Architecture and design principles

The following is a merge of the ENISA, OWASP and Veracode top 10 lists. I have cut those risks which cannot be addressed by developers. Note that some of the OWASP top ten are in the category of vulnerabilities, so I have cut these.

ENISA top 10

 * 1) Data leakage resulting from device loss or theft: The smartphone is stolen or lost and its memory or removable media are unprotected, allowing an attacker access to the data stored on it.
 * 2) Unintentional disclosure of data: The smartphone user unintentionally discloses data on the smartphone.
 * 3) Attacks on decommissioned smartphones: The smartphone is decommissioned improperly, allowing an attacker access to the data on the device.
 * 4) Phishing attacks: An attacker collects user credentials (such as passwords and credit card numbers) by means of fake apps or (SMS, email) messages that seem genuine.
 * 5) Spyware: Spyware covers untargeted collection of personal information, as opposed to targeted surveillance.
 * 6) Network Spoofing Attacks: An attacker deploys a rogue network access point (WiFi or GSM) and users connect to it. The attacker subsequently intercepts (or tampers with) the user communication to carry out further attacks such as phishing.
 * 7) Surveillance attacks: An attacker keeps a specific user under surveillance through the target user’s smartphone.
 * 8) Diallerware attacks: An attacker steals money from the user by means of malware that makes hidden use of premium SMS services or numbers.
 * 9) Financial malware attacks: The smartphone is infected with malware specifically designed for stealing credit card numbers, online banking credentials or subverting online banking or ecommerce transactions.
 * 10) Network congestion: Network resource overload due to smartphone usage leading to network unavailability for the end-user.

OWASP Top 10 Mobile Risks

 * 1) Insecure or unnecessary client-side data storage
 * 2) Lack of data protection in transit
 * 3) Personal data leakage
 * 4) Client-side injection
 * 5) Client-side DOS
 * 6) Malicious third-party code
 * 7) Client-side buffer overflow

Additional Considerations

 * 1) Failure to properly handle inbound SMS messages
 * 2) Failure to properly handle outbound SMS messages
 * 3) Malicious / Fake applications from appstore
 * 4) Ability of one application to view data or communicate with other applications
 * 5) Switching networks during a transaction
 * 6) Failure to Protect Sensitive Data at rest
 * 7) Failure to disable insecure platform features in application (caching of keystrokes, screen data)