Fluid Attacks Database

OWASP-M TOP 10

Last updated: 2023/09/18

OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. OWASP-M Top Ten classifies mobile security risks and provides developmental controls to reduce their impact or likelihood of exploitation. The last version reviewed is 2016.

Control-Requirement Mapping

Definition	Requirements
M1. Improper platform usage	266. Disable insecure functionalities 320. Avoid client-side control enforcement 330. Verify Subresource Integrity 348. Use consistent encoding
M2. Insecure data storage	173. Discard unsafe inputs 185. Encrypt sensitive information 229. Request access credentials 030. Avoid object reutilization 032. Avoid session ID leakages 046. Manage the integrity of critical files
M3. Insecure communication threat agents	206. Configure communication protocols 223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms 336. Disable insecure TLS versions 338. Implement perfect forward secrecy 030. Avoid object reutilization
M4. Insecure authentication	132. Passphrases with at least 4 words 153. Out of band transactions 319. Make authentication options equally secure 328. Request MFA for critical systems 335. Define out of band token lifespan 357. Use stateless session tokens
M5. Insufficient cryptography	151. Separate keys for encryption and signatures 185. Encrypt sensitive information 224. Use secure cryptographic mechanisms 361. Replace cryptographic keys
M6. Insecure authorization	373. Use certificate pinning 031. Discard user session data 035. Manage privilege modifications
M7. Poor code quality	157. Use the strict mode 164. Use optimized structures 172. Encrypt connection strings 345. Establish protections against overflows 348. Use consistent encoding
M8. Code tampering	262. Verify third-party components 326. Detect rooted devices 374. Use of isolation methods in running applications 037. Parameters without sensitive data
M9. Reverse engineering	172. Encrypt connection strings 184. Obfuscate application data 050. Control calls to interpreted code
M10. Extraneous functionality threat agents	154. Eliminate backdoors 323. Exclude unverifiable files

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.