New OWASP Mobile Top Ten: Know What Changed
4:13

The OWASP Mobile Application Security Verification Standard (MASVS) version 2.1.0 was released in January 2024, containing new, updated, merged, and re-prioritized threat categories. The changes better reflect the current cyber threat landscape, giving mobile developers a stronger advantage in securing apps across platforms.

What's New

There are four new threat categories, including the new top mobile risk.

Improper Credential Usage

Ranked at the top of the new OWASP Mobile Top Ten list, this category includes several potential attack vectors exploiting user credentials, API keys, and improper credential usage.

Inadequate Supply Chain Security

Coming in second, this fast-growing attack vector exploits vulnerabilities in the mobile app supply chain. Attackers target the development tooling you use to inject vulnerabilities, insecurities, or malicious code without being detected.

Insufficient Input/Output Validation

The M4 category relates to validating app input and output. Mobile apps are at risk when data from external sources isn't sufficiently validated or sanitized. Inadequate output validation can lead to data corruption or exploitable presentation vulnerabilities.

Inadequate Privacy Controls

M6 focuses on controls for protecting Personally Identifiable Information (PII) used in an application. These controls prevent data leaks, manipulation, or destruction.

What Merged

In version 2.1.0, four previous categories were merged into two and repositioned on the list.

Insufficient Binary Protections

Sitting at M7, the Insufficient Binary Protections category consists of previously known categories such as Code Tampering and Reverse Engineering. These controls help ensure that binary code can't be leaked, manipulated, repackaged, or used to gain a foothold in the back end for a planned attack.

Insecure Authentication/Authorization

The new standard merges the previous M4 Insecure Authentication and M6 Insecure Authorization into one category at M3. Here, threats target vulnerabilities in authentication (verifying the user is who they say they are) or authorization (verifying the user has the proper credentials to access a resource).

What Was Updated

Four categories were either reworded or had their position changed on the list.

Security Misconfiguration

Security Misconfiguration is the new name for "Extraneous Functionality," which moved from M10 to M8. This category focuses on improper configuration of security settings, permissions, and controls that create exploitable vulnerabilities.

Insecure Communication

This category dropped from M3 to M5. It addresses controls that protect data exchanges with remote servers over communication networks.

Insecure Data Storage

Dropping from M2 to M9, insecure data storage in a mobile app leaves data open to a wide range of potential attackers, usually targeting sensitive or regulated data, intellectual property, or personal information.

Insufficient Cryptography

Last but not least, this category dropped from M5 to M10. Threat agents exploiting insecure cryptography typically aim to decrypt sensitive data, manipulate cryptographic processes, leak encryption keys, steal data, gather intelligence, or commit fraud.

The 2024 Final List

These changes represents the third major revision of the Mobile Top Ten list since its release in 2014 and updates in 2016. Here is the list in order:

 

Check out our training courses geared specifically toward the OWASP Mobile Top Ten and provide your team with the skills to defend mobile apps against every attack vector successfully. Contact us today to learn more.