By analyzing the data from over 60 mobile application security assessments, we identify the typical types of mobile vulnerabilities, the system components that contain those vulnerabilities, the components where given types of vulnerabilities cluster, and how to test for each of these. Attendees will learn in the session how to identify these vulnerabilities, how to create and implement an effective mobile security plan, and where to focus their limited testing resources to minimize mobile application portfolio risks. This is critical because automated web application testing tools are able to easily find vulnerabilities while today's mobile security industry does not offer automated testing tools that can effectively test web services (i.e. the interaction between mobile clients and back-end services.) As a result, best practices for mobile application testing must incorporate significant, often laborious, manual testing. At this point in the presentation, we will use the statistics from the research to define the appropriate manual testing that needs to be implemented.