OWASP Mobile Top 10 List: Why Publish a Separate List for Mobile?


The Open Worldwide Application Security Project (OWASP) is a nonprofit dedicated to helping teams improve the security of their software. Among a wide range of resources and initiatives, OWASP publishes several Top 10 lists, each ranking the most critical risks in one area of software and pointing to mitigations for them. In this post, we examine these Top 10 lists, including why they matter and why web apps and mobile apps get separate lists.

Why OWASP Lists Are Important

OWASP is a nonprofit foundation focused on improving software security. This online community produces a range of resources, including methodologies, documentation, tools, and technologies.

OWASP is best known for its Top 10 lists. Over the years, these lists have become de facto reference points for application and security teams worldwide, and are frequently cited in procurement requirements and compliance frameworks. One caveat a practitioner should keep in mind: OWASP positions each Top 10 as an awareness document, not a complete standard. Passing a Top 10 review does not mean an app is secure, only that its most common classes of weakness have been considered. Used that way, the lists help teams change their culture, approach, and practices to produce more secure code.

The OWASP Methodology

OWASP builds the web application Top 10 from contributed data. It issues a public call for organizations to submit information about the vulnerabilities they have found through their own testing, most of it from automated tools. The data set is large: the 2017 list drew on data from more than 114,000 applications, and the 2021 list on more than double that number.

The contributed data determines eight of the ten categories; the remaining two come from an industry survey of practitioners. The survey exists because automated testing lags behind the threat landscape: a tool can only find what it has been taught to find, so data-driven categories reflect what scanners detect and what organizations choose to report. Combining the two sources gives a more complete picture of today's risks and how they are evolving than either source alone. Note that the Mobile Top 10 is a separate OWASP project with its own data collection and release cycle, so its categories should not be read as a subset of the web list.

OWASP Top 10 Lists

OWASP supports hundreds of projects, including a number of Top 10 lists that look at the most critical security vulnerabilities in different arenas (others cover API security and LLM applications, for example). The two lists compared in this post are the OWASP Top 10, which covers web applications, and the OWASP Mobile Top 10, which covers native mobile apps.

The OWASP Top 10 and the OWASP Mobile Top 10: Why Two Lists?

Wondering why there are two separate lists for web and mobile apps? Here are a few reasons:

Devices Live Outside the Perimeter

Mobile apps predominantly run on bring-your-own (BYO) devices that the organization developing the app does not control. The security posture of such a device depends on factors the developer cannot see or enforce: OS version and patch level, whether the device is rooted or jailbroken, which other apps are installed, and the behavior and usage patterns of the individual end user. Consequently, both the app and the organization face considerable exposure, and the app has to be designed on the assumption that it is running on a hostile host rather than inside a trusted perimeter.

Easy Access to the App Code 

Publishing a mobile app in an app store hands every attacker a copy of the app's code. Anyone can download the app onto a device they control, unpack it, and inspect or modify it. An Android APK is a ZIP archive, and free tools such as apktool and jadx turn it back into readable resources and near-source Java in minutes; iOS binaries take a little more work (the store encrypts them, so they are typically dumped from a jailbroken device) but are routinely reversed as well. The practical consequence is that any credential, API key, or business logic compiled into the app should be treated as public. Web apps are different not because they sit behind a DMZ but because their server-side code is never shipped to the client: the browser only receives HTML, CSS, and JavaScript, so secrets and logic kept on the server stay out of the attacker's reach.
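To make the "the package is public" point concrete, here is an added example (not code from the original post or from OWASP) that does what an attacker does after downloading an app: opens the package as a ZIP and greps it for anything that looks like a credential. The package contents, file names, and secret values are constructed for the demo; real APKs also carry compiled DEX code and native libraries, which need a decompiler or a strings pass but are no harder to read. A hardened variant of the same package, with the secrets moved off the device, is included for contrast.

```python
"""Added example: scan a mobile app package (an APK is a ZIP) for shipped secrets."""
import io
import re
import zipfile

# Constructed sample package that ships secrets in plain text resources.
VULNERABLE_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">DemoBank</string>\n'
        '    <string name="payments_api_key">AKIAEXAMPLEKEY123456</string>\n'
        "</resources>\n"
    ),
    "assets/config.json": (
        '{"api_base": "https://api.example.test",'
        ' "client_secret": "s3cr3t-client-secret-do-not-ship",'
        ' "debug": false}\n'
    ),
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
}

# Hardened variant: the app only knows where its backend is. Keys and client
# secrets live on the server, which authenticates the user, not the app.
HARDENED_FILES = {
    "res/values/strings.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<resources>\n"
        '    <string name="app_name">DemoBank</string>\n'
        "</resources>\n"
    ),
    "assets/config.json": '{"api_base": "https://api.example.test", "debug": false}\n',
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
}

# Patterns an attacker (or a pre-release review) greps for. The AWS key
# format is real; the second pattern catches "secret"/"api_key"/"password"/
# "token" followed by a separator and a value in XML, JSON or key=value text.
SECRET_PATTERNS = [
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("named_secret", re.compile(
        r'(?:secret|api[_-]?key|password|token)["\']?\s*[:=>]+\s*["\']?([^"\'<\s]+)',
        re.IGNORECASE)),
]

def build_package(files: dict[str, str]) -> bytes:
    """Pack the given files into a ZIP laid out like an APK (in memory)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()

def find_embedded_secrets(package: bytes) -> list[tuple[str, str, str]]:
    """Return (file, pattern_name, value) for every secret-looking string.

    Only UTF-8 text entries are scanned here; binary entries (classes.dex,
    .so) are skipped and would need a decompiler or `strings` in practice.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info.filename).decode("utf-8")
            except UnicodeDecodeError:
                continue
            for pattern_name, pattern in SECRET_PATTERNS:
                for m in pattern.finditer(text):
                    value = m.group(1) if m.groups() else m.group(0)
                    findings.append((info.filename, pattern_name, value))
    return findings

if __name__ == "__main__":
    for label, files in (("vulnerable", VULNERABLE_FILES), ("hardened", HARDENED_FILES)):
        findings = find_embedded_secrets(build_package(files))
        print(f"{label}: {len(findings)} finding(s)")
        for path, kind, value in findings:
            print(f"  {path}: {kind} -> {value}")
```

The scan is deliberately crude; its point is that the hardened package yields nothing not because the secrets are better hidden, but because they are no longer in the package at all. Obfuscation only raises the cost of the same search, so the only durable fix is to keep secrets server-side and have the app authenticate the user rather than itself.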

Different Attack Vectors

Mobile applications are installed on the device and can access device resources such as the camera, GPS, contacts, and local storage, and they talk to other apps through platform mechanisms such as intents and URL schemes. Web applications run inside a browser and deal in web resources such as cookies, HTTP headers, and the DOM. Each surface brings its own attack vectors: insecure local data storage, exported components, and deep-link abuse are mobile concerns with no direct web equivalent, while cross-site scripting and cross-site request forgery are browser concerns that do not translate directly to a native app. Different vectors give rise to different risk rankings.

Different Authentication Mechanisms

Mobile applications often authenticate differently than web applications. Both commonly use OAuth 2.0 or OpenID Connect, but a mobile app is a public client: it cannot keep a client secret, because anything compiled into it can be extracted (see above). A web backend, by contrast, is a confidential client that keeps its secret on the server. This is why OAuth guidance for native apps (RFC 8252) calls for the authorization code flow with PKCE (RFC 7636), the system browser rather than an embedded web view, and no embedded client secret. Mobile apps also rely on platform features such as biometric prompts and hardware-backed keystores for local authentication and token storage. Each of these choices creates its own vulnerabilities and risks, such as authorization codes intercepted by a malicious app that registers the same custom URL scheme.
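The following is an added example (not from the original post) of the PKCE exchange that native apps use instead of a client secret. The two hash computations follow RFC 7636; the authorization server class and the client identifiers are hypothetical stand-ins for a real provider, simplified to the parts that matter here: the server stores the challenge alongside the one-time code and refuses to issue a token unless the caller proves knowledge of the matching verifier. The second scenario models a malicious app on the same device that intercepts the redirect and steals the code.

```python
"""Added example: OAuth 2.0 PKCE (RFC 7636) for a public mobile client."""
import base64
import hashlib
import secrets

def b64url_nopad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a fresh high-entropy verifier (32 random bytes -> 43 chars)."""
    return b64url_nopad(secrets.token_bytes(n_bytes))

def make_code_challenge(verifier: str) -> str:
    """Client side: S256 challenge = base64url(SHA-256(verifier))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical minimal authorization server, in-memory only."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        """Authorization endpoint: bind the challenge to a single-use code."""
        if method != "S256":
            raise ValueError("only S256 accepted; 'plain' gives an interceptor the verifier")
        code = b64url_nopad(secrets.token_bytes(16))
        self._codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: release the token only to whoever holds the verifier."""
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        stored_client, challenge = entry
        if stored_client != client_id:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return "access-token-" + b64url_nopad(secrets.token_bytes(8))

def legitimate_flow() -> bool:
    """The real app keeps the verifier in memory and redeems its own code."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize("demobank-mobile", make_code_challenge(verifier))
    return server.token("demobank-mobile", code, verifier) is not None

def intercepted_code_attack() -> bool:
    """A malicious app grabs the redirect (and thus the code) but not the verifier.

    Returns True only if the attacker obtains a token, i.e. if PKCE failed.
    """
    server = AuthorizationServer()
    verifier = make_code_verifier()          # stays inside the legitimate app
    code = server.authorize("demobank-mobile", make_code_challenge(verifier))
    attacker_guess = make_code_verifier()    # attacker has the code, guesses a verifier
    stolen = server.token("demobank-mobile", code, attacker_guess)
    # The code was consumed by the failed attempt, so a replay also fails.
    replay = server.token("demobank-mobile", code, verifier)
    return stolen is not None or replay is not None

if __name__ == "__main__":
    print("legitimate flow succeeds:", legitimate_flow())
    print("intercepted code yields a token:", intercepted_code_attack())
```

Two design points worth noticing: the server only ever stores the challenge, so a database leak does not expose verifiers, and a code is deleted on first use, which means a failed attacker attempt also burns the code for the legitimate app and the user simply has to sign in again. The `plain` method is rejected because it sends the verifier itself as the challenge, which gives an interceptor everything it needs.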

Platform-Specific Issues

Mobile applications are built for specific operating systems, such as iOS and Android, and each platform has its own sandboxing model, permission system, inter-app communication mechanisms, keystore, and update cadence. A weakness that matters on one platform (an exported Android component, for example) may have no counterpart on the other. The OWASP Mobile Top 10 takes these platform-specific issues into account in a way a browser-centric list cannot.

Different Programming Languages

Mobile applications are usually written in different languages and frameworks than web applications: native apps in Kotlin or Java on Android and Swift or Objective-C on iOS, or in a cross-platform framework that compiles to both. Web applications pair browser-side JavaScript with a server-side language such as PHP, Python, or Java. Each language and runtime brings its own classes of bugs and its own tooling for finding them, so the risk profile differs.

Differences in Device Security

Mobile platforms offer security mechanisms that browsers do not expose in the same way. For example, mobile devices provide biometric authentication and hardware-backed key storage (the Android Keystore and the iOS Secure Enclave), while a browser's equivalents are cookies, origin isolation, and, more recently, WebAuthn. These variances cut both ways: they give mobile developers stronger primitives for protecting keys and sessions, and they create new ways to get it wrong, such as storing a token outside the keystore or treating a biometric prompt as proof of identity when it only unlocks a local key.

Conclusion

The OWASP Top 10 and the OWASP Mobile Top 10 are different because browser-based apps and mobile apps have fundamentally different characteristics, architectures, and threat vectors. By working from the list that matches their app, developers and security teams can take the essential steps needed to protect it against evolving threats, whether it runs in a web browser or on a mobile device.

If you would like to learn more about the OWASP Mobile Top 10 and the Mobile Application Security Verification Standard (MASVS), or to assess your mobile application against them, please contact us today and ask for a free mobile application risk assessment.

Mobile App Security Expert. View the author's experience and accomplishments on LinkedIn.