The OWASP Mobile Top Ten 2016 is a well-known resource for developing a comprehensive mobile application security plan. The OWASP list covers the most critical security vulnerabilities for mobile applications, which app business owners and developers should consider early in the development cycle. Understanding the mobile threat environment is key to making sure new and updated apps include sufficient hardening against mobile threats: threats that can be directly tied to financial and intellectual property loss, brand damage, and penalties from PII exposure.

The following table details the OWASP Mobile Top Ten and outlines how Arxan's Application Protection shields critical apps from these known threats. Also of note is the inclusion in the 2016 list of two new categories, 'Reverse Engineering' and 'Code Tampering', compared to the 2014 edition. Including these threats in the Mobile Top 10 reflects the increasing occurrence of these attacks and their importance as a primary attack vector.


OWASP Mobile Top Ten (category and description) and Arxan Application Protection (response)

Improper Platform Usage
OWASP: Covers the misuse of a mobile operating system feature and the failure to use platform security controls.
Arxan: Arxan's anti-tamper and anti-reverse engineering capabilities can prevent an attacker from bypassing specific platform security controls.

Insecure Data Storage
OWASP: This category covers insecure data storage and unintended data leakage.
Arxan: Arxan hardens applications against these risks and ensures data stored on the device remains secure.

Insecure Communication
OWASP: This category encompasses any failure to ensure the security of data in transit, such as poor handshaking and incorrect SSL versions.
Arxan: Arxan provides hardening against data-in-transit attacks such as bypassing application certificate pinning.

Insecure Authentication
OWASP: Insecure Authentication refers to the absence or improper implementation of authentication mechanisms and to bad session management.
Arxan: Arxan can prevent reverse engineering and tampering to ensure authentication mechanisms remain secure.

Insufficient Cryptography
OWASP: This category covers failures to properly encrypt sensitive information assets.
Arxan: Arxan reinforces cryptographic mechanisms by preventing reverse engineering, and also offers enhanced cryptographic operations to provide additional protection of keys and other sensitive data at rest and at run-time.

Insecure Authorization
OWASP: This category refers to the failure of a server to correctly enforce identity and permissions as defined by the mobile app.
Arxan: Arxan prevents authorization attacks and ensures integrity in the authorization routines for the application, API calls, and other common authorized operations.

Client Code Quality
OWASP: Client Code Quality is an umbrella category for code-level implementation problems in the mobile app.

Code Tampering
OWASP: Code Tampering covers the unauthorized modification of an application for personal or monetary gain.
Arxan: Layered, adaptive app and key and data protection, together with real-time threat analytics and predictive intelligence, can help prevent, identify and mitigate code tampering.

Reverse Engineering
OWASP: This category includes analysis of the final core binary to determine its source code, libraries, algorithms and other assets, with the aim of exploiting vulnerabilities, harvesting sensitive data or stealing intellectual property.
Arxan: Layered, adaptive app and key and data protection, together with real-time threat analytics and predictive intelligence, can help prevent, identify and mitigate code tampering.

Extraneous Functionality
OWASP: This category covers the inclusion of hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment.
Arxan: Arxan Application Protection uses distinct build environment configurations between build phases to ensure extraneous functionality is unlikely to make its way into production.