OWASP-M TOP 10

Summary

OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. OWASP-M Top Ten classifies mobile security risks and provides developmental controls to reduce their impact or likelihood of exploitation. The last version reviewed is 2016.

Definitions

Definition	Requirements
OWASPM10-M1. Improper platform usage	266. Disable insecure functionalities 320. Avoid client-side control enforcement 330. Verify Subresource Integrity 348. Use consistent encoding
OWASPM10-M2. Insecure data storage	173. Discard unsafe inputs 185. Encrypt sensitive information 229. Request access credentials 030. Avoid object reutilization 032. Avoid session ID leakages 046. Manage the integrity of critical files
OWASPM10-M3. Insecure communication threat agents	206. Configure communication protocols 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 030. Avoid object reutilization
OWASPM10-M4. Insecure authentication	132. Passphrases with at least 4 words 153. Out of band transactions 319. Make authentication options equally secure 328. Request MFA for critical systems 335. Define out of band token lifespan 357. Use stateless session tokens
OWASPM10-M5. Insufficient cryptography	151. Separate keys for encryption and signatures 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms 361. Replace cryptographic keys
OWASPM10-M6. Insecure authorization	373. Use certificate pinning 031. Discard user session data 035. Manage privilege modifications
OWASPM10-M7. Poor code quality	157. Use the strict mode 164. Use optimized structures 172. Encrypt connection strings 345. Establish protections against overflows 348. Use consistent encoding
OWASPM10-M8. Code tampering	262. Verify third-party components 326. Detect rooted devices 374. Use of isolation methods in running applications 037. Parameters without sensitive data
OWASPM10-M9. Reverse engineering	172. Encrypt connection strings 184. Obfuscate application data 050. Control calls to interpreted code
OWASPM10-M10. Extraneous functionality threat agents	154. Eliminate backdoors 323. Exclude unverifiable files

Last updated

2023/09/18