
OWASP Mobile & IoT Top 10 Complete Guide: 2024 Mobile and IoT Security Vulnerabilities Analysis [2026 Update]

14 min read
Tags: OWASP, Mobile Security, IoT Security, MASVS, App Security


TL;DR

  • OWASP Mobile Top 10 2024 is the first major update since 2016
  • New categories added: "Improper Credential Usage" and "Supply Chain Security"
  • OWASP IoT Top 10 covers ten major security risks for IoT devices
  • MASVS is the mobile app security verification standard, with L1/L2/R three levels
  • MASTG is the implementation guide for mobile app security testing
  • App and IoT security needs to be considered from the design phase

Version Note: This article covers OWASP Mobile Top 10 2024 version (officially released in 2024) and IoT Top 10. The 2024 version has significant changes compared to 2016, adding modern topics like supply chain security and credential management.


Part 1: OWASP Mobile Top 10

What is OWASP Mobile Top 10?

OWASP Mobile Top 10 is the list of ten major security risks for mobile applications. It covers common vulnerability types on iOS and Android platforms.

Mobile app security challenges differ from web applications:

  • Code executes on user devices
  • Can be reverse-engineered and analyzed
  • Must handle device-specific security mechanisms
  • Network environment is uncontrollable (public WiFi)

The latest version was updated in 2024. Compared to previous versions, it emphasizes client-side security and privacy protection more.

To learn about the OWASP organization and web security standards, refer to the OWASP Complete Guide.


Mobile Top 10 Vulnerability Analysis

M1: Improper Platform Usage

Description: Not correctly using iOS/Android platform security features, or violating platform security guidelines.

Common Issues:

  • Not using Keychain/Keystore for sensitive data storage
  • Ignoring App Transport Security (ATS) settings
  • Improper use of Intent (Android) or URL Scheme (iOS)
  • Requesting unnecessary permissions

Attack Scenario:

Android App uses Intent to pass sensitive data
Malicious App can intercept these Intents
Steal user credentials

Protection Measures:

  1. Follow platform security development guidelines
  2. Use platform-provided security APIs
  3. Principle of least privilege
  4. Properly configure app export attributes

M2: Insecure Data Storage

Description: Sensitive data stored insecurely on the device.

Risk Locations:

  • SharedPreferences / NSUserDefaults (plaintext storage)
  • SQLite database (unencrypted)
  • Local file system
  • System logs
  • Clipboard
  • Backup files

Attack Methods:

  • Malicious app reading shared storage
  • Device lost or stolen
  • Obtaining data through backup files
  • Accessing app sandbox after Root/Jailbreak

Protection Measures:

// iOS (Swift) - Use Keychain for sensitive data storage
import Foundation
import Security

let tokenData = Data("example-session-token".utf8) // the secret to protect (placeholder value)
let query: [String: Any] = [
    kSecClass as String: kSecClassGenericPassword,
    kSecAttrAccount as String: "userToken",
    kSecValueData as String: tokenData,
    kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked
]
// Check the return status: ignoring it can leave the token unstored without anyone noticing
let status = SecItemAdd(query as CFDictionary, nil)
assert(status == errSecSuccess, "Keychain write failed: \(status)")

// Android (Kotlin) - Use EncryptedSharedPreferences (androidx.security:security-crypto)
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

val masterKey = MasterKey.Builder(context)
    .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
    .build()

val sharedPreferences = EncryptedSharedPreferences.create(
    context,
    "secret_prefs",
    masterKey,
    EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
    EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
)
val tokenValue = "example-session-token" // placeholder value
sharedPreferences.edit().putString("userToken", tokenValue).apply() // key and value are encrypted on disk

M3: Insecure Communication

Description: Communication between app and server lacks proper protection.

Common Issues:

  • Using HTTP instead of HTTPS
  • Accepting invalid or self-signed certificates
  • Not implementing Certificate Pinning
  • Passing sensitive data in URLs

Attack Scenario:

User connects to public WiFi at coffee shop
Attacker performs Man-in-the-Middle (MITM) attack
Intercepts app's network traffic
Steals login credentials or Session Token

Protection Measures:

  1. Enforce HTTPS
  2. Implement Certificate Pinning
  3. Verify server certificates
  4. Don't put sensitive data in URLs

// iOS - Certificate Pinning example (Alamofire 4 ServerTrustPolicy API)
let serverTrustPolicy = ServerTrustPolicy.pinCertificates(
    certificates: ServerTrustPolicy.certificates(), // .cer files bundled with the app
    validateCertificateChain: true,
    validateHost: true
)
// The policy only takes effect once it is bound to the API host and used by the session
let policyManager = ServerTrustPolicyManager(policies: ["api.example.com": serverTrustPolicy]) // replace with your API host
let sessionManager = SessionManager(serverTrustPolicyManager: policyManager)

M4: Insecure Authentication

Description: App's user authentication mechanism has vulnerabilities.

Common Issues:

  • Offline authentication can be bypassed
  • Weak password policies
  • No account lockout implementation
  • Improper session management
  • Flawed biometric implementation

Protection Measures:

  1. Authentication logic on server-side
  2. Use standard authentication protocols (OAuth 2.0)
  3. Implement multi-factor authentication
  4. Secure Session Token storage and transmission

M5: Insufficient Cryptography

Description: Using insecure encryption methods or flawed encryption implementation.

Common Issues:

  • Using known insecure algorithms (MD5, SHA1, DES)
  • Keys hardcoded in source code
  • Self-implemented encryption algorithms
  • Improper key management

Bad Example:

// Wrong: Key hardcoded in code
private static final String SECRET_KEY = "MySecretKey123";

// Wrong: Using insecure algorithm
MessageDigest md = MessageDigest.getInstance("MD5");

Correct Approach:

// Use Android Keystore to generate and store keys
KeyGenerator keyGenerator = KeyGenerator.getInstance(
    KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
keyGenerator.init(
    new KeyGenParameterSpec.Builder("MyKey",
        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .build());
SecretKey key = keyGenerator.generateKey();

M6: Insecure Authorization

Description: App's permission checking has vulnerabilities, allowing users to access functions or data they shouldn't.

Common Issues:

  • Only checking permissions on client-side
  • Can access others' data by modifying requests
  • Hidden features only hide UI without backend validation

This is similar to A01 Broken Access Control in OWASP Top 10.

Protection Measures:

  1. All permission checks execute on server-side
  2. Verify requester identity and resource ownership
  3. Don't trust role information from client
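The following is an added example (not code from the original article) of the server-side check M6 calls for: identity comes only from the session token, ownership of the requested object is verified, and a client-supplied role header is ignored. The session table and order data are constructed sample values.

```go
package main

import (
	"errors"
	"net/http"
	"strings"
)

// Constructed sample data (not a real backend): session tokens map to user ids,
// and every order records its owner.
var sessions = map[string]string{"tok-alice": "alice", "tok-bob": "bob"}

type Order struct {
	ID, Owner string
	Total     int
}

var orders = map[string]Order{
	"1001": {"1001", "alice", 40},
	"1002": {"1002", "bob", 99},
}

var ErrUnauthenticated = errors.New("unauthenticated")
var ErrForbidden = errors.New("forbidden")
var ErrNotFound = errors.New("order not found")

// userFromRequest derives the caller's identity from the session token only.
// Client-supplied fields such as an X-Role header or a user_id parameter are never consulted.
func userFromRequest(r *http.Request) (string, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return "", ErrUnauthenticated
	}
	user, ok := sessions[strings.TrimPrefix(auth, "Bearer ")]
	if !ok {
		return "", ErrUnauthenticated
	}
	return user, nil
}

// AuthorizeOrder is the server-side ownership check: swapping the order id in the
// request (the classic IDOR) yields ErrForbidden rather than another user's data.
// Any role the client claims in the request plays no part in the decision.
func AuthorizeOrder(r *http.Request, orderID string) (Order, error) {
	user, err := userFromRequest(r)
	if err != nil {
		return Order{}, err
	}
	o, ok := orders[orderID]
	if !ok {
		return Order{}, ErrNotFound
	}
	if o.Owner != user {
		return Order{}, ErrForbidden // or ErrNotFound, to avoid confirming the id exists
	}
	return o, nil
}
```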

M7: Client Code Quality

Description: Code quality issues leading to security vulnerabilities.

Common Issues:

  • Buffer overflow
  • Format string vulnerabilities
  • Memory leaks
  • Unhandled exceptions
  • Race conditions

Protection Measures:

  1. Use memory-safe languages (Swift, Kotlin)
  2. Static code analysis
  3. Code review
  4. Fuzzing

M8: Code Tampering

Description: Attackers modify app code or runtime environment.

Attack Methods:

  • Modifying APK/IPA and repackaging
  • Hooking functions to change behavior
  • Modifying runtime memory
  • Running on jailbroken/rooted devices

Protection Measures:

  1. Code obfuscation
  2. Integrity checking
  3. Root/Jailbreak detection
  4. Anti-debugging mechanisms
  5. Runtime protection

// Android - Signature verification example
// Compare the signing certificate of the running APK with the one baked in at build time.
// A repackaged APK must be re-signed with a different key, so the check fails.
// GET_SIGNATURES is deprecated since API 28; on newer targets use GET_SIGNING_CERTIFICATES
// and packageInfo.signingInfo instead.
private static final String EXPECTED_SIGNATURE = "<hex of your release signing certificate>"; // placeholder

public boolean verifySignature(Context context) {
    try {
        PackageInfo packageInfo = context.getPackageManager()
            .getPackageInfo(context.getPackageName(),
                PackageManager.GET_SIGNATURES);
        for (Signature signature : packageInfo.signatures) {
            String currentSignature = signature.toCharsString();
            if (!currentSignature.equals(EXPECTED_SIGNATURE)) {
                return false;
            }
        }
        return true;
    } catch (Exception e) {
        // Treat any failure to read the package info as tampering
        return false;
    }
}

M9: Reverse Engineering

Description: Attackers analyze app code to find vulnerabilities or steal business logic.

Attack Purposes:

  • Find API endpoints and parameters
  • Extract hardcoded keys or credentials
  • Understand business logic to bypass
  • Create pirated or maliciously modified versions

Common Tools:

  • Android: jadx, apktool, Frida
  • iOS: class-dump, Hopper, IDA Pro

Protection Measures:

  1. Code obfuscation (ProGuard, R8, SwiftShield)
  2. String encryption
  3. Control flow obfuscation
  4. Native code (NDK/C++)
  5. Commercial protection solutions

M10: Extraneous Functionality

Description: Development-stage backdoors or test features exist in app and are exploited by attackers.

Common Issues:

  • Hidden admin entry points
  • Test bypass mechanisms
  • Development logging output
  • Unremoved test accounts
  • Sensitive information in comments

Protection Measures:

  1. Establish release checklist
  2. Automated scanning for hidden features
  3. Code review
  4. Separate development/production configurations

OWASP MASVS and MASTG

Besides Mobile Top 10, OWASP provides a more complete Mobile security framework.

MASVS (Mobile Application Security Verification Standard)

MASVS is the mobile app security verification standard defining security requirements apps should meet.

Three Verification Levels:

Level | Name              | Applicable Scenarios
L1    | Standard Security | General apps
L2    | Defense-in-Depth  | Apps handling sensitive data
R     | Resiliency        | Apps needing reverse engineering protection

MASVS Control Categories:

  • MASVS-STORAGE: Data Storage
  • MASVS-CRYPTO: Cryptography
  • MASVS-AUTH: Authentication & Authorization
  • MASVS-NETWORK: Network Communication
  • MASVS-PLATFORM: Platform Interaction
  • MASVS-CODE: Code Quality
  • MASVS-RESILIENCE: Anti-Reverse Engineering

MASTG (Mobile Application Security Testing Guide)

MASTG is the implementation guide for MASVS. It details how to test each control.

Contents Include:

  • iOS/Android platform security mechanism explanations
  • Testing methods for each control
  • Testing tool usage tutorials
  • Test case examples

These two documents are essential references for Mobile App security assessment.


Mobile App Security Testing Tools

MobSF (Mobile Security Framework)

Open-source automated mobile app security testing framework.

Features:

  • Static analysis (no app execution needed)
  • Dynamic analysis (runtime testing)
  • Supports Android APK, iOS IPA, source code
  • Automatic report generation

Usage:

# Docker installation
docker pull opensecurity/mobile-security-framework-mobsf
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf

# Open browser
# http://localhost:8000
# Upload APK/IPA to analyze

QARK (Quick Android Review Kit)

LinkedIn open-source Android app static analysis tool.

Features:

  • Focuses on finding security vulnerabilities
  • Can analyze APK or source code
  • Generates detailed vulnerability reports

# Install
pip install qark

# Analyze APK
qark --apk path/to/app.apk

# Analyze source code
qark --java path/to/source/

Frida

Powerful dynamic analysis framework. Can hook and modify app behavior in real-time.

Uses:

  • Bypass SSL Pinning
  • Analyze encryption logic
  • Modify function return values
  • Trace function calls

// Frida Script - Bypass Root detection
Java.perform(function() {
    var RootCheck = Java.use("com.app.security.RootCheck");
    RootCheck.isRooted.implementation = function() {
        console.log("Root check bypassed");
        return false;
    };
});

Combined with OWASP ZAP, you can perform more complete testing of app APIs.


Part 2: OWASP IoT Top 10

What is OWASP IoT Top 10?

OWASP IoT Top 10 is the list of ten major security risks for IoT devices.

IoT device security challenges:

  • Limited computational resources, difficult to implement complete security mechanisms
  • Imperfect update mechanisms
  • Insecure default configurations
  • Complex supply chains
  • Long lifecycle (may operate for over ten years)

The 2018 version is the current latest. It covers the complete IoT ecosystem from hardware to cloud.


IoT Top 10 Vulnerability Analysis

I1: Weak, Guessable, or Hardcoded Passwords

Issues:

  • Using default passwords like admin/admin, root/root
  • Passwords hardcoded in firmware
  • Not forcing users to change default passwords
  • Weak password policies

Real Case: 2016 Mirai botnet attack. Exploited IoT device default passwords, infected hundreds of thousands of devices, launched the largest DDoS attack in history.

Protection Measures:

  1. Force password change on first use
  2. Each device uses unique default password
  3. Prohibit weak passwords
  4. Support multi-factor authentication

I2: Insecure Network Services

Issues:

  • Unnecessary network services enabled
  • Services with known unpatched vulnerabilities
  • Accessible without authentication
  • Exposed management interfaces

Common Problem Services:

  • Telnet (plaintext transmission)
  • SSH without password
  • Public management web interface
  • UPnP (auto-opens ports)

Protection Measures:

  1. Disable unnecessary services
  2. Regular updates to patch vulnerabilities
  3. Network services require authentication
  4. Use firewall to limit access

I3: Insecure Ecosystem Interfaces

Issues: IoT devices typically connect to mobile apps, cloud platforms, APIs, etc. Security issues in these interfaces affect the entire system.

Common Issues:

  • Web management interface has XSS, SQL Injection
  • API lacks authentication or has weak authentication
  • Mobile app stores sensitive data insecurely

Protection Measures:

  1. Apply OWASP Top 10 and API Top 10 standards
  2. All interfaces require authentication and authorization
  3. Input validation and output encoding

I4: Lack of Secure Update Mechanism

Issues:

  • No firmware update capability
  • Updates not encrypted during transmission
  • Update files not signed
  • No downgrade attack prevention

Attack Scenario:

Attacker intercepts firmware update traffic
Injects malicious code
Device downloads and installs malicious firmware
Device becomes part of botnet

Protection Measures:

  1. Updates must use encrypted transmission (HTTPS)
  2. Firmware must be digitally signed
  3. Verify firmware integrity
  4. Prevent version downgrade
  5. Support automatic updates
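An added example (not from the original article) of the device-side checks I4 lists: a signed update package is verified before the version field is trusted, and an update whose version is not newer than the installed one is refused. The package layout and the key pair are constructed for the illustration; a real device would have the vendor public key in read-only storage.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed update-package layout (an illustration, not a real vendor format):
//   "FWUP" (4 bytes) | version uint32 BE | payload length uint32 BE | payload | 64-byte Ed25519 signature
// The signature covers the header and payload, so re-wrapping old firmware with a higher
// version number (to defeat the rollback check) invalidates it.
const headerLen = 12

var (
	ErrBadFormat    = errors.New("malformed update package")
	ErrBadSignature = errors.New("firmware signature verification failed")
	ErrDowngrade    = errors.New("update version is not newer than the installed version")
)

// BuildUpdate assembles and signs a package; this is the vendor build-pipeline side.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, headerLen+len(payload))
	copy(body[0:4], "FWUP")
	binary.BigEndian.PutUint32(body[4:8], version)
	binary.BigEndian.PutUint32(body[8:12], uint32(len(payload)))
	copy(body[headerLen:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyUpdate is the device side: it checks format, then the signature, then anti-rollback,
// and only then hands the payload to the flashing routine.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg []byte) ([]byte, uint32, error) {
	if len(pkg) < headerLen+ed25519.SignatureSize || string(pkg[0:4]) != "FWUP" {
		return nil, 0, ErrBadFormat
	}
	body, sig := pkg[:len(pkg)-ed25519.SignatureSize], pkg[len(pkg)-ed25519.SignatureSize:]
	if binary.BigEndian.Uint32(body[8:12]) != uint32(len(body)-headerLen) {
		return nil, 0, ErrBadFormat
	}
	// Verify before trusting any header field: until now the version number is attacker-controlled.
	if !ed25519.Verify(pub, body, sig) {
		return nil, 0, ErrBadSignature
	}
	version := binary.BigEndian.Uint32(body[4:8])
	if version <= installed {
		return nil, 0, ErrDowngrade
	}
	return body[headerLen:], version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // the private key stays in the vendor's signing service
	pkg := BuildUpdate(priv, 2, []byte("firmware image v2"))
	_, ver, err := VerifyUpdate(pub, 1, pkg)
	fmt.Println("valid update:", ver, err)
	pkg[headerLen+3] ^= 0xff // flip a payload byte in transit
	_, _, err = VerifyUpdate(pub, 1, pkg)
	fmt.Println("tampered update:", err)
}
```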

I5: Use of Insecure or Outdated Components

Issues:

  • Using libraries with known vulnerabilities
  • Outdated operating system versions
  • Not updating third-party components

Protection Measures:

  1. Establish BOM (Bill of Materials) list
  2. Monitor component vulnerability announcements
  3. Regular component updates
  4. Retire unmaintained components

I6: Insufficient Privacy Protection

Issues:

  • Collecting excessive user data
  • Data storage and transmission not encrypted
  • Not informing users of data usage
  • Data retained too long

Protection Measures:

  1. Data minimization principle
  2. Encrypt sensitive data
  3. Transparent privacy policy
  4. Provide data deletion option

I7: Insecure Data Transfer and Storage

Issues:

  • Sensitive data transmitted in plaintext
  • Local storage not encrypted
  • Improper key management

Protection Measures:

  1. Use TLS to encrypt all transmission
  2. Encrypt local data
  3. Secure key storage

I8: Lack of Device Management

Issues:

  • Cannot remotely manage devices
  • Cannot monitor device status
  • Cannot track assets
  • Lacks logging

Enterprise IoT deployment needs:

  1. Device inventory management
  2. Remote configuration and updates
  3. Security monitoring and alerting
  4. Device decommissioning process

I9: Insecure Default Settings

Issues:

  • Unnecessary features enabled by default
  • Default passwords too simple
  • Default permissions too broad
  • Debug mode enabled by default

Protection Measures:

  1. Secure defaults principle
  2. Disable unnecessary features
  3. Mandatory configuration flow
  4. Provide secure configuration guide

I10: Lack of Physical Hardening

Issues:

  • Exposed debug interfaces (UART, JTAG)
  • No tamper detection
  • Firmware easily readable
  • No Secure Boot

Protection Measures:

  1. Remove or disable debug interfaces
  2. Tamper detection
  3. Encrypted storage
  4. Implement Secure Boot

IoT Security Testing Methods

IoT security testing requires multi-layer assessment.

Testing Scope:

Layer    | Testing Focus
Hardware | Physical interfaces, debug ports, storage media
Firmware | Update mechanism, encryption, hardcoded passwords
Network  | Open services, encryption, authentication
Web/App  | Standard Web/Mobile security testing
API      | Authentication, authorization, input validation
Cloud    | Data security, access control

Common Tools:

Tool       | Purpose
Binwalk    | Firmware analysis and extraction
Firmwalker | Firmware security scanning
Nmap       | Network service scanning
Wireshark  | Network traffic analysis
Bus Pirate | Hardware interface analysis
OWASP ZAP  | Web/API scanning

Firmware Analysis Example:

# Use Binwalk to extract firmware
binwalk -e firmware.bin

# Search for hardcoded passwords (case-insensitive, list matching files)
grep -ril "password" _firmware.bin.extracted/
grep -ril "secret" _firmware.bin.extracted/

# Find SSH/TLS private keys
find _firmware.bin.extracted/ -name "*.pem"
find _firmware.bin.extracted/ -name "id_rsa"

FAQ

Q1: Is iOS or Android More Secure?

Both have pros and cons, no absolute answer.

iOS Security Advantages:

  • Closed ecosystem, strict app review
  • High system update coverage
  • Hardware and software integrated security mechanisms
  • Stricter sandbox isolation

Android Security Advantages:

  • Open source, security mechanisms can be reviewed
  • More granular permission control
  • Rich enterprise management features
  • Can install security apps (antivirus, VPN)

Actual Risk Comparison:

  • iOS devices less targeted by malware
  • Android has more malware (due to market share, sideloading)
  • Both have been targeted by nation-state attacks
  • App's own security matters more than platform

Conclusion: Choosing either platform, keeping system updated, only installing trusted apps, and being careful with permissions matters more than which platform you choose.

Q2: How to Check if an App is Secure?

What Regular Users Can Do:

  1. Only download apps from official stores
  2. Check if app's requested permissions are reasonable
  3. Review user ratings and reviews
  4. Confirm developer information
  5. Pay attention to app's privacy policy

What Development Teams Should Do:

  1. Use MobSF for automated scanning
  2. Follow OWASP MASVS checklist
  3. Conduct code review
  4. Commission professional penetration testing
  5. Regular reassessment

App Security Check Indicators:

  • Is communication encrypted (check if HTTPS is used)
  • Is Certificate Pinning implemented
  • Is local data encrypted
  • Is authentication mechanism secure
  • Are there anti-reverse engineering measures

Q3: Should I Worry About Smart Home Device Security?

Yes, and it's very important.

Smart Home Device Security Risks:

  1. Privacy Risk: Cameras, microphones can be hacked
  2. Springboard: Attackers can enter home network through IoT devices
  3. Botnet: Used to launch DDoS attacks
  4. Ransomware: Smart locks being hacked could lock you out

Real Cases:

  • Smart cameras hacked to livestream home footage
  • Smart speakers used for eavesdropping
  • Smart TVs infected with adware
  • Baby monitors accessed by strangers

Protection Recommendations:

  1. Research brand's security record before purchase
  2. Change default passwords
  3. Regularly update firmware
  4. Put IoT devices in separate network segment
  5. Disable unnecessary remote access features
  6. Factory reset devices when no longer used

Conclusion

Mobile and IoT device security challenges differ from traditional web applications and require specialized security thinking.

Mobile Security Key Points:

  • Data storage must be encrypted
  • Communication needs Certificate Pinning
  • Authentication and authorization verified server-side
  • Prevent reverse engineering and code tampering
  • Follow MASVS standards

IoT Security Key Points:

  • Eliminate default passwords
  • Establish secure update mechanism
  • Minimize attack surface
  • Consider entire ecosystem
  • Don't neglect physical security

Next step recommendations:

  • Check your app security level with MASVS
  • Inventory IoT devices in your environment
  • Confirm all device firmware is latest version
  • Plan IoT device network isolation

If you're developing AI-powered Mobile or IoT applications, also note the OWASP LLM Top 10 risks. For hands-on practice, Juice Shop is a great starting point.
