November 25, 2025

Know Your OWASP: Mobile Top 10 vs Mobile Application Security Project

As we reach the one year anniversary since the latest update to the OWASP Mobile Top 10 list, we’ve seen a lot of relevant mobile app security action over the past twelve months – including plenty of real-world examples of the reigning number one risk category, “Improper Credential Usage” (leaky credentials, hardcoded secrets, etc.). It’s a fair time to ask why these sorts of lists matter and if they’re even the best tools for helping development teams improve the security of their mobile apps.

Since 2001, the non-profit OWASP Foundation (which stands for “Open Worldwide Application Security Project”) has driven community-led, open source projects such as code, documentation, and standards to help organizations conceive, develop, acquire, operate, and maintain applications that can be trusted. Among their many projects, OWASP published its original OWASP Top 10 of common web application vulnerabilities in 2003. The list was designed to be updated and republished on a regular basis (every few years).

Due to rising popularity and unique differences from web applications, OWASP decided to provide separate support information for developing reliable and secure mobile applications. Two different groups of industry professionals within OWASP’s membership lead these efforts.

The first working group is the OWASP Mobile Application Security (MAS) Project, which includes featured contributors and officially recognized MAS Advocates. The MAS Project’s stated mission is to provide “...a security and privacy standard for mobile apps (OWASP MASVS), a collection of mobile app-specific weaknesses (OWASP MASWE) and a comprehensive testing guide (OWASP MASTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.”

The second working group is in charge of the OWASP Mobile Top 10. This popular list of commonly observed vulnerabilities was updated for the first time in eight years in late 2024. It is managed by its own group of rotating contributors.

The fact that these are separate groups working on different parts of the mobile app security puzzle has drawn questions from some developers and compliance professionals (namely, “Which OWASP guidance is most important for mobile apps?”).

While the OWASP Mobile Top 10 has been a very successful tool for building awareness about evolving risks for mobile apps, the OWASP MAS Project offers assurance. Specifically, the OWASP MASVS (Mobile Application Security Verification Standard) and OWASP MASTG (Mobile Application Security Testing Guide) provide rigorous, research-based work that directly guides and supports mobile app development and security professionals.

This piece looks deeper into these two groups and their specific missions.

Some background on the “Mobile Top 10”

The first Mobile Top 10 list was published in 2014, with updates following in 2016 and late 2024. Originally designed as a “common pitfalls” exercise, the Mobile Top 10 has evolved somewhat with changing membership of the working group over the years. Technology changes like the increasing use of generative AI and large language model (LLM) tools in software development also led OWASP to develop a separate Top 10 for LLMs in 2025.

The popular “Top Ten” listicle format works for almost any subject because it’s short, sweet, and of the moment. What the format may lack in terms of analytical depth and actionable details, it makes up for in portability. As such, the OWASP Mobile Top 10 has become a seasoned PR traveler. Whenever an updated list comes out, industry pundits and tech publications write articles and blogs offering their own unique spin to provide context about how the new vulnerabilities or shifted rankings reflect the current state of the mobile app threat landscape.

Counting down the latest “Mobile Top 10”

The 2024 update of the OWASP Mobile Top 10 (the first since 2016) includes several new areas – such as Inadequate Supply Chain Security (in response to the significant impacts now being caused by software supply chain attacks, perhaps most notably the 2020 SolarWinds hack), and Insecure Data Storage (as a nod to increasing regulatory risks for non-compliance with the latest data privacy laws, such as the EU’s GDPR). Below is the current ranking, annotated with real-world attack examples.

  1. Improper credential usage: Poor implementation of credential management, such as using hardcoded credentials and improper handling, can lead to severe security weaknesses. In late 2024, researchers published details about a variety of popular Android and iOS apps (used for dining, photo editing, cab hailing, and more) that all had similar security vulnerabilities due to hardcoded credentials.
  2. Inadequate supply chain security: Manipulation of mobile app functionality by exploiting vulnerabilities in the software supply chain. Analysis of 10 popular sports betting applications on the Google Play store revealed that each app had, on average, 10 vulnerable components and 179 individual vulnerabilities.
  3. Insecure authentication/authorization: Typically, automated attacks by malware or bots that exploit vulnerabilities by directly submitting service requests to the mobile app’s backend server to fake or bypass mobile app authentication. Alternatively, the attacker can log into the application as a legitimate user after successfully passing the authentication control and then force-browse to a vulnerable endpoint to execute administrative functionality. Reports indicate that internal patient record data from the UK’s National Health Service (NHS) could have been accessed without requiring authentication due to a security hole in an API.
  4. Insufficient input/output validation: Insufficient validation and sanitization of data from external sources, such as user inputs or network data, can introduce severe security vulnerabilities. A security researcher very recently identified a client-side validation vulnerability in the rewards system of McDonald’s mobile app. The application failed to perform server-side verification of reward point balances, allowing users to potentially claim free food items regardless of their actual point totals.
  5. Insecure communication: While modern mobile applications aim to protect network traffic, common inconsistencies in their implementation can lead to exposure of data and session IDs. Several U.S. federal agencies were using a cloned and modified version of the Signal app because it offered the ability to archive member conversations, in accordance with government requirements. However, transferring the conversations to a third-party server for archiving simultaneously undermined the end-to-end encryption that is central to Signal’s identity and security. The cloned app was hacked within minutes and 410 GB of breached data was later published online.
  6. Inadequate privacy controls: Protection failures that allow Personally Identifiable Information (PII) to be leaked (violation of confidentiality), manipulated (violation of integrity), or destroyed/blocked (violation of availability). In March 2025, multiple vulnerabilities were identified in Dario Health’s blood glucose monitoring Android app. If exploited, an attacker could not only access private PII, but also manipulate data, inject code, or achieve cross-site scripting, resulting in the leak of private information.
  7. Insufficient binary protections: Failures that allow extraction of proprietary code (IP) and valuable secrets (like API keys), bypass of security checks, or malicious modification of code. This category also includes missing protections against attacks, such as mechanisms the compiler would add to make attacks impossible or more complicated – like position-independent code (PIC) or position-independent executable (PIE). Back in 2022, a threat campaign dubbed “SeaFlower” distributed seemingly legitimate cryptocurrency wallet apps that contained backdoors for seed phrase exfiltration. Researchers noted SeaFlower’s highly sophisticated reverse engineering, complete with automatic deployment and legitimate developer provisioning profiles for the Apple App Store.
  8. Security misconfiguration: Improper configuration of security settings, permissions, and controls can lead to unauthorized access to sensitive data and other malicious threat actions. A bicycle rental mobile app in the UK reportedly made confidential customer data available (including names, contact details and order history) due to misconfigured administrative access permissions.
  9. Insecure data storage: Includes weak encryption, insufficient data protection, insecure data storage mechanisms, and improper handling of user credentials. A popular women-only dating safety app exposed at least 59 GB of user data (including driver license images, photos, and other message attachments) due to an unsecured Firebase storage bucket. A second leaked database revealed 1.1 million private messages sent between app users, including discussions of sensitive topics.
  10. Insufficient cryptography: Exploiting vulnerabilities in the cryptographic mechanisms used to protect sensitive information, which in turn undermines its confidentiality, integrity, and authenticity. Researchers recently discovered that several Android VPN apps (with over 700 million Google Play downloads combined) not only use weak/deprecated encryption mechanisms, but also contain hard-coded passwords – which could allow an attacker to decrypt user traffic.
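The rewards case under item 4 comes down to one question: where does the point balance that authorizes a redemption come from? The following added example (written for this article, not code from the post, from OWASP, or from any app it mentions) contrasts a handler that trusts a client-supplied balance with one that only consults the server's own ledger. All user IDs, item names and point values are constructed for illustration.

```python
# Added example: server-side verification of reward balances, illustrating
# the "insufficient input/output validation" item. Every account, catalogue
# entry and point value below is constructed for illustration.
from dataclasses import dataclass, field

REWARD_COST = {"free_fries": 150, "free_burger": 400}  # constructed catalogue


@dataclass
class RewardsLedger:
    """Authoritative, server-held point balances (constructed sample data)."""
    balances: dict = field(default_factory=lambda: {"user-42": 200})

    def redeem_trusting_client(self, request: dict) -> dict:
        """Vulnerable pattern: the balance arrives inside the client request
        and is believed, so a tampered request can claim any balance."""
        cost = REWARD_COST[request["item"]]
        if request["points_balance"] < cost:
            return {"ok": False, "reason": "insufficient points"}
        return {"ok": True, "item": request["item"]}

    def redeem_server_verified(self, request: dict) -> dict:
        """Hardened pattern: ignore any client-supplied balance, validate the
        item against the catalogue, then check and deduct from the ledger.
        In a real service the check-and-deduct must be one transaction."""
        item = request.get("item")
        user = request.get("user")
        if item not in REWARD_COST or user not in self.balances:
            return {"ok": False, "reason": "invalid request"}
        cost = REWARD_COST[item]
        balance = self.balances[user]  # server-side source of truth
        if balance < cost:
            return {"ok": False, "reason": "insufficient points"}
        self.balances[user] = balance - cost  # deduct so the reward cannot be replayed
        return {"ok": True, "item": item, "remaining": self.balances[user]}


# Constructed request: a user holding 200 points claims to hold 99999.
TAMPERED = {"user": "user-42", "item": "free_burger", "points_balance": 99999}


def demo() -> tuple:
    """Returns (vulnerable handler accepted?, hardened handler accepted?)."""
    ledger = RewardsLedger()
    return (ledger.redeem_trusting_client(TAMPERED)["ok"],
            ledger.redeem_server_verified(TAMPERED)["ok"])
```

The hardened handler also deducts points, so the same legitimate redemption cannot be replayed once the server-side balance is exhausted.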

Raising awareness about evolving mobile app threats is valuable. The OWASP Mobile Top 10 is a useful tool for increasing general public knowledge about the latest risks and common best practices. But it is more of a conversation starter than a set of defined professional security standards or technical guidance to help mobile application publishers improve security across their various projects.

Setting the standard for mobile app security

The OWASP MAS Project provides more substantial and actionable technical information for developers, software engineers, and security professionals in the mobile application space via OWASP MASVS and OWASP MASTG. These resources help developers understand how to test their mobile applications and what to test for in order to ensure a secure app. They also provide organizations with a standard of reference for evaluating a mobile application security solution.

While OWASP sets the standards for mobile application security, Guardsquare operationalizes them. Our solutions for testing, protection, API integrity, and monitoring combine to ensure comprehensive, purpose-built mobile application security in alignment with OWASP’s recommendations.

For example, AppSweep, Guardsquare’s MAST product, groups findings according to OWASP MASVS for clear vulnerability classification, prioritization, and remediation – enabling developers to prioritize remediation of critical security issues early in the development process. In addition, Guardsquare’s comprehensive code hardening and RASP capabilities – provided by both DexGuard (Android) and iXGuard (iOS) – directly align with MASVS-RESILIENCE requirements for multiple defensive layers such as code obfuscation, anti-debugging, and anti-tampering.

Learn more about how Guardsquare solutions align with OWASP MAS standards to deliver comprehensive mobile app security across the full software development lifecycle (SDLC).

Guardsquare is a proven leader in the mobile app security industry – including contributions to the OWASP Mobile Application Security project and recognition of OWASP MAS Advocate Status.
