OWASP Mobile Top 10 (2016)

Original URL: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

M1 Improper Platform Usage: This category covers misuse of a platform feature or failure to use platform security controls. It can include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways a mobile app can be exposed to this risk.

M2 Insecure Data Storage: This new category combines M2 and M4 from the 2014 Mobile Top Ten. It covers insecure data storage and unintended data leakage.
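The most common M2 finding on Android is a session token or credential written to a location outside the app sandbox, or echoed into logcat. The following is an added example (not code from the OWASP page) that contrasts the leaky pattern with app-private storage encrypted under an Android Keystore key. It assumes the androidx.security:security-crypto library is on the classpath; the file and preference names are constructed for illustration.

```java
// Added example: persisting a session token on Android the wrong way and the safer way.
// Assumes androidx.security:security-crypto (EncryptedSharedPreferences, MasterKey).
import android.content.Context;
import android.content.SharedPreferences;
import android.os.Environment;
import android.util.Log;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.GeneralSecurityException;

public final class TokenStorage {

    // INSECURE (M2): the token lands on shared external storage, readable by any app
    // holding the storage permission and swept up by backups and file exports. The
    // Log.d call additionally copies it into logcat, where crash/diagnostic tools see it.
    static void storeInsecurely(String token) throws IOException {
        File out = new File(Environment.getExternalStorageDirectory(), "session.txt"); // constructed name
        try (FileWriter w = new FileWriter(out)) {
            w.write(token);
        }
        Log.d("Auth", "token=" + token);
    }

    // SAFER: app-private preferences (the sandbox enforces MODE_PRIVATE semantics) whose
    // keys and values are encrypted under a master key kept in the Android Keystore.
    // Nothing about the token is logged.
    static void storeSecurely(Context ctx, String token)
            throws GeneralSecurityException, IOException {
        SharedPreferences prefs = openEncryptedPrefs(ctx);
        prefs.edit().putString("session_token", token).apply();
    }

    static String loadSecurely(Context ctx) throws GeneralSecurityException, IOException {
        return openEncryptedPrefs(ctx).getString("session_token", null);
    }

    private static SharedPreferences openEncryptedPrefs(Context ctx)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(ctx)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                ctx,
                "auth_prefs", // constructed file name
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }
}
```

When reviewing an app for M2, check the same three sinks the example touches: external storage paths, logcat output, and anything that gets included in backups (the manifest's allowBackup setting decides whether even app-private files leave the device).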

M3 Insecure Communication: This covers poor handshaking, incorrect SSL versions, weak negotiation, and cleartext communication of sensitive assets.
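A large share of M3 findings come from apps that replace the platform's certificate validation with a no-op in order to make a test server work, and ship that way. The following added example (not from the OWASP page) shows that anti-pattern next to a client that keeps the default chain and hostname validation and additionally pins the server's public key. The pin value and URL are placeholders; the SubjectPublicKeyInfo hashing matches the pin format used by HPKP and Android's Network Security Config.

```java
// Added example: the "trust everything" anti-pattern versus default validation plus SPKI pinning.
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class PinnedClient {

    // Placeholder: base64(SHA-256(SubjectPublicKeyInfo DER)) of the real server key.
    static final String EXPECTED_PIN = "REPLACE_WITH_BASE64_SPKI_SHA256";

    // INSECURE (M3): every certificate is accepted, so an on-path attacker with any
    // self-signed certificate terminates the "secure" channel without the app noticing.
    static SSLContext trustEverything() throws Exception {
        TrustManager[] noop = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, noop, null);
        return ctx;
    }

    // Pin over the public key rather than the whole certificate so routine
    // certificate renewals with the same key do not break the app.
    static String spkiPin(Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded(); // X.509 SubjectPublicKeyInfo, DER
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.getEncoder().encodeToString(digest);
    }

    // SAFER: default SSLContext (platform trust store, hostname verification intact),
    // then an explicit pin check after the handshake and before the request is issued.
    static String fetchPinned(String urlString) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.connect(); // performs the TLS handshake with full chain validation
        boolean pinned = false;
        for (Certificate c : conn.getServerCertificates()) {
            if (EXPECTED_PIN.equals(spkiPin(c))) { pinned = true; break; }
        }
        if (!pinned) {
            conn.disconnect();
            throw new SSLPeerUnverifiedException("server key does not match pin");
        }
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }
}
```

On Android the same pin can be declared without code in a Network Security Config pin-set, and cleartextTrafficPermitted="false" there closes the "sensitive data over HTTP" half of M3 for the whole app; the programmatic form above is what to look for when auditing code that builds its own SSLContext.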

M4 Insecure Authentication:

This category captures the notion of authenticating the end user, or bad session management. This can include:

  • Failing to identify the user at all when that should be required
  • Failing to maintain the user's identity when it is required
  • Weaknesses in session management

M5 Insufficient Cryptography: The code applies cryptography to a sensitive information asset, but the cryptography is insufficient in some way. Note that anything related to TLS or SSL belongs under M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted but not done correctly.
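The two M5 mistakes that show up most often in mobile code are a static key compiled into the binary (which M9 reverse engineering recovers in minutes and which overlaps with M10) and AES in ECB mode, which preserves plaintext structure. The following added example (not from the OWASP page) runs both side by side with AES-GCM using a fresh nonce per message; the sample plaintext and the "record-1" associated data are constructed, and on Android the key would be generated and held in AndroidKeyStore rather than in app memory.

```java
// Added example: hardcoded-key AES/ECB versus random-key AES-256-GCM.
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class CryptoDemo {

    // INSECURE (M5, also M10): a constant key lives in the APK/IPA and is recovered by
    // anyone who decompiles it; ECB leaks which plaintext blocks are equal.
    static final byte[] HARDCODED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static byte[] encryptEcb(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(HARDCODED_KEY, "AES"));
        return c.doFinal(plaintext);
    }

    // SAFER: 256-bit key generated at random (on Android: AndroidKeyStore), GCM with a
    // unique 96-bit nonce per message, and a 128-bit tag that detects tampering.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Output layout: nonce (12 bytes) || ciphertext || tag (GCM appends the tag itself).
    static byte[] encryptGcm(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptGcm(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOfRange(blob, 0, 12)));
        c.updateAAD(aad);
        // Throws javax.crypto.AEADBadTagException if nonce, ciphertext, tag or AAD were altered.
        return c.doFinal(Arrays.copyOfRange(blob, 12, blob.length));
    }

    public static void main(String[] args) throws Exception {
        // Constructed plaintext: two identical 16-byte blocks.
        byte[] plaintext = new byte[32];
        Arrays.fill(plaintext, (byte) 'A');
        byte[] aad = "record-1".getBytes(StandardCharsets.UTF_8);

        byte[] ecb = encryptEcb(plaintext);
        boolean ecbLeaks = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical plaintext blocks -> identical ciphertext blocks: " + ecbLeaks);

        SecretKey key = newKey();
        byte[] first = encryptGcm(key, plaintext, aad);
        byte[] second = encryptGcm(key, plaintext, aad);
        System.out.println("GCM: same plaintext encrypted twice differs: " + !Arrays.equals(first, second));
        System.out.println("GCM round trip ok: " + Arrays.equals(decryptGcm(key, first, aad), plaintext));
    }
}
```

The ECB check in main is the quickest way to demonstrate to a developer why "we do encrypt it" is not the end of the conversation: equal input blocks produce equal output blocks, so patterns in the data survive encryption.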

M6 Insecure Authorization:

This category captures failures of authorization (e.g., authorization decisions made on the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrollment, user identification, etc.).

If the app does not authenticate users at all when it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure, not an authorization failure.
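The M4/M6 distinction is easiest to see in the server-side handler a mobile app talks to. The following added example (not from the OWASP page) puts three handlers for the same "fetch an order" call next to each other: one that serves anonymous callers (an M4 failure), one that lets the client assert its own role (an M6 failure, exploitable by forced browsing or request replay), and one that derives identity from a server-held session and decides authorization against server-held data. The session, role and order tables are constructed sample data.

```java
// Added example: authentication failure (M4) versus authorization failure (M6) versus correct handling.
import java.util.HashMap;
import java.util.Map;

public final class OrderService {

    // Constructed server-side state standing in for a session store and a database.
    static final Map<String, String> SESSION_TO_USER = new HashMap<>(); // sessionId -> userId
    static final Map<String, String> USER_ROLE = new HashMap<>();       // userId -> role
    static final Map<String, String> ORDER_OWNER = new HashMap<>();     // orderId -> owning userId

    static {
        SESSION_TO_USER.put("sess-alice", "alice");
        SESSION_TO_USER.put("sess-bob", "bob");
        USER_ROLE.put("alice", "customer");
        USER_ROLE.put("bob", "customer");
        ORDER_OWNER.put("order-42", "alice");
    }

    // M4 FAILURE: the endpoint never establishes who is calling.
    static String getOrderAnonymous(String orderId) {
        return "200 order " + orderId;
    }

    // M6 FAILURE: the caller is authenticated, but the authorization decision rests on a
    // role value the client supplied. The mobile UI may hide the admin screen, but the
    // server accepts whatever role the request body claims.
    static String getOrderClientDecides(String sessionId, String orderId, String claimedRole) {
        if (SESSION_TO_USER.get(sessionId) == null) return "401 unauthenticated";
        if ("admin".equals(claimedRole)) return "200 order " + orderId + " (all fields)";
        return "403 forbidden";
    }

    // CORRECT: identity comes only from the server-side session (M4), and the decision
    // uses only server-held role and ownership data (M6).
    static String getOrderSecure(String sessionId, String orderId) {
        String userId = SESSION_TO_USER.get(sessionId);
        if (userId == null) return "401 unauthenticated";
        String role = USER_ROLE.getOrDefault(userId, "none");
        String owner = ORDER_OWNER.get(orderId);
        boolean allowed = "admin".equals(role) || userId.equals(owner);
        return allowed ? "200 order " + orderId : "403 forbidden";
    }

    public static void main(String[] args) {
        System.out.println(getOrderAnonymous("order-42"));                        // 200: nobody was identified
        System.out.println(getOrderClientDecides("sess-bob", "order-42", "admin")); // 200: bob got alice's order
        System.out.println(getOrderSecure("sess-bob", "order-42"));               // 403 forbidden
        System.out.println(getOrderSecure("sess-alice", "order-42"));             // 200 order order-42
        System.out.println(getOrderSecure("sess-none", "order-42"));              // 401 unauthenticated
    }
}
```

When classifying a finding, ask which check was missing: if the server could not tell who the caller was, it is M4; if it knew who the caller was and still let the client's own input decide what they may do, it is M6.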

M7 Client Code Quality: This was "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. It is the catch-all for code-level implementation problems in the mobile client, as distinct from server-side coding mistakes. It captures things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some of the code running on the mobile device.

M8 Code Tampering:

This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources reside there. An attacker can directly modify the code, change the contents of memory dynamically, change or replace the system APIs the application uses, or modify the application's data and resources. This gives the attacker a direct way to subvert the intended use of the software for personal or monetary gain.

M9 Reverse Engineering: This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as to reveal information about back-end servers, cryptographic constants and ciphers, and intellectual property.

M10 Extraneous Functionality: Developers often include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling two-factor authentication during testing.


Origin www.cnblogs.com/CXMS/p/11512305.html