OWASP ‘Top 10 Mobile Risks’ – Part 1

OWASP (Open Web Application Security Project) has published a Top 10 list of risks for mobile technology. The list is still in a ‘beta’ stage: it was released on 23rd September 2011 as a release candidate, has been through a 60-day public review period, and a final version is expected at any time. When that final version is released, it will be the first official OWASP Top 10 for mobile applications. The current list of OWASP Top 10 Mobile Risks (release candidate) is reproduced below:

  1. Insecure Data Storage
  2. Weak Server Side Controls
  3. Insufficient Transport Layer Protection
  4. Client Side Injection
  5. Poor Authorization and Authentication
  6. Improper Session Handling
  7. Security Decisions Via Untrusted Inputs
  8. Side Channel Data Leakage
  9. Broken Cryptography
  10. Sensitive Information Disclosure

The above list of risks is platform-agnostic, so it applies equally to iOS, Android, BlackBerry and other mobile platforms. Note also that the OWASP project team working on the ‘Top 10’ has moved from a ‘vulnerability’-centric list to a ‘risk’-centric one: entries are ranked by the likelihood and business impact of a weakness being exploited, rather than by the technical class of the weakness alone. When OWASP releases the final version of this list, the IT security community will have a clear mobile security roadmap to work from. In the next part, we shall look at what each of these risks means. In the final part of this series on the OWASP Top 10, we shall look at the Top 10 mobile controls recommended by OWASP.