StartHere.android
Hardcoding secrets such as API keys, encryption keys, or sensitive credentials in mobile apps is a critical security risk because attackers can…
Cover the OWASP Mobile Top 10 (2024) with hands-on Android and iOS challenges. Developers fix real vulnerabilities in real mobile apps — and build the habits that keep your releases off the incident report.
The OWASP Mobile Top 10 (2024) is the benchmark for mobile application security. Every challenge below is a real Android or iOS app with a real vulnerability: developers fix it without breaking functionality, and every verified fix becomes reportable evidence of mobile security capability.
Hardcoded API keys, tokens and credentials shipped inside the app binary.
Weak biometric, session or role checks that let attackers act as other users.
Untrusted data from intents, deep links and IPC processed without validation.
Weak TLS configuration and unencrypted transport of sensitive data.
PII leaking through caches, memory residue, logs and analytics.
Apps shipped without obfuscation or integrity protections, making reverse engineering trivial.
Over-broad permissions, exported components and unsafe WebView settings.
Sensitive data written to SharedPreferences, UserDefaults or misused keychains.
Weak random number generation and broken cryptographic primitives.
Assign these challenges to your team as learning pathways, track verified fixes, and report OWASP Mobile Top 10 coverage to auditors, customers and the board — with evidence, not attendance sheets.