OWASP Mobile Top 10 for Payment Apps
The OWASP Mobile Top 10 represents the most critical security risks for mobile applications. Here's how each applies to payment apps.
M1: Improper Platform Usage
Risk: Misuse of platform features like Keychain, Keystore, or biometrics.
Payment Impact: Credentials stored insecurely, authentication bypassed.
PCI Relevance: Requirements 3.4 and 8.3
M2: Insecure Data Storage
Risk: Sensitive data stored without encryption.
Payment Impact: Card data, tokens, or credentials exposed.
PCI Relevance: Requirements 3.4 and 3.5
M3: Insecure Communication
Risk: Lack of TLS or improper certificate validation.
Payment Impact: Transaction interception, credential theft.
PCI Relevance: Requirements 4.1 and 4.2
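The M3 failure is almost always a trust manager or hostname verifier that was relaxed to get past a staging certificate and then shipped. The following Android/Kotlin snippet is an added example, not code from the original article or from any vendor: it shows the anti-pattern a reviewer should reject next to an OkHttp client that keeps default chain validation and adds SPKI pinning. The host name and the all-zero pin values are placeholders (a real pin is the base64 SHA-256 of the server's SubjectPublicKeyInfo, and you pin at least a current and a backup key).

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.security.cert.X509Certificate
import java.util.concurrent.TimeUnit
import javax.net.ssl.SSLContext
import javax.net.ssl.X509TrustManager

// VULNERABLE (M3): accepts any certificate chain. Any on-path device that terminates
// TLS (hostile Wi-Fi, a captive portal, a proxy) can read card data and session tokens.
class TrustAllTrustManager : X509TrustManager {
    override fun checkClientTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun checkServerTrusted(chain: Array<X509Certificate>, authType: String) {}
    override fun getAcceptedIssuers(): Array<X509Certificate> = arrayOf()
}

fun insecureClient(): OkHttpClient {
    val tm = TrustAllTrustManager()
    val ctx = SSLContext.getInstance("TLS").apply { init(null, arrayOf(tm), null) }
    return OkHttpClient.Builder()
        .sslSocketFactory(ctx.socketFactory, tm)
        .hostnameVerifier { _, _ -> true }   // hostname checking disabled as well
        .build()
}

// HARDENED: platform chain validation stays on; pinning adds a second check so that a
// mis-issued or user-installed CA certificate is not enough to intercept the API.
const val PAYMENT_API_HOST = "api.payments.example.com"   // hypothetical host

// Placeholder pins (32 zero bytes, base64). Replace with the real SPKI hashes.
const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
const val PIN_BACKUP = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

fun pinnedClient(): OkHttpClient {
    val pinner = CertificatePinner.Builder()
        .add(PAYMENT_API_HOST, PIN_CURRENT)
        .add(PAYMENT_API_HOST, PIN_BACKUP)
        .build()
    return OkHttpClient.Builder()
        .certificatePinner(pinner)
        .connectTimeout(10, TimeUnit.SECONDS)
        .build()
}
```

A pin mismatch surfaces as an SSLPeerUnverifiedException from OkHttp, which is the signal the app should log and refuse to proceed on rather than retry with a relaxed client. The same pins can be declared without code in Android's network security configuration; either way, grep the code base for custom X509TrustManager and HostnameVerifier implementations, because the presence of one in a payment app is itself a finding.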
M4: Insecure Authentication
Risk: Weak authentication or session management.
Payment Impact: Account takeover, unauthorized transactions.
PCI Relevance: Requirements 8.2 and 8.3
M5: Insufficient Cryptography
Risk: Weak algorithms or improper implementation.
Payment Impact: Encrypted data compromised.
PCI Relevance: Requirements 3.5 and 3.6
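M1, M2 and M5 usually appear together in one piece of code: a card token written to preferences in plaintext, or "encrypted" with a key hard-coded in the APK and a mode like ECB. The snippet below is an added Android/Kotlin example, not code from the original article: both insecure patterns next to the hardened version, which keeps the key inside AndroidKeyStore (non-exportable, so M9 key extraction fails) and uses AES-256-GCM with a fresh IV per encryption. Preference and alias names, and the token storage format IV||ciphertext||tag, are assumptions of this example.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
import javax.crypto.spec.SecretKeySpec

// Hypothetical names chosen for this example.
private const val PREFS_NAME = "payment_prefs"
private const val KEY_ALIAS = "payment_token_key"
private const val PREF_TOKEN = "card_token"
private const val GCM_TAG_BITS = 128
private const val IV_BYTES = 12   // GCM IV length produced by the Keystore

// INSECURE (M2): plaintext token in app-private storage. Readable on a rooted device,
// via a debuggable build, or from an unencrypted backup.
fun saveTokenInsecure(ctx: Context, token: String) {
    ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
        .edit().putString(PREF_TOKEN, token).apply()
}

// INSECURE (M5): key embedded in the binary plus ECB mode. The key is recovered by
// decompiling the APK (M9) and ECB reveals repeated blocks; this is encryption in name only.
private val HARDCODED_KEY = "0123456789abcdef".toByteArray()
fun encryptWeak(plain: ByteArray): ByteArray {
    val c = Cipher.getInstance("AES/ECB/PKCS5Padding")
    c.init(Cipher.ENCRYPT_MODE, SecretKeySpec(HARDCODED_KEY, "AES"))
    return c.doFinal(plain)
}

// HARDENED (M1 + M2 + M5): AES-256 key generated inside AndroidKeyStore; the key
// material never leaves the secure hardware or the keystore daemon.
private fun keystoreKey(): SecretKey {
    val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    (ks.getEntry(KEY_ALIAS, null) as? KeyStore.SecretKeyEntry)?.let { return it.secretKey }
    val spec = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        .setRandomizedEncryptionRequired(true)   // caller cannot supply (and reuse) an IV
        .build()
    return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        .apply { init(spec) }.generateKey()
}

fun saveTokenSecure(ctx: Context, token: String) {
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, keystoreKey())   // Keystore draws the random IV
    val ct = cipher.doFinal(token.toByteArray(Charsets.UTF_8))   // ciphertext || 16-byte tag
    val blob = cipher.iv + ct
    ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
        .edit().putString(PREF_TOKEN, Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
}

fun loadTokenSecure(ctx: Context): String? {
    val b64 = ctx.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
        .getString(PREF_TOKEN, null) ?: return null
    val blob = Base64.decode(b64, Base64.NO_WRAP)
    val iv = blob.copyOfRange(0, IV_BYTES)
    val ct = blob.copyOfRange(IV_BYTES, blob.size)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, keystoreKey(), GCMParameterSpec(GCM_TAG_BITS, iv))
    // GCM authentication fails (AEADBadTagException) if the stored blob was modified.
    return String(cipher.doFinal(ct), Charsets.UTF_8)
}
```

Adding setUserAuthenticationRequired(true) to the KeyGenParameterSpec ties every decryption of the token to the device's biometric or PIN prompt, which is the correct platform use of biometrics that M1 is about: the biometric gates a key operation rather than a boolean the app checks itself. Storing only a network token rather than the PAN keeps the client out of most of PCI DSS Requirement 3 in the first place.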
M6: Insecure Authorization
Risk: Client-side authorization decisions.
Payment Impact: Privilege escalation, unauthorized access.
PCI Relevance: Requirements 7.1 and 7.2
M7: Client Code Quality
Risk: Buffer overflows, format string bugs, and other memory-safety issues.
Payment Impact: Code execution, data corruption.
PCI Relevance: Requirement 6.5
M8: Code Tampering
Risk: No integrity verification or anti-tampering.
Payment Impact: Modified app used for fraud.
PCI Relevance: Requirement 11.5
M9: Reverse Engineering
Risk: Lack of obfuscation, easy decompilation.
Payment Impact: Business logic exposed, keys extracted.
PCI Relevance: Requirement 6.5
M10: Extraneous Functionality
Risk: Debug code or test backdoors left in production builds.
Payment Impact: Hidden access points exploited.
PCI Relevance: Requirement 6.5.10
Scan for all OWASP Mobile Top 10 vulnerabilities. Start now.