OWASP Mobile Top 10
What is OWASP Mobile Top 10?
The OWASP Mobile Top 10 (2024 edition) documents the most prevalent and impactful security vulnerabilities in mobile applications, based on data from CVE databases, security research, and real-world penetration testing engagements. The 2024 list: M1 Improper Credential Usage, M2 Inadequate Supply Chain Security, M3 Insecure Authentication/Authorization, M4 Insufficient Input/Output Validation, M5 Insecure Communication, M6 Inadequate Privacy Controls, M7 Insufficient Binary Protections, M8 Security Misconfiguration, M9 Insecure Data Storage, M10 Insufficient Cryptography. Mobile security testing against the OWASP Mobile Top 10 is a standard pre-launch requirement for fintech, healthcare, and enterprise apps.
OWASP Mobile Top 10: frequently asked questions
The OWASP Mobile Top 10 is a regularly updated list of the 10 most critical security risks specific to mobile applications. It is published by the Open Web Application Security Project (OWASP) and is widely used as the reference framework for mobile security testing, penetration testing scope definition, and regulatory compliance checklists in fintech and healthcare.
The Mobile Top 10 addresses risks specific to native iOS and Android apps: insecure local data storage (SQLite databases, Keychain misuse), binary protection (reverse engineering resistance, certificate pinning), and platform-specific authentication patterns. The Web Top 10 covers server-side vulnerabilities (injection, XSS, CSRF) that apply to web applications and mobile apps' backend APIs.