The OWASP Mobile Application Security Verification Standard (MASVS) version 2.1.0 was released in January 2024, containing new, updated, merged, and re-prioritized threat categories. The changes better reflect the current cyber threat landscape, giving mobile developers a stronger advantage in securing apps across platforms.
What's New
There are four new threat categories, including the new top-ranked mobile risk.
Improper Credential Usage
Ranked first (M1) on the new OWASP Mobile Top Ten list, this category covers attack vectors that exploit mishandled user credentials, API keys, and other improper credential usage.
Inadequate Supply Chain Security
Coming in second (M2), this fast-growing attack vector exploits weaknesses in the mobile app supply chain. Attackers target the development tooling and dependencies you rely on in order to inject vulnerabilities, weaknesses, or malicious code without being detected.
Insufficient Input/Output Validation
The M4 category relates to validating app input and output. Mobile apps are at risk when data from external sources isn't sufficiently validated or sanitized, and inadequate output validation can lead to data corruption or exploitable presentation vulnerabilities.
Inadequate Privacy Controls
M6 focuses on controls for protecting Personally Identifiable Information (PII) used in an application. These controls prevent data leaks, manipulation, or destruction.
What Merged
In version 2.1.0, four previous categories were merged into two and repositioned on the list.
Insufficient Binary Protections
Sitting at M7, the Insufficient Binary Protections category combines the previous Code Tampering and Reverse Engineering categories. These controls help ensure that binary code can't be leaked, manipulated, repackaged, or used to gain a foothold in the back end for a planned attack.
Insecure Authentication/Authorization
The new standard merges the previous M4 Insecure Authentication and M6 Insecure Authorization into one category at M3. Here, threats target weaknesses in authentication (verifying the user is who they say they are) or authorization (verifying the user is permitted to access a resource).
What Was Updated
Four categories were either reworded or had their position changed on the list.
Security Misconfiguration
Security Misconfiguration is the new name for "Extraneous Functionality," which moved from M10 to M8. This category focuses on improper configuration of security settings, permissions, and controls that creates exploitable vulnerabilities.
Insecure Communication
This category dropped from M3 to M5. It addresses controls that protect data exchanges with remote servers over communication networks.
Insecure Data Storage
Dropping from M2 to M9, insecure data storage in a mobile app leaves data open to a wide range of potential attackers, who usually target sensitive or regulated data, intellectual property, or personal information.
Insecure Cryptography
Last but not least, this category dropped from M5 to M10. Threat agents exploiting insecure cryptography typically aim to decrypt sensitive data, manipulate cryptographic processes, leak encryption keys, steal data, gather intelligence, or commit fraud.
The 2024 Final List
These changes represent the third major revision of the Mobile Top Ten list since its initial release in 2014 and its 2016 update. Here is the list in order:
M1: Improper Credential Usage
M2: Inadequate Supply Chain Security
M3: Insecure Authentication/Authorization
M4: Insufficient Input/Output Validation
M5: Insecure Communication
M6: Inadequate Privacy Controls
M7: Insufficient Binary Protections
M8: Security Misconfiguration
M9: Insecure Data Storage
M10: Insecure Cryptography
Check out our training courses geared specifically toward the OWASP Mobile Top Ten and provide your team with the skills to defend mobile apps against every attack vector successfully. Contact us today to learn more.