Black Hat | Def Con 2024
Are you attending Black Hat? Meet the Cobalt team and Core at booth #2913!
Black Hat | Def Con 2024
Are you attending Black Hat? Meet the Cobalt team and Core at booth #2913!

OWASP Mobile Top 10 2024 Update: Essential changes for security experts

May 17, 2024
Est Read Time: 6 min
Apporwa Verma

The Open Worldwide Application Security Project's OWASP Mobile Top 10 2024 final release is now available. 

Since 2003, OWASP has been providing regular updates on the latest cybersecurity vulnerabilities. The latest release represents the first major update since 2016. In 2024, credential usage, supply chain security and authentication/authorization issues top the list of leading mobile security risks. 

Here we'll walk you through an executive summary of the OWASP Mobile Top 10 report by listing today's leading smartphone cybersecurity threats and giving you a rundown of each risk. We'll summarize what each vulnerability is, how to detect it, and how to prevent it.

Biggest changes to vulnerabilities cybersecurity experts should know

The latest OWASP Mobile Top 10 report identifies these as the most important vulnerabilities to prevent:

  1. Improper credential usage
  2. Inadequate supply chain security
  3. Insecure authentication/authorization
  4. Insufficient input/output validation
  5. Insecure communication
  6. Inadequate privacy controls
  7. Insufficient binary protections
  8. Security misconfiguration
  9. Insecure data storage
  10. Insufficient cryptography

In addition to these risks, OWASP mentioned six noteworthy vulnerabilities that may be added in the near future:

  • Data leakage
  • Hardcoded secrets
  • Insecure access control
  • Path overwrite and path traversal
  • Unprotected endpoints (deeplink, activity, service, etc.)
  • Unsafe sharing

These vulnerabilities have some overlap with the categories that did make the top ten. For example, hardcoded secrets can contribute to improper credential usage vulnerabilities.

Let's take a closer look at the vulnerabilities that did make OWASP's top 10 list:

Top 10 mobile risks

For each vulnerability listed below, we'll summarize what it is, how to detect it, and how to prevent it. 

For more details, see OWASP's full report and Mobile Application Security Verification Standard (OWASP MASVS), which divides mobile app security into control groups representing the most critical attack surfaces. 

OWASP Mobile Top 10 vulnerabilities correspond to OWASP MASVS categories. For example, the first and third vulnerabilities on the list (improper credential usage and insecure authentication/authorization) correspond to the MASVS-AUTH control group, encompassing authentication and authorization mechanisms used by mobile apps.

1. Improper credential usage

What it is:

This risk relates to hardcoded credentials within the source code, insecure transmission and storage of credentials and weak authentication methods used. Additionally, improper use of credentials, including insecure transmission or storage, introduces further risks. These risks relate to hardcoded credentials within the source code, insecure transmission and storage of credentials, and the use of weak authentication methods.

How to detect it:

  • Look for hard coded credentials in mobile app source code and configuration files.
  • Identify credentials in mobile APK and .ipa files.
  • Monitor certificate pinning failures on backend server channels.

How to prevent it:

  • Avoid storing credentials in app source code.
  • Protect data at rest and in transit when apps are running.
  • Revoke and rotate API keys and access tokens rather than storing credentials on devices.
  • Use strong authentication protocols.

2. Inadequate supply chain security

What it is:

This threat stems from vulnerabilities in external, third-party tools such as codebases, software libraries, SDKs, and vendors. For instance, hackers can insert malicious code into codebases or build processes.

How to detect it:

  • Use automated tools to scan third-party codes for Common Vulnerabilities and Exposures (CVEs).

How to prevent it:

  • Follow best practices for coding, code review, and testing.
  • Use trusted and validated third-party tools.
  • Implement secure app signing and distribution processes.
  • Follow security controls to keep current with app updates.
  • Use automated tools to detect and manage incidents.

3.Insecure authentication/authorization

What it is:

This risk involves stealing user credentials to log into apps or penetrate backend servers. Attackers also may exploit poor access control.

How to detect it:

  • Test ability to execute high privilege functionality without authorization and authentication when apps are offline
  • Test authorization checks on backend hidden functionality, assuming that the hidden functionality will only be accessed by a user with the appropriate role
  • Test anonymous backend server functionality access without session tokens for POST/GET requests.

How to prevent it:

  • Implement server-side reinforcement over authentication and authorization controls.
  • Run mobile app attestation tests.

4. Insufficient input/output validation

What it is:

This risk stems from inadequate validation and sanitization of data from external inputs such as users or networks. Attackers may deploy methods such as SQL injection, command injection and cross-site scripting (XSS).

How to detect it:

  • Test for input validation.
  • Run routine security evaluations, including code reviews and pentesting.

How to prevent it:

  • Follow best practices for input validation and output sanitization.
  • Use context-specific validation.
  • Perform data integrity checks.
  • Follow secure coding practices.
  • Conduct routine security tests, including pentesting and code reviews.

5. Insecure communication

What it is:

This risk invites interception and modification of data transmitted between mobile applications and servers on device carrier networks or the internet. Hackers may use methods such as man-in-the-middle (MITM) attacks.

How to detect it:

  • Confirm correct SSL/TLS implementation with strong cipher suites for transmission channels to backend APIs, web services, and third-party entities such as analytics providers.
  • Use certificates from trusted certificate authority (CA) providers who apply certificate pinning.
  • Check app network security settings for vulnerabilities such as cleartext credentials or self-signed certificates.

How to prevent it:

  • Use certificate pinning supported by runtime application self-protection (RASP) security checks on devices and dynamic certificate rotation.

6. Inadequate privacy controls

What it is:

This risk exposes personally identifiable information (PII) such as names, email, or credit card data for purposes such as identity theft or extortion. Data can be compromised through means such as leaks (violation of confidentiality), manipulation (violation of integrity), or destruction (violation of availability).

How to detect it:

  • Check apps for compliance with privacy statutes and regulations.
  • Review apps for other vulnerabilities that could expose PII, particularly insecure data storage and communication, insecure authentication and authorization for data access, and insider attacks on app sandboxes.

How to prevent it:

  • Avoid unnecessary processing of PII.
  • Keep necessary storage and transmission of PII to a minimum, using proper authentication and authorization procedures.
  • Use static and dynamic security tools to identify common issues, such as sensitive data logging or leakage to clipboards and URL query parameters.

7. Insufficient binary protections

What it is:

This risk resides in unprotected machine code stored in app binary files. Attackers may seek to change app functionality, steal intellectual property, reverse engineer apps, or tamper with code for purposes such as bypassing paywalls.

How to detect it:

  • Use automated tools to scan app binary files.

How to prevent it:

  • Apply binary obfuscation.
  • Run integrity checks to detect and block code tampering.
  • Rotate API keys.

8. Security misconfiguration

What it is:

This risk emerges from improper configuration of security settings, permissions, or controls. For example, insecure default settings may open attack vectors. Other examples include misconfigured access control, weak encryption, insecure communication protocols, unprotected file storage, insecure file permissions, and misconfigured session management.

How to detect it:

  • Run a comprehensive security review, including configuration analysis, code review, and penetration testing.

How to prevent it:

  • Use secure default configurations and credentials.
  • Avoid insecure permissions.
  • Adhere to the least privilege principle, requesting only necessary permissions.
  • Secure networks by disallowing cleartext traffic and using certificate pinning.
  • Disable debugging and (on Android) backup mode.
  • Export only necessary activities, content providers, and services.

9: Insecure data storage

What it is:

This risk exposes stored data through vulnerabilities such as weak encryption, intercepted data transmissions, unauthorized access, or malware.

How to detect it:

  • Monitor local storage during app execution, flagging issues such as poor access controls, plaintext storage of passwords and keys, exposure of data through application logs or temporary files, or insecure caching,

How to prevent it:

  • Apply strong encryption.
  • Use secure data transmission.
  • Store sensitive data in secure locations inaccessible to unauthorized users.
  • Use proper access controls.
  • Implement data validation and sanitization.
  • Follow secure session management practices.
  • Keep current on third-party security updates, patches, and security news.

10: Insufficient cryptography

What it is:
This risk stems from sources such as weak encryption algorithms, short key lengths, inadequate salting, flawed encryption and decryption implementation, and leaked encryption keys or processes.

How to detect it:

  • Review encryption and decryption processes for conformity with established cryptography libraries and frameworks.
  • Avoid customized encryption.

How to prevent it:

  • Use strong encryption algorithms and sufficient key lengths.
  • Apply strong hash functions, salting, and Key Derivation Functions (KDFs).
  • Adhere to secure key management practices.
  • Follow correct encryption implementation guidelines.
  • Store keys securely.
  • Use secure transport layer protocols.
  • Apply strong validation and authentication methods.
  • Run security measures.
  • Keep security updates current.  

In conclusion, the OWASP Mobile Top 10 2024 serves as a critical roadmap for security professionals navigating the evolving landscape of mobile threats. By understanding and addressing the vulnerabilities outlined, developers and security practitioners can fortify their defenses against the most pressing risks.

State of Pentesting Blog CTA 2024
Back to Blog
About Apporwa Verma
7+ years experience in DAST, SAST, VAPT, Mobile and Web PenTest, DevSecOps, GRC, with a Masters degree in Computer Science and Information Security. More By Apporwa Verma

Related resources

A Pentester's Guide to Source Code Review
This blog post guides how to conduct a source code review project, focusing on advice for those new to the task. The post covers the purpose of a source code review, the process for conducting one, and the information needed to conduct a proper assessment.
Pentester Guides , Community
Blog
May 15, 2023
Read more
Part 3: Learning iOS App Pentesting and Application Security with Real-World Case Studies
Community
Blog
Sep 5, 2023
Read more
Source Code Review cover image
Source Code Review
Are you checking your new products for vulnerabilities in all capacities? Ninad Mathpati shares what you need to be doing during your Source Code Review and what attackers look for.
Pentester Guides , Community
Blog
Nov 9, 2022
Read more
see more

Never miss a story

Stay updated about Cobalt news as it happens