Penetration Test | Jan Kahmen | 9 min read

OWASP Mobile Top 10 - More Security for Mobile Applications

The OWASP Mobile Top 10 is a list of the most urgent vulnerabilities you should protect mobile applications from.


Digitization brings countless benefits that you can take advantage of every day in your business. At the same time, the online world is less secure than it might seem at first glance. Cyber attacks are a serious threat to any business: they cost money and put your most sensitive data at risk. To counteract this, you need the right security strategy. The Open Web Application Security Project (OWASP) provides the approaches you need to build and test secure web and mobile applications.

The OWASP Project for more IT Security

The Open Web Application Security Project (OWASP) is a non-profit initiative that pools the security knowledge of experts worldwide and is internationally recognized as a leading organization for application security. OWASP was founded in 2001; the OWASP Foundation was incorporated in the USA in 2004, and a European entity was registered in 2011. Since then, its members have been working to identify security vulnerabilities in web applications and services. One of its best-known deliverables is the OWASP Top Ten for web applications. Its mobile counterpart, the OWASP Mobile Top 10, lists the most urgent risks you should protect mobile applications from, and the OWASP Mobile Application Security Testing Guide turns that list into concrete test cases. This makes the guide an important tool for improved cybersecurity.

The OWASP Mobile Top 10 at a Glance

The OWASP Mobile Top 10 gives you an overview of the ten most critical security risks to your mobile apps. The list below is the 2016 edition, which is also the one the Mobile Security Testing Guide is organized around. It shows you which attack vectors to expect and how to protect against them.

1. Improper Platform Usage

The first item in the OWASP Mobile Top 10 is improper platform usage. Platforms such as iOS, Android or Windows Phone provide security features you are expected to use, for example the Keychain or Keystore, the permission system, Android intents or Touch ID. If the app fails to use such a feature, uses it incorrectly, or violates the platform's published guidelines in a way that affects security, that counts as improper platform usage. This item is broader than the others in the list, since any misused platform security control falls under it. The problem with violating these conventions is that the platform's protections no longer apply, and the feature becomes open to unintended misuse.

2. Insecure Data Storage

Insecure data storage and unintended data leakage are also on the OWASP Mobile Top 10, and mobile application penetration testing tools help uncover such problems. The affected store is not necessarily your SQL database: manifest and log files, XML data stores such as shared preferences, cookie stores, the SD card or cloud synchronization can leak data just as well. This problem occurs so often that it should be a fixed item on your OWASP Mobile Security Checklist. It typically arises when developers assume that nobody but the app will ever read the device's file system, or when the operating system's internal processes (caching, logging, backups) are insufficiently documented or not understood.
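The following is an added example, not code from the original article: a tester-side check for insecure data storage, run over two artefacts a pentester typically pulls from a rooted test device, an Android SharedPreferences XML file and a logcat excerpt. Both inputs, the package data and the token values, are constructed for this example; the key-name heuristic is deliberately broad and will produce false positives that the tester triages by hand.

```python
"""Added example: scan a pulled SharedPreferences file and a logcat excerpt for
secrets stored or logged in plaintext (OWASP Mobile M2). Inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed SharedPreferences file, as found under
# /data/data/<package>/shared_prefs/ on an Android device (hypothetical values).
SHARED_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="password">Summer2024!</string>
    <string name="auth_token">eyJhbGciOiJIUzI1NiJ9.e30.dGVzdA</string>
    <boolean name="onboarding_done" value="true" />
    <string name="theme">dark</string>
</map>
"""

# Constructed logcat lines; the second one leaks the session token.
LOGCAT = """\
03-01 10:12:01.123  4321  4321 D LoginActivity: login clicked
03-01 10:12:02.456  4321  4321 D ApiClient: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.dGVzdA
03-01 10:12:02.789  4321  4321 I ApiClient: GET /v1/profile 200
"""

# Preference keys whose values should never be stored unencrypted.
SENSITIVE_KEY = re.compile(r"(pass|pwd|secret|token|key|pin|ssn|card)", re.I)
# Secret-looking values in logs: bearer tokens and long hex runs.
LOG_SECRET = re.compile(r"(Bearer\s+[A-Za-z0-9._\-]{16,}|\b[A-Fa-f0-9]{32,}\b)")


def find_plaintext_secrets(prefs_xml: str) -> list:
    """Return (key, value) pairs whose key name suggests a secret and whose
    value sits in the preferences file unencrypted."""
    root = ET.fromstring(prefs_xml)
    findings = []
    for entry in root:
        name = entry.get("name", "")
        value = entry.text if entry.text is not None else entry.get("value", "")
        if SENSITIVE_KEY.search(name) and value:
            findings.append((name, value))
    return findings


def find_leaky_log_lines(logcat: str) -> list:
    """Return logcat lines that carry a credential or token."""
    return [line for line in logcat.splitlines() if LOG_SECRET.search(line)]


if __name__ == "__main__":
    for key, value in find_plaintext_secrets(SHARED_PREFS_XML):
        print(f"M2 finding: plaintext '{key}' in shared_prefs: {value[:8]}...")
    for line in find_leaky_log_lines(LOGCAT):
        print(f"M2 finding: secret in log: {line}")
```

On a real engagement the same two functions are pointed at the files pulled with `adb pull` and the output of `adb logcat`; anything they report is a finding for this item, and the remediation is to move the value into the platform keystore or EncryptedSharedPreferences and to strip the log statement from release builds.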

3. Insecure Communication

Your app transports data from point A to point B, and if that transport is insecure the risk increases. Here, too, mobile application penetration testing tools help you detect faulty app-to-server or device-to-device communication. The biggest problem is the transfer of sensitive data over an insecure channel: encryption keys, passwords, account details or private user information. Typical causes are plain HTTP, TLS with certificate validation disabled, or trust in any installed CA, which lets an attacker on the same network or with an interception proxy read and modify the traffic. If the necessary security measures are missing at this point, it is easy for attackers to access your data.

4. Insecure Authentication

Secure authentication is another key item on your OWASP Mobile Security Checklist. There are many ways an app can end up with insecure authentication. A classic example is a back-end API request that the mobile app sends anonymously, without an access token, so the server cannot tell who is calling and serves the data anyway. Some apps also still store passwords locally in clear text. To mitigate these risks, follow OWASP's recommendations: authenticate every request to the back end on the server side, and never persist credentials outside the platform's secure storage.

5. Insufficient Cryptography

Insecure use of cryptography is common in mobile apps. It is almost always one of two problems: a fundamentally flawed process around the cryptography (hardcoded keys, keys stored next to the data they protect, predictable IVs, unsalted fast hashes, home-grown schemes) or a weak or deprecated algorithm (MD5, SHA-1, DES, RC4). In both cases the encryption looks present, but an attacker with access to the device or its backups can recover the plaintext.
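The following is an added example, not code from the original article. It shows the two failure classes named above on a realistic mobile pattern, deriving a local-data key from the user's 4-digit PIN: the weak version (unsalted MD5 of the PIN) is recovered from the stored key by trying all 10,000 PINs, the corrected version uses PBKDF2-HMAC-SHA256 with a random per-install salt and a work factor. All values are constructed. One caveat a practitioner needs: PBKDF2 only slows the attack from milliseconds to minutes, because a PIN has so little entropy; the real fix is to keep the key in the platform keystore, where the hardware rate-limits PIN attempts, and this example only concerns the derivation.

```python
"""Added example: weak versus corrected key derivation from a PIN
(OWASP Mobile M5). The weak variant is the anti-pattern, not a recommendation."""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000   # cost parameter; raise as device CPUs allow


def weak_key_from_pin(pin: str) -> bytes:
    """M5 anti-pattern: unsalted, fast hash of a low-entropy secret."""
    return hashlib.md5(pin.encode()).digest()


def crack_weak_key(target_key: bytes) -> Optional[str]:
    """Offline attack: an attacker holding the stored key (or ciphertext they
    can verify a guess against) simply tries every 4-digit PIN."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if hmac.compare_digest(weak_key_from_pin(pin), target_key):
            return pin
    return None


def new_salt() -> bytes:
    """Salts and IVs come from the CSPRNG, never from random.random()."""
    return secrets.token_bytes(16)


def strong_key_from_pin(pin: str, salt: bytes,
                        iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Corrected derivation: salted PBKDF2 with a work factor. The salt is not
    secret and is stored next to the ciphertext; it defeats precomputed tables,
    and the iteration count makes every PIN guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    stored = weak_key_from_pin("4831")          # what the weak app leaves on disk
    print("weak key recovered, PIN =", crack_weak_key(stored))
    salt = new_salt()
    print("PBKDF2 key:", strong_key_from_pin("4831", salt).hex())
```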

6. Insecure Authorization

Unlike authentication, which establishes who the user is, authorization verifies that the identified user is permitted to perform the requested action or access the requested object. The two are closely related, yet each belongs separately on the OWASP Mobile Top 10: a common failure is an app that authenticates correctly but then lets any logged-in user fetch another user's records simply by changing an identifier in the request. Because authorization builds on authentication, weak authentication almost always leads to weak authorization as well, and authorization decisions must be made on the server, never from role information the client sends. Close these gaps as soon as possible to protect sensitive corporate data from unwanted access.
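The following is an added example, not code from the original article, covering items 4 and 6 together. It is a minimal back-end handler in two versions: the vulnerable one serves any account by id to anonymous requests, the classic case from the authentication section, and the hardened one first requires a valid HMAC-signed bearer token (authentication) and then checks that the authenticated user owns the requested account (authorization). The server key, users and account data are constructed; the token format is a simple hex-encoded JSON payload with an HMAC, not a standard such as JWT.

```python
"""Added example: insecure versus hardened account lookup, showing
authentication (OWASP Mobile M4) and object-level authorization (M6)."""
import hashlib
import hmac
import json
import time

# Constructed server-side secret; in production this lives in a secrets store.
SERVER_KEY = b"hypothetical-server-key-do-not-use"

# Constructed data store: account id -> owner and balance.
ACCOUNTS = {"1001": {"owner": "alice", "balance": 42.0},
            "1002": {"owner": "bob", "balance": 7.5}}


def issue_token(user: str, ttl: int = 3600, now=None) -> str:
    """Return 'payload_hex.signature': payload is JSON (subject, expiry),
    signature is HMAC-SHA256 over the payload under the server key."""
    exp = int(now if now is not None else time.time()) + ttl
    payload = json.dumps({"sub": user, "exp": exp}, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + sig


def verify_token(token: str, now=None):
    """Return the subject if the token is intact and unexpired, else None."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims.get("sub")


def get_account_vulnerable(request: dict) -> tuple:
    """M4/M6 anti-pattern: no token required, account looked up by id only,
    so any caller can read any account by guessing ids."""
    acct = ACCOUNTS.get(request["account_id"])
    return (404, None) if acct is None else (200, acct["balance"])


def get_account_hardened(request: dict, now=None) -> tuple:
    """Authenticate the caller (M4), then authorize the object access (M6)."""
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Bearer "):
        return (401, None)
    user = verify_token(auth[len("Bearer "):], now=now)
    if user is None:
        return (401, None)
    acct = ACCOUNTS.get(request["account_id"])
    if acct is None or acct["owner"] != user:
        # Same response for "missing" and "not yours": do not confirm ids.
        return (404, None)
    return (200, acct["balance"])


if __name__ == "__main__":
    print("anonymous, vulnerable:", get_account_vulnerable({"account_id": "1002"}))
    print("anonymous, hardened:  ", get_account_hardened({"account_id": "1002"}))
    tok = issue_token("alice")
    hdr = {"Authorization": "Bearer " + tok}
    print("alice, own account:   ", get_account_hardened({"account_id": "1001", "headers": hdr}))
    print("alice, bob's account: ", get_account_hardened({"account_id": "1002", "headers": hdr}))
```

The ownership check is the part most often missing in practice: a handler that verifies the token but then trusts the account id from the request is exactly the authorization failure described above.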

7. Poor Client Code Quality

This item of the OWASP Mobile Top 10 is the catch-all for code-level implementation problems in the mobile client, as opposed to coding mistakes on the server. Any such vulnerability, for example a buffer overflow or a format string bug in native code, can give attackers a way in. Most of these defects are fixed by a small, localized change to the code rather than a redesign. Insecure API usage or insecure language constructs are the common cases, and they need to be fixed directly at the code level.

8. Code Manipulation

From a technical perspective, any code on a mobile device is vulnerable to tampering, because it runs in an environment you do not control: the user's, or an attacker's, device. An attacker can therefore repackage the app, patch its binaries, hook methods at runtime or modify local data at will, for example to remove a license check or inject malicious code. Assess these unauthorized changes in the context of their business impact, and add tamper detection where that impact justifies it.

9. Reverse Engineering

Attackers who want to understand how your app works can use reverse engineering to obtain all the information they need from the app binary itself. The metadata that languages and toolchains include to help your developers debug, such as symbol names, class tables and string constants, is just as helpful to an attacker. As a rule of thumb, if you can clearly understand the string table of the binary or perform cross-functional analysis on it, the app is considered at risk.
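The following is an added example, not code from the original article, that performs the string-table check just described. It does what the Unix `strings` tool does, extracts runs of printable characters from a binary, and then flags what a tester looks for: endpoints, embedded secrets, and debug symbols left in a release build. The "binary" is constructed, a few strings interleaved with junk bytes, not a real ELF, DEX or Mach-O file, and the endpoint and key values are placeholders.

```python
"""Added example: a minimal `strings` plus triage for the reverse-engineering
check (OWASP Mobile M9). The input blob is constructed."""
import re

# Constructed "binary": strings of interest interleaved with non-printable bytes.
BINARY_BLOB = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"https://api.example.com/v1/login\x00"
    b"\x13\x37\xde\xad\xbe\xef"
    b"api_key=PLACEHOLDER_KEY_0000\x00"
    b"\x00\x01\x02"
    b"Lcom/example/app/DebugMenuActivity;\x00"
    b"\xff\xfe"
    b"ok\x00"                      # too short to be reported
    b"superSecretPassword!\x00"
)

MIN_LEN = 4   # same default as `strings -n 4`

# What a tester scans the string table for.
INDICATORS = {
    "endpoint": re.compile(r"https?://[^\s\"']+"),
    "embedded secret": re.compile(r"(?i)(api[_-]?key|secret|password|token)"),
    "debug artefact": re.compile(r"(?i)debug|test|staging"),
    "class symbol": re.compile(r"^L[\w/]+;$"),   # Dalvik class descriptor
}


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return printable ASCII runs of at least min_len characters."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage_strings(strings: list) -> dict:
    """Map each indicator category to the strings that match it."""
    hits = {}
    for s in strings:
        for label, rx in INDICATORS.items():
            if rx.search(s):
                hits.setdefault(label, []).append(s)
    return hits


if __name__ == "__main__":
    found = extract_strings(BINARY_BLOB)
    print(f"{len(found)} strings extracted")
    for label, items in triage_strings(found).items():
        for s in items:
            print(f"M9 {label}: {s}")
```

If a release build yields readable endpoints, credentials and symbol names this way, the app fails the rule of thumb above; obfuscation and stripping of debug symbols raise the bar, but secrets that the app must hold cannot be hidden from a determined reverse engineer and belong on the server.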

10. Extraneous Functionality

Hidden backdoor functionality or internal development security controls that were never meant to ship in production are a common problem in mobile applications. They are useful to developers, but equally useful to attackers, who can use them, for example, to disable two-factor authentication, switch the app to a staging back end, or change basic functionality. Check release builds for debug menus, hidden endpoints and test credentials before shipping.

The OWASP Mobile Testing Guide: Guide to better Mobile Security

Applications built and tested against the OWASP guidance are not automatically secure, but they fare considerably better than most apps. The idea behind the OWASP Mobile Security Testing Guide is to provide you with processes, techniques and tools that you can use for security testing of your mobile apps. The guide is by no means mandatory for your organization, but it makes sense to draw on this expert knowledge: the OWASP Mobile Application Security Testing Guide is a solid foundation for your app security.

Mobile Penetration Testing: What Mobile Application Pentests Can Do

Regular penetration testing is the foundation of your app security. Even stand-alone apps should never be considered in isolation, because they are always part of a system. As soon as your mobile app communicates with a server, both sides need to be checked for security vulnerabilities. This is best done with an infrastructure pentest combined with a targeted mobile pentest. The basis for the tests is the OWASP Mobile Security Testing Guide, which helps you to detect potential risks at an early stage. The exact process, however, depends on your specific requirements, which is why the guide is a guideline and not a mandatory specification.

Frida - Efficient, Portable and Scriptable

Frida is a dynamic instrumentation toolkit for developers, reverse engineers and security researchers. It injects JavaScript into running processes so you can hook functions, inspect and modify arguments and return values, and trace API calls on Android and iOS, among other platforms; it is scriptable, portable and free. In a mobile pentest it is used, for example, to bypass root or jailbreak detection and certificate pinning so that the app's traffic can be inspected, or to dump decrypted data at runtime. Frida's goal is to empower the next generation of developer tools and make mobile applications more secure.
