The 2024 OWASP Mobile Top 10


This year, the Open Worldwide Application Security Project (OWASP) released its update to the Mobile Top 10, a list of the top mobile application risks that we face. The last version of the list was published in 2016, and the eight years in between is essentially an eon in the tech space. In that time frame, there has been substantial change in mobile applications and the risks they face. The OWASP Mobile Top 10 list has been overhauled to bring it in line with these new challenges.

1. Improper credential usage

At number one, we have improper credential usage. One example is when credentials are hardcoded. If an adversary identifies improper credential usage in an app, they can easily exploit it and gain unauthorized access to sensitive parts of the app. This is a fairly common mistake that developers can detect via comprehensive security testing. They should look through both the configuration files and the source code to ensure that credentials haven’t accidentally been left in.
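The review of configuration files and source code described above can be partly automated. The following is an added example, not code from OWASP or the original article; the file names, key names and the entropy cut-off are assumptions, and the sample files are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample files standing in for an app's source and configuration.
SAMPLE_FILES = {
    "app/src/main/java/ApiClient.java": (
        'public class ApiClient {\n'
        '    private static final String API_KEY = "k3Xv9QpL2mZr8TyW";\n'
        '    private final String token = System.getenv("API_TOKEN");\n'
        '}\n'
    ),
    "app/src/main/res/values/strings.xml": (
        '<resources>\n'
        '    <string name="backend_secret">Zq7!pR4wNc1xUe9s</string>\n'
        '</resources>\n'
    ),
    "gradle.properties": (
        'release.password=${RELEASE_PASSWORD}\n'
        'debug.password=xxxxxxxx\n'
    ),
}

# A secret-looking name, a separator, then a literal value (not a call or ${reference}).
SECRET_ASSIGNMENT = re.compile(
    r"\b([\w.-]*(?:password|passwd|secret|api[_-]?key|token)[\w.-]*)"
    r"[\"']?\s*[=:>]\s*[\"']?"
    r"([^\"'<>\s(){}$]{8,})(?=[\"'<;\s]|$)",
    re.IGNORECASE,
)
MIN_ENTROPY = 2.0  # assumed cut-off; filters placeholders such as "xxxxxxxx"

def shannon_entropy(value):
    """Bits per character; repeated-character placeholders score near zero."""
    return -sum(n / len(value) * math.log2(n / len(value)) for n in Counter(value).values())

def scan(files):
    """Return (path, line number, name) for each literal secret; values are not echoed."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = SECRET_ASSIGNMENT.search(line)
            if match and shannon_entropy(match.group(2)) >= MIN_ENTROPY:
                findings.append((path, lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print("possible hardcoded credential: %s:%d (%s)" % finding)
```

Values read from the environment or injected at build time are not reported, so a finding points at a literal that ships inside the app package.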

2. Inadequate supply chain security

If there are vulnerabilities in the mobile app supply chain, an attacker can use these to manipulate the functionality of an app that uses the vulnerable code. Examples of such components include SDKs and third-party software libraries. If an attacker can exploit vulnerabilities in the supply chain, then they can introduce spyware, backdoors or other malicious code into an app that uses the code downstream. Supply chain vulnerabilities are often caused by not following secure coding practices, having inadequate code review processes in place, or insufficient testing. Developers must follow best practices in order to limit the chances of introducing vulnerabilities into the supply chain.

3. Insecure authentication/authorization

If an app has vulnerabilities in its authentication or authorization, attackers can exploit them to gain unauthorized access. Vulnerable authentication mechanisms may allow attackers to completely circumvent authentication and send requests to the app’s backend server. In the case of vulnerable authorization, a legitimate user may successfully complete their login and then force their way toward resources that they should not be allowed to access. In both cases, app testers can use techniques like binary attacks to determine if there are weaknesses that may allow attackers to bypass authentication or authorization.

4. Insufficient input/output validation

If an app doesn’t validate and sanitize inputs appropriately, it can result in cross-site scripting (XSS) attacks, command injection and SQL injection. Improper output validation can lead to presentation vulnerabilities or data corruption. Following validation and sanitization best practices is critical for mitigating the risks posed by these issues.

5. Insecure communication

If an attacker can intercept the data that travels to and from apps, then they may be able to steal sensitive information. While modern apps tend to use TLS for encryption, it can easily be implemented insecurely. This can happen when TLS is applied only to certain workflows, when bad certificates or improper configurations are used, or when deprecated protocols are implemented. Basic implementation flaws can be detected by inspecting the network traffic, but more complex flaws will require close study of the app’s configuration and overall design.
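As an added example of studying an app's configuration (not part of the original article), the check below audits an Android Network Security Configuration file for cleartext exceptions and for trust in user-installed CAs. Choosing Android's format is an assumption, since the article names no platform; the XML and its domains are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed res/xml/network_security_config.xml; the domains are placeholders.
SAMPLE_CONFIG = """
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example.com</domain>
    </domain-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
    </domain-config>
    <debug-overrides>
        <trust-anchors><certificates src="user" /></trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def audit_network_security_config(xml_text):
    """Return (scope, issue) pairs for settings that weaken TLS in release builds."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    # debug-overrides is skipped: it only applies when the app is debuggable.
    sections = list(root.iter("base-config")) + list(root.iter("domain-config"))
    for section in sections:
        domains = [d.text.strip() for d in section.findall("domain") if d.text]
        scope = ", ".join(domains) or "all domains (base-config)"
        if section.get("cleartextTrafficPermitted", "").lower() == "true":
            findings.append((scope, "cleartext HTTP permitted"))
        for cert in section.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append((scope, "user-installed CAs trusted"))
    return findings


if __name__ == "__main__":
    for scope, issue in audit_network_security_config(SAMPLE_CONFIG):
        print(f"{scope}: {issue}")
```

The per-domain cleartext exception is the "TLS on only some workflows" case: one legacy endpoint left on HTTP while the rest of the app's traffic is encrypted.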

6. Inadequate privacy controls

Apps need to protect sensitive personal data. Network communication with the server, the app’s sandbox, backups, and logs are usually protected, but sources like the clipboard and URL query parameters are often overlooked by developers. When building apps, all of these potential sources of personal data must be secured in order to protect users from having their personal data exposed. Personal data is tightly regulated in many jurisdictions, so data breaches can also result in severe legal consequences for your organization.

7. Insufficient binary protections

Binaries can be alluring targets for attackers, especially if they contain something highly valuable, like sensitive data or a pre-trained AI model. Attackers can also use binaries to look for vulnerabilities as part of their preparations for an attack, or to add malicious code and then redistribute it. Attackers typically either tamper with code or reverse engineer the binaries as part of these attacks. Binary attacks can’t be completely prevented, but threat modeling can help your organization determine the appropriate countermeasures. These can include making the binary incomprehensible to prevent reverse engineering, as well as obfuscation to protect against manipulation.

8. Security misconfiguration

Common security misconfigurations include improper controls, permissions and settings, which can result in unauthorized access. Security misconfiguration is a broad category, so there are many different mechanisms that can be used to mitigate the risks. These include implementing secure baseline configurations, following the principle of least privilege, and limiting an application’s attack surface.

9. Insecure data storage

Insecure data storage can result from things like not managing user credentials appropriately, weak encryption, or insecure mechanisms for data storage. You can protect against it by using NIST-approved encryption algorithms with the appropriate implementations, and by following best practices for secure data storage.

10. Insufficient cryptography

If cryptography is used incorrectly, it can impact the confidentiality, integrity and authenticity of data. Brute-force attacks and side-channel attacks are common examples of attacks against weak algorithms or improper implementations. The best defense is to use strong and up-to-date algorithms that have been implemented correctly. You also need to ensure that your keys are sufficiently long to prevent brute forcing, and that your keys are managed securely.


Cybersecurity and privacy writer.
