect it:

  • Review application code, resources and configuration files for hardcoded credentials.
  • Review credential management for both third-party services and the mobile application itself.
  • Inspect network traffic to confirm credentials are only transmitted over protected channels.

How to prevent it:

  • Do not hardcode credentials in the app source code or its resources; obtain them at runtime and keep them in platform-protected storage (the Android Keystore or the iOS Keychain). 
  • Utilize tools like Spectral to scan your code and configuration for leaked secrets.

M2: Inadequate Supply Chain Security


This risk covers SDKs, third-party libraries, vendors, credentials and any external systems the app interacts with. If the supply chain is compromised, threat actors can inject malicious code, create backdoors and even take over the mobile app.

How to detect it:

  • Inventory every SDK and third-party library the app ships, with versions, and check them against known vulnerabilities.
  • Verify the integrity (checksums or signatures) of dependencies and of your own release artifacts.

How to prevent it:

  • Implement security controls for app updates, patches and releases.
  • Establish a vetting process for third-party libraries.
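One way to turn the vetting process into a build gate, as an added example that is not Spectral’s code or part of the original article: every dependency must be pinned to an exact version and its downloaded bytes must match the SHA-256 hash recorded when the library was approved. The manifest format, library names and artifact bytes are constructed for the example.

```python
"""Added example: vetting third-party dependencies before they reach a build.

Two checks a supply-chain gate should perform:
  1. every dependency is pinned to an exact version (no dynamic ranges), and
  2. the downloaded artifact matches a SHA-256 hash recorded when it was vetted.
The manifest format and artifact bytes below are constructed for this example.
"""
import hashlib
import re

# Version strings Gradle/Maven resolve dynamically; accepting these means the
# build pulls whatever the repository serves at build time.
DYNAMIC_VERSION = re.compile(r"(\+|\[|\(|latest|SNAPSHOT|\*)", re.IGNORECASE)


def is_pinned(version: str) -> bool:
    """True only for an exact version such as '2.10.0'."""
    return not DYNAMIC_VERSION.search(version)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vet_dependencies(manifest: dict, artifacts: dict) -> list:
    """Return (dependency, problem) tuples; an empty list means the build may proceed."""
    findings = []
    for name, spec in manifest.items():
        if not is_pinned(spec["version"]):
            findings.append((name, f"dynamic version '{spec['version']}'"))
        blob = artifacts.get(name)
        if blob is None:
            findings.append((name, "artifact missing"))
            continue
        if "sha256" not in spec:
            findings.append((name, "no pinned hash; cannot verify integrity"))
        elif sha256_hex(blob) != spec["sha256"]:
            findings.append((name, "sha256 mismatch: artifact differs from the vetted one"))
    return findings


# Constructed artifacts: the library bytes as they looked when approved.
VETTED_ANALYTICS = b"analytics-sdk-2.10.0 bytes (constructed)"
VETTED_NETWORK = b"network-lib-4.12.0 bytes (constructed)"

# Constructed manifest in the spirit of a lockfile: exact version plus hash.
MANIFEST = {
    "analytics-sdk": {"version": "2.10.0", "sha256": sha256_hex(VETTED_ANALYTICS)},
    "network-lib": {"version": "4.12.0", "sha256": sha256_hex(VETTED_NETWORK)},
    "image-loader": {"version": "3.+"},  # dynamic version and no hash
}


def demo_clean() -> list:
    """Artifacts match what was vetted; only the unpinned library is flagged."""
    return vet_dependencies(MANIFEST, {
        "analytics-sdk": VETTED_ANALYTICS,
        "network-lib": VETTED_NETWORK,
        "image-loader": b"whatever resolved today",
    })


def demo_tampered() -> list:
    """Same name and version, but the served bytes were modified (a backdoored build)."""
    return vet_dependencies(MANIFEST, {
        "analytics-sdk": VETTED_ANALYTICS + b"\x90\x90 injected",
        "network-lib": VETTED_NETWORK,
        "image-loader": b"whatever resolved today",
    })


if __name__ == "__main__":
    for dep, problem in demo_tampered():
        print(f"{dep}: {problem}")
```

Gradle has this built in as dependency verification (`gradle/verification-metadata.xml`, generated with `--write-verification-metadata sha256`); the point of the example is that a version number alone proves nothing about the bytes you link into the app.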

M3: Insecure Authentication/Authorization


What it is:

Once threat actors find a weakness in either the authentication or the authorization scheme, they can exploit it in two ways:

  • Bypass authentication entirely and submit requests directly to the backend server. 
  • Authenticate as a low-privileged user and abuse weak endpoint authorization to reach data or functions they should not have access to.

How to detect it:

  • Look for backend API calls that execute without authentication (anonymous access).
  • Exercise backend functionality (POST/GET) with least-privileged roles to find authorization weak points.

How to prevent it:

  • Enforce authentication and authorization on the server side; never rely on checks in the mobile client.
  • Ensure that mobile applications ported from web applications follow the same authentication process, so that web and mobile security stay consistent.
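The second exploitation path above, a logged-in user reading another user’s record by changing an id, is easiest to see in backend code. The following is an added example, not code from the article or from Spectral: a minimal order-lookup handler in its vulnerable form beside a hardened one that authenticates first and then authorizes on the server. The session object, roles and data are constructed for the example; no web framework is involved.

```python
"""Added example: server-side authorization for a mobile backend endpoint.

A mobile client may hide the "other users' orders" screen, but the backend
must still enforce who can read which record. The session, roles and data
are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str   # set by the backend after verifying the token, never taken from the client
    role: str      # "customer" or "support"


# Constructed data store: order id -> record
ORDERS = {
    "1001": {"owner": "alice", "total": 42.0},
    "1002": {"owner": "bob", "total": 17.5},
}


class Forbidden(Exception):
    pass


class Unauthorized(Exception):
    pass


def get_order_vulnerable(session, order_id):
    """Insecure: trusts that the client only asks for ids it should see (IDOR)."""
    return ORDERS[order_id]


def get_order(session, order_id):
    """Hardened: authenticate first, then authorize against the record's owner."""
    if session is None:
        raise Unauthorized("anonymous requests cannot read orders")
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != session.user_id and session.role != "support"):
        # Same error for "not found" and "not yours", so probing ids does not
        # reveal which ones exist.
        raise Forbidden("order not available to this user")
    return order


def demo():
    alice = Session(user_id="alice", role="customer")
    support = Session(user_id="carol", role="support")
    results = {}
    # The bug: alice reads bob's order just by changing the id in the request.
    results["vulnerable_idor"] = get_order_vulnerable(alice, "1002")["owner"]
    results["own_order"] = get_order(alice, "1001")["owner"]
    results["support_any"] = get_order(support, "1002")["owner"]
    try:
        get_order(alice, "1002")
        results["idor_blocked"] = False
    except Forbidden:
        results["idor_blocked"] = True
    try:
        get_order(None, "1001")
        results["anonymous_blocked"] = False
    except Unauthorized:
        results["anonymous_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ownership check uses the user id the backend derived from the verified token, not a user id sent by the app; anything the client can set is attacker-controlled.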

M4: Insufficient Input/Output Validation


Failing to validate and sanitize input and output data puts your application at risk of injection attacks (SQL injection, command injection and so on) and of inadvertently exposing confidential data.

How to detect it:

  • Test input handling with malformed and malicious data.
  • Test for data integrity.

How to prevent it:

  • Use context-specific validation and encoding: a username, a URL and an HTML fragment each have their own rules.
  • Use tools like SonarQube, Spectral, and Veracode to perform SAST/DAST.
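To make “context-specific validation” concrete, here is an added example (not from the article or Spectral) against an in-memory SQLite database of the kind many mobile apps ship: a query built from an untrusted username beside one that validates the value against the format a username may have and then binds it as a parameter. Table, rows and the injection payload are constructed for the example.

```python
"""Added example: context-specific input validation and parameterized queries.

A mobile app that builds SQL for a local SQLite database (or a backend doing
the same) from untrusted input is injectable. The schema, rows and inputs are
constructed for this example.
"""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", [
        ("alice", "alice's private note"),
        ("bob", "bob's private note"),
    ])
    return db


def notes_vulnerable(db, owner):
    """String-built query: the owner value becomes part of the SQL text."""
    sql = f"SELECT body FROM notes WHERE owner = '{owner}'"
    return [row[0] for row in db.execute(sql)]


# What a username is allowed to look like in this app (constructed rule).
USERNAME = re.compile(r"[a-z0-9_]{1,32}")


def notes_safe(db, owner):
    """Validate against the format this field may have, then bind the value."""
    if not USERNAME.fullmatch(owner):
        raise ValueError("invalid username")
    return [row[0] for row in db.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]


def demo():
    db = make_db()
    payload = "x' OR '1'='1"  # classic tautology injection
    results = {
        "injected": notes_vulnerable(db, payload),   # returns every row
        "safe_alice": notes_safe(db, "alice"),
    }
    try:
        notes_safe(db, payload)
        results["safe_rejects"] = False
    except ValueError:
        results["safe_rejects"] = True
    # Binding alone already defeats the payload: it is compared as a literal string.
    results["bound_payload"] = [
        r[0] for r in db.execute("SELECT body FROM notes WHERE owner = ?", (payload,))
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

Validation and binding do different jobs: the allowlist rejects input that makes no sense for the field, and the bound parameter guarantees that whatever does get through can never change the query’s structure.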

M5: Insecure Communication


What it is:

Most modern applications use cryptographic protocols at some level, but the implementation may be flawed: deprecated protocol versions, acceptance of invalid TLS certificates, or inconsistencies such as partially encrypted workflows. Any of these flaws could allow threat actors to intercept communications.

How to detect it:

  • Identify application traffic that travels over plaintext channels.
  • Check whether the app accepts invalid TLS certificates (self-signed, revoked, expired, wrong host…)

How to prevent it:

  • Use current TLS versions (1.2 or later) on every communication channel.
  • Use certificates signed by a trusted CA.
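Both detection bullets can be checked without a network. The following is an added example, not code from the article or from Spectral: one function flags endpoints an app is configured to reach over plaintext, the other audits a TLS client context the way a reviewer would audit an HTTP client’s settings, and the insecure context is the kind of “fix” that makes certificate errors go away. The endpoint list and both contexts are constructed for the example.

```python
"""Added example: spotting plaintext endpoints and an insecure TLS client setup.

Both checks run offline: the first scans the endpoints an app is configured to
talk to, the second inspects a Python ssl.SSLContext the way a reviewer would
inspect an HTTP client's TLS settings. Endpoint list and contexts are constructed.
"""
import ssl
from urllib.parse import urlparse

# Constructed endpoint configuration, of the kind often found in a build config.
ENDPOINTS = {
    "api": "https://api.example.com/v1/",
    "analytics": "http://metrics.example.com/collect",  # plaintext
    "cdn": "https://static.example.com/",
}


def find_plaintext_endpoints(endpoints):
    """Return names of endpoints that do not use https://."""
    return sorted(name for name, url in endpoints.items()
                  if urlparse(url).scheme.lower() != "https")


def audit_tls_context(ctx):
    """Return findings for settings that let an interceptor succeed."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("certificate verification disabled (any cert accepted)")
    if not ctx.check_hostname:
        findings.append("hostname not checked (cert for another host accepted)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS < 1.2 allowed")
    return findings


def insecure_context():
    """What 'make the SSL error go away' snippets typically produce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # has to be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """System trust store, hostname verification, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    print("plaintext endpoints:", find_plaintext_endpoints(ENDPOINTS))
    print("insecure context:", audit_tls_context(insecure_context()))
    print("hardened context:", audit_tls_context(hardened_context()))
```

On Android the equivalent platform-level control is the network security configuration with `cleartextTrafficPermitted="false"`, which makes the plaintext analytics endpoint above fail at runtime instead of silently leaking data.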

M6: Inadequate Privacy Controls


What it is:

This risk concerns how PII is collected, stored and transmitted by your mobile application. Breaches resulting in the theft of PII not only affect your users but also carry heavy regulatory and financial consequences. 

How to detect it:

  • Check the app for compliance violations.
  • Review all systems in the app that use PII, for vulnerabilities.

How to prevent it:

  • Perform routine privacy assessments on your application.
  • Require only necessary data from users.

M7: Insufficient Binary Protections


What it is:

Every shipped mobile binary can be analyzed by whoever installs it. Binary attacks come in two forms: reverse engineering (decompiling the application and scanning it for secrets, algorithms and vulnerabilities) and code tampering (removing license checks, circumventing paywalls…).

How to detect it:

  • Use automated tools to perform SAST/DAST on your application and to decompile it as an attacker would.
  • Verify the integrity of the binary’s digital signature.

How to prevent it:

  • Encrypt sensitive parts of your app binary code.
  • Implement Runtime Application Self-Protection(RASP) solutions.
  • Implement binary obfuscation.

M8: Security Misconfiguration


What it is:

Security Misconfiguration is the eighth category in the OWASP Mobile Top 10. It covers security settings left in an insecure state, usually through human error, that an attacker can take advantage of. 

How to detect it:

  • Review the application source code and its manifest/configuration.
  • Identify insecure settings (default usernames, unencrypted storage, cleartext communication protocols…)
  • Identify any testing features/systems left in production.

How to prevent it:

  • Change or remove default credentials and disable debugging before release.
  • Encrypt storage and communication by default rather than as an option.
  • Strip testing features and systems from production builds.
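The detection bullets map directly onto an Android manifest review. The following is an added example, not code from the article or from Spectral: it parses a manifest and flags a debuggable build, backup of app data, cleartext traffic, components exported without a permission, and components whose names suggest debug or test features. The manifest, package name and component names are constructed for the example, with the problems deliberately present.

```python
"""Added example: auditing an Android manifest for common misconfigurations.

The checks mirror the detection bullets above: debug/test features left on,
backup of app data enabled, cleartext traffic allowed, and components exported
without a permission. The manifest below is constructed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest with several problems deliberately present.
MANIFEST_XML = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.shop">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DebugConsoleActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"
              android:permission="com.example.shop.SYNC"/>
    <provider android:name=".UserProvider" android:exported="true"
              android:authorities="com.example.shop.users"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(ANDROID + name)


def audit_manifest(xml_text):
    """Return a list of findings; empty means none of the checked problems are present."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = []
    if attr(app, "debuggable") == "true":
        findings.append("application is debuggable (attach a debugger, dump memory)")
    if attr(app, "allowBackup") == "true":
        findings.append("allowBackup=true (app data can be pulled with adb backup where supported)")
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append("cleartext traffic permitted")
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in app.findall(tag):
            name = attr(comp, "name") or ""
            categories = [attr(c, "name") for c in comp.findall("intent-filter/category")]
            is_launcher = "android.intent.category.LAUNCHER" in categories
            if attr(comp, "exported") == "true" and not attr(comp, "permission") and not is_launcher:
                findings.append(f"{tag} {name} exported without a permission")
            if "debug" in name.lower() or "test" in name.lower():
                findings.append(f"{tag} {name} looks like a test/debug feature shipped in the build")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(MANIFEST_XML):
        print("-", finding)
```

The launcher activity is excluded from the exported check because it has to be reachable from the home screen; every other exported component either needs a permission or a reason to exist in the release build.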

M9: Insecure Data Storage


What it is:

This risk covers everything from weak data encryption to insecure storage practices that could expose the data an app keeps on the device.

How to detect it:

  • Identify poor access controls on the app’s storage locations.
  • Review stored data for sensitive values kept unencrypted.

How to prevent it:

  • Implement strong encryption.
  • Implement secure session management techniques.
  • Employ proper access controls.
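The M1 detection step (review code for hardcoded credentials) and the M9 detection step (review stored data for unencrypted sensitive values) need the same tool: a pattern scanner with an entropy filter. The following is an added example serving both sections, not code from the article or from Spectral. It runs the same detector over a constructed Kotlin source file and over a constructed SharedPreferences XML dump of the kind pulled from a device. The patterns are illustrative, not a complete rule set, and the one AWS key is the example key from AWS’s own documentation.

```python
"""Added example serving M1 and M9: one scanner for secrets in source and in
on-device storage.

The same detector runs over (a) a source file to catch hardcoded credentials
(M1) and (b) a SharedPreferences-style XML dump pulled from a device to catch
credentials stored in plaintext (M9). All inputs are constructed; the patterns
are illustrative, not a complete rule set.
"""
import math
import re
from collections import Counter

# Pattern name -> regex. Group 1 is the value examined.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "bearer_or_session_token": re.compile(
        r"(?i)(?:token|session|bearer)[^\n]{0,20}?['\">]([A-Za-z0-9._\-]{20,})"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)[^\n]{0,20}?['\">]([^'\"<>\n]{6,})"),
    "generic_api_key": re.compile(
        r"(?i)(?:api[_-]?key|secret)[^\n]{0,20}?['\">]([A-Za-z0-9_\-]{16,})"),
}


def shannon_entropy(s):
    """Bits per character; random-looking secrets score high, placeholders low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan(text, source_name):
    """Return findings as (source, line_no, pattern, value). Generic matches must
    also look random (high entropy) to reduce false positives such as placeholders."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(1)
                if name == "generic_api_key" and shannon_entropy(value) < 3.5:
                    continue
                findings.append((source_name, line_no, name, value))
    return findings


# (a) Constructed Kotlin source with secrets checked in (M1).
KOTLIN_SOURCE = '''
object Config {
    const val BASE_URL = "https://api.example.com/"
    const val API_KEY = "sk_live_9fA3kQz7Lm2pXv8RtB1c"   // belongs on a server, not in the APK
    const val AWS_KEY = "AKIAIOSFODNN7EXAMPLE"            // AWS documentation example key
    const val DEBUG_FLAG = "placeholder"
}
'''

# (b) Constructed shared_prefs XML as pulled from /data/data/<pkg>/shared_prefs/ (M9).
SHARED_PREFS = '''<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">eyJhbGciOiJIUzI1NiJ9.c2Vzc2lvbjphbGljZQ.FAKE_SIGNATURE_FOR_EXAMPLE</string>
    <string name="user_password">hunter2hunter2</string>
    <string name="theme">dark</string>
</map>
'''


def demo():
    return scan(KOTLIN_SOURCE, "Config.kt") + scan(SHARED_PREFS, "shared_prefs.xml")


if __name__ == "__main__":
    for src, line_no, name, value in demo():
        print(f"{src}:{line_no}: {name}: {value[:12]}...")
```

The entropy threshold is what keeps `DEBUG_FLAG = "placeholder"` out of the results while still catching the live-looking key; real scanners add many more patterns, but the shape (pattern, capture, plausibility filter) is the same, and the same scan applies equally to a decompiled APK and to files copied off a rooted device.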

M10: Insufficient Cryptography


What it is:

This risk covers flaws in the cryptographic implementation (weak algorithms, poor key management, home-grown schemes) that expose data your mobile application stores or transmits.

How to detect it:

  • Identify weak encryption algorithms in your application
  • Review implementation of cryptographic protocols.
  • Review key management for your application.

How to prevent it:

  • Use strong, standard encryption algorithms and modes.
  • Pair security tools with scanning tools like Spectral to achieve all-round coverage.
  • Follow secure key management practices.
  • Avoid custom (home-grown) encryption.
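A frequent instance of this category in mobile backends and apps is password storage. The following is an added example, not code from the article or from Spectral: an unsalted MD5 hash beside salted PBKDF2-HMAC-SHA256 with a constant-time comparison. The passwords are constructed; the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256 and should be tuned for the hardware that runs it.

```python
"""Added example: replacing a weak hash with salted PBKDF2 and constant-time
comparison. Sample passwords are constructed; the iteration count is the
OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256."""
import hashlib
import hmac
import os


def hash_password_weak(password):
    """Insecure: unsalted MD5. Same password -> same digest, so the output is
    reversible with a lookup table, and MD5 is fast enough to brute-force."""
    return hashlib.md5(password.encode()).hexdigest()


ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak the position of the first differing byte
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def demo():
    weak_a = hash_password_weak("correct horse")
    weak_b = hash_password_weak("correct horse")
    rec_a = hash_password("correct horse")
    rec_b = hash_password("correct horse")
    return {
        "weak_identical": weak_a == weak_b,     # True: no salt
        "strong_identical": rec_a == rec_b,     # False: fresh salt each time
        "verify_ok": verify_password("correct horse", rec_a),
        "verify_wrong": verify_password("correct horsE", rec_a),
    }


if __name__ == "__main__":
    print(demo())
```

The record stores the algorithm, iteration count and salt alongside the digest, so the cost can be raised later without locking out existing users, which is the key-management half of the fix.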

Comparing OWASP Mobile Top 10: 2016 vs. 2024

The OWASP Mobile Top 10 lists from 2016 and 2024 show how much mobile security risks have shifted, which is why developers and organizations must keep tracking mobile threats and adjust their security practices.


Re-ranked categories

  • 2024: Insecure Communication moved from (M3) to (M5)
  • 2024: Insecure Data Storage moved from (M2) to (M9)
  • 2024: Insufficient Cryptography moved from (M5) to (M10)

Added Categories

  • M1: Improper Credential Usage 
  • M2: Inadequate Supply Chain Security 
  • M4: Insufficient Input/Output validation 
  • M6: Inadequate Privacy Controls

Updated Categories

  • M3: Insecure Authentication/Authorization

Merged (2016): Insecure Authentication (M4) & Insecure Authorization (M6)

  • M7: Insufficient Binary Protections

Merged (2016): Code Tampering (M8) & Reverse Engineering (M9)

  • M8: Security Misconfiguration 

Reworded (2016): Extraneous Functionality (M10)

Dropped categories

  • 2016 M1: Improper Platform Usage
  • 2016 M7: Client Code Quality

Securing the Mobile Landscape

We have explored how the OWASP Mobile Top 10 helps development and DevOps teams identify and address the major security issues in mobile applications. Understanding these risks, their potential impact, and the available remediation options allows you to proactively strengthen your mobile security.

However, security is an ongoing journey, not a one-time event. Consider leveraging security platforms like Spectral to stay ahead of evolving threats. By automating security testing, providing real-time alerts, and continuously monitoring your codebase, Spectral helps developers deliver secure and reliable mobile applications. Take the first step towards a more secure mobile future: schedule a demo with Spectral today.
