Skip to main content




OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. OWASP-M Top Ten classifies mobile security risks and provides developmental controls to reduce their impact or likelihood of exploitation. The last version reviewed is 2016.


M1. Improper platform usage
266. Disable insecure functionalities
320. Avoid client-side control enforcement
330. Verify Subresource Integrity
348. Use consistent encoding
M2. Insecure data storage
030. Avoid object reutilization
032. Avoid session ID leakages
046. Manage the integrity of critical files
173. Discard unsafe inputs
185. Encrypt sensitive information
229. Request access credentials
M3. Insecure communication threat agents
030. Avoid object reutilization
206. Configure communication protocols
223. Uniform distribution in random numbers
224. Use secure cryptographic mechanisms
336. Disable insecure TLS versions
338. Implement perfect forward secrecy
M4. Insecure authentication
132. Passphrases with at least 4 words
153. Out of band transactions
319. Make authentication options equally secure
328. Request MFA for critical systems
335. Define out of band token lifespan
357. Use stateless session tokens
M5. Insufficient cryptography
151. Separate keys for encryption and signatures
185. Encrypt sensitive information
224. Use secure cryptographic mechanisms
361. Replace cryptographic keys
M6. Insecure authorization
031. Discard user session data
035. Manage privilege modifications
373. Use certificate pinning
M7. Poor code quality
157. Use the strict mode
162. Avoid duplicate code
164. Use optimized structures
172. Encrypt connection strings
345. Establish protections against overflows
348. Use consistent encoding
M8. Code tampering
037. Parameters without sensitive data
262. Verify third-party components
326. Detect rooted devices
374. Use of isolation methods in running applications
M9. Reverse engineering
050. Control calls to interpreted code
172. Encrypt connection strings
184. Obfuscate application data
M10. Extraneous functionality threat agents
154. Eliminate backdoors
323. Exclude unverifiable files
free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.