Link Search Menu Expand Document


Kotlin Guide - Mobile Application Secure Coding Practices, is a guide written for anyone using Kotlin for mobile development.

This guide is a collaborative effort started by Checkmarx Security Research Team, open sourced for community contributions. Its structure covers the OWASP Mobile Top 10 2016 intended to help developers avoid common mistakes.

Kotlin is a statically typed programming language for modern multiplatform applications 100% interoperable with Java™ and Android™, primarily developed by the team at JetBrains. It is now fully supported by Google as an alternative to the Android standard Java compiler.

Why This Guide

Since May 7th 2019, Kotlin is Google’s preferred language for Android app development. So, it is important for developers to familiarize with this new language.

Checkmarx Research Team helps educate developers, security teams, and the industry overall about common coding errors, and brings awareness of vulnerabilities that are often introduced during the software development process.

The Audience for this Guide

The primary audience of this guide is Android developers. This guide can still be used by penetration testers to learn how to identify well-known vulnerabilities on Kotlin applications.

What You Will Learn

The authors of this guide mapped the OWASP Mobile Top 10 security weaknesses to Kotlin on a weakness-by-weakness basis while providing examples, recommendations, and fixes to help developers avoid common mistakes and pitfalls. After reading this guide and referring to it often, you will learn how to ensure you are developing secure mobile apps using Kotlin.

About Checkmarx

Checkmarx is the global leader in software security solutions for modern enterprise software development. Checkmarx delivers the industry’s most comprehensive Software Security Platform that unifies with DevOps and provides static and interactive application security testing, software composition analysis and developer AppSec awareness and training programs to reduce and remediate risk from software vulnerabilities. Checkmarx is trusted by more than 40 percent of the Fortune 100 and half of the Fortune 50, including leading organizations such as SAP, Samsung and Learn more at

About OWASP Mobile Security Project

The OWASP Mobile Security Practices is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications.

The Mobile Top 10 2016 is the last edition of the top 10 most common mobile security weaknesses.

OWASP itself is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. All of the OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security”.

How to Contribute

To learn how to contribute, please refer to How-to Contribute section.


This document is released under the Creative Commons Attribution-ShareAlike 4.0 International license (CC BY-SA 4.0). For any reuse or distribution, you must make clear to others the license terms of this work