Mobile Application Security Assessment
OWASP Mobile Top 10:2024 aligned
Platform-native assessment of iOS and Android applications — combining static analysis, dynamic testing, and reverse engineering, delivered through NST Assure.
Mobile applications extend enterprise risk beyond the perimeter. We assess native iOS, Android, and cross-platform applications across binary protections, data storage, network communication, authentication, and platform interaction — covering both static and dynamic analysis — delivered through NST Assure, our PTaaS platform for continuous assurance.
01. Binary & Platform Security: Hardening, Obfuscation & Anti-Tampering
Assesses the resilience of compiled application binaries against reverse engineering, tampering, and runtime manipulation.
Binary protections — code obfuscation, anti-debugging, and integrity verification
Reverse engineering resilience — decompilation resistance, symbol stripping, and class-dump exposure
Runtime manipulation — method swizzling, Frida hooking, and instrumentation bypass
Jailbreak & root detection — detection logic validation and bypass-resistance testing
Platform Interaction — IPC abuse, deep-link hijacking, and intent-filter exploitation
Binary & runtime vectors:
M7 — Insufficient Binary Protections (Critical)
Runtime Hooking & Instrumentation
Jailbreak / Root Bypass
IPC & Deep-Link Hijacking
02. Authentication & Session Management: Credentials, Biometrics & Token Handling
Validates identity controls from biometric authentication to token lifecycle management across mobile-specific flows.
Credential handling — hardcoded secrets, insecure storage, and credential-reuse patterns
Biometric authentication — Touch ID/Face ID bypass, fallback weaknesses, and local-auth logic flaws
Token & session security — token storage, expiry enforcement, and session-binding validation
SSO & OAuth flows — mobile redirect-URI abuse, PKCE enforcement, and custom-scheme hijacking
Device binding — attestation validation, device-trust signals, and multi-device session controls
Mobile auth vectors:
M1 — Improper Credential Usage (Critical)
M3 — Insecure Authentication/Authorization (High)
Biometric Bypass & Fallback Abuse
OAuth Custom-Scheme Hijacking
03. Data Storage & Privacy Controls: Local Storage, Keychain/Keystore & PII
Examines how sensitive data is stored, cached, and exposed on-device — including privacy compliance across regulatory frameworks.
Insecure data storage — local databases, shared preferences, and plaintext file exposure
Keychain & Keystore — access-control validation, protection-class audit, and hardware-backed key usage
Clipboard & cache leakage — pasteboard exposure, screenshot capture, and keyboard-cache persistence
Backup & logging — sensitive data in iCloud/ADB backups and verbose log output
Privacy controls — consent enforcement, data-minimisation, and PII-handling compliance
Data-at-rest risk surface:
M9 — Insecure Data Storage (Critical)
M6 — Inadequate Privacy Controls
M10 — Insufficient Cryptography
Backup & Cache Data Exposure
04. Network & Transport Security: TLS, Certificate Pinning & API Communication
Validates all data-in-transit protections from certificate pinning to backend API communication security.
Insecure communication — cleartext traffic, mixed-content, and transport-security exceptions
Certificate pinning — pin validation, bypass resilience, and certificate-rotation handling
Man-in-the-middle — proxy detection, SSL interception, and trust-store manipulation
API traffic analysis — request tampering, response manipulation, and sensitive-data exposure in transit
Input/output validation — client-side injection, WebView script injection, and deep-link parameter abuse
Data-in-transit vectors:
M5 — Insecure Communication (Critical)
M4 — Insufficient Input/Output Validation
Certificate Pinning Bypass
MitM & Proxy Detection Evasion
05. Supply Chain & Cross-Platform Security: Flutter, React Native, SDKs & Dependencies
Evaluates third-party dependencies, cross-platform framework risks, and the mobile build pipeline from source to distribution.
Supply chain integrity — SDK provenance, dependency-confusion, and malicious package detection
Cross-platform frameworks — Flutter, React Native, and Kotlin Multiplatform-specific security gaps
Third-party SDK risk — data-collection behaviour, permissions scope, and embedded tracker analysis
Build & distribution — signing-key management, store-deployment hygiene, and sideloading exposure
Security misconfiguration — exported components, debug flags, and overly broad permission requests
Supply chain & configuration risks:
M2 — Inadequate Supply Chain Security (Critical)
M8 — Security Misconfiguration
Cross-Platform Framework Exposure
Third-Party SDK & Tracker Audit
06
NST ASSURE — PTAAS DELIVERY
NST Assure — Standards & Continuous Assurance
Findings mapped to mobile-specific frameworks and delivered through NST Assure for collaborative remediation.
OWASP Mobile Top 10:2024 — full coverage across all ten risk categories
OWASP MASVS — mobile verification across MASVS-STORAGE, AUTH, NETWORK, PLATFORM, and CRYPTO
OWASP MASTG — atomic test methodology aligned to the Mobile Security Testing Guide
NST Assure platform — real-time reports, trackers, POC artefacts, and revalidation workflows
Continuous assurance — release-cycle validation and posture tracking across app versions
Standards & delivery:
OWASP Mobile Top 10:2024 (latest edition)
OWASP MASVS control groups (verification)
OWASP MASTG atomic tests
NST Assure PTaaS platform (delivery)
Ready to secure your mobile applications?
Share your requirements — we'll scope an assessment aligned to your mobile platforms and risk profile.