OWASP Top 10 Mobile in Detail & 8 Ways to Mitigate Them


What is the OWASP Mobile Top 10 (2024)?

The OWASP Mobile Top 10, most recently revised in 2024, is a periodically updated list published by the Open Web Application Security Project (OWASP) that highlights the most critical security risks affecting mobile applications. This list is a reference for developers, security professionals, and organizations seeking to understand where mobile app security failures are most common and impactful.

By consolidating trends from research, industry reports, and real-world incident data, OWASP delivers actionable guidance for mitigating vulnerabilities that plague a wide spectrum of devices and app platforms. The Top 10 is a consensus-driven prioritization of the most prevalent and damaging threats.

Each item in the list represents a category of risk, such as insecure authentication or cryptographic failures, rather than a single vulnerability. The intent is to help stakeholders focus remediation resources on weaknesses that statistically lead to the majority of exploitation and breaches in mobile ecosystems.

Why Mobile Security Risks Differ from Web Application Risks

Mobile applications face distinct security challenges due to their deployment environment, platform constraints, and user interaction models. Unlike web applications that operate within browser sandboxes, mobile apps run directly on devices with access to local storage, sensors, and APIs. This expands the attack surface and introduces threats like insecure local data storage and abuse of device permissions.

Mobile platforms also enforce different security models. For example, Android and iOS use app sandboxing and permission systems, but their implementation varies, affecting how vulnerabilities can be exploited. Moreover, the mobile ecosystem relies heavily on third-party SDKs and APIs, which can introduce risks if not properly vetted or updated.

Additionally, mobile apps often operate in untrusted networks, such as public Wi-Fi, making transport layer security critical. Threats like reverse engineering and app repackaging are also more prevalent, since attackers can directly access the application binaries. These differences require tailored security practices that go beyond traditional web application threat models.

Overview of OWASP Top 10 Mobile Risks (2024)

M1: Improper Credential Usage

Improper credential usage in mobile apps includes storing passwords, API keys, tokens, or sensitive secrets insecurely, whether in plain text on the device, embedded in source code, or transmitted without proper safeguards. Threat actors exploit these weaknesses to extract credentials, potentially gaining unauthorized access to back-end services or impersonating legitimate users.

A significant aspect of mitigating improper credential usage is rigorous credential management. Securely storing confidential tokens using trusted platform-provided keystores, enforcing encrypted network communications, and deploying mechanisms to rotate or revoke exposed credentials all reduce the attack surface. Developers must also avoid hardcoding secrets and should use environment variables or secure vault solutions instead.

M2: Supply Chain Security Weaknesses

Supply chain security weaknesses arise when mobile app development depends on third-party libraries, SDKs, frameworks, or external components that themselves may introduce vulnerabilities. Compromised or malicious dependencies can inject backdoors, enable data exfiltration, or trigger privilege escalations, often outside the auditing scope of the primary app team.

Mitigating supply chain risks requires continuous monitoring and validation of all dependencies, both at build time and throughout the app's lifecycle. Employing tools for software composition analysis, verifying source integrity with digital signatures, and maintaining an up-to-date inventory of included packages can significantly limit this attack vector.

M3: Insecure Authentication and Authorization Failures

Authentication and authorization failures in mobile apps enable attackers to bypass login mechanisms, escalate privileges, or access restricted functions. Common flaws include weak password policies, predictable session tokens, improper multi-factor authentication (MFA) implementations, and inadequate user input validation. Authorization failures may occur when client-side logic governs access controls, allowing adversaries to tamper with requests.

Developers must implement robust server-side checks for authentication and authorization, leveraging secure tokens, strong hashing techniques, and time-limited authentication cookies. Session management should include automatic expiration and revocation under suspicious activity, with sensitive operations requiring re-authentication.

M4: Input and Output Validation Weaknesses

Poor input and output validation allows attackers to inject malicious payloads, such as SQL, JavaScript, or OS commands, or to manipulate data in ways that compromise application integrity. On mobile devices, this risk expands to include untrusted inter-app communications, misuse of intents (on Android), and unvalidated external content.

To address these vulnerabilities, every data entry point (forms, files, external sensors, and network inputs) requires strict integrity checks. Application code must sanitize outbound data to prevent information leaks through logs, error messages, or inter-process communications.

M5: Insecure Network Communication

Insecure network communication results from mobile apps transmitting sensitive data over unprotected channels, using obsolete protocols, or failing to verify the authenticity of remote endpoints. This leaves data in transit vulnerable to eavesdropping, man-in-the-middle (MITM) attacks, and unauthorized content modification, especially over public Wi-Fi or mobile networks where interception is easy.

Mitigation involves enforcing the latest secure transport protocols, such as TLS 1.2+ with strong cipher suites, performing certificate pinning to ensure endpoint authenticity, and never downgrading to insecure fallback connections. Developers must avoid transmitting sensitive payloads over non-encrypted HTTP and should monitor network libraries for protocol updates and deprecation announcements.
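The following is an added example, not code from the article: a small audit of an Android network_security_config.xml that checks for the M5 weaknesses named above (plain HTTP permitted, user-installed CAs trusted, hosts without a pin set, no backup pin, expired pins). Both configs are constructed here, the host name is illustrative, and the pin values are placeholders rather than real SPKI hashes.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed weak config: plain HTTP allowed, user-installed CAs trusted, no pins.
WEAK_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true">
    <trust-anchors>
      <certificates src="system" />
      <certificates src="user" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
  </domain-config>
</network-security-config>"""

# Constructed hardened config: HTTPS only, system CAs, API host pinned with a backup pin.
# Pin values are placeholders, not real SPKI hashes.
HARDENED_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors>
      <certificates src="system" />
    </trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_PIN_BASE64=</pin>
      <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def audit_network_security_config(xml_text, today=None):
    """Return a list of findings; an empty list means no M5 weakness was spotted."""
    today = today or date.today()
    root = ET.fromstring(xml_text)
    findings = []
    # Cleartext and trust-anchor checks apply to base-config and every domain-config.
    # An absent attribute is treated as "false" (the Android 9+ default).
    for cfg in root.findall("base-config") + root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
            findings.append(f"{cfg.tag}: cleartextTrafficPermitted=true allows plain HTTP")
        for cert in cfg.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs are trusted, so any "
                                "interception proxy the user installs is accepted")
    # Each domain-config should pin its hosts, keep a backup pin, and not be expired
    # (Android silently stops enforcing an expired pin-set).
    for cfg in root.findall("domain-config"):
        hosts = ", ".join(d.text.strip() for d in cfg.findall("domain"))
        pin_set = cfg.find("pin-set")
        if pin_set is None:
            findings.append(f"domain-config [{hosts}]: no pin-set, endpoint not pinned")
            continue
        pins = [p for p in pin_set.findall("pin") if p.get("digest") == "SHA-256"]
        if len(pins) < 2:
            findings.append(f"domain-config [{hosts}]: fewer than 2 pins, no backup pin")
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) <= today:
            findings.append(f"domain-config [{hosts}]: pin-set expired on {exp}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_network_security_config(cfg) or ["no findings"])
```

Running it prints three findings for the weak config and none for the hardened one; a pin-set whose expiration date has passed is reported separately, because Android stops enforcing the pins rather than failing the connection.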

M6: Privacy Control Failures

Privacy control failures occur when mobile applications over-collect, mishandle, or expose users’ personal data. Common pitfalls include requesting unnecessary permissions, leaking personally identifiable information (PII) via logs or analytics, and failing to obtain explicit user consent. These oversights not only violate regulatory requirements such as GDPR or CCPA but also erode user trust and increase the risk of identity theft or social engineering attacks.

Remediation starts with data minimization: collect and process only what is essential, and strictly define data retention policies. Sensitive operations should be isolated, logged securely, and accompanied by transparent privacy notices and just-in-time consent prompts.

M7: Insufficient Binary and Code Protection

Lack of robust binary and code protection allows attackers to reverse engineer app executables, extract embedded secrets, or modify functionality to circumvent security controls. Threats include static analysis, dynamic instrumentation, repackaging attacks, and runtime code injection, often used to propagate malware or harvest sensitive data directly from compromised code.

To defend against binary tampering, developers should apply obfuscation, anti-debugging techniques, integrity checksums, root/jailbreak detection, and secure boot mechanisms at both compile and runtime stages. Regularly updating binaries and removing extraneous debug information limit exposure.

M8: Security Misconfigurations

Security misconfigurations are accidental weaknesses introduced through incorrect app settings, flawed deployment procedures, or improper use of platform features. Examples include exposing debug endpoints, shipping apps with verbose logging enabled, failing to set correct file permissions, or using debug certificates for production releases. Attackers can discover and exploit these missteps to enumerate internal workings, escalate privileges, and access data.

Mitigation requires rigorous configuration management practices, adherence to platform security guides, and environment-specific settings for development, test, and production phases. Automated security scanning, integrated directly into CI/CD pipelines, can help catch misconfigurations early.

M9: Insecure Data Storage Practices

Insecure data storage exposes sensitive user data, including session tokens, private files, or health records, through careless use of local device storage, unprotected databases, or insecure external media. Mobile app data is often accessible to both legitimate users and malicious actors once a device is compromised (for example, via physical theft or malware), especially when encryption, access controls, or OS-level protections are missing or misapplied.

Preventing insecure storage involves leveraging trusted platform storage APIs, enabling strong encryption for all at-rest data, and restricting file access to only the required app components. Storing sensitive records exclusively on the back-end, with minimal temporary caching on the device, further limits exposure.

M10: Cryptographic Weaknesses and Misuse

Cryptographic weaknesses stem from using obsolete algorithms (such as MD5 or SHA-1), implementing cryptography incorrectly, or managing keys insecurely. Consequences include compromised confidentiality, broken authentication, or unauthorized data modification. Common mistakes include static keys hardcoded in binaries, reusing initialization vectors, or failing to verify cryptographic library implementation correctness.

Vigilant key management and a commitment to modern, well-tested cryptographic APIs are mandatory to prevent these failures. Automatic library updates, deprecation of weak algorithms, and adherence to industry standards (like NIST or OWASP MASVS) fortify app resilience against attack.
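As an added example (not from the article), the check below scans Android/Kotlin source for the M1 and M10 mistakes named above: hard-coded secrets, MD5/SHA-1 digests, ECB mode, and a static IV. The two Kotlin excerpts are constructed for the demo, the API key value is a placeholder, and the rule set is a deliberately small illustration of what a software composition or static analysis tool would carry.

```python
import re

# Rule table: (rule id, pattern, OWASP Mobile category it maps to).
RULES = [
    ("weak-hash", re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'), "M10"),
    ("ecb-mode", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB/'), "M10"),
    ("static-iv", re.compile(r'IvParameterSpec\(\s*(ByteArray\(\d+\)|byteArrayOf\(|new\s+byte\[)'), "M10"),
    ("hardcoded-secret",
     re.compile(r'(?i)\b(api[_-]?key|secret|password|token)\w*\s*[:=]\s*"[^"]{8,}"'), "M1"),
]

# Constructed Kotlin excerpt showing the mistakes the text lists (placeholder key value).
WEAK_SOURCE = """\
object LegacyAuth {
    const val API_KEY = "sk_live_constructed_placeholder_123456"
    fun fingerprint(data: ByteArray) = MessageDigest.getInstance("MD5").digest(data)
    val legacy = Cipher.getInstance("DES/ECB/PKCS5Padding")  // ECB leaks plaintext patterns
    fun encrypt(data: ByteArray, key: SecretKey): ByteArray {
        val cipher = Cipher.getInstance("AES/CBC/PKCS5Padding")
        cipher.init(Cipher.ENCRYPT_MODE, key, IvParameterSpec(ByteArray(16)))  // same IV every call
        return cipher.doFinal(data)
    }
}
"""

# Constructed hardened counterpart: key held by the Android KeyStore, SHA-256,
# AES-GCM with a fresh random IV per message.
HARDENED_SOURCE = """\
object Auth {
    private val key = keyStore.getKey(KEY_ALIAS, null) as SecretKey
    fun fingerprint(data: ByteArray) = MessageDigest.getInstance("SHA-256").digest(data)
    fun encrypt(data: ByteArray): ByteArray {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
        val iv = ByteArray(12).also { SecureRandom().nextBytes(it) }  // fresh IV per message
        cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(128, iv))
        return iv + cipher.doFinal(data)
    }
}
"""


def scan_source(text):
    """Return (line_no, rule_id, category) for each line that trips a rule."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, category in RULES:
            if pattern.search(line):
                hits.append((no, rule_id, category))
    return hits


if __name__ == "__main__":
    print("weak:", scan_source(WEAK_SOURCE))
    print("hardened:", scan_source(HARDENED_SOURCE))
```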

Uri Dorot

Uri Dorot is a senior product marketing manager at Radware, specializing in application protection solutions, service and trends. With a deep understanding of the cyber threat landscape, Uri helps companies bridge the gap between complex cybersecurity concepts and real-world outcomes.

Tips from the Expert:

In my experience, here are tips that can help you better strengthen mobile app security beyond the OWASP Mobile Top 10 guidance:

1. Instrument app telemetry for threat intelligence: Go beyond basic logging and integrate mobile-specific telemetry (e.g., jailbreak/root status, device fingerprinting, app lifecycle anomalies) into SIEM or mobile fraud detection platforms. This data creates a feedback loop that helps detect evolving threats and attacker tooling targeting the app in the wild.
2. Use canary values to detect unauthorized access: Place non-functional “canary” tokens or values in app memory or storage, such as fake API keys or decoy credentials, and monitor if they are ever used in API calls. If seen, it signals app tampering, reverse engineering, or credential extraction attempts.
3. Deploy dynamic runtime policy enforcement: Use frameworks like App Shielding or RASP (Runtime Application Self-Protection) to implement runtime policy controls that adapt to the execution context; e.g., disabling features or blocking execution when running on an emulator, debugger, or compromised OS environment.
4. Implement binary watermarking and signature tracing: Add non-obvious watermarks and unique build-time signatures to binaries to track distribution, detect unofficial repackaging, and validate attribution if a compromised version surfaces. This helps in legal, forensic, and anti-piracy contexts.
5. Run controlled adversarial testing with mobile-focused red teams: Periodically engage mobile-aware red teams to simulate real-world attacker behaviors such as repackaging, MITM attacks on Wi-Fi, memory scraping on rooted devices, or abuse of third-party SDKs. These practical tests go beyond automated scans to find systemic weaknesses.

The OWASP Mobile Top 10: 2024 vs. 2016

The 2024 OWASP Mobile Top 10 reflects a shift from vulnerability-centric categorization (as seen in 2016) to a risk-based taxonomy that emphasizes root causes and systemic weaknesses. While the 2016 list included granular items like “Insecure Data Storage” or “Improper Platform Usage,” the 2024 version consolidates overlapping issues and introduces broader categories like “Supply Chain Security Weaknesses” and “Privacy Control Failures.”

Some 2024 categories subsume multiple 2016 items. For example, “Improper Credential Usage” in 2024 encompasses “Insecure Authentication,” “Insecure Data Storage,” and “Insecure Communication” from the earlier list. Similarly, “Security Misconfigurations” now includes former issues like improper platform usage and debugging exposure.

New categories introduced in 2024, such as “Supply Chain Security Weaknesses,” respond to evolving threats tied to dependency management and third-party code. These were not explicitly covered in 2016, despite their increasing relevance. Meanwhile, 2016’s “Client Code Quality” and “Code Tampering” have been integrated under broader themes like “Insufficient Binary and Code Protection.”

Best Practices for Preventing OWASP Mobile Top 10 Risks

Here are some of the ways that organizations can better protect themselves from the risks described by the OWASP Mobile Top 10.

1. Use a Robust API and Bot-Protection Layer Across Mobile Back-end Services

To reduce the risk of unauthorized access and automated attacks, organizations should deploy a dedicated API gateway that implements strong authentication controls, rate limiting, and bot-detection mechanisms. These defenses limit exploitability from credential stuffing, scraping, or brute-force attacks, and provide visibility into unusual request patterns.

API gateways act as the first checkpoint for back-end resources, shielding the app’s core business logic and sensitive endpoints from direct exposure to untrusted network traffic. Integrating bot detection further hardens defenses by identifying anomalous traffic signatures, enforcing CAPTCHAs, or requiring advanced client verification for sensitive actions.

2. Adopt a Security-First SDLC Approach for Mobile Development

Embedding security throughout the software development lifecycle (SDLC) is essential for anticipating and addressing mobile-specific threats before deployment. This approach starts with threat modeling for every new feature, continues with secure coding practices during development, and includes regular code reviews focused on identifying weaknesses relevant to OWASP Top 10 risks.

Security-aware SDLCs also mandate comprehensive testing, including automated static and dynamic analysis, dependency checks, and penetration reviews, prior to app release. Beyond technical controls, a security-first SDLC involves cross-functional collaboration: developers, QA testers, product managers, and security teams work together to define requirements, prioritize risk mitigation, and enforce rapid feedback loops.

3. Implement Least-Privilege and Strict Permission Models

Restricting app privileges and enforcing granular permission models minimize the damage that can result from a single vulnerability. Apps should request only the permissions strictly necessary for operation, a principle known as least privilege. Over-privileged apps are more susceptible to privilege escalation, data leakage, or lateral movement attacks, especially if a component is compromised or misconfigured.

Permission requests should be justified to users with clear notifications, and sensitive operations isolated using platform capabilities like Android’s runtime permissions or iOS’s entitlements. Regular permission reviews, conducted alongside functional audits, ensure that new features do not inadvertently expand the app’s attack surface.

4. Enforce Strong Authentication and Session Management Controls

Strong authentication begins with secure password requirements, adaptive multi-factor authentication (MFA), and resilient session token designs that resist replay and tampering. Mobile apps must avoid storing credentials locally, should transmit authentication data exclusively over encrypted channels, and must reject weak or default configurations inherited from underlying frameworks.

Proper session management demands automatic logout on inactivity, explicit session revocation paths, and secure handling of cookies or access tokens. Session identifiers should be both unpredictable and time-limited, and sensitive scopes (such as financial or personal data) may warrant additional verification steps.

5. Use Modern Cryptographic Standards and Secure Key Handling

Mobile application cryptography must follow contemporary standards, such as AES-256, RSA-2048+, or ECC curves, and leverage vetted libraries maintained by reputable communities. Custom cryptographic routines and obsolete algorithms are leading root causes for data breaches due to implementation flaws and cryptanalysis advances. Key material should never be hardcoded or bundled with app binaries.

Keys should use mobile OS-secured storage such as Android KeyStore or Apple’s Secure Enclave, ensuring sensitive operations like decryption or signing never expose secrets to the general memory space. Regular rotation, retirement of deprecated algorithms, and continuous monitoring for cryptographic library vulnerabilities help sustain high assurance levels.

6. Harden Mobile Build Pipelines and Dependency Supply Chains

Securing the mobile app supply chain starts with locking down build environments: access should be restricted, actions audited, and sensitive secrets excluded from version control. Automated scanning tools can detect vulnerabilities in third-party libraries, expired certificates, or malicious code injections before they reach production builds.

Using signed dependencies, monitoring project repositories for insecure updates, and employing vulnerability management platforms all guard against indirect attacks. Post-build, apps should be distributed exclusively via validated channels, like the official Play Store or App Store, to prevent exposure from tampered APKs or IPAs.
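This added example (not the article's or any project's code) covers the inventory half of what M2 and this section describe: the artifacts a mobile build consumes are checked against a pinned list of name and SHA-256, so a tampered, missing, or never-vetted dependency is reported before it reaches a production build. The inventory format and the artifact names are assumptions; all file contents are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large .aar/.jar artifacts are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def verify_inventory(artifact_dir, inventory):
    """Compare every file in artifact_dir against the pinned inventory.

    inventory maps artifact file name -> expected hex SHA-256. A file whose hash
    differs is 'tampered', a pinned file that is absent is 'missing', and a file on
    disk that the inventory never listed is 'unlisted' (a dependency nobody vetted).
    """
    report = {"tampered": [], "missing": [], "unlisted": []}
    present = set(os.listdir(artifact_dir))
    for name, expected in sorted(inventory.items()):
        if name not in present:
            report["missing"].append(name)
        elif sha256_file(os.path.join(artifact_dir, name)) != expected.lower():
            report["tampered"].append(name)
    report["unlisted"] = sorted(present - set(inventory))
    return report


def demo():
    """Build a throw-away artifact cache with constructed contents and verify it."""
    good = b"constructed bytes standing in for analytics-sdk-2.3.1.aar"
    original = b"constructed bytes of crash-reporter-1.0.0.aar as vetted"
    inventory = {  # what the build is allowed to consume (assumed format)
        "analytics-sdk-2.3.1.aar": hashlib.sha256(good).hexdigest(),
        "crash-reporter-1.0.0.aar": hashlib.sha256(original).hexdigest(),
        "payments-4.2.0.aar": hashlib.sha256(b"never fetched").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as cache:
        files = {
            "analytics-sdk-2.3.1.aar": good,                                      # intact
            "crash-reporter-1.0.0.aar": original + b" + trailing modification",   # altered
            "unknown-helper-0.1.jar": b"constructed, never vetted",              # not pinned
        }
        for name, data in files.items():
            with open(os.path.join(cache, name), "wb") as f:
                f.write(data)
        return verify_inventory(cache, inventory)


if __name__ == "__main__":
    print(demo())
```

Hash pinning of this kind complements, rather than replaces, signature verification: a signed artifact still needs to be the one the team reviewed, and the inventory is what records that decision.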

7. Apply Continuous Monitoring and Behavior-Based Detection

Static defenses are not sufficient against adaptive mobile threats. Continuous behavioral monitoring via runtime application self-protection (RASP), anomaly detection systems, or integrated security analytics helps detect suspicious patterns, such as privilege escalations, data exfiltration, or unauthorized network activity. Early warning systems notify operational teams of in-progress attacks, enhancing incident response and containment.

Behavioral analytics extend to fraud detection, device integrity checks, and telemetry collection for advanced forensics. Regularly updated detection logic, informed by real-world attack scenarios, ensures monitoring is resilient against new exploitation techniques and integrates seamlessly with existing mobile operations tooling.

8. Validate All Client-Side Inputs and Sanitize Outputs

All client-side data, whether sourced from user input, inter-app messages, or external APIs, should be treated as potentially hostile and systematically validated for type, length, format, and range. Input validation blocks injection attacks, malformed payloads, and resource abuse attempts that can destabilize the app or back-end services.

Output sanitization ensures sensitive data is not disclosed in logs, UI elements, or IPC boundaries, protecting against inadvertent leakage or cross-app compromise. Automated input/output validation frameworks, ongoing fuzz testing, and periodic audit of validation logic contribute to a strong, layered defense against mobile security risks.

Mobile Application Security with Radware

Mobile application security extends well beyond the device. While OWASP Mobile risks include issues such as insecure local storage, weak cryptography, and supply chain weaknesses, many of the most damaging mobile attacks target the back-end services that mobile apps rely on, such as APIs, authentication endpoints, payment workflows, and user data services. Attackers frequently abuse mobile APIs for credential stuffing, account takeover, automated scraping, business logic abuse, and denial-of-service conditions that degrade availability. Radware helps organizations reduce these risks by securing the mobile application’s web-facing infrastructure and API layer, where most large-scale exploitation occurs.

Radware API Protection is especially relevant for securing mobile back-end services against OWASP Mobile risks tied to authorization failures, input validation weaknesses, and exposed or undocumented endpoints. It enables runtime API discovery to identify shadow or unmanaged APIs, supports schema validation and positive security enforcement, and helps detect abnormal API behavior patterns often associated with mobile abuse. This strengthens protection against attacks that exploit mobile-to-API trust gaps, such as parameter tampering, object-level authorization bypass, and unsafe API consumption.

To defend mobile experiences against automated abuse and account takeover activity, Bot Manager helps block scripted traffic used for credential stuffing, fake account creation, scraping, and inventory abuse—behaviors frequently observed against mobile login and transaction workflows. Cloud WAF Service adds another layer of protection by filtering malicious inputs and blocking exploit attempts targeting mobile application backends, including common injection and misconfiguration-driven attacks. For availability and resilience during large traffic surges or deliberate disruption, Cloud DDoS Protection Service helps maintain service continuity, ensuring mobile apps remain usable even when backend services are targeted. Together, these solutions provide a layered approach to mobile application security by protecting the infrastructure, APIs, and workflows that mobile apps depend on, reducing risk while preserving performance and user trust.
