At Codified Security we view the OWASP Mobile Top 10 as key to helping mobile developers understand and improve app security. All users can choose to test their mobile apps against the OWASP Mobile Top 10.
M1 Improper Platform Usage
M1 covers the misuse of a platform feature or the failure to use a built-in security control: TouchID, the Keychain, intents on Android, permissions, or some other security control that is part of the mobile OS. For more information see our article on OWASP Mobile Top 10 M1.
M2 Insecure Data Storage
M2 combines M2 and M4 from the OWASP Mobile Top Ten 2014, covering data exposure, insecure use of storage features, unintended data leakage, and failures to use cryptographic features. For more information see our article on OWASP Mobile Top 10 M2.
M3 Insecure Communication
M3 covers poor handshaking, use of outdated SSL or TLS versions, weak negotiation, and cleartext communication of sensitive data or assets.
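As an added example (not code from Codified Security or the OWASP project), the following shows the M3 weaknesses in terms of a TLS client configuration using Python's standard `ssl` module: a deliberately weak context that skips certificate and hostname verification and allows outdated protocol versions, the hardened equivalent, and a small audit helper that reports those settings. The function names are assumptions.

```python
import ssl

# Added example (not Codified Security's code): the difference between an
# insecure TLS client configuration and a hardened one, plus an audit
# helper that reports the weaknesses M3 describes.


def weak_client_context() -> ssl.SSLContext:
    """Deliberately insecure: no certificate or hostname checks, old TLS allowed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE              # accepts any certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # allows outdated protocol versions
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the server certificate and hostname; TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of M3-style findings for a client SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    outdated = (ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.SSLv3,
                ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    if ctx.minimum_version in outdated:
        findings.append("outdated TLS versions (< 1.2) allowed")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["no findings"])
```

Cleartext transport is the remaining M3 item and is not shown here: it is a matter of never opening a plain socket or `http://` URL for sensitive data in the first place, rather than of context settings.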
M4 Insecure Authentication
The focus of M4 is the authentication of the end user and session management: failing to identify the user at all when that should be required, failing to maintain the user's identity when it is required, or any weakness in session management.
M5 Insufficient Cryptography
M5 covers implementation failures of cryptography for sensitive data and information.
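As an added example (not code from Codified Security), here is one common M5 implementation failure beside its correct form, using only the Python standard library: a fast, unsalted digest used to protect a stored secret, versus salted PBKDF2-HMAC-SHA256 with a constant-time comparison on verification. The function names, the stored-string format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Added example (not Codified Security's code): an insecure secret-hashing
# implementation (M5) next to a correct one built from the standard library.

ITERATIONS = 600_000  # assumption: tune to the latency budget of the target devices


def weak_hash(password: str) -> str:
    """Insecure: unsalted MD5. Identical passwords give identical hashes and
    the digest is cheap to brute-force offline."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, returned as a self-describing string."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored parameters and compare in
    constant time, so the comparison itself leaks nothing about the hash."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("weak, same for every user:", weak_hash("hunter2") == weak_hash("hunter2"))
    stored = hash_password("hunter2")
    print("stored:", stored)
    print("verify correct:", verify_password("hunter2", stored))
    print("verify wrong:", verify_password("hunter3", stored))
```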
M6 Insecure Authorisation
The focus of M6 is problems with authorisation (e.g., authorisation decisions in the client side or forced browsing). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
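As an added example (not code from Codified Security), the following models the two M6 problems the text names: an authorization decision that must be made from server-held state rather than from anything the client asserts about its role, and a deny-by-default route policy that closes forced browsing to unlisted endpoints. The routes, tokens, users and roles are constructed.

```python
from typing import Optional

# Added example (not Codified Security's code): server-side authorization
# that never trusts a client-asserted role. All names below are constructed.

# Server-side state: session token -> user id, user id -> role.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ROLES = {"alice": "admin", "bob": "user"}

# Minimum role required for each route; anything not listed is denied.
ROUTE_POLICY = {
    "/api/profile": "user",
    "/api/admin/users": "admin",
}
RANK = {"user": 1, "admin": 2}


def authorize(route: str, session_token: Optional[str],
              claimed_role: Optional[str] = None) -> bool:
    """Return True only if the server's own record of the caller permits the route.

    `claimed_role` models a client-supplied field (a header, a JSON body field,
    a hidden flag in the app). It is accepted only to show that it is ignored:
    the role comes from the server-side session and user store, never from the
    request."""
    required = ROUTE_POLICY.get(route)
    if required is None:
        return False                     # unknown route: deny by default
    user = SESSIONS.get(session_token)
    if user is None:
        return False                     # not authenticated
    role = ROLES.get(user, "")
    return RANK.get(role, 0) >= RANK[required]


if __name__ == "__main__":
    print("bob claiming admin:", authorize("/api/admin/users", "tok-bob", "admin"))
    print("alice (real admin):", authorize("/api/admin/users", "tok-alice"))
    print("bob on own profile:", authorize("/api/profile", "tok-bob"))
    print("forced browse to unlisted route:", authorize("/api/internal", "tok-alice"))
```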
M7 Client Code Quality
M7 covers "Security Decisions Via Untrusted Inputs" from the OWASP Mobile Top 10 2014; its scope is secure coding issues on the client side.
M8 Code Tampering
M8 covers binary patching, modification of local resources, method swizzling, method hooking, and dynamic memory modification. Once the app is installed on a user's mobile device, its client-side code and local data are available. Attackers may be able to manipulate the code, change the contents of memory dynamically, change or replace the system APIs that the app uses, or modify the app's data.
M9 Reverse Engineering
The focus of M9 is analysis of the app binary with the aim of determining its source code, libraries, algorithms, and other assets. Reverse engineering tools expose the business logic and architecture of the app. This may be used to exploit other vulnerabilities in the app, as well as revealing information about the back end, cryptographic constants and ciphers, and intellectual property (IP).
M10 Extraneous Functionality
Developers may keep backdoors, debug modes or other development environment security controls that need to be removed before a production release. For example, a developer may accidentally include a password as a comment in a hybrid app or disable 2-factor authentication during testing.
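As an added example (not code from Codified Security), here is a small pre-release source scan for the kinds of leftover M10 artefacts the paragraph describes: a debug switch left on, a password in a comment, a disabled second-factor check, and a test or debug endpoint still wired up. The rules, rule names and the sample source it is run over are constructed; such patterns catch the obvious cases and are a complement to, not a substitute for, reviewing the release build.

```python
import re

# Added example (not Codified Security's code): a pre-release scan for
# leftover debug, backdoor and test-only functionality (M10).
# Rule names, patterns and the sample source are constructed.

RULES = [
    ("debug-flag-enabled",
     re.compile(r"\b(DEBUG|debuggable|isDebug)\s*[=:]\s*(true|True|1)\b")),
    ("credential-in-comment",
     re.compile(r"(//|#|/\*|<!--).*\b(password|passwd|pwd|api[_-]?key|secret)\b\s*[:=]", re.I)),
    ("second-factor-disabled",
     re.compile(r"\b\w*(2fa|two_?factor|mfa|otp)\w*\s*[=:]\s*(false|0|off)\b", re.I)),
    ("backdoor-endpoint",
     re.compile(r"[\"'](/(debug|backdoor|test)[^\"']*)[\"']", re.I)),
]


def scan_source(text: str) -> list:
    """Return (line_number, rule_name, stripped_line) for every rule hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings


# Constructed sample of hybrid-app source with development leftovers.
SAMPLE = """\
const API_BASE = "https://api.example.test";
// password: Hunter2 -- TODO remove before release
let requireTwoFactor = false; // skip OTP in dev
app.get("/debug/dump", dumpState);
const DEBUG = true;
function login(user, pass) { return post("/api/login", {user, pass}); }
"""

if __name__ == "__main__":
    for number, name, line in scan_source(SAMPLE):
        print(f"line {number}: {name}: {line}")
```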