Difference between revisions of "OWASP Mobile Security Project"

Jump to: navigation, search
Line 12: Line 12:
==== Top Ten Mobile Controls ====
==== Top Ten Mobile Controls ====
{{:Projects/OWASP Mobile Security Project - Top Ten Mobile Controls| Top Ten Mobile Controls}}
{{:Projects/OWASP Mobile Security Project - Top Ten Mobile Controls And Design Principles| Top Ten Mobile Controls}}
==== Mobile Platforms ====
==== Mobile Platforms ====

Revision as of 04:48, 17 May 2011


What does this OWASP project offer you?
What releases are available for this project?
what is this project?
Name: OWASP Mobile Security Project (home page)
Purpose: Our primary focus is at the application layer. While we take into consideration the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas that the average developer can make a difference. Additionally, we focus not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. We focus heavily on the integration between the mobile application, remote authentication services, and cloud platform-specific features.
License: N/A
who is working on this project?
Project Leader(s):
Project Contributor(s):
how can you learn more?
Project Pamphlet: Not Yet Created
Project Presentation: View
Mailing list: Mailing List Archives
Project Roadmap: View
Key Contacts
  • Contact the GPC to report a problem or concern about this project or to update information.
current release
Not Yet Published
last reviewed release
Not Yet Reviewed

other releases

For Security Testers

Projects/OWASP Mobile Security Project - Security Testers

Secure Development Guidelines

Secure Mobile Development Guidelines Objective

The OWASP Secure Development Guidelines will provide developers with the knowledge they need to build secure mobile applications. An extendable framework will be provided that includes the core security flaws found across nearly all mobile platforms. It will be a living reference where contributors can plug in newly exposed APIs for various platforms and provide good/bad code examples along with remediation guidance for those issues.

Top Ten Mobile Risks

The Mobile Top Ten 2016

Following a 90-day review and publication of the release candidate, we determined that the release candidate was ready for final publication. The 2016 list has now been published and can be found here: OWASP Mobile Top Ten 2016

Feel free to visit the mailing list as well!

2015 Mobile Top Ten Analysis Results

Are you interested in what the data collection for the 2015 list looks like? Check out the final synthesis... Media:2015 Data Synthesis Results.pptx

We are fleshing out the new Mobile Top Ten at Projects/OWASP_Mobile_Security_Project_-2015_Scratchpad. Have a look.

Here is the original raw data: [Dropbox Data]

Project Leads, Credit, and Contributions

How Did the List Get Made?

  1. We wanted to know what the community wanted in the next Mobile Top Ten list and what they thought about the last. We published a survey and shared the results with everyone.
  2. We issued a Call for Data and aggressively pursued many different vendors and consultants for raw data.
  3. We had a huge response by vendors and consultants. We collected lots of data about the last years vulnerabilities from a number of different vendors and consultant. That raw data can be found here.
  4. Over the coming months, we then analyzed the data. Lots of different contributors did their own analysis and compared results. Here is a sample of the color commentary on the data.
  5. Ultimately, we agreed on the findings and published key findings from the data that we all agreed upon.
  6. Next, we started coming up with a consensus of what we wanted in the next revision of the Mobile Top Ten.
  7. Results were collected and a release candidate got released.
  8. We examined the results from the release candidate and concluded that we achieved what we set out to do for 2016
  9. We published the list officially and moved it from release to final stage


  • The list below is the OLD release candidate v1.0 of the OWASP Top 10 Mobile Risks.  This list was initially released on September 23, 2011 at Appsec USA.  

Top Ten Mobile Controls

Projects/OWASP Mobile Security Project - Top Ten Mobile Controls And Design Principles

Mobile Platforms

Mobile Platforms

Coming soon...




Windows Phone 7

To contribute to this section, contact mike.zusman@owasp.org

Mobile Threat Model

Template:Mobile Threat Model