OWASP Mobile Top 10

Codified Security will help you secure your app against the OWASP Mobile Top 10.

At Codified Security we view the OWASP Mobile Top 10 as key to helping mobile developers understand and improve app security. All users can choose to test their mobile apps against the OWASP Mobile Top 10.

M1 Improper Platform Usage

M1 covers the misuse of features or failure to use built-in security controls, including Touch ID, the Keychain, intents on Android, permissions, or some other security control that is part of the mobile OS. For more information see our article on OWASP Mobile Top 10 M1.

M2 Insecure Data Storage

M2 combines M2 & M4 from the OWASP Mobile Top 10 2014, including data exposure, use of storage features, unintended data leakage, and failures to use cryptographic features. For more information see our article on OWASP Mobile Top 10 M2.

M3 Insecure Communication

M3 covers poor handshaking, use of outdated SSL or TLS, weak negotiation, and cleartext communication of sensitive data or assets.

M4 Insecure Authentication

The focus of M4 is the authentication methods and controls of the end user and session management: failing to identify the user at all when that should be required, failing to maintain the user’s identity when it is required, or any weaknesses in session management.

M5 Insufficient Cryptography

M5 covers implementation failures of cryptography for sensitive data and information.

M6 Insecure Authorisation

The focus of M6 is problems with authorisation (e.g., authorisation decisions on the client side or forced browsing). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

M7 Client Code Quality

M7 covers “Security Decisions Via Untrusted Inputs” from the OWASP Mobile Top 10 2014; its scope is secure coding issues on the client side.

M8 Code Tampering

M8 covers binary patching, modification of local resources, method swizzling, method hooking, and dynamic memory modification. When the app is installed on a user’s mobile device, the client-side code and local data are available. Attackers may be able to manipulate the code, change the contents of the memory dynamically, change or replace the system APIs that the app uses, or modify the app’s data.

M9 Reverse Engineering

The focus of M9 is analysis of the app binary with the aim of determining its source code, libraries, algorithms, and other assets. Reverse engineering tools expose the business logic and architecture of the app. This may be used to exploit other vulnerabilities in the app, as well as revealing information about the back end, cryptographic constants and ciphers, and intellectual property.

M10 Extraneous Functionality

Developers may keep backdoors, debug modes or other development environment security controls that need to be removed before a production release. For example, a developer may accidentally include a password as a comment in a hybrid app or disable 2-factor authentication during testing.

What to expect when you choose Codified Security

Test your mobile app's client side

OWASP Mobile Top 10 app security testing

A report that shows your app's vulnerabilities with remediation advice

Custom security rules including PCI-DSS, HIPAA & OWASP Mobile Top 10

From $249 per test

