As developers, security is a fundamental aspect of our work. It requires that we keep up with the latest security trends and articles, and who better to follow than OWASP? Founded in 2001, the Open Worldwide Application Security Project is an online community that produces openly accessible articles, methodologies, documentation, tools and technologies in the fields of IoT, system software and web application security.
Top 10 Mobile Risks 2024
My intention is not to copy and paste, as you can read the full note yourselves, but to analyse the evolution and the trend. By way of summary, the risks are:
- M1: Improper Credential Usage
- M2: Inadequate Supply Chain Security
- M3: Insecure Authentication/Authorization
- M4: Insufficient Input/Output Validation
- M5: Insecure Communication
- M6: Inadequate Privacy Controls
- M7: Insufficient Binary Protections
- M8: Security Misconfiguration
- M9: Insecure Data Storage
- M10: Insufficient Cryptography
The top 1 threat, improper use of credentials, is surprisingly common; I'm used to seeing them stored in a key-value sandbox of the application, hardcoded API keys, etc. But I expected to find hardcoded secrets somewhere in the list, and yet they said they would take it into account in the future.
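As an added example of how the credential problem described above can be caught before release (this is illustrative code written for this post, not part of the original article or of OWASP's material), the Python scanner below walks a constructed Android-style source tree and flags two things: string literals sitting next to credential-like names that look random enough to be real keys, and plaintext writes of credential-like values into SharedPreferences. The file contents, the list of known key prefixes and the entropy threshold are all constructed assumptions.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample files that stand in for a small Android project tree.
# The secret-looking values are illustrative placeholders, not real credentials.
SAMPLE_FILES = {
    "app/src/main/res/values/strings.xml": (
        '<resources>\n'
        '    <string name="app_name">DemoApp</string>\n'
        '    <string name="api_key">AKIAIOSFODNN7EXAMPLE</string>\n'
        '    <string name="welcome">Welcome back</string>\n'
        '</resources>\n'
    ),
    "app/build.gradle": (
        'android {\n'
        '    defaultConfig {\n'
        '        buildConfigField "String", "BACKEND_TOKEN", '
        '\'"sk_live_0123456789abcdef0123456789abcdef"\'\n'
        '    }\n'
        '}\n'
    ),
    "app/src/main/java/com/example/Session.kt": (
        'val prefs = context.getSharedPreferences("session", Context.MODE_PRIVATE)\n'
        'prefs.edit().putString("password", userPassword).apply()\n'
    ),
    "app/src/main/java/com/example/Safe.kt": (
        'val retryCount = 3\n'
        'val greeting = "hello"\n'
    ),
}

# Identifier fragments that suggest a credential (case-insensitive).
SECRET_NAME = re.compile(r"(?i)(api[_-]?key|secret|token|password|passwd|pwd|credential)")
# A quoted literal of 8+ characters with no quotes or whitespace inside.
QUOTED_LITERAL = re.compile(r'''["']([^"'\s]{8,})["']''')
# An Android <string> resource whose value is a single 8+ character token.
XML_STRING = re.compile(r'<string\s+name="([^"]+)"\s*>([^<\s]{8,})</string>')
# A write into SharedPreferences with a literal key name.
PLAINTEXT_PUT = re.compile(r'putString\(\s*"([^"]+)"')
# Assumption: a short illustrative list of well-known key prefixes.
KNOWN_PREFIXES = ("AKIA", "sk_live_")
# Assumption: bits per character above which a literal is treated as random-looking.
ENTROPY_THRESHOLD = 3.0


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


def shannon_entropy(value):
    """Bits of entropy per character, estimated from the character frequencies."""
    if not value:
        return 0.0
    n = len(value)
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value):
    """A literal is suspicious if it carries a known key prefix or is random-looking."""
    return value.startswith(KNOWN_PREFIXES) or shannon_entropy(value) >= ENTROPY_THRESHOLD


def scan_text(path, text):
    """Return the findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        xml = XML_STRING.search(line)
        if xml:
            name, value = xml.groups()
            if SECRET_NAME.search(name) and looks_like_secret(value):
                findings.append(Finding(path, lineno, "hardcoded-secret", f"resource '{name}'"))
        elif SECRET_NAME.search(line):
            for literal in QUOTED_LITERAL.findall(line):
                if SECRET_NAME.search(literal):
                    continue  # the literal is a key name such as "BACKEND_TOKEN", not a value
                if looks_like_secret(literal):
                    findings.append(Finding(path, lineno, "hardcoded-secret", f"literal '{literal[:6]}...'"))
        put = PLAINTEXT_PUT.search(line)
        if put and SECRET_NAME.search(put.group(1)):
            findings.append(Finding(path, lineno, "plaintext-key-value-storage", f"key '{put.group(1)}'"))
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and return all findings in path order."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} ({f.detail})")
```

In a real pipeline you would feed `scan_files` the repository contents (or the strings extracted from a built APK) and fail the build on any `hardcoded-secret` finding; the entropy threshold and the prefix list are the two knobs that trade false positives against misses, which is why a key name such as `"BACKEND_TOKEN"` is explicitly skipped rather than scored.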
Comparison between 2016 and 2024
We can see how data storage has been minimised in recent years. The same goes for cryptography and insecure communication.
Conclusions
Interestingly, none of the points catch me off guard. But it is curious to see the evolution of many of them. For example, the policies that Google and Apple have taken with their development tools have had a big effect on the de-escalation of the M5, M9 and M10 threats. However, it is clear that the first four threats have not yet been properly handled either by the development tools or by many less experienced developers.
See you in other posts!!