Back in May 2024 the final version of the updated OWASP Mobile Top 10 security threats was published. This is the beginning of a walk-through of both the latest list, and the way in which it's evolved over the intervening years.
First let's take a look at the latest list:
M1: Improper credential usage
M2: Inadequate supply chain security
M3: Insecure authentication / authorization
M4: Insufficient input / output validation
M5: Insecure communication
M6: Inadequate privacy controls
M7: Insufficient binary protection
M8: Security misconfiguration
M9: Insecure data storage
M10: Insufficient cryptography
There are a number of other vulnerabilities which did not make the final top 10, but which are noted as worthy of future consideration:
Data leakage
Hardcoded secrets
Insecure access control
Path overwrite and path traversal
Unprotected endpoints
Unsafe sharing
Some of these do have representation in previous incarnations of the top 10 list, so we'll start by looking at how this list has evolved.
OWASP provide this comparison table comparing the 2016 list with the 2024 list (the last column shows which 2016 entry, if any, each 2024 entry derives from):

| # | 2016 | 2024 | Derived from (2016) |
|---|------|------|---------------------|
| M1 | Improper platform usage | Improper credential usage | New |
| M2 | Insecure data storage | Inadequate supply chain security | New |
| M3 | Insecure communication | Insecure authentication / authorization | M4 + M6 |
| M4 | Insecure authentication | Insufficient input / output validation | New |
| M5 | Insufficient cryptography | Insecure communication | M3 |
| M6 | Insecure authorization | Inadequate privacy controls | New |
| M7 | Client code quality | Insufficient binary protection | M8 + M9 |
| M8 | Code tampering | Security misconfiguration | M10 |
| M9 | Reverse engineering | Insecure data storage | M2 |
| M10 | Extraneous functionality | Insufficient cryptography | M5 |
Whilst M1 and M2 are most definitely new this year, M4 has some representation in previous lists. M6, whilst potentially being covered by generic references to insecure data handling, is validly extracted into a vulnerability in its own right this time around.
There are some interesting observations when we look a little further back, to the 2014 list:

| # | 2014 | 2016 | 2024 |
|---|------|------|------|
| M1 | Weak server-side controls | Improper platform usage | Improper credential usage |
| M2 | Insecure data storage on the device | Insecure data storage | Inadequate supply chain security |
| M3 | Insufficient transport layer protection | Insecure communication | Insecure authentication / authorization |
| M4 | Unintended data leakage | Insecure authentication | Insufficient input / output validation |
| M5 | Poor authentication and authorization | Insufficient cryptography | Insecure communication |
| M6 | Broken cryptography | Insecure authorization | Inadequate privacy controls |
| M7 | Client-side injection | Client code quality | Insufficient binary protection |
| M8 | Security decisions via untrusted inputs | Code tampering | Security misconfiguration |
| M9 | Improper session handling | Reverse engineering | Insecure data storage |
| M10 | Lack of binary protection | Extraneous functionality | Insufficient cryptography |
From the 2014 list:
M1: Weak server-side controls
This was correctly moved out of the mobile-specific list in 2016 as it's not mobile specific.
However, note the inclusion of "Unprotected endpoints" as a notable vulnerability for future consideration.
M2: Insecure data storage on the device
This has persisted through all versions of the list as "Insecure data storage", although it's moved down.
M3: Insufficient transport layer protection
This has also survived through each version of the list as "Insecure communication" and has moved down as well.
M4: Unintended data leakage
This was merged into M2: Insecure data storage in the 2016 list.
Note the inclusion of this in the list of items for future consideration.
M5: Poor authentication and authorization
This was split out into M4 and M6 in 2016, but has now been merged back into a single item again as M3 in 2024.
M6: Broken cryptography
This has persisted through all versions as "Insufficient cryptography".
It's been relegated to M10 in 2024.
M7: Client-side injection
This was covered by M8: Code tampering in 2016.
It's now been merged into M7.
M8: Security decisions via untrusted inputs
This was covered by M7: Client code quality in 2016.
This would now fall under M4: Insufficient input / output validation (although this one is listed as new this year).
M9: Improper session handling
This was merged into M4 in 2016.
In 2024 it's covered by M3.
M10: Lack of binary protection
This has survived the redefinitions of the list, moving to M9: Reverse engineering in 2016, and now to M7: Insufficient binary protection.
From the 2016 list:
M1: Improper platform usage
This has been dropped.
Much of what this referred to is covered by other entries.
M10: Extraneous functionality
This has also been dropped.
This would potentially have included items such as those covered by "Unsafe sharing".
From the 2024 list:
M1: Improper credential usage
This is new.
M2: Inadequate supply chain security
This is also new (and very welcome!).
M4: Insufficient input / output validation
This is new, but will include elements of M8 from 2014 and M7 from 2016.
M6: Inadequate privacy controls
This is new.
It would previously have been covered by the other data handling items, but has sufficient impact to be listed separately.
From the list of vulnerabilities notable for future inclusion:
Data leakage
This was listed separately as M4 in 2014.
In 2016 it was merged into M2.
This is now listed as M9 in the 2024 list.
Consideration is being given to once again listing it as a separate vulnerability in its own right.
Hard coded secrets
There's some similarity here with M1 in 2024, which speaks of hard-coded credentials in source code.
Insecure access control
Path overwrite and path traversal
Unprotected endpoints
This was listed as M1 in 2014, but was moved out of the mobile-specific list in 2016 due to it not being mobile specific.
Clearly it's still sufficiently prevalent to warrant consideration in the mobile list.
Unsafe sharing
This would have been covered by M10: Extraneous functionality in 2016, and also in part by M4: Unintended data leakage in 2014, and therefore M2 in 2016 and M9 in 2024.
Again, it's being considered for listing as a separate and distinct vulnerability.
You'll see from the overlap between the current list (including the extra items under consideration) and the previous two lists that having the overall picture here is most helpful. Whilst the list is evolving, we can see evidence of previously removed items making their way back.
Next we'll start diving into the details of the items in the 2024 list.