Understanding OWASP Mobile top 10


Mobile applications are everywhere—from managing your finances to unlocking your car. But with convenience comes risk. In 2016, OWASP (Open Web Application Security Project) released its Mobile Top 10 list to help developers and security professionals understand and mitigate the most common mobile security risks.

Though it’s been a few years, the 2016 version still holds significance as a foundational guide for mobile application security. Let’s explore what each item means, with examples and how developers can defend against them.

OWASP Mobile Top 10

M1: Improper Platform Usage

This includes misuse of platform features or failing to use platform security controls properly. Examples include incorrect use of Android intents or iOS Keychain.

Real-World Risk: An app that misuses Android’s WebView component could expose users to phishing or XSS attacks.

Mitigation: Follow platform security guidelines strictly, use secure communication channels, and validate all inputs.
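The WebView example from the risk above, worked through in Kotlin as an added illustration (this is not code from the original post or from OWASP): the first configuration misuses the platform by switching on file and content access and loading any URL it is handed, the second keeps the defaults tight and enforces an origin allowlist in the navigation callback. The host name `app.example.com` and the function names are assumptions made for the example.

```kotlin
import android.annotation.SuppressLint
import android.net.Uri
import android.webkit.WebResourceRequest
import android.webkit.WebView
import android.webkit.WebViewClient

// Constructed allowlist: only our own origin is permitted to load inside the WebView.
private val ALLOWED_HOSTS = setOf("app.example.com")

/** Misuse: every dangerous switch enabled, and any URL handed to the view is loaded. */
@SuppressLint("SetJavaScriptEnabled")
fun configureWebViewInsecurely(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = true
        allowFileAccess = true      // file:// content, including app-private files, becomes reachable
        allowContentAccess = true   // content:// providers become reachable from page script
    }
    webView.webViewClient = WebViewClient()  // no navigation policy: a redirect to a phishing page just loads
}

/** Platform controls used as intended: least privilege plus an explicit navigation allowlist. */
@SuppressLint("SetJavaScriptEnabled")
fun configureWebViewSecurely(webView: WebView) {
    webView.settings.apply {
        javaScriptEnabled = true    // keep this false unless the page really needs script
        allowFileAccess = false
        allowContentAccess = false
    }
    // Do not call addJavascriptInterface() here: a bridge is reachable by every page the view loads.
    webView.webViewClient = object : WebViewClient() {
        override fun shouldOverrideUrlLoading(view: WebView, request: WebResourceRequest): Boolean {
            // true = block the navigation; only https to an allowlisted host is let through
            return !isAllowedDestination(request.url)
        }
    }
}

/** Pure policy function, kept separate so it can be unit-tested without a WebView. */
fun isAllowedDestination(uri: Uri): Boolean {
    val host = uri.host?.lowercase() ?: return false
    return uri.scheme == "https" && host in ALLOWED_HOSTS
}
```

The policy lives in `isAllowedDestination` rather than inside the callback so a plain JVM unit test can cover the cases that matter (plain `http`, a different host, a host that merely ends in the allowlisted name). Keeping `addJavascriptInterface()` out of the secure variant is deliberate: once a bridge exists, any page that reaches the view, including one loaded through a redirect, can call it.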

M2: Insecure Data Storage

Sensitive data (passwords, tokens, personal info) stored insecurely on the device can be extracted if the device is compromised.

Real-World Risk: An attacker rooting a device can access data stored in shared preferences or SQLite without encryption.

Mitigation: Avoid storing sensitive data locally; use encrypted storage when absolutely necessary and rely on secure server-side storage.

M3: Insecure Communication

Apps often fail to properly encrypt network traffic, leaving it vulnerable to man-in-the-middle (MITM) attacks.

Real-World Risk: A banking app using HTTP instead of HTTPS can expose login credentials on public Wi-Fi.

Mitigation: Use HTTPS with certificate pinning and validate SSL certificates properly.
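Certificate pinning as described in the mitigation, shown with OkHttp's `CertificatePinner` as an added example (not code from the original post). The host `api.example.com` and both pin strings are placeholders; real pins are the base64 SHA-256 of the server certificate's public key, which OkHttp can compute for you with `CertificatePinner.pin(certificate)`.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.util.concurrent.TimeUnit

// Constructed values: the host and both pins are placeholders, not real certificates.
private const val API_HOST = "api.example.com"
private const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="  // placeholder
private const val PIN_BACKUP = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="   // placeholder

/** HTTPS client that refuses any server certificate chain not matching one of our pins. */
fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(API_HOST, PIN_CURRENT)
        .add(API_HOST, PIN_BACKUP)   // ship a backup pin so a planned key rotation does not lock users out
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()
}

/** Fail closed on cleartext: a plain-http URL is rejected before any request is sent. */
fun buildRequest(url: String): Request {
    require(url.startsWith("https://")) { "cleartext URL refused: $url" }
    return Request.Builder().url(url).build()
}
```

When the presented chain matches none of the pins, OkHttp throws `SSLPeerUnverifiedException` and includes the pins it did observe in the message, which is the information you need when diagnosing a legitimate certificate change. On Android you can express the same policy declaratively in `network_security_config.xml` (a `pin-set` for the domain plus `cleartextTrafficPermitted="false"`), which also covers other HTTP stacks in the app.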

M4: Insecure Authentication

Weak authentication mechanisms or reliance on insecure session management can lead to unauthorized access.

Real-World Risk: An app that only checks client-side tokens for authentication can be easily spoofed.

Mitigation: Use multi-factor authentication, secure token handling, and server-side validation.

M5: Insufficient Cryptography

This covers the use of broken or weak cryptographic algorithms, or the incorrect implementation of otherwise sound cryptography.

Real-World Risk: Encrypting data with hardcoded keys, or relying on outdated algorithms (like MD5), makes it easy for an attacker to recover the protected data.

Mitigation: Use well-vetted cryptographic libraries with strong, standard algorithms (e.g., AES, RSA, SHA-256), and store keys securely using the Android Keystore or iOS Keychain.

M6: Insecure Authorization

This refers to improper enforcement of user privileges, where one user can access another user’s data or perform unauthorized actions.

Real-World Risk: An attacker accessing admin features by simply modifying app parameters.

Mitigation: Perform all authorization checks on the server side.

M7: Client Code Quality

This refers to code-level flaws that stem from poor coding practices, such as buffer overflows, memory leaks, or code injection vulnerabilities.

Real-World Risk: Improper input handling that leads to code injection via untrusted sources.

Mitigation: Use secure coding practices, perform static and dynamic code analysis, and sanitize all user input.
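The injection risk named above, shown in Kotlin against Android's SQLite API as an added example (not code from the original post): the first query splices untrusted text into the SQL statement, the second binds it as a parameter. The in-memory `notes` table and its two rows are constructed for the demonstration; a legitimate title containing an apostrophe is enough to show the difference, because the same parsing mistake that makes it crash is what an attacker would exploit with crafted input.

```kotlin
import android.database.sqlite.SQLiteDatabase
import android.database.sqlite.SQLiteException

/** Vulnerable: the untrusted value becomes part of the SQL text, so the database parses it as SQL. */
fun countNotesInsecure(db: SQLiteDatabase, title: String): Int =
    db.rawQuery("SELECT COUNT(*) FROM notes WHERE title = '$title'", null).use { c ->
        c.moveToFirst()
        c.getInt(0)
    }

/** Fixed: the value is bound as a parameter and can never alter the structure of the query. */
fun countNotesSecure(db: SQLiteDatabase, title: String): Int =
    db.rawQuery("SELECT COUNT(*) FROM notes WHERE title = ?", arrayOf(title)).use { c ->
        c.moveToFirst()
        c.getInt(0)
    }

/** Constructed in-memory database so both functions can be compared without a real app. */
fun demoDatabase(): SQLiteDatabase =
    SQLiteDatabase.create(null).apply {
        execSQL("CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
        execSQL("INSERT INTO notes (title, body) VALUES (?, ?)", arrayOf("groceries", "milk"))
        execSQL("INSERT INTO notes (title, body) VALUES (?, ?)", arrayOf("O'Brien's list", "call back"))
    }

/** Runs both lookups for a legitimate title that happens to contain quotes. */
fun demo(): String {
    val db = demoDatabase()
    val userInput = "O'Brien's list"
    val secure = countNotesSecure(db, userInput)          // finds the row
    val insecure = try {
        countNotesInsecure(db, userInput).toString()       // the quotes break the statement
    } catch (e: SQLiteException) {
        "SQLiteException: ${e.message}"
    }
    db.close()
    return "secure=$secure insecure=$insecure"
}
```

Static analysis tools flag the concatenated form directly (Android Lint reports it, and MobSF lists `rawQuery` calls with string formatting), which is the "static and dynamic code analysis" step from the mitigation. The same rule applies to `query()`, `update()` and `delete()`: pass user data through the `selectionArgs` parameter, never into the `selection` string.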

M8: Code Tampering

The app binary can be modified and redistributed (e.g., with malware or ads inserted).

Real-World Risk: Modified APKs distributed through third-party stores that steal user data.

Mitigation: Use checksums, code obfuscation, and tamper detection techniques to ensure code integrity.

M9: Reverse Engineering

Attackers can decompile or disassemble an app to understand how it works and identify vulnerabilities.

Real-World Risk: An attacker reverse-engineers the app to extract API keys or business logic.

Mitigation: Obfuscate code and avoid hardcoding secrets in the binary.

M10: Extraneous Functionality

This includes debug code, backdoors, or hidden features left in the app accidentally.

Real-World Risk: A forgotten admin console in production that gives full access to app settings.

Mitigation: Review and strip all debugging and test code before release; enforce a secure SDLC.

Even though the list was released in 2016, these categories remain highly relevant. Many mobile breaches today stem from the very issues listed above. Modern apps are more connected and complex, which means secure design, secure coding, and secure testing are more critical than ever.

Tools & Resources

  • MobSF (Mobile Security Framework) – Static and dynamic analysis
  • OWASP MASVS & MSTG – Updated standards and testing guides
  • Burp Suite / Frida / jadx – For dynamic analysis and reverse engineering

Mobile app developers can’t afford to treat security as an afterthought. OWASP’s Mobile Top 10 serves as a checklist of what not to miss. As mobile apps continue to evolve, foundational security practices must keep pace. If you’re building or securing a mobile app, take the time to map your threat model against these top 10 risks—and implement controls accordingly. A secure app is not just good engineering—it’s trust by design.