Even though every risk listed above matters for security, I would like to focus on the three that are crucial yet least understood, and finally on the tenth, binary protection, extended to defensive programming.
M1 Weak Server Side Controls -
Mobile applications work as thick clients responsible for the application-layer stack of the complete solution, while the core of the business implementation resides on the servers that serve these mobile clients. Hence it is important to have robust server-side protection schemes.
Most servers expose REST integration points that are generic and can be adopted by any other channel besides mobile. Hence the authentication and token mechanism plays a central role in security. The current web standard for REST authentication is OAuth, used to validate every request flowing down to the server. The goal is strong session management, and as the severity of a transaction increases, token authorization should become correspondingly stringent.
Use the right HTTP method: even though GET is fast and light in response, no sensitive information should be passed with it.
Finally, the most important measure concerns business logic flaws: no intermediate step should provide information if a penetration tester tries to access the server controls directly, and every request should accept only valid inputs that depend on the particular step being served by the business implementation.
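The step-dependency check described above, as an added example that is not from the article: the server keeps the state of a multi-step transfer (a hypothetical start / verify_otp / confirm flow), accepts only the single allowed next step, and requires each request to carry an HMAC token issued for the previous step, so out-of-order or forged requests are rejected. The secret and OTP value are constructed for the example.

```python
import hmac
import hashlib

SECRET = b"server-only-secret"   # constructed; in practice a managed secret

# Allowed step order; each step may only follow its predecessor.
NEXT_STEP = {None: "start", "start": "verify_otp", "verify_otp": "confirm"}

def _step_token(session_id, step):
    """HMAC binding a completed step to a session so a client cannot forge progress."""
    msg = f"{session_id}:{step}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

class TransferFlow:
    """Server-side state for one transfer; nothing from the client is trusted."""
    def __init__(self, session_id):
        self.session_id = session_id
        self.completed = None   # last step completed server-side
        self.amount = None

    def handle(self, step, payload):
        # 1. Reject any step that is not the single allowed next step.
        if NEXT_STEP.get(self.completed) != step:
            return {"error": "step out of order"}
        # 2. Every step after the first must present the token of the previous
        #    step, making the request provably dependent on that step.
        if self.completed is not None:
            expected = _step_token(self.session_id, self.completed)
            given = str(payload.get("prev_token", ""))
            if not hmac.compare_digest(given, expected):
                return {"error": "missing or invalid step token"}
        # 3. Step-specific input validation.
        if step == "start":
            amount = payload.get("amount")
            if not isinstance(amount, int) or amount <= 0:
                return {"error": "invalid amount"}
            self.amount = amount
        elif step == "verify_otp":
            if payload.get("otp") != "123456":   # constructed OTP check
                return {"error": "otp rejected"}
        # "confirm" uses the amount held in server state, never a client value.
        self.completed = step
        return {"ok": True, "step_token": _step_token(self.session_id, step)}
```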
M2 Insecure Data Storage -
Mobile platforms have two ways of storing data on the device: a SQLite database or the file system. According to my analysis, both are exposed and can, in the worst case, be accessed by rooting an Android device or jailbreaking an iPhone.
The next step could be to encrypt all the information in the database with ciphers, but that starts to affect application performance as the amount of data grows.
So the ideal strategy is not to encrypt everything but only the sensitive data; as the severity increases, it is necessary not to store the data on the device at all but to safeguard it on the server components, e.g. banking information or credit card details. Most banking applications do not store data in the mobile device's storage space; it is fetched from the server every time it is requested.
M3 Insufficient Transport Layer Protection -
Mobile devices connect to the internet via Wi-Fi more than via cellular data, so eavesdropping can start right from the local intranet.
Every app should be designed to work securely in this scenario. SSL/TLS is mandatory for any mobile client communicating with its server controls.
Apart from that, SSL certificate validation and maintenance should also be planned regularly.
Additionally, server controls can add device registration and authorisation by MAC address to further strengthen security.
M10 Lack of Binary Protections and Defensive Programming -
This is the most crucial item in the context of security for any mobile application; if taken care of, it can help avoid and also cover most of the security measures above. Even though the two top mobile development platforms provide obfuscation and code protection through their default compilers, it is mandatory for the organisation to validate its binaries with thorough testing around reverse engineering. Many tools are available for verifying the vulnerabilities that arise from a lack of binary protection.
https://www.owasp.org/index.php/Mobile_Top_10_2014-M10
A few good practices for secure programming -
Reference links:
https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks
http://www.informationweek.com/mobile/mobile-applications/mobile-app-development-5-worst-security-dangers/d/d-id/1204488
https://www.nowsecure.com/resources/secure-mobile-development