owasp-mobile-top-10
OWASP Mobile Top 10
This skill encodes the OWASP Mobile Top 10 for secure mobile app design and review. References are loaded per risk (progressive disclosure). Based on OWASP Mobile Top 10 2024.
When to Read Which Reference
| Risk | Read |
|---|---|
| M1 Improper Credential Usage | references/m1-improper-credential-usage.md |
| M2 Inadequate Supply Chain Security | references/m2-supply-chain-security.md |
| M3 Insecure Authentication/Authorization | references/m3-insecure-auth.md |
| M4 Insufficient Input/Output Validation | references/m4-input-output-validation.md |
| M5 Insecure Communication | references/m5-insecure-communication.md |
| M6 Inadequate Privacy Controls | references/m6-privacy-controls.md |
| M7 Insufficient Binary Protections | references/m7-binary-protections.md |
| M8 Security Misconfiguration | references/m8-security-misconfiguration.md |
| M9 Insecure Data Storage | references/m9-insecure-data-storage.md |
| M10 Insufficient Cryptography | references/m10-insufficient-cryptography.md |
Quick Patterns
- Store credentials and API keys in secure storage (keychain/Keystore); never hardcode. Validate all inputs and encode outputs.
- Use certificate pinning and TLS for communication; enforce privacy controls and minimal data collection.
- Harden binary (obfuscation, integrity); use secure defaults and encrypt sensitive data at rest.
Quick Reference / Examples
| Task | Approach |
|---|---|
| Store credentials | Use iOS Keychain or Android Keystore; never hardcode. See M1. |
| Secure network calls | Use TLS 1.2+, implement certificate pinning. See M5. |
| Validate input | Sanitize all user/external input before use. See M4. |
| Protect local data | Encrypt with platform APIs (EncryptedSharedPreferences, Data Protection). See M9. |
Safe - Android Keystore for credentials:
val keyStore = KeyStore.getInstance("AndroidKeyStore")
keyStore.load(null)
val secretKey = keyStore.getKey("my_key_alias", null) as SecretKey
Unsafe - hardcoded API key:
val API_KEY = "sk-12345abcdef" // NEVER do this - extract from APK
Certificate pinning (OkHttp):
val certificatePinner = CertificatePinner.Builder()
.add("api.example.com", "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build()
Workflow
Load the reference for the risk you are addressing (e.g. credential handling → M1; network → M5; local storage → M9). See OWASP Mobile Top 10 for the official list.
More from yariv1025/skills
owasp-api-security-top-10
OWASP API Security Top 10 - prevention, detection, and remediation for REST/GraphQL/API security. Use when designing or reviewing APIs - object- and function-level authorization, authentication, rate limiting and resource consumption, sensitive business flows, SSRF, API inventory and versioning, or consumption of third-party APIs.
14agent-dev-guardrails
Enforce disciplined agent development workflows with plan-first development, small-slice execution, specialized self-review roles, quality gates, and project setup. Use when starting a new project, setting up development conventions, wanting structured planning, or needing the agent to follow best practices for code quality, review, and validation.
8owasp-iot-top-10
OWASP IoT Top 10 - prevention, detection, and remediation for IoT device and ecosystem security. Use when designing or reviewing IoT devices - passwords, network services, ecosystem interfaces, secure updates, components, data transfer/storage, device management, default settings, physical hardening, privacy.
7owasp-serverless-top-10
OWASP Serverless Top 10 - prevention, detection, and remediation for serverless (Lambda, Functions) security. Use when building or reviewing serverless apps - event injection, over-permissioned functions, insecure deps, secrets, config, and other serverless-specific interpretations of the Web Top 10.
7owasp-privacy-top-10
OWASP Top 10 Privacy Risks - prevention, detection, and remediation for privacy in web applications. Use when addressing app vulnerabilities, data leakage, breach response, consent, transparency, data deletion, data quality, session expiration, user access rights, excessive data collection.
6owasp-cicd-top-10
OWASP Top 10 CI/CD Security Risks - prevention, detection, and remediation for pipeline security. Use when securing or reviewing CI/CD - flow control, IAM, dependency chain, poisoned pipeline execution, PBAC, credential hygiene, system config, third-party services, artifact integrity, logging and visibility.
6