OWASP Mobile Top 10

Codified Security will help you secure your app against the OWASP Mobile Top 10.

At Codified Security we view the OWASP Mobile Top 10 as key to helping mobile developers understand and improve app security. All users can choose to test their mobile apps against the OWASP Mobile Top 10.

M1 Improper Platform Usage

M1 covers the misuse of platform features, or the failure to use the built-in security controls of Android or iOS. It includes vulnerabilities such as misuse of TouchID, the Keychain, Android intents, platform permissions, or any other security control that is part of the mobile OS.

M2 Insecure Data Storage

M2 combines M2 and M4 from the OWASP Mobile Top 10 2014. It covers exposed data, failure to use proper storage measures, unintended data leakage, and failure to use any cryptography at all.

M3 Insecure Communication

M3 covers poor handshaking, use of outdated SSL or TLS versions, weak cipher negotiation, and cleartext transmission of sensitive data or assets.

M4 Insecure Authentication

M4 covers weaknesses in the methods and controls used to authenticate the end user, and in session management: failing to identify the user at all when that should be required, failing to maintain the user’s identity when it is required, or any other weakness in session management.

M5 Insufficient Cryptography

M5 covers implementation failures of cryptography for sensitive data and information.

M6 Insecure Authorisation

M6 covers failures in authorisation (e.g., authorisation decisions made on the client side, or forced browsing). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

M7 Client Code Quality

M7 absorbs “Security Decisions Via Untrusted Inputs” from the OWASP Mobile Top 10 2014. Its scope is secure coding issues on the client side, e.g. buffer overflows, format string vulnerabilities, and any code-level issue where it is possible to rewrite the client-side code.

M8 Code Tampering

M8 covers binary patching, modification of local resources, method swizzling, method hooking, and dynamic memory modification. Once the app is installed on a user’s mobile device, the client-side code and local data are available to whoever controls that device. Attackers may change the code, change the contents of memory dynamically, change or replace the system APIs that the app uses, or modify the app’s data. This may give attackers a direct method of changing the purpose of the app for personal or monetary gain.

M9 Reverse Engineering

M9 covers analysis of the binary to determine its source code, libraries, algorithms, and other assets. Reverse engineering tools such as IDA Pro, Hopper and otool may give the attacker context on the logic and structure of the app. This may be used to exploit other vulnerabilities in the app, as well as revealing information about back-end servers, cryptographic constants and ciphers, and intellectual property.

M10 Extraneous Functionality

Developers may leave in backdoors, debug modes or other development-time security controls that must be removed before a production release. For example, a developer may accidentally include a password in a comment in a hybrid app, or disable two-factor authentication during testing.
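As an added illustration of how source-level checks map onto these categories (this is not Codified Security’s scanner or any code from the original page), the following Python script scans Java source for a handful of constructed indicators tied to M2, M3 and M10 above; the rule set and the sample source are both constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed rules: (OWASP Mobile Top 10 category, regex, description).
# These are illustrative indicators only, not an exhaustive rule set.
RULES = [
    ("M2", r"MODE_WORLD_(READABLE|WRITEABLE)", "world-readable/writable app file"),
    ("M3", r"\"http://[^\"\s]+", "cleartext http:// endpoint"),
    ("M3", r"ALLOW_ALL_HOSTNAME_VERIFIER", "hostname verification disabled"),
    ("M10", r"//.*\b(password|passwd|pwd)\s*[:=]", "credential left in a comment"),
    ("M10", r"android:debuggable\s*=\s*\"true\"", "debuggable build left enabled"),
]

# Constructed Java sample standing in for a real app's source.
SAMPLE_SOURCE = """\
public class ApiClient {
    // TODO remove before release: admin password = hunter2
    private static final String BASE = "http://api.example.com/v1/";
    void save(Context ctx, String token) throws IOException {
        FileOutputStream fos = ctx.openFileOutput("token", Context.MODE_WORLD_READABLE);
        fos.write(token.getBytes());
    }
}
"""


def scan_source(source: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) match, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for category, pattern, description in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append({
                    "category": category,
                    "line": lineno,
                    "description": description,
                    "text": line.strip(),
                })
    return findings


def summarise(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per OWASP Mobile category."""
    return dict(Counter(str(f["category"]) for f in findings))


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"{f['category']} line {f['line']}: {f['description']} -> {f['text']}")
    print(summarise(scan_source(SAMPLE_SOURCE)))
```

Pattern matching of this kind only surfaces candidates; each finding still needs a reviewer to confirm it is reachable in the released build before it is reported.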

What to expect when you choose Codified Security

Test your mobile app's client side

A report that shows your app's vulnerabilities with remediation advice

Custom security rules including PCI-DSS, HIPAA & OWASP Mobile Top 10

From $249 per test

See a sample report with OWASP Mobile Top 10 checks
