Summary
The Android Attacks module provides a structured, hands-on introduction to the most common and impactful security risks affecting modern mobile applications.
This course maps real-world Android vulnerabilities to common mobile security risk categories. Each attack shows how these issues appear in production-style applications, how attackers exploit them, and how developers can detect and fix them.
Throughout this module, students will analyze vulnerable Android applications using mostly static and, in some cases, dynamic analysis techniques. Each section focuses on a specific mobile security risk and includes realistic attack scenarios aligned with common backend and client-side misconfigurations.
The module assumes familiarity with Android fundamentals and basic static and dynamic analysis.
Recommended prior knowledge:
Introduction
In this module, we will go through the OWASP Mobile Top 10 list, which covers a wide range of real-world vulnerabilities and misconfigurations. The Open Worldwide Application Security Project (OWASP) is a non-profit, open community that documents and suggests best practices for improving the security of software and systems, with a primary focus on web applications, APIs, and related technologies, but it also provides guidance applicable to mobile and IoT. It is widely known for its Top 10, which represents a broad consensus about the most critical security risks for each category. In this way, OWASP helps individuals and professionals across the industry focus on the risks that actually matter.
What is the OWASP Mobile Top 10
The OWASP Mobile Top 10 is a community-maintained list that describes the most critical security risks affecting mobile applications. Although this list refers to both Android and iOS, the underlying problems are universal across mobile platforms, and therefore, in this module, we will examine them using Android only. Unlike traditional web security, mobile applications introduce unique challenges due to their fundamentally different platform architecture.
- Poor implementation of communication between installed apps can lead to data leakage.
- Sensitive data can also be stored locally, introducing new risks, either on its own or in combination with insecure communication with a vulnerable remote web server.
- Permissions granted to an application can be abused if not used properly.
- The compiled binary (bytecode/machine code) is stored locally and can be reverse-engineered or modified by users to bypass security mechanisms, or examined to create malicious apps that target applications on other users’ devices.
In this module, we will go through the OWASP Mobile Top 10 list released in 2024. The previous version of this list was released by OWASP in 2016.
OWASP Mobile Top 10 - 2016 vs 2024
The 2016 Mobile Top 10 was mostly shaped by the early mobile app mistakes:
- Storing secrets in apps
- Weak SSL
- Simple reverse-engineering techniques
- Over-privileged permissions
In the 2024 list, the threat model has adapted:
- Mobile apps are now API-driven, using remote web servers
- Most attacks target server logic, not just the device
- Encryption exists, but is often misused
- Reverse engineering is no longer just a niche technique; it has become a common requirement for analyzing mobile apps, understanding their behavior, and identifying vulnerabilities or abuses
In the 2024 list, we can clearly see a shift in focus from mobile as a device to mobile as a connected system, where the application, backend services, network communication, and cryptography all work together to enforce security. The following subsection briefly describes each category.
OWASP Mobile Top 10 (2024) Overview
M1: Improper Credential Usage
Mobile apps mishandle credentials (like hardcoded API keys, tokens, or passwords), making it easy for attackers to reuse or steal them.
M2: Inadequate Supply Chain Security
Vulnerabilities in third-party libraries or the build/distribution process allow attackers to insert malicious code or compromise the app before it reaches users.
M3: Insecure Authentication/Authorization
Weak or missing authentication and permission checks allow attackers to bypass access controls or act as another user.
M4: Insufficient Input/Output Validation
Apps often fail to properly validate incoming or outgoing data, which can lead to injection, tampering, or data corruption.
M5: Insecure Communication
Data exchanged between the app and the backend is not adequately protected (e.g., missing TLS/HTTPS or weak encryption), making it vulnerable to interception.
M6: Inadequate Privacy Controls
The app fails to protect user privacy, as it may leak personal data or improperly handle consent.
M7: Insufficient Binary Protections
The app lacks defenses against reverse engineering, tampering, or debugging, making it easier for attackers to analyze or modify it.
M8: Security Misconfiguration
Incorrect or unsafe settings (like excessive permissions, exposed components, or debug flags) create exploitable weaknesses.
M9: Insecure Data Storage
Sensitive information is stored locally on the device in an unsafe manner, such as in plaintext files, shared preferences, databases, caches, or backups. This allows attackers to recover data directly from the device without needing to break any cryptographic protection.
M10: Insufficient Cryptography
Sensitive data is protected using weak, broken, or incorrectly implemented cryptographic mechanisms. This includes hardcoded keys, predictable key derivation, insecure encryption modes, improper key storage, or custom cryptographic implementations that can be reversed or bypassed by attackers.
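As an added example that is not part of this module's material, the following Python script shows the kind of static checks later sections rely on: it parses an unpacked app's AndroidManifest.xml for M5 and M8 indicators (cleartext traffic, debuggable, allowBackup, exported components with no permission) and greps a decompiled source fragment for M1 and M10 indicators (credential-looking string constants, hardcoded key material, AES in ECB mode). The manifest, the source fragment, the package name, the component names and the key string are all constructed for this example and do not come from any real app.

```python
"""Hypothetical static checks for OWASP Mobile Top 10 (2024) indicators.

Added example, not the module's own tooling. It runs over a constructed
AndroidManifest.xml and a constructed decompiled Java fragment, the kind of
artefacts obtained after unpacking an APK with tools such as apktool or jadx.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest with several deliberate misconfigurations.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vulnapp">
  <application android:debuggable="true"
               android:allowBackup="true"
               android:usesCleartextTraffic="true">
    <activity android:name=".LoginActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".AdminPanelActivity" android:exported="true"/>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.vulnapp.notes"
              android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.vulnapp.SYNC"/>
  </application>
</manifest>
"""

# Constructed sample of decompiled source (what jadx would show); the key
# and API key values are made up.
SAMPLE_SOURCE = """
public class ApiClient {
    private static final String API_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final byte[] KEY = "0123456789abcdef".getBytes();
    public byte[] encrypt(byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"));
        return c.doFinal(data);
    }
}
"""


def attr(el, name):
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return (category, message) findings for M5/M8-style manifest issues."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return findings
    if attr(app, "debuggable") == "true":
        findings.append(("M8", "application is debuggable"))
    if attr(app, "allowBackup") == "true":
        findings.append(("M8", "allowBackup=true exposes app data via backups"))
    if attr(app, "usesCleartextTraffic") == "true":
        findings.append(("M5", "cleartext (non-TLS) traffic is permitted"))
    for comp in app:
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        # Only explicit exports are checked here; implicit export via an
        # intent-filter on older targetSdk versions is out of scope.
        if attr(comp, "exported") != "true":
            continue
        # The launcher activity must be exported; skip it.
        if any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category")):
            continue
        # An exported component guarded by a permission is not flagged.
        if attr(comp, "permission"):
            continue
        findings.append(("M8", f"exported {comp.tag} {attr(comp, 'name')} without permission"))
    return findings


# Heuristic patterns hinting at M1 (credentials in code) and M10 (weak crypto).
SOURCE_CHECKS = [
    ("M1", re.compile(r'(?i)(api[_-]?key|secret|password|token)\s*=\s*"[^"]{8,}"'),
     "hardcoded credential-like string constant"),
    ("M10", re.compile(r'Cipher\.getInstance\("AES(/ECB[^"]*)?"\)'),
     'AES in ECB mode (explicit, or bare "AES", which defaults to ECB)'),
    ("M10", re.compile(r'(?i)(key|iv)\s*=\s*"[^"]+"\.getBytes\(\)'),
     "hardcoded key/IV material"),
]


def audit_source(java_text):
    """Return (category, message) findings for each matching source line."""
    findings = []
    for lineno, line in enumerate(java_text.splitlines(), 1):
        for cat, pattern, msg in SOURCE_CHECKS:
            if pattern.search(line):
                findings.append((cat, f"line {lineno}: {msg}"))
    return findings


if __name__ == "__main__":
    for cat, msg in audit_manifest(SAMPLE_MANIFEST) + audit_source(SAMPLE_SOURCE):
        print(f"[{cat}] {msg}")
```

The regexes are deliberately simple heuristics and will produce false positives and negatives on real code; the manifest check also ignores components that are exported implicitly through an intent-filter when no android:exported attribute is present, which the later sections handle by reading the manifest alongside the app's targetSdkVersion.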
What comes next
In the following sections, we will go through each of the categories mentioned earlier in depth using real Android application examples, and show how these vulnerabilities look in production-style apps, how attackers exploit them, and how they can be detected and fixed.