DESIGN OF A SECURITY VETTING FRAMEWORK FOR MOBILE SPBE APPLICATIONS BASED ON THE ANDROID OPERATING SYSTEM

  • Yopie Maulana Syahrizal Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Indonesia
  • Muhammad Salman Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Indonesia
Keywords: Framework, mobile, NIST SP 800-163r1, security, SPBE application

Abstract

The growing number of mobile device users in Indonesia has encouraged the government to deliver SPBE (Sistem Pemerintahan Berbasis Elektronik, electronic-based government) services through mobile applications. A mobile SPBE application is an SPBE service delivered as an application that runs on a mobile device. Such applications benefit their users, but they also carry security risks that must be anticipated. BSSN (Badan Siber dan Sandi Negara) Regulation Number 4 of 2021 therefore mandates that every government agency implement SPBE security and identify the security requirements that a mobile SPBE application has not yet met. A security vetting framework is thus needed to identify and validate unmet security requirements, but no such framework currently exists. This research proposes a framework design for vetting the security of mobile SPBE applications based on the Android operating system. The design adopts NIST SP 800-163r1 and integrates it with application security testing using automated tools and manual testing. Manual testing follows the OWASP MASTG standard and includes API security testing based on the OWASP API Security Top 10. The results of the application security testing are then used to validate the mobile SPBE application's security requirements. In a simulation of the framework design on a sample mobile SPBE application ("ABC") owned by a local government in Indonesia, violations of several mobile SPBE application security requirements were found. The simulation also showed that the framework design can validate all mobile SPBE application security requirements, and it is expected to serve as a reference for government agencies conducting security vetting of mobile SPBE applications.
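As an added illustration (not code from the paper), the final step of the framework described above, using automated-scanner and manual MASTG/API test results to validate a catalogue of security requirements, can be modelled as follows. The requirement IDs, test IDs and findings are constructed for this example and are not the paper's own catalogue or its ABC application results. The example shows the cases a vetting report has to distinguish: a requirement with failing evidence, one where a scanner and a manual tester disagree on the same test, one no test covered at all, and one that is fully validated.

```python
"""Requirement validation step of a mobile-app vetting workflow.

Illustration only: requirement IDs, test IDs and findings are constructed
and are not the paper's catalogue. Findings come from two sources, an
automated scanner and a manual MASTG/API tester; each requirement holds
only when every mapped test has evidence and none of it is a failure.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    test_id: str      # hypothetical MASTG test id or scanner rule id
    source: str       # "automated" (scanner) or "manual" (tester)
    passed: bool
    evidence: str = ""


# Hypothetical requirement catalogue: requirement -> tests that validate it.
REQUIREMENTS: Dict[str, List[str]] = {
    "REQ-01 sensitive data at rest is encrypted":     ["MASTG-STORAGE-1", "SCAN-SHAREDPREFS"],
    "REQ-02 TLS with certificate validation":         ["MASTG-NETWORK-1", "SCAN-TRUSTMANAGER"],
    "REQ-03 no hardcoded secrets in the APK":         ["SCAN-SECRETS"],
    "REQ-04 API enforces object-level authorization": ["API1-BOLA"],
    "REQ-05 android:debuggable is disabled":          ["SCAN-DEBUGGABLE"],
}

# Constructed findings, as they might be collected after a vetting run.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("MASTG-STORAGE-1", "manual", False, "session token in plaintext SharedPreferences"),
    Finding("SCAN-SHAREDPREFS", "automated", False, "MODE_WORLD_READABLE preference file"),
    Finding("MASTG-NETWORK-1", "manual", False, "custom TrustManager accepts any certificate"),
    Finding("SCAN-TRUSTMANAGER", "automated", True),
    Finding("SCAN-SECRETS", "automated", True),
    # Same test, two sources, opposite verdicts: the manual tester found the
    # debug build shipped, the scanner ran against a different manifest.
    Finding("SCAN-DEBUGGABLE", "automated", True),
    Finding("SCAN-DEBUGGABLE", "manual", False, "android:debuggable=\"true\" in release APK"),
    # No finding at all for API1-BOLA, so REQ-04 cannot be claimed either way.
]


def validate(findings: List[Finding], requirements: Dict[str, List[str]] = REQUIREMENTS) -> Dict[str, dict]:
    """Map findings onto requirements and classify each requirement.

    A failing finding for any mapped test marks the requirement "violated";
    a mapped test with no finding at all marks it "not covered"; only a
    requirement whose every test has evidence and no failure is "validated".
    Tests where sources disagree are listed under "conflicts" for review.
    """
    by_test: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_test[f.test_id].append(f)

    report: Dict[str, dict] = {}
    for req, tests in requirements.items():
        failed, missing, conflicts = [], [], []
        for t in tests:
            results = by_test.get(t, [])
            if not results:
                missing.append(t)
                continue
            verdicts = {f.passed for f in results}
            if verdicts == {True, False}:
                conflicts.append(t)
            if False in verdicts:
                failed.append(t)
        if failed:
            status = "violated"
        elif missing or not tests:
            status = "not covered"
        else:
            status = "validated"
        report[req] = {
            "status": status,
            "failed_tests": failed,
            "missing_tests": missing,
            "conflicts": conflicts,
        }
    return report


def summarize(report: Dict[str, dict]) -> Dict[str, int]:
    """Count requirements per status for the vetting summary."""
    counts = {"validated": 0, "violated": 0, "not covered": 0}
    for entry in report.values():
        counts[entry["status"]] += 1
    return counts


if __name__ == "__main__":
    result = validate(SAMPLE_FINDINGS)
    for req, entry in result.items():
        print(f"{req}: {entry['status']}", entry["failed_tests"], entry["conflicts"])
    print(summarize(result))
```

The point of keeping "not covered" separate from "validated" is that a vetting report must not let an untested requirement pass silently; a requirement with no evidence is a gap in the test plan, not a result. Treating a source conflict as a violation that still needs human review reflects the usual outcome when a static scanner and a manual tester disagree: the manual finding carries the evidence.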


References

Statista, "Number of smartphone users in Indonesia from 2019 to 2021 with forecasts until 2028." [Online]. Available: https://www.statista.com/statistics/266729/smartphone-users-in-indonesia/ (accessed Jan. 5, 2023).

Statista, "Smartphone market in Indonesia - Statistics and facts." [Online]. Available: https://www.statista.com/topics/5020/smartphones-in-indonesia/#topicOverview (accessed Jan. 5, 2023).

Kementerian Sekretariat Negara Republik Indonesia, "Peraturan Presiden Republik Indonesia Nomor 95 Tahun 2018 Tentang Sistem Pemerintahan Berbasis Elektronik" [Presidential Regulation of the Republic of Indonesia Number 95 of 2018 on Electronic-Based Government Systems], Jakarta, 2018.

NowSecure, "High-Tech Mobile Apps Expose Data." [Online]. Available: https://www.nowsecure.com/blog/2023/03/29/high-tech-mobile-apps-expose-data/ (accessed Mar. 29, 2023).

Badan Siber dan Sandi Negara, "Peraturan Badan Siber dan Sandi Negara Nomor 4 Tahun 2021 Tentang Pedoman Manajemen Keamanan Informasi Sistem Pemerintahan Berbasis Elektronik Dan Standar Teknis Dan Prosedur Keamanan Sistem Pemerintahan Berbasis Elektronik" [BSSN Regulation Number 4 of 2021 on Guidelines for Information Security Management of Electronic-Based Government Systems and Technical Standards and Security Procedures for Electronic-Based Government Systems], Jakarta, 2021.

A. Ankur and S. Patel, "Finding Vulnerabilities in E-Governance Apps of Android Platform," in 2nd International Conference on Technological Advancements in Computational Sciences (ICTACS), 2022, pp. 185-191.

R. A. Pratama, "Perancangan Kerangka Kerja Penilaian Keamanan dan Privasi pada Aplikasi Telemedicine Mobile Berbasis Sistem Operasi Android" [Design of a Security and Privacy Assessment Framework for Android-Based Mobile Telemedicine Applications], M.Sc. thesis, Electrical Engineering, Universitas Indonesia, Jakarta, 2021.

C.-W. Tien, T.-Y. Huang, T.-C. Huang, W.-H. Chung, and S.-Y. Kuo, "MAS: Mobile-Apps Assessment and Analysis System," in 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W), 2017, pp. 145-148.

E. B. Blancaflor, G. A. J. Anson, A. M. V. Encinas, K. C. T. Huplo, M. A. V. Marin, and S. L. G. Zamora, "A Vulnerability Assessment on the Parental Control Mobile Applications' Security: Status based on the OWASP Security Requirements," presented at the 11th Annual International Conference on Industrial Engineering and Operations Management, Singapore, 2021.

Statista, "Market share of mobile operating systems in Indonesia from January 2013 to October 2022, by operating system." [Online]. Available: https://www.statista.com/statistics/262205/market-share-held-by-mobile-operating-systems-in-indonesia/ (accessed Jan. 10, 2023).

Statista, "Number of mobile app downloads worldwide from 2016 to 2022." [Online]. Available: https://www.statista.com/statistics/271644/worldwide-free-and-paid-mobile-app-store-downloads/ (accessed Jan. 10, 2023).

OWASP, "OWASP Mobile Top 10 2016." [Online]. Available: https://owasp.org/www-project-mobile-top-10/ (accessed Mar. 10, 2023).

Forum of Incident Response and Security Teams (FIRST), "Common Vulnerability Scoring System Version 3.1 Calculator." [Online]. Available: https://www.first.org/cvss/calculator/3.1/.

S. Schleier, C. Holguera, B. Mueller, and J. Willemsen, "OWASP Mobile Application Security Testing Guide v1.5.0," 2022. [Online]. Available: https://github.com/OWASP/owasp-mastg/releases/tag/v1.5.0.

OWASP, "OWASP API Security Top 10 2019," 2019. [Online]. Available: https://owasp.org/www-project-api-security/.

M. Ogata, J. Franklin, J. Voas, V. Sritapan, and S. Quirolgico, "Vetting the Security of Mobile Applications," NIST Special Publication 800-163 Revision 1, 2019.

A. Abraham et al., "Mobile Security Framework (MobSF)." [Online]. Available: https://github.com/MobSF/Mobile-Security-Framework-MobSF (accessed Apr. 1, 2023).

S. Kalaria and M. Chawda, "APKHunt | OWASP MASVS Static Analyzer." [Online]. Available: https://github.com/Cyber-Buddy/APKHunt (accessed Mar. 31, 2023).

Y.-C. Lin, "AndroBugs Framework." [Online]. Available: https://github.com/AndroBugs/AndroBugs_Framework (accessed Apr. 3, 2023).

Vegabird, "Yaazhini - Android application APK scanner." [Online]. Available: https://www.vegabird.com/yaazhini/ (accessed Apr. 2, 2023).

R. Gandhi, "InsecureShop." [Online]. Available: https://github.com/hax0rgb/InsecureShop (accessed Apr. 3, 2023).

S. Schleier, "MASTG Hacking Playground." [Online]. Available: https://github.com/OWASP/MASTG-Hacking-Playground (accessed Apr. 3, 2023).

S. Patnayak, "AndroGoat." [Online]. Available: https://github.com/satishpatnayak/AndroGoat (accessed Apr. 3, 2023).

K. Balajti-Tóth, "AllSafe." [Online]. Available: https://github.com/t0thkr1s/allsafe (accessed Apr. 3, 2023).

M. S. Rahman, B. Kojusner, R. Kennedy, P. Pathak, L. Qi, and B. Williams, "SOURCERER: Developer-Driven Security Testing Framework for Android Apps," in Automated Software Engineering Conference Workshop on Advances in Mobile App Analysis (A-Mobile'21), 2021.

M. Antonishyn and O. Misnik, "Analysis of testing approaches to Android mobile application vulnerabilities," CEUR Workshop Proceedings, vol. 2577, pp. 270-280, 2019.

Published
2023-06-05
How to Cite
Y. M. Syahrizal and M. Salman, “DESIGN OF A SECURITY VETTING FRAMEWORK FOR MOBILE SPBE APPLICATIONS BASED ON THE ANDROID OPERATING SYSTEM”, J. Tek. Inform. (JUTIF), vol. 4, no. 6, pp. 1327-1338, Jun. 2023.