Published on

Top 10 Mobile App Threats (OWASP)

Authors
  • avatar
    Name
    Rosa Tiara
    Twitter

Introduction

Mobile apps are everywhere, on our phones, watches, cars, and even some refrigerators. As apps get smarter, attackers get smarter too. The OWASP Mobile Top 10 is a list of the most common and dangerous security risks in mobile applications.

OWASP stands for the Open Web Application Security Project. It is a global non-profit community that creates free resources to help developers, companies, and security professionals build safer software.

Before diving into the risks, it helps to know what to expect. In this blog, I will give a concise explanation of each OWASP Mobile Top 10 item and then shows examples for both Android and iOS.

The OWASP Mobile Top 10 (as of 2024)

1. Improper Credential Usage

This happens when an app stores, handles, or exposes credentials or secrets in insecure places or formats.

Android example:
Hardcoded API key in BuildConfig or strings.xml.

iOS example:
Storing passwords or tokens in UserDefaults instead of Keychain.

2. Inadequate Supply Chain Security

This happens when third-party libraries, SDKs, package sources, or build tools introduce vulnerabilities or malicious code into your app.

Android example:
Including an outdated ad SDK from an untrusted repository that has a known remote code execution bug.

iOS example:
Using a CocoaPod from an unverified fork that later gets hijacked and updated with malicious code.

3. Insecure Authentication and Authorization

This happens when the app does not properly verify user identities, session state, or permissions, allowing impersonation or privilege escalation.

Android example:
Allowing access to a protected activity via an unvalidated deep link so an attacker can bypass login.

iOS example:
Not validating session tokens on the server side and trusting a client-supplied token for sensitive actions.

4. Insufficient Input and Output Validation

This happens when an app accepts, processes, or renders data without checking that it is safe, correctly formatted, and from an expected source.

Android example:
Accepting Intents from other apps without checking origin or validating extras, leading to unexpected behavior or crashes.

iOS example:
Loading user-supplied HTML into WKWebView without sanitizing it, enabling script injection.

5. Insecure Communication

This happens when data in transit is not properly protected, allowing interception, tampering, or replay attacks.

Android example:
Making API requests over plain HTTP instead of HTTPS, exposing tokens and user data on the network.

iOS example:
Disabling App Transport Security (ATS) to allow insecure connections to a backend service.

6. Inadequate Privacy Controls

This happens when an app collects, logs, or exposes personal data without adequate protection, consent, or minimization.

Android example:
Writing GPS coordinates or user identifiers to Logcat or unsecured files.

iOS example:
Including user tokens or personal details in crash reports that are uploaded without redaction.

7. Insufficient Binary Protection

This happens when an app lacks measures to deter reverse engineering, tampering, or unauthorized modifications.

Android example:
Shipping an APK without code obfuscation or resource protection, making it easy to inspect and extract secrets.

iOS example:
Not using runtime protections or integrity checks, allowing attackers on jailbroken devices to modify the app binary.

8. Security Misconfiguration

This happens when application, platform, or deployment settings are left in insecure states due to incorrect defaults, missing restrictions, or incorrect permissions.

Android example:
Declaring exported activities or services in the manifest that accept external input but have no access checks.

iOS example:
Including overly broad entitlements in the provisioning profile or using NSAllowsArbitraryLoads without justification.

9. Insufficient Cryptography

This happens when encryption is implemented incorrectly, weak algorithms or keys are used, or cryptographic secrets are exposed.

Android example:
Encrypting data with AES using a hardcoded symmetric key stored in the app package.

iOS example:
Implementing custom encryption routines instead of using Keychain or CryptoKit, leading to predictable or reversible ciphertext.

10. Improper Platform Usage

This happens when developers misuse platform APIs or ignore built-in security features, defeating protections the platform provides.

Android example:
Writing files outside scoped storage or ignoring platform permission models, exposing data to other apps.

iOS example:
Overriding or relaxing platform protections such as allowing arbitrary loads or bypassing data protection classes.

Final Takeaway

Knowing these ten risks helps you spot insecure patterns in mobile apps and prioritize fixes. As a software engineer, particularly mobile, awareness is the first step toward building safer mobile applications!

Happy learning! 🎈