Blog

OWASP Mobile Top 10 - Overview & Comparison

Back in May 2024 the final version of the updated OWASP Mobile Top 10 security threats was published. This is the beginning of a walk-through of both the latest list, and the way in which it's evolved over the intervening years.

First let's take a look at the latest list:

  • M1: Improper credential usage
  • M2: Inadequate supply chain security
  • M3: Insecure authentication / authorization
  • M4: Insufficient input / output validation
  • M5: Insecure communication
  • M6: Inadequate privacy controls
  • M7: Insufficient binary protection
  • M8: Security misconfiguration
  • M9: Insecure data storage
  • M10: Insufficient cryptography

There are a number of other vulnerabilities which did not make the final top 10, but which are noted as worthy of future consideration:

  • Data leakage
  • Hardcoded secrets
  • Insecure access control
  • Path overwrite and path traversal
  • Unprotected endpoints
  • Unsafe sharing

Some of these do have representation in previous incarnations of the top 10 list, so we'll start by looking at how this list has evolved.

OWASP provide this comparison table comparing the 2016 list with the 2024 list:

20162024
M1Improper platform usage Improper credential usageNew
M2Insecure data storageInadequate supply chain securityNew
M3Insecure communicationInsecure authentication / authorizationM4 + M6
M4Insecure authenticationInsufficient input / output validationNew
M5Insufficient cryptographyInsecure communicationM3
M6Insecure authorizationInadequate privacy controlsNew
M7Client code qualityInsufficient binary protectionM8 + M9
M8Code tamperingSecurity misconfigurationM10
M9Reverse engineeringInsecure data storageM2
M10Extraneous functionalityInsufficient cryptographyM5

Whilst M1 and M2 are most definitely new this year, M4 has some representation in previous lists. M6, whilst potentially being covered by generic references to insecure data handling, is validly extracted into a vulnerability in its own right this time around.

There are some interesting observations when we look a little further back, to the 2014 list:

201420162024
M1Weak server-side controlsInsecure data storageInadequate supply chain security
M2Insecure data storage on the deviceInsecure data storageInadequate supply chain security
M3Insufficient transport layer protectionInsecure communicationInsecure authentication / authorization
M4Unintended data leakageInsecure authenticationInsufficient input / output validation
M5Poor authentication and authorizationInsufficient cryptographyInsecure communication
M6Broken cryptographyInsecure authorizationInadequate privacy controls
M7Client-side injectionClient code qualityInsufficient binary protection
M8Security decisions via untrusted inputsCode tamperingSecurity misconfiguration
M9Improper session handlingReverse engineeringInsecure data storage
M10Lack of binary protectionExtraneous functionalityInsufficient cryptography

From the 2014 list:

  • M1: Weak server-side controls
    • This was correctly moved out of the mobile specific list in 2016 as it's not mobile specific
    • However, not the inclusion of "Unprotected endpoints" as a notable vulnerability for future consideration.
  • M2: Insecure data storage on the device
    • This has persisted through all versions of the list as "Insecure data storage", although it's moved down.
  • M3: Insufficient transport layer protection
    • This has also survived through each version of the ist as "Insecure communication" and has moved down as well.
  • M4: Unintended data leakage
    • This was merged into M2: Insecure data storage in the 2016 list.
    • Note the inclusion of this in the list of items for future consideration.
  • M5: Poor authentication and authorization
    • This was split out into M4 and M6 in 2016, but has now been merged back into a single item again as M3 in 2024
  • M6: Broken cryptography
    • This has persisted through all versions as "Insufficient cryptography".
    • It's been relegated to M10 in 2024.
  • M7: Client-side injection
    • This was covered by M8: Code tampering in 2016.
    • It's now been merged into M7
  • M8: Security decisions via untrusted inputs
    • This was covered by M7: Code quality in 2016.
    • This would now fall under M4: Insufficient input / output validation (although this one is listed as new this year)
  • M9: Improper session handling
    • This was merged into M4 in 2016.
    • In 2024 it's covered by M3.
  • M10: Lack of binary protection
    • This has survived the redefinitions of the list, moving to M9: Reverse engineering in 2016, and now to M7: Insufficient binary protection.

From the 2016 list:

  • M1: Improper platform usage
    • This has been dropped.
    • Much of what this referred to is covered by other entries.
  • M10: Extraneous functionality
    • This has also been dropped.
    • This would potentially have included items such as those covered by "Unsafe sharing".

From the 2024 list:

  • M1: Improper credential usage
    • This is new
  • M2: Inadequate supply chain security
    • This is also new (and very welcome!)
  • M4: Insufficient input / output validation
    • This is new, but will include elements of M8 from 2014 and M7 from 2016
  • M6: Inadequate privacy controls
    • This is new
    • It would previously have been covered by the other data handling items, but has sufficient impact to be listed separately.

From the list of vulnerabilities notable for future inclusion:

  • Data leakage
    • This was listed separately as M4 in 2014
    • In 2016 it was merged into M2
    • This is now listed as M9 in the 2024 list
    • Consideration is being given to once against listing it as a separate vulnerability in its own right.
  • Hard coded secrets
    • There's some similarity here with M1 in 2024, which speaks of hard coded credentials in source code.
  • Insecure access control
  • Path overwrite and path traversal
  • Unprotected endpoints
    • This was listed as M1 in 2014, but was moved out of the mobile specific list in 2016 due to it not being mobile specific.
    • Clearly it's still sufficiently prevalent to warrant consideration in the mobile list.
  • Unsafe sharing
    • This would have been covered by M10: Extraneous functionality in 2016, and also in part by M4: Unintended data leakage in 2014, and therefore M2 and 2016 and M9 in 2024.
    • Again, it's being considered for listing as a separate and distinct vulnerability.

You'll see from the overlap between the current list (including the extra items under consideration) and the previous two lists that having the overall picture here is most helpful. Whilst the list is evolving, we can see evidence of previously removed items making their way back.

Next we'll start diving into the details of the items int he 2024 list.