Improper Platform Usage: misuse of a platform feature or failure to use platform security controls
Insecure Data Storage: occurs when development teams assume that users or malware will not have access to a mobile device’s filesystem and, through it, to the sensitive information held in data stores on the device
Insecure Communication: when the solution transmits its data, it must traverse the mobile device’s carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it’s traveling across the wire
Insecure Authentication: poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app
Insufficient Cryptography: either data that is not encrypted or poor key management
Insecure Authorization: the app or its backend fails to verify that an authenticated user is actually entitled to the function or data being requested (distinct from Insecure Authentication, which concerns establishing who the user is)
Client Code Quality: An attacker will typically exploit vulnerabilities in this category by supplying carefully crafted inputs to the victim. These inputs are passed onto code that resides within the mobile device where exploitation takes place. Typical types of attacks will exploit memory leaks and buffer overflows.
Code Tampering: an attacker will exploit code modification via malicious forms of the apps hosted in third-party app stores. The attacker may also trick the user into installing the app via phishing attacks
Reverse Engineering: An attacker will typically download the targeted app from an app store and analyze it within their own local environment using a suite of different tools.
Extraneous Functionality: There is a high likelihood that any given mobile app contains extraneous functionality that is not directly exposed to the user via the interface. Most of this additional code is benign in nature and will not give an attacker any additional insight into backend capabilities. However, some extraneous functionality can be very useful to an attacker.
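The Insecure Data Storage category above rests on the assumption that nobody else can read an app's private files. The following is an added example, not part of the original list, of the kind of check a reviewer runs against an app's data directory: it flags files readable by other users or processes and secret-looking keys stored in plaintext. The sample files, their mode bits and their contents are constructed for the example.

```python
import re
import stat
from dataclasses import dataclass

# Constructed sample of files as they might sit in an app's private data directory
# (path -> (POSIX mode bits, file contents)). 0o644 is readable by any other
# process or user that reaches the filesystem, e.g. on a rooted or shared device.
SAMPLE_FILES = {
    "shared_prefs/session.xml": (0o600,
        '<map>\n<string name="auth_token">eyJhbGciOi.constructed</string>\n'
        '<string name="theme">dark</string>\n</map>'),
    "files/config.json": (0o644,
        '{"api_key": "AKIA_CONSTRUCTED_EXAMPLE", "debug": false}'),
    "files/cache.txt": (0o600, "last_sync=2024-01-01"),
}

# Key names that suggest a credential or token is being persisted in the clear.
SECRET_KEYS = re.compile(r"(token|password|passwd|secret|api_key|apikey)", re.I)

@dataclass
class Finding:
    path: str
    issue: str

def audit(files):
    """Return a list of Findings for world/group-readable files and plaintext secret keys."""
    findings = []
    for path, (mode, content) in files.items():
        # Any read bit outside the owner means the "only our app can read it" assumption fails.
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(Finding(path, "readable by other users/processes"))
        # Collect key names from SharedPreferences-style XML (<string name="...">)
        # and from JSON ("key": value) so the same scan covers both formats.
        keys = re.findall(r'name="([^"]+)"', content) + re.findall(r'"([^"]+)"\s*:', content)
        for key in keys:
            if SECRET_KEYS.search(key):
                findings.append(Finding(path, f"plaintext secret-like key '{key}'"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.path}: {f.issue}")
```

On the constructed sample this reports the session token stored in plaintext and both the permissions and the API key of config.json; a real review would run the same logic over files pulled from a test device.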