Skip to main content




OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. OWASP-M Top Ten classifies mobile security risks and provides developmental controls to reduce their impact or likelihood of exploitation. The last version reviewed is 2016.


M1. Improper platform usage266. Disable insecure functionalities
320. Avoid client-side control enforcement
330. Verify Subresource Integrity
348. Use consistent encoding
M2. Insecure data storage030. Avoid object reutilization
032. Avoid session ID leakages
046. Manage the integrity of critical files
173. Discard unsafe inputs
185. Encrypt sensitive information
229. Request access credentials
M3. Insecure communication threat agents030. Avoid object reutilization
206. Configure communication protocols
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
M4. Insecure authentication132. Passphrases with at least 4 words
153. Out of band transactions
319. Make authentication options equally secure
328. Request MFA for critical systems
335. Define out of band token lifespan
357. Use stateless session tokens
M5. Insufficient cryptography151. Separate keys for encryption and signatures
185. Encrypt sensitive information
224. Use secure cryptographic mechanisms
361. Replace cryptographic keys
M6. Insecure authorization031. Discard user session data
035. Manage privilege modifications
373. Use certificate pinning
M7. Poor code quality157. Use the strict mode
162. Avoid duplicate code
164. Use optimized structures
172. Encrypt connection strings
345. Establish protections against overflows
348. Use consistent encoding
M8. Code tampering037. Parameters without sensitive data
262. Verify third-party components
326. Detect rooted devices
374. Use of isolation methods in running applications
M9. Reverse engineering050. Control calls to interpreted code
172. Encrypt connection strings
184. Obfuscate application data
M10. Extraneous functionality threat agents154. Eliminate backdoors
323. Exclude unverifiable files