OWASP Top Ten Mobile Vulnerabilities

In 2016 OWASP also published its Mobile Top 10, the ten most common classes of mobile application vulnerability:

  1. Improper Platform Usage: misuse of a platform feature, or failure to use the security controls the platform provides.
  2. Insecure Data Storage: occurs when development teams assume that users or malware will not have access to a mobile device's filesystem, and therefore to the sensitive information held in data stores on the device.
  3. Insecure Communication: when the solution transmits data, that data must traverse the mobile device's carrier network and the internet; threat agents may exploit vulnerabilities to intercept sensitive data while it travels across the wire.
  4. Insecure Authentication: poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or in the backend server the app uses.
  5. Insufficient Cryptography: data that is not encrypted at all, or encryption undermined by poor key management.
  6. Insecure Authorization: failure to verify that an authenticated user is actually permitted to perform the requested action or access the requested resource, whether on the device or at the backend.
  7. Client Code Quality: an attacker typically exploits vulnerabilities in this category by supplying carefully crafted inputs to the victim. These inputs are passed to code that runs on the mobile device, where exploitation takes place; typical attacks exploit memory leaks and buffer overflows.
  8. Code Tampering: an attacker exploits code modification by distributing malicious versions of the app through third-party app stores, and may also trick the user into installing the modified app via phishing.
  9. Reverse Engineering: an attacker typically downloads the targeted app from an app store and analyzes it in their own local environment using a suite of different tools.
  10. Extraneous Functionality: any given mobile app is highly likely to contain functionality that is not directly exposed to the user through the interface. Most of this additional code is benign and gives an attacker no additional insight into backend capabilities, but some extraneous functionality can be very useful to an attacker.
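The Client Code Quality pattern in item 7, as an added example that is not part of the OWASP list: a client-side parser for a constructed length-prefixed message (one length byte, then that many payload bytes), first trusting the length byte and then bounds-checking it. The message format, the function names and PAYLOAD_MAX are assumptions for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (assumption for this example): one length byte
   followed by `length` bytes of payload, parsed on the device. */
#define PAYLOAD_MAX 16

/* Vulnerable: copies `length` bytes into a 16-byte buffer without checking
   it, so a crafted message whose length byte exceeds 16 overflows `out`.
   Shown for contrast only; never call it with untrusted input. */
size_t parse_payload_unsafe(const uint8_t *msg, size_t msg_len, char out[PAYLOAD_MAX]) {
    if (msg_len < 1) return 0;
    size_t length = msg[0];
    memcpy(out, msg + 1, length);   /* no bound check: stack overflow */
    return length;
}

/* Hardened: validates the declared length against both the destination
   buffer and the bytes actually received. Returns the payload length, or 0
   with `out` left empty on any inconsistency (empty payloads are rejected). */
size_t parse_payload_safe(const uint8_t *msg, size_t msg_len, char out[PAYLOAD_MAX]) {
    out[0] = '\0';
    if (msg == NULL || msg_len < 1) return 0;
    size_t length = msg[0];
    if (length == 0 || length >= PAYLOAD_MAX) return 0;   /* keep room for NUL */
    if (length > msg_len - 1) return 0;                    /* declared > received */
    memcpy(out, msg + 1, length);
    out[length] = '\0';
    return length;
}

int main(void) {
    /* Constructed inputs: one benign message, one with a crafted length byte. */
    const uint8_t benign[]  = {5, 'h', 'e', 'l', 'l', 'o'};
    const uint8_t crafted[] = {200, 'A', 'A', 'A'};
    char out[PAYLOAD_MAX];
    printf("benign  -> %zu bytes: %s\n", parse_payload_safe(benign, sizeof benign, out), out);
    printf("crafted -> %zu bytes (rejected)\n", parse_payload_safe(crafted, sizeof crafted, out));
    return 0;
}
```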