At Codified Security we view the OWASP Mobile Top 10 as key to helping mobile developers understand and improve app security, and all users can choose to test their mobile apps against the OWASP Mobile Top 10.
M1 Improper Platform Usage
M1 covers the misuse of platform features or the failure to use built-in security controls on Android or iOS. It includes vulnerabilities such as misuse of TouchID, the Keychain, Android intents, platform permissions or any other security control that is part of the mobile OS.
M2 Insecure Data Storage
M2 combines M2 & M4 from the OWASP Mobile Top Ten 2014. This covers exposed data, failure to use proper storage measures, unintended data leakage, and failure to use any cryptography.
M3 Insecure Communication
This covers poor handshaking, use of outdated SSL or TLS versions, weak cipher negotiation, and cleartext transmission of sensitive data or assets.
M4 Insecure Authentication
M4 covers weaknesses in the methods and controls used to authenticate the end user and in session management, such as failing to identify the user at all when that should be required, failing to maintain the user’s identity when it is required, or any other weakness in session management.
M5 Insufficient Cryptography
M5 covers implementation failures of cryptography for sensitive data and information.
M6 Insecure Authorisation
M6 covers failures in authorisation (e.g., authorisation decisions in the client side or forced browsing). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
M7 Client Code Quality
M7 absorbs “Security Decisions Via Untrusted Inputs” from the OWASP Mobile Top 10 2014; its scope is secure coding issues on the client side, e.g. buffer overflows, format string vulnerabilities, and any code-level issue where it’s possible to rewrite the client-side code.
M8 Code Tampering
M8 covers binary patching, modification of local resources, method swizzling, method hooking, and dynamic memory modification. Once the app is installed on a user’s mobile device, the client-side code and local data are available to whoever controls that device. Attackers may change the code, change the contents of memory dynamically, change or replace the system APIs that the app uses, or modify the app’s data. This may give attackers a direct method of changing the purpose of the app for personal or monetary gain.
M9 Reverse Engineering
M9 covers analysis of the binary to recover its source code, libraries, algorithms, and other assets. Reverse engineering tools such as IDA Pro, Hopper and otool may give the attacker context on the logic and structure of the app. This may be used to exploit other vulnerabilities in the app, as well as revealing information about back-end servers, cryptographic constants and ciphers, and intellectual property.
M10 Extraneous Functionality
Developers may keep backdoors, debug modes or other development environment security controls that need to be removed before a production release. For example, a developer may accidentally include a password as a comment in a hybrid app or disable 2-factor authentication during testing.
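As an added example (not code from Codified Security or OWASP), the following Python script runs three static checks over an AndroidManifest.xml that map to categories above: components exported to other apps without a permission guard (M1), cleartext traffic allowed (M3), and a debuggable build left enabled (M10). The sample manifest, package name and component names are constructed for illustration.

```python
"""Manifest checks for OWASP Mobile M1, M3 and M10 (added illustration, not Codified Security's tooling)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: each weakness appears once, plus a correctly guarded receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:debuggable="true" android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="com.example.demo.SHARE"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
              android:permission="com.example.demo.BOOT"/>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None when absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))

def _is_launcher(comp):
    """The launcher activity is exported by design, so it is not a finding."""
    return any(_attr(a, "name") == "android.intent.action.MAIN" for a in comp.iter("action"))

def audit_manifest(xml_text):
    """Return sorted (category, finding) tuples for one AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    findings = []
    if app is None:
        return findings
    if _attr(app, "debuggable") == "true":
        findings.append(("M10", "application is debuggable"))      # leftover debug setting
    if _attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M3", "cleartext traffic permitted"))     # HTTP allowed app-wide
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        # M1: reachable by other apps when exported="true", or when it has an
        # intent-filter and no explicit exported flag (the pre-Android 12 default).
        exported = _attr(comp, "exported") == "true"
        implicit = _attr(comp, "exported") is None and comp.find("intent-filter") is not None
        if (exported or implicit) and not _attr(comp, "permission") and not _is_launcher(comp):
            findings.append(("M1", "%s %s is exported without a permission"
                             % (comp.tag, _attr(comp, "name"))))
    return sorted(findings)
```

Running `audit_manifest(SAMPLE_MANIFEST)` reports the share activity and sync service (M1), the cleartext setting (M3) and the debuggable flag (M10), while the permission-guarded receiver and the launcher activity are not flagged.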