Static Analysis-Based Security Enhancement for Mobile Applications Using Mobile Security Framework (MOBSF)

Authors

  • Putri Nur Izzati, Politeknik Negeri Bengkalis
  • Kasmawi Kasmawi, Politeknik Negeri Bengkalis

DOI:

https://doi.org/10.30871/jaic.v9i4.9525

Keywords:

Mobile App Security, static analysis MOBSF, security analysis, Vulnerability Repair, Mobile Security Framework

Abstract

Mobile application security is crucial to protect users’ personal data and maintain trust in the application. Without proper security testing, an app becomes vulnerable to threats such as data theft and cyber attacks. This study aims to identify and fix security vulnerabilities in the XYZ mobile application, a social platform used to report domestic violence and child sexual abuse cases. The analysis was conducted using static analysis with the Mobile Security Framework (MOBSF). The XYZ app was developed using Flutter and falls under the hybrid application category. Since it handles sensitive information from victims and reporters, ensuring its security is essential. The analysis revealed four major vulnerabilities with high risk levels, mainly related to misconfiguration and weak security settings. After addressing these issues, the app’s security score improved from 37/100 (high risk) to 61/100 (low risk). These improvements were implemented in the final development phase before the app was released to users. MOBSF helped developers detect potential vulnerabilities early through static analysis, serving as a security baseline. This approach ensured the app no longer contained risks such as debug certificates, enabled debug mode, or support for outdated Android versions. The findings show that MOBSF-based security analysis is effective in detecting and reducing application security weaknesses, making the XYZ app more secure in protecting user data.

Published

2025-08-04

How to Cite

[1]
P. Nur Izzati and K. Kasmawi, “Static Analysis-Based Security Enhancement for Mobile Applications Using Mobile Security Framework (MOBSF)”, JAIC, vol. 9, no. 4, pp. 1272–1279, Aug. 2025.

Section

Articles
