Secure Your App in 2024 – OWASP Top 10 Mobile Risks Explained

The OWASP Top 10 Mobile provides an overview of the critical security risks mobile app providers should keep an eye on in 2024.

In 2024, nobody needs to explain how important mobile apps are for any business. What’s more, with the number of connected devices in the world growing practically by the minute, mobile IoT apps have an important role to play.

With such widespread use, mobile apps are very susceptible to security breaches, and ignoring the security aspect of a digital product and hoping for the best is no longer a viable strategy. In the evolving digital world, safeguarding one’s business interests and maintaining customer trust is crucial for staying competitive. 

To concentrate their cybersecurity efforts, companies should first be aware of the challenges and the risks that lurk in the digital space, and the OWASP Top 10 Mobile list is the first step in the right direction.

How OWASP Top 10 mobile risks help companies secure their digital assets

Mobile app security is not just about protecting technical assets. Fundamentally, it is about safeguarding a company’s reputation and customer data and possibly avoiding legal repercussions. Data breaches exposing sensitive user information or a company’s intellectual property not only result in financial losses, but severely damage customer trust. 

With that in mind, it is very important that we have and nurture communities of security experts who will look into the common issues one might run into in the digital world. The OWASP Foundation is one of those communities. Through freely available resources like articles, methodologies, community-led projects, and conferences, the foundation actively works on enhancing digital security. 

To help you digest the biggest mobile dangers of 2024, we provide a simplified overview of OWASP’s risks and their implications for businesses.

OWASP Top 10 Mobile ranking overview

The OWASP Top 10 mobile risks list for 2024 presents a refined perspective on the evolving landscape of mobile security threats. Each entry on the list is focused on a specific area of concern, emphasizing the importance of a proactive security mindset. 

However, security breaches in real life typically don’t happen on account of a company’s susceptibility to a single risk from OWASP’s list. Often, attackers will exploit multiple weaknesses and leverage social engineering attacks to reach their malicious goals. The examples we provide indicate that a specific risk was acted upon, but we should note that interpretations may vary and that often, only the affected company knows the true cause of a breach.

M1: Improper credential usage

A new entry on the OWASP list, improper credential usage is such a critical issue that it immediately earned the status of the number one security risk for this year. Hardcoded or poorly managed credentials that are not encrypted are very common and very easy to take advantage of. 

A famous example of this type of exploit happened to Uber in 2017 when the company reported that the personal information of 57 million users and 600,000 drivers was exposed because hackers discovered a hardcoded Amazon S3 Datastore key in a private GitHub repository used by Uber developers. 

Dangers

By gaining unauthorized access to a person’s credentials (e.g. mobile banking PINs, token OTPs, email passwords), malicious actors can employ automated attacks or other methods that result in data breaches, privacy loss, and various fraudulent activities. Businesses face severe repercussions, such as reputation damage, fraud, information theft, and unauthorized access to data.

Mitigation strategies

Mitigation starts with avoiding hardcoded credentials in the app source or any configuration file, encrypting data in transit, handling storage securely, and rotating API keys and tokens regularly. There are plenty of static and dynamic code analysis tools for mobile platforms that can help you detect some of these issues.

It is also very important to employ strong authentication protocols to protect against unauthorized access and ensure data integrity. If you want to look into this further, OWASP has a cheat sheet on how to implement proper authentication, including different protocols.
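As an added illustration of the static-analysis side of this advice (this is example code, not from the original article or from OWASP), the following Python script scans source and configuration files for patterns that usually mean a credential was committed: the documented AWS access key ID format, PEM private key headers, and generic `apiKey = "..."`-style assignments. The file paths, the `sk_live_...` value and the `local.properties` contents are constructed for the example; the AWS key used is Amazon's well-known documentation example, not a live credential. Matched values are redacted in the report so the scanner's own output does not leak the secret into CI logs.

```python
import re
from typing import NamedTuple

# Patterns that commonly indicate a credential left in source or config.
# "AKIA" + 16 uppercase alphanumerics is the documented AWS access key ID format;
# the other two are generic heuristics, not vendor formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "assignment_secret": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|password|passwd|token)\b\s*[:=]\s*["']([^"']{8,})["']"""
    ),
}

# Values that are clearly placeholders or environment references, not real secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:\$\{|\{\{|<|your_|changeme|example|xxx+|\.\.\.)")


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    excerpt: str  # the offending line with the matched value redacted


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents and return findings with the secret redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if PLACEHOLDER.match(value):
                continue
            excerpt = line.strip().replace(value, "<redacted>")[:80]
            findings.append(Finding(path, line_no, kind, excerpt))
            break  # one finding per line is enough
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. read from a checkout or build output)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files. The key values are made up for the example; the AWS
# key is Amazon's documented example ID, not a live credential.
SAMPLE_FILES = {
    "app/src/main/java/com/example/Config.kt": (
        "object Config {\n"
        '    const val BASE_URL = "https://api.example.com"\n'
        '    const val apiKey = "sk_live_0123456789abcdef"\n'
        "}\n"
    ),
    "app/local.properties": (
        "sdk.dir=/opt/android-sdk\n"
        "aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
        'password="${DB_PASSWORD}"\n'
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.excerpt}")
```

Run against the sample it reports the Kotlin `apiKey` constant and the AWS key in `local.properties`, but skips `password="${DB_PASSWORD}"` because that is an environment reference rather than a secret. A check like this belongs in a pre-commit hook or CI step; it is a cheap first filter, not a replacement for the dedicated tools the text mentions.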

M2: Inadequate supply chain security

Another new entry on the list and also a very common issue is inadequate supply chain security. According to OWASP, supply chain security refers to the entire ecosystem used for developing and distributing mobile apps. This includes third-party libraries, SDKs, vendors, and processes like coding, testing, and distributing. 

Failing to implement security measures throughout this process, or in any of the components mentioned, can easily introduce serious vulnerabilities into mobile applications, allowing attackers to insert malicious code or exploit third-party libraries. The EventBot malware discovered in 2020 is one example: it bypassed security measures by exploiting third-party libraries and SDKs within Android apps to steal user data and financial information.

Dangers

These kinds of attacks can potentially lead to data breaches, malware infections, and in some cases, complete control of the device. Businesses may face financial losses, reputational damage, legal consequences, and interruptions in the delivery of goods or services. 

Mitigation strategies

To prevent such scenarios, it’s crucial to implement secure coding practices and conduct thorough testing and code reviews. Also, when picking third-party libraries and components, look at the community around them, the proactiveness of the maintainers, and the quality of the support. Together, these measures form a level of protection that is crucial in battling this risk.

Keeping your dependencies up to date is also a must; better still, automate the update process with the available tools. Last but not least, establish robust and secure app signing processes that protect your app signing keys and certificates.

M3: Insecure authentication/authorization

What used to be two separate entries on the list is now one merged entry that is higher on the security risk ranking. Insecure authentication and authorization expose mobile applications to unauthorized access and data breaches. 

Dangers

Attackers can exploit these vulnerabilities to perform actions posing as legitimate users or access sensitive data. This can seriously impact a business’s reputation, leading to information theft and financial losses. From a technical perspective, in worst-case scenarios, this can also lead to destroying an entire system. 

Mitigation strategies

Prevention includes avoiding weak authentication patterns, avoiding offline authentication, and relying on server-side security. Integrating robust authentication mechanisms like multi-factor authentication to ensure data integrity and protect sensitive user information is also a must. In some cases, improper usage of features like biometric authentication can also make for insecure authentication.
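To make "relying on server-side security" concrete, here is an added example (not code from the original article) of the backend half of an authorization check. The identity of the caller comes from a session token the server minted and can verify, and ownership of the requested record is looked up in the server's own data, rather than trusting a `user_id` the app put in the request. The `ORDERS` table, usernames, the `myapp`-style token format and the `AuthError` class are all constructed for this example; the insecure variant is included only to show the contrast.

```python
import hashlib
import hmac
import secrets
import time

# Server-side signing key. In a real backend this comes from the secret store
# and never reaches the app; it is generated fresh here for the example.
SERVER_KEY = secrets.token_bytes(32)

# Constructed sample data standing in for the backend database.
ORDERS = {
    101: {"owner": "alice", "total": "19.99"},
    102: {"owner": "bob", "total": "250.00"},
}


class AuthError(Exception):
    """Raised when a request is not authenticated or not authorized."""


def issue_session(username: str, ttl_seconds: int = 3600) -> str:
    """Mint a session token once the user has authenticated (password, MFA, ...).

    Format (constructed): username:expiry:hmac_sha256(username:expiry).
    """
    payload = f"{username}:{int(time.time()) + ttl_seconds}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"


def verify_session(token: str) -> str:
    """Return the username bound to a valid, unexpired token; raise AuthError otherwise."""
    try:
        username, expiry, sig = token.rsplit(":", 2)
        expected = hmac.new(
            SERVER_KEY, f"{username}:{expiry}".encode(), hashlib.sha256
        ).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise AuthError("bad signature")
        if int(expiry) < time.time():
            raise AuthError("expired")
    except ValueError:  # wrong number of fields or non-numeric expiry
        raise AuthError("malformed token")
    return username


def get_order_insecure(request: dict) -> dict:
    """Anti-pattern: trusts a user id the client placed in the request body.

    Anyone can send {"order_id": 102, "user_id": "bob"} and read bob's order.
    """
    order = ORDERS[request["order_id"]]
    if order["owner"] != request["user_id"]:
        raise AuthError("forbidden")
    return order


def get_order(token: str, order_id: int) -> dict:
    """Server-side check: identity from the verified token, ownership from server data."""
    username = verify_session(token)
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != username:
        # Same answer for "missing" and "not yours" so callers cannot enumerate
        # which order ids exist for other users.
        raise AuthError("not found")
    return order


def can_read_order(token: str, order_id: int) -> bool:
    """Convenience wrapper used by the checks below."""
    try:
        get_order(token, order_id)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    alice = issue_session("alice")
    print(get_order(alice, 101))            # alice's own order
    print(can_read_order(alice, 102))       # False: belongs to bob
    print(can_read_order(alice + "0", 101)) # False: signature no longer verifies
```

The point of the comparison is that the mobile client is never the authority on who is asking: whatever the app sends in the body can be replayed or edited by anyone with a proxy, so the only identity the server should act on is the one it can cryptographically verify.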

M4: Insufficient Input/Output Validation

Another new entry on the list, insufficient input/output validation occurs when an app fails to properly validate data from untrusted sources, leading to the execution of malicious input. This common risk in mobile apps can lead to severe security issues, such as data breaches, SQL and command injection attacks, and unauthorized data manipulation. 

Dangers

Exploiting these risks can severely impact an organization’s reputation through data breaches and system failures, eating away at customer trust. It can also lead to legal issues and financial penalties for not adhering to data protection laws.

Mitigation strategies

Implement the required validation on both the client and the server side, employing whitelisting approaches and sanitizing data to prevent the execution of harmful input. It’s also important to conduct regular security assessments like code reviews and penetration tests.
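The whitelisting approach above, applied to one of the most common sources of untrusted input in a mobile app, a deep link, as an added example (not code from the original article). Everything that is not explicitly allowed is rejected: the scheme, the host, the path, the set of query parameters a given path accepts, and the exact shape of each value. The `app.example.com` host, the `myapp` custom scheme and the `/profile`, `/order` and `/help` routes are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlists for an app reachable at app.example.com and via the
# custom scheme "myapp" (both constructed for this example).
ALLOWED_SCHEMES = {"https", "myapp"}
ALLOWED_HOSTS = {"app.example.com"}

# Every accepted path lists the query parameters it takes and the exact shape
# each value must have; paths and parameters not listed here are rejected.
PARAM_RULES = {
    "/profile": {"id": re.compile(r"[0-9]{1,12}")},
    "/order": {
        "id": re.compile(r"[0-9]{1,12}"),
        "ref": re.compile(r"[A-Za-z0-9_-]{1,32}"),
    },
    "/help": {},
}


class InvalidDeepLink(ValueError):
    pass


def validate_deep_link(url: str) -> dict:
    """Return {"path": ..., "params": {...}} for an allowlisted link; raise otherwise."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidDeepLink(f"scheme not allowed: {scheme!r}")
    # Reject user@host forms outright; they are a classic way to confuse host checks.
    if parts.username is not None or parts.password is not None:
        raise InvalidDeepLink("userinfo not allowed")
    if scheme == "https":
        if parts.hostname not in ALLOWED_HOSTS:
            raise InvalidDeepLink(f"host not allowed: {parts.hostname!r}")
        path = parts.path
    else:
        # For myapp://order?id=1 the "host" component is really the first path segment.
        path = "/" + parts.netloc + parts.path
    rules = PARAM_RULES.get(path)
    if rules is None:
        raise InvalidDeepLink(f"path not allowed: {path!r}")
    params = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        rule = rules.get(key)
        if rule is None:
            raise InvalidDeepLink(f"unexpected parameter: {key!r}")
        # Exactly one value, and the whole value must match the allowed shape.
        if len(values) != 1 or not rule.fullmatch(values[0]):
            raise InvalidDeepLink(f"bad value for {key!r}")
        params[key] = values[0]
    return {"path": path, "params": params}


def is_valid_deep_link(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_deep_link(url)
        return True
    except InvalidDeepLink:
        return False


if __name__ == "__main__":
    print(validate_deep_link("https://app.example.com/order?id=42&ref=promo_2024"))
    print(is_valid_deep_link("https://app.example.com/profile?id=1&redirect=https://evil.example.net"))
```

Note that the validator returns a cleaned, typed structure rather than the raw URL: the rest of the app (a navigation layer, a WebView, a database query) should consume that structure, so that unvalidated input never travels further than this function.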

M5: Insecure Communication

This is one of the rare entries ranked lower than in last year’s release. This is a good sign because it means that the risk is being addressed to some extent. Nonetheless, insecure communication remains a serious issue. It poses a risk by allowing attackers to intercept or alter data transmitted by mobile applications.

Dangers

Exploiting insecure communication and leaking sensitive data can result in a privacy violation, which compromises the user’s confidentiality and has legal repercussions for businesses.

Mitigation strategies

Implementing end-to-end encryption, using secure protocols like TLS, and regularly updating security certificates are effective strategies. The OWASP web page provides a short list of very concrete best practices for iOS and Android that you can follow to make your app more secure.

If you are interested in a more technical approach, you can check out our article on preparing your Android app networking for a penetration test or the one about SSL pinning on iOS.

M6: Inadequate Privacy Controls

Inadequate privacy controls are another new addition to OWASP’s list of mobile risks to keep an eye on. Privacy controls protect Personally Identifiable Information (PII) such as names, addresses, financial data, and sensitive personal details from unauthorized access.

Dangers

Attackers target this information to commit fraud, steal funds, blackmail, or damage critical data. All of this can have a negative impact on user trust and potentially result in regulatory fines, which depend on the number of affected users. The technical impact of this risk is low but not ignorable. 

Mitigation strategies

Businesses can mitigate this risk by implementing robust data access controls, conducting regular privacy assessments, and ensuring compliance with privacy laws and regulations.

M7: Insufficient Binary Protection

The previous entries M8: Code Tampering and M9: Reverse Engineering are now one combined entry. We can see that the risk itself moved up in the ranking, which makes it even more important to be aware of.

Insufficient binary protection makes mobile applications vulnerable to reverse engineering and tampering. While somewhat similar, there are important differences between the two. Reverse engineering involves analyzing a system to understand its operation without accessing its documentation or designs. Tampering, on the other hand, refers to unauthorized alterations or manipulations of a system or software to change its behavior or outcomes. Both can lead to intellectual property theft and compromise app integrity.

Dangers

What makes these kinds of exploits dangerous is the fact that attackers may alter app binaries to unlock paid features or simply evade security layers in specific parts of the application. Businesses face significant risk if intellectual property, such as algorithms or AI models, is leaked or stolen by competitors. It is also important to note that all apps are vulnerable to binary attacks.

Mitigation strategies

Protection involves using code obfuscation techniques, implementing tamper-detection mechanisms and root detection, and securing application code against unauthorized modifications. Some useful libraries and tools that can help with this are the Google Play Integrity API for Android and the detailed OWASP documentation for iOS.

M8: Security Misconfiguration

Previously known as M10: Extraneous Functionality, this entry has jumped from number ten to number eight in the risks list. While perhaps it is not so easy to exploit, it is a risk we should nonetheless be aware of, especially considering the move in its ranking.

To illustrate, in 2022 Microsoft discovered a high-severity vulnerability in the TikTok Android application, which could have allowed attackers to compromise user accounts with a single click. Luckily, TikTok responded promptly to Microsoft’s notification by releasing a fix. This example shows how improper security configuration (M8) (in this case, of Android’s WebView) and DeepLink validation (M4) can cause significant harm in the authentication/authorization flow (M3).

Dangers

Security misconfiguration can expose mobile apps to various attacks, leading to unauthorized access and data breaches. This can also cause some application downtime and disrupt a business, which can have a negative effect on the finances and cause brand damage.

Mitigation strategies

Regular security audits, adherence to secure coding practices, and ensuring proper configuration of security settings can help mitigate these risks. A common pitfall is failing to review default configurations of tools and frameworks.

M9: Insecure Data Storage

This entry demonstrates some general improvement in app development, as it dropped from number two to number nine. However, insecure data storage practices can still pose significant security risks. For example, this happened to Under Armour’s MyFitnessPal app in 2018. The breach involved unauthorized access due to insecure data storage and affected 150 million users, exposing their usernames, email addresses, and hashed passwords.

Dangers

Unauthorized access to the device’s file system and interception of data transmission can compromise user privacy and data integrity. 

Mitigation strategies

Encrypting stored data, ensuring secure data handling practices, and conducting thorough security testing are key ways of handling these risks. These tactics will also give a boost to your business because organizations that have experienced data breaches or have become known for practicing insecure data storage have a competitive disadvantage in today’s market. Customers will always prioritize and favor competitors with stronger data security records. This is another instance where penetration tests can be a valuable asset. 

M10: Insufficient Cryptography

The last entry on the list is another one that fell in the rankings. Insufficient cryptography in mobile applications is exploited by various threat agents who take advantage of the fact that many mobile application developers lack the know-how to implement and use cryptography and hash functions as intended, or, even worse, try to implement them from scratch.

Dangers

These agents target weak encryption, lack of HTTPS, key management flaws, and cryptographic vulnerabilities to decrypt data, manipulate cryptographic processes, or gain unauthorized access. 

Mitigation strategies

To address these risks, it’s essential to use strong encryption algorithms and implement secure cryptographic practices. Regular updates and security audits can also help mitigate vulnerabilities and strengthen the overall security layer around your business. On the OWASP web page, you can find best practices about industry-standard processes of handling keys, hash functions, validation and authentication, and more.
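One of the most common places this goes wrong is password hashing, which the MyFitnessPal case under M9 also touches on. As an added example (not code from the original article or from OWASP), the block below puts the anti-pattern, a fast unsalted MD5, next to a salted, deliberately slow PBKDF2-HMAC-SHA256 hash with a self-describing storage format and constant-time verification, using only the Python standard library. The iteration count is the figure OWASP's Password Storage Cheat Sheet currently recommends for PBKDF2-HMAC-SHA256; the `pbkdf2-sha256$iterations$salt$hash` storage format is constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Iteration count OWASP's Password Storage Cheat Sheet currently recommends
# for PBKDF2-HMAC-SHA256. Stored alongside the hash so it can be raised later.
PBKDF2_ITERATIONS = 600_000
ALGORITHM = "pbkdf2-sha256"  # label for the constructed storage format
DIGEST_LEN = 32


def weak_hash(password: str) -> str:
    """Anti-pattern: unsalted MD5.

    Identical passwords hash identically, and MD5 is fast, so a leaked table is
    exposed to precomputed lookups and high-speed brute force.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash in a self-describing format: algo$iterations$salt$hash."""
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=DIGEST_LEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time.

    Any malformed or unknown record verifies as False rather than raising, so a
    corrupted row cannot turn into an error path that skips the check.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        if len(expected) != DIGEST_LEN:
            return False
        actual = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), salt, int(iterations), dklen=DIGEST_LEN
        )
    except ValueError:  # wrong field count, bad base64, non-numeric or zero iterations
        return False
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Two users choosing the same password: the weak scheme exposes that fact,
    # the salted scheme does not.
    print(weak_hash("hunter22") == weak_hash("hunter22"))        # True
    print(hash_password("hunter22") == hash_password("hunter22"))  # False
    record = hash_password("hunter22")
    print(verify_password("hunter22", record), verify_password("hunter23", record))
```

The storage format carries its own algorithm name and iteration count, which is what lets you migrate: when the recommended work factor rises, new records use the higher count while old ones still verify, and can be re-hashed on the user's next successful login. The same idea applies to the other items in this section: pick a vetted primitive, keep its parameters visible and upgradeable, and never roll your own.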

A security mindset changes everything

The OWASP Top 10 mobile risk ranking is just one of many open-source tools that businesses can use to improve their digital security. However, no tool or framework can be a cure-all without embracing a proper security mindset. 

When we foster a culture of security, it impacts every aspect of a business. We build this culture by recognizing that security is a continuous journey that requires ongoing vigilance, adaptation, and commitment to best practices. The OWASP list and other tools and best practices serve as a vital compass here, guiding us through the complexities of the digital world toward a future where security and business objectives are tightly linked. 

Each of these vulnerabilities presents unique challenges but also opportunities for businesses to enhance their security measures, protect sensitive data, and reinforce their commitment to being a trusted service provider for their user base.

If you want to check how exposed your digital assets are to potential threats, the best way is to employ a hacker’s perspective. Here’s what you need to know about pentesting.