A multi-tool assessment of eight Android social-media apps categorized automated findings against the OWASP Mobile Top 10 (2024). M9 insecure-data-storage signals appeared in every assessed app, but tool alerts are not equivalent to confirmed exploitable vulnerabilities.
Key findings
- M9 appeared across all apps, M6 was least frequent, and no M1 or M2 findings were reported. X had the highest alert count and TikTok the fewest; however, counts do not directly measure severity, exploitability or the security of current versions.
Why this matters globally
A multi-tool workflow can reduce single-scanner blind spots and serve as a screening layer in global software-development pipelines. Lasting value depends on manual confirmation, risk-based triage and responsible disclosure.
Thai researcher contribution
The three authors are linked to Suranaree University of Technology and frame the assessment around Thailand's high social-media use, providing a regional baseline for app-security research.
Limitations to consider
Results depend on APK versions, configurations and scanner rules. Static analysis can produce false positives and false negatives; the abstract reports no dynamic testing, exploit confirmation or observed harm, and unweighted alert counts can mislead.