The OWASP AI/LLM Top 10: Understanding Security and Privacy Risks in AI-Powered Mobile Applications

Posted by Jorge Damian, Application Security Analyst

Jorge Damian is an Application Security Analyst at NowSecure. He conducts penetration testing of mobile apps on Android and iOS and he enjoys breaking things in them and explaining how he did it to customers. Jorge holds a Master's Degree in Cybersecurity from the University of Maryland.

The rapid integration of artificial intelligence (AI) and generative AI (GenAI) into mobile applications has transformed how users interact with their devices. From personal assistants to image recognition, AI and large language model (LLM) capabilities now sit in the palms of our hands. However, this convenience comes with serious security, privacy and safety implications that organizations, developers and security professionals must address when implementing AI in mobile applications. 

The OWASP Top 10 for Large Language Model Applications for 2025 offers a vital framework for understanding these emerging AI risks. In this blog, we examine each of the OWASP Top 10 LLM security risks through the lens of mobile application security, using real-world examples to show how these vulnerabilities surface when integrating large language models into mobile apps.

By understanding and implementing the OWASP LLM Top 10 principles, mobile development teams can build AI-enabled applications that offer a valuable user experience without compromising user privacy and security.

LLM01: Prompt Injection

Prompt injection occurs when user inputs manipulate an LLM’s behavior in unintended ways, violating guidelines, generating harmful content or enabling unauthorized access. Attacks can be direct (via user input) or indirect, where external content like documents or web pages contain hidden instructions.

The EmailGPT (CVE-2024-5184) case illustrates this risk. Attackers embedded malicious prompts in incoming emails, tricking the web app into leaking sensitive data and altering content. In AI-powered email clients, such vulnerabilities could allow attackers to exfiltrate messages, contacts or calendar data with a single crafted email.

To defend against this, mobile AI apps must enforce strict input/output filtering, apply semantic analysis to detect manipulation and clearly separate trusted system prompts from user-provided content.

LLM02: Sensitive Information Disclosure

LLMs embedded in mobile applications pose unique risks for exposing sensitive data such as messages, photos, location data, health records and financial details. When personal data interacts with an AI model, the potential for leakage increases dramatically.

The ChatGPT “poem forever” vulnerability revealed how repeated prompting could extract training data, including other users’ information. For mobile apps in healthcare or finance, this could mean exposing confidential records through model queries.

Mobile developers integrating GenAI must sanitize all data before it reaches the model: strip personally identifiable information (PII), enforce strict input validation and isolate personalization data from model training. Apps with multiple user roles must ensure robust data separation to prevent IDOR-like vulnerabilities.

LLM03: Supply-Chain Vulnerabilities

The AI supply chain in mobile apps is vast and includes pre-trained models, third-party services and hardware acceleration libraries.

A study of 116 mobile deep learning apps in the Google Play Store showed attackers could replace embedded AI models with tampered versions. Compromised apps included those handling facial authentication and financial services. Similarly, LeftoverLocals (CVE-2023-4969) exploited leaked GPU local memory to recover sensitive data. 

To mitigate supply-chain risk, mobile developers must rigorously vet all AI components, maintain Software Bills of Materials (SBOMs), verify model signatures and encrypt models deployed on device. Regular security audits and attestation APIs help verify integrity and detect poisoned components.
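An added illustration of the "verify before you load" step for an embedded model (example code written for this post, not NowSecure's or any vendor's): the expected SHA-256 is assumed to ship inside the signed app package, so the check here is digest pinning standing in for a full signature scheme, and the model bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile


class ModelIntegrityError(Exception):
    """Raised when an on-device model file does not match its pinned digest."""


def load_verified_model(path: str, expected_sha256: str) -> bytes:
    """Read the model once and return its bytes only if the SHA-256 matches.

    Hashing the exact bytes handed to the inference runtime avoids a
    check-then-load race in which the file is swapped between the two steps.
    """
    with open(path, "rb") as f:
        data = f.read()
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    if not hmac.compare_digest(actual, expected_sha256):
        raise ModelIntegrityError(f"{os.path.basename(path)}: digest mismatch")
    return data


def demo() -> dict:
    """Constructed scenario: a genuine model blob, its pinned digest and a tampered copy."""
    genuine = b"TFL3" + bytes(range(64))          # stand-in for a .tflite file (constructed)
    pinned = hashlib.sha256(genuine).hexdigest()  # would ship inside the signed app bundle
    tampered = genuine[:-1] + b"\x00"             # one altered byte, as a swapped model would
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "face_auth.tflite")
        bad = os.path.join(d, "face_auth_tampered.tflite")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(tampered)
        results["genuine_loaded"] = load_verified_model(good, pinned) == genuine
        try:
            load_verified_model(bad, pinned)
            results["tamper_detected"] = False
        except ModelIntegrityError:
            results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```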

LLM04: Data and Model Poisoning

Data poisoning manipulates training data to introduce backdoors, biases or misinformation. The PoisonGPT case showed how a corrupted model could spread fake news while appearing normal. 

Mobile apps that integrate compromised models — for chat, personalization or recommendations — risk spreading false or harmful content. For example, a financial app could be tricked into missing fraud patterns or a healthcare app could deliver unsafe medical advice. Even learning or news apps could be weaponized to distribute disinformation.

Developers should track data provenance, perform anomaly detection and monitor for manipulation attempts. For on-device learning apps, rate limiting and behavioral analysis can identify coordinated poisoning campaigns.

LLM05: Improper Output Handling

LLM outputs require the same validation as untrusted inputs. The EmailGPT example again shows how malicious prompts led the model to generate unsafe outputs that the apps executed directly.

In mobile apps, this could occur if AI generates SQL queries or JavaScript executed in a webview, potentially leading to injection attacks. 

Mobile apps should treat all LLM-generated content as untrusted, applying controls like HTML encoding, SQL parameterization and path validation.
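The three controls named above, applied to constructed model outputs before they reach a WebView, a SQLite query and the file system (added example for this post, not code from NowSecure; the `notes` table, the attachments directory and the hostile strings are all made up):

```python
import html
import sqlite3
from pathlib import Path


def render_for_webview(llm_text: str) -> str:
    """HTML-encode model output before it is placed in WebView markup."""
    return "<p>" + html.escape(llm_text, quote=True) + "</p>"


def search_notes(conn: sqlite3.Connection, llm_term: str) -> list:
    """Bind model output as a parameter; never concatenate it into SQL text."""
    rows = conn.execute(
        "SELECT title FROM notes WHERE title LIKE ?", ("%" + llm_term + "%",)
    ).fetchall()
    return [r[0] for r in rows]


def resolve_attachment(base_dir: Path, llm_filename: str) -> Path:
    """Confine a model-chosen file name to the attachments directory."""
    base = base_dir.resolve()
    candidate = (base / llm_filename).resolve()   # absolute or '..' names resolve elsewhere
    if base not in candidate.parents:
        raise ValueError(f"path escapes attachments dir: {llm_filename!r}")
    return candidate


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (title TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?)",
                     [("Grocery list",), ("Tax return 2024",)])
    # Constructed outputs a manipulated model might emit for each of the three sinks.
    hostile_html = "<script>alert(1)</script>"
    hostile_sql = "' OR 1=1 --"
    hostile_path = "../../shared_prefs/session.xml"
    out = {
        "html": render_for_webview(hostile_html),
        "sql_rows": search_notes(conn, hostile_sql),    # treated as a literal: no rows
        "benign_rows": search_notes(conn, "Tax"),
    }
    try:
        resolve_attachment(Path("/data/app/attachments"), hostile_path)
        out["path_blocked"] = False
    except ValueError:
        out["path_blocked"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Parameter binding stops the term from changing the query, but `%` and `_` in it still act as LIKE wildcards; escape them if exact matching matters.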

LLM06: Excessive Agency

Mobile apps giving AI agents the power to act on users’ behalf risk excessive agency when the AI performs unintended or harmful actions.

The Slack AI data exposure incident highlighted these dangers. Similarly, a mobile assistant with permissions to send emails, access calendars and read messages could be tricked into exfiltrating private data.

Follow the principle of least privilege: restrict AI capabilities, limit permissions and require user-level authorization for sensitive data access. And, of course, mobile apps should implement authorization checks in downstream functions rather than relying on the AI to determine what is allowed.
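One way to put the authorization check in the downstream function rather than in the model, as an added example (not NowSecure's code; the tool names, scopes and JSON tool-call shape are assumptions for illustration):

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: str
    scopes: frozenset  # granted by the app's own auth layer, never by the model


class PermissionDenied(Exception):
    pass


class ConfirmationRequired(Exception):
    pass


def read_calendar(user: User, args: dict) -> str:
    return f"events for {user.user_id} on {args.get('date', 'today')}"


def send_email(user: User, args: dict) -> str:
    return f"sent to {args['to']} as {user.user_id}"


# Each tool declares the scope it needs and whether the user must approve the call in-app.
TOOLS = {
    "read_calendar": {"fn": read_calendar, "scope": "calendar:read", "confirm": False},
    "send_email": {"fn": send_email, "scope": "email:send", "confirm": True},
}


def dispatch(user: User, model_tool_call: str, user_confirmed: bool = False) -> str:
    """Run a tool the model requested; authorization is decided here, not by the prompt.

    `user_confirmed` comes from the app's UI (an approval tap), so it is
    deliberately not a field the model can set in its JSON tool call.
    """
    call = json.loads(model_tool_call)
    spec = TOOLS.get(call.get("name"))
    if spec is None:
        raise PermissionDenied(f"unknown tool {call.get('name')!r}")
    if spec["scope"] not in user.scopes:
        raise PermissionDenied(f"{user.user_id} lacks {spec['scope']}")
    if spec["confirm"] and not user_confirmed:
        raise ConfirmationRequired(call["name"])
    return spec["fn"](user, call.get("arguments", {}))
```

A tool call the model emits after reading an injected message still hits the same scope and confirmation gates as any other, so a missing scope or a missing approval tap stops it regardless of how it was phrased.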

LLM07: System Prompt Leakage

System prompts guide AI behavior, but embedding secrets or credentials in them creates major exposure risks. Like hardcoded keys in mobile apps, sensitive information in system prompts can be extracted through targeted queries. 

Knowing which APIs the assistant can call, what parameters they accept, and what permissions are required allows attackers to focus their efforts on the most valuable targets, significantly reducing the reconnaissance phase of an attack.

Mobile apps should manage secrets using secure environment variables or secret management tools, not inside prompts. Keep prompts limited to behavioral instructions and rely on additional external guardrails to enforce security policies and protect business-sensitive information. 

LLM08: Vector and Embedding Weaknesses

Retrieval-Augmented Generation (RAG) enables LLMs to use external knowledge bases, but also introduces embedding and vector database vulnerabilities that may leak sensitive data or allow cross-user access.

On iOS and Android platforms, performance and network constraints add complexity. Developers should ensure secure data transfer and storage, apply access controls and protect user-specific embeddings from inversion attacks.

LLM09: Misinformation

LLMs can generate convincing but inaccurate information, posing legal, ethical and safety risks for mobile users.

In the Air Canada chatbot case, the company was held liable for incorrect information about bereavement fares provided by its AI. In healthcare apps, research shows chatbots often misrepresent treatment certainty or provide wrong advice.

Organizations should:

  • Validate AI outputs and cross-reference data.
  • Flag information that cannot be verified. 
  • Use RAG to ground responses in verified sources. 
  • Label AI-generated content clearly and warn about the potential for errors. 
  • Require users to acknowledge limitations and consult humans in high-stakes scenarios.

LLM10: Unbounded Consumption

LLMs consume significant compute resources, opening the door to resource exhaustion and cost-based attacks. The Sourcegraph incident demonstrated how attackers manipulated APIs to trigger denial-of-service conditions. 

In mobile environments, excessive AI inference requests can inflate costs, tax hardware and degrade performance. Developers should enforce rate limits, timeouts and anomaly detection while monitoring API usage patterns.
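A per-user budget that bounds both request rate and estimated token spend before a prompt is forwarded to the model endpoint, as an added example (not NowSecure's code; limits, the 4-characters-per-token estimate and the traffic are constructed, and a real client would also set a timeout on the model call itself):

```python
import time
from collections import defaultdict, deque


class InferenceBudget:
    """Per-user sliding-window cap on request count and estimated token cost."""

    def __init__(self, max_requests: int, max_tokens: int, window_s: float,
                 max_prompt_chars: int = 4000, clock=time.monotonic):
        self.max_requests, self.max_tokens = max_requests, max_tokens
        self.window_s, self.max_prompt_chars = window_s, max_prompt_chars
        self.clock = clock                   # injectable so the demo needs no real waiting
        self._log = defaultdict(deque)       # user_id -> deque of (timestamp, est_tokens)

    def _prune(self, user_id: str, now: float) -> None:
        q = self._log[user_id]
        while q and now - q[0][0] > self.window_s:
            q.popleft()

    def admit(self, user_id: str, prompt: str) -> tuple:
        """Return (allowed, reason); rejected requests never reach the model endpoint."""
        if len(prompt) > self.max_prompt_chars:
            return False, "prompt too long"       # hard cap, independent of rate
        est_tokens = max(1, len(prompt) // 4)     # rough estimate: about 4 chars per token
        now = self.clock()
        self._prune(user_id, now)
        q = self._log[user_id]
        if len(q) >= self.max_requests:
            return False, "request rate exceeded"
        if sum(t for _, t in q) + est_tokens > self.max_tokens:
            return False, "token budget exceeded"
        q.append((now, est_tokens))
        return True, "ok"


def demo() -> list:
    """Constructed traffic from two users against a small budget, driven by a fake clock."""
    clock = [0.0]
    budget = InferenceBudget(max_requests=3, max_tokens=100, window_s=60,
                             clock=lambda: clock[0])
    outcomes = []
    for _ in range(4):                            # burst of four: the fourth trips the rate cap
        outcomes.append(budget.admit("u1", "summarize my day")[1])
        clock[0] += 1
    clock[0] += 60                                # window elapses, counters drain
    outcomes.append(budget.admit("u1", "x" * 360)[1])   # ~90 tokens: fits
    outcomes.append(budget.admit("u1", "x" * 80)[1])    # ~20 more: token budget exceeded
    outcomes.append(budget.admit("u2", "x" * 5000)[1])  # oversized prompt rejected outright
    return outcomes
```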

Recommendations and Conclusion

While the OWASP LLM Top 10 threats extend beyond mobile, every AI-driven app must defend against them. Mobile development teams should adopt defense-in-depth practices throughout the lifecycle, from initial design through deployment and ongoing maintenance.

Organizations should implement continuous, automated mobile application security testing to identify vulnerabilities introduced by AI components. The NowSecure mobile Pen Testing as a Service (PTaaS) approach provides ongoing validation of LLM integrations, SDKs and APIs in high-impact apps. Leaders should evaluate risk by gaining insight into the security and privacy posture of all third-party AI-powered apps used by their organizations.

Key strategies include:

  • Apply privacy by design and data minimization — keep sensitive data on-device. 
  • Maintain transparency about AI functionality and data use.
  • Continuously update models and dependencies to fix new vulnerabilities.


As Generative AI and mobile applications continue to evolve, so will the threat landscape. By understanding and implementing the OWASP LLM Top 10 principles, mobile development teams can build AI-enabled applications that offer a valuable user experience without compromising user privacy and security. Collaboration among developers, researchers and security professionals is essential to ensure the safe future of AI-powered mobile apps.