Static Security Analysis of Government and Non-Government Android Mobile Applications in Malaysia: A Comparative Study Using MobSF and OWASP Mobile Top 10

Alanda, A., Satria, D., Mooduto, H. A., & Kurniawan, B. (2020). Mobile application security penetration testing based on OWASP. IOP Conference Series: Materials Science and Engineering, 846, 012036. https://doi.org/10.1088/1757-899X/846/1/012036
Android Developers. (n.d.-a). Application Fundamentals. Retrieved from https://developer.android.com/guide/components/fundamentals.
Android Developers. (n.d.-b). Introduction to Activities. Retrieved from https://developer.android.com/guide/components/activities/intro-activities.
Android Developers. (n.d.-c). Services Overview. Retrieved from https://developer.android.com/guide/components/services.
Android Developers. (n.d.-d). Broadcasts Overview. Retrieved from https://developer.android.com/guide/components/broadcasts.
Android Developers. (n.d.-e). Content Providers. Retrieved from https://developer.android.com/guide/topics/providers/content-providers.
Android Developers. (n.d.-f). Intents and Intent Filters. Retrieved from https://developer.android.com/guide/components/intents-filters.
Android Runtime (ART) and Dalvik. (n.d.). Retrieved from https://source.android.com/docs/core/runtime.
Bassolé, D., Koala, G., Traoré, Y., & Sié, O. (2020). Vulnerability Analysis in Mobile Banking and Payment Applications on Android in African Countries. InterSol.
Bayern, M. (2019). 75% of developers worry about app security, but half lack dedicated security experts on their team. Retrieved from https://www.techrepublic.com/article/75-of-developers-worry-about-app-security-but-half-lack-dedicated-security-experts-on-their-team/
Benitez-Mejia, D. G. N., Sanchez-Perez, G., & Toscano-Medina, L. K. (2016). Android applications and security breach. In 2016 3rd International Conference on Digital Information Processing, Data Mining, and Wireless Communications, DIPDMWC 2016 (pp. 164-169). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DIPDMWC.2016.7529383
Bertoglio, D. D., Girotto, G., & Neu, C. V. (2019). Pentest on an Internet mobile app: A case study using Tramonto. arXiv. https://doi.org/10.48550/arXiv.1912.09779
Buzzard, J. (2022). 2022 Identity Fraud Study: The Virtual Battleground. Retrieved from https://javelinstrategy.com/2022-Identity-fraud-scams-report.
Chanajitt, R., Viriyasitavat, W., & Choo, K.-K. R. (2016). Forensic analysis and security assessment of Android m-banking apps. Retrieved from https://gsec.hitb.org/materials/sg2016/COMMSEC%20D2%20-%20Rajchada%20Chanajitt%20-%20Forensic%20Analysis%20and%20Assessment%20of%20Android%20Banking%20Apps.pdf
Dehling, T., Gao, F., Schneider, S., Sunyaev, A. (2015). Exploring the Far Side of Mobile Health: Information Security and Privacy of Mobile Health Apps on iOS and Android. Retrieved from https://mhealth.jmir.org/2015/1/e8/PDF.
Ericsson. (2022). Ericsson mobility report. Retrieved from https://www.ericsson.com/49d3a0/assets/local/reports-papers/mobility-report/documents/2022/ericsson-mobility-report-june-2022.pdf
Filiol, E., & Irolla, P. (2015). (In)Security of mobile banking...and of other mobile apps. Retrieved from https://www.blackhat.com/docs/asia-15/materials/asia-15-Filiol-InSecurity-Of-Mobile-Banking-wp.pdf
Github. (n.d.-a). MobSF/Mobile-Security-Framework-MobSF. Retrieved from https://github.com/MobSF/MobileSecurity-Framework-MobSF
Github. (n.d.-b). Allsafe. Retrieved from https://github.com/t0thkr1s/allsafe.
Google. (n.d.). Android Releases: Android Developers. Retrieved from https://developer.android.com/about/versions/.
Hassan, M. A., Shukur, Z., & Mohd, M. (2022). A penetration testing on Malaysia popular e-wallets and m-banking apps. International Journal of Advanced Computer Science and Applications, 13, 10-15. https://doi.org/10.14569/IJACSA.2022.0130580
Hatamian, M., Wairimu, S., Momen, N., & Fritsch, L. (2021). A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps. Empirical Software Engineering 26, (36). https://doi.org/10.1007/s10664-020-09934-4
Homeland Security. (2017). Study on Mobile Device Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf. https://doi.org/10.1109/DIPDMWC.2016.7529383
Joseph, R. B., Zibran, M. F., & Eishita, F. Z. (2021). Choosing the weapon: A comparative study of security analyzers for Android applications. In Proceedings of the 2021 IEEE/ACIS 19th International Conference on Software Engineering Research, Management and Applications (SERA) (pp. 1-6). IEEE. https://doi.org/10.1109/SERA51205.2021.9509271
Knorr, K., & Aspinall, D. (2015). Security testing for Android mHealth apps. In 2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW) (pp. 18-24). https://doi.org/10.1109/ICSTW.2015.7107459
Knorr, K., Aspinall, D., & Wolters, M. (2015). On the privacy, security and safety of blood pressure and diabetes apps. In IFIP Advances in Information and Communication Technology (Vol. 459, pp. 503-516). https://doi.org/10.1007/978-3-319-18467-8_38
Kohli, N., & Mohaghegh, M. (2020). Security testing of Android-based COVID tracer applications. Retrieved from https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9411579
Krombholz, K., Hobel, H., Donko Huber, M., & Weippl, E. (2014). Advanced social engineering attacks. Journal of Information Security and Applications, 19(2), 89-100. https://doi.org/10.1016/j.jisa.2014.09.005
Kumar, M. S. (2020). Driving SSDLC by adopting Mobile Security Analysis using MobSF. Retrieved from https://blogs.halodoc.io/ios-mobsf/.
Lee, A. (2018). A decade in, how safe are your iOS and Android apps? Retrieved from https://www.nowsecure.com/blog/2018/07/11/a-decade-in-how-safe-are-your-ios-and-android-apps/
Lewis, R. (2006). Security tips for temporary file usage in applications. Retrieved from https://www.codeproject.com/Articles/15956/Security-Tips-forTemporary-File-Usage-in-Applicat
Li, L., Bissyandé, T. F., Papadakis, M., Rasthofer, S., Bartel, A., Octeau, D., Klein, J., & Traon, L. (2017). Static analysis of Android apps: A systematic literature review. Information and Software Technology, 88, 67-95. https://doi.org/10.1016/j.infsof.2017.04.001
Lindström, H., & Marstorp, G. (2018). Security Testing of an OBD-II Connected IoT Device. Retrieved from http://autosec.se/wp-content/uploads/2018/05/MarstorpLindstrom-Security-Testing-of-an-OBD-II-Connected-IoT-Device.pdf.
Lockwood, A. (2012). Content providers and content resolvers. Retrieved from https://www.androiddesignpatterns.com/2012/06/content-resolvers-and-content-providers.html.
Maharjan, A. (2020). Ranking of Android apps based on security evidence. Retrieved from https://scholarworks.iupui.edu/bitstream/handle/1805/24775/Thesis.pdf?sequence=1&isAllowed=y
MITRE Corporation. (n.d.). Google Android: Vulnerability Statistics. Retrieved from https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224.
MobSF. (n.d.). Requirements. Retrieved from https://mobsf.github.io/docs/#/requirements.
Mokhtar, N. A. (2022). Hackers threaten to sell civil servants' personal data. The News Straits Times. Retrieved from https://www.nst.com.my/news/nation/2022/09/831916/hackers-threaten-sell-civil-servants-personal-data
Mukherjee, L. (2020). OWASP Mobile Top 10 Vulnerabilities & Mitigation Strategies. Retrieved from https://sectigostore.com/blog/owasp-mobile-top-10/.
New Straits Times. (2021). NST Leader: MyIdentity theft. Retrieved from https://www.nst.com.my/opinion/leaders/2021/09/732095/nst-leader-myidentitytheft.
Ng, B. (2021). Android Security Overview. Retrieved from https://medium.com/@boshng95/android-security-overview-7386022ad55d.
Nguyen-Vu, L., Chau, N.-T., Kang, S., & Jung, S. (2017). Android rooting: An arms race between evasion and detection. Security and Communication Networks. https://doi.org/10.1155/2017/4121765
Nilsson, R. (2020). Penetration testing of Android applications (Dissertation). Retrieved from http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-280290
OWASP. (2016a). OWASP Mobile Top 10. Retrieved from https://owasp.org/www-project-mobile-top-10/.
OWASP. (2016b). M1: Improper Platform Usage. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage.
OWASP. (2016c). M4: Insecure Authentication. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m4-insecure-authentication.
OWASP. (2016d). M5: Insufficient Cryptography. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography.

OWASP. (2016e). M6: Insecure Authorization. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m6-insecure-authorization.
OWASP. (2016f). M7: Poor Code Quality. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m7-client-code-quality.
OWASP. (2016g). M9: Reverse Engineering. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m9-reverse-engineering.
OWASP. (2022). OWASP Mobile Application Security Testing Guide (MASTG) v1.5.0. Retrieved from https://github.com/OWASP/owasp-mastg/releases/latest/download/OWASP_MASTG-v1.5.0.pdf.
OWASP. (n.d.-b). SQL Injection Prevention Cheat Sheet. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.htm
Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C. (2018). Security and privacy analysis of mobile health applications: the alarming state of practice. Retrieved from https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8272037.
PewResearch.Org. (2021). Mobile Fact Sheet. Retrieved from https://www.pewresearch.org/internet/fact-sheet/mobile/.
Pi?tek, K. (2022). Hard-coded Tokens, Keys and Credentials in Mobile Apps. Retrieved from https://www.netguru.com/blog/hardcoded-keys-storage-mobile-app.
Positive Technologies. (2019). Vulnerabilities and threats in mobile applications, 2019. Retrieved from https://www.ptsecurity.com/ww-en/analytics/mobile-applicationsecurity-threats-and-vulnerabilities-2019/
Reaves, B., Bowers, J., Scaife, N., Bates, A., Bhartiya, A., Traynor, P., & Butler, K. R. (2017). Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World. Retrieved from https://www.cise.ufl.edu/~traynor/papers/reaves-usenix15a.pdf.
Reed, B. (2022). Test of 250 Popular Android Mobile Apps Reveals that 70% Leak Sensitive Personal Data. Retrieved from https://www.nowsecure.com/blog/2019/06/06/test-of-250-popular-android-mobile-apps-reveal-that70-leak-sensitive-personal-data/.
Ruth, C. (2021). Over 60% of Android apps have security vulnerabilities. Retrieved from https://atlasvpn.com/blog/over-60-of-android-apps-have-security-vulnerabilities.
Sai, A., Buckley Lero, J., & Le Gear, A. (2019). Privacy and security analysis of cryptocurrency mobile applications. In Proceedings of the 2019 Fifth Conference on Mobile and Secure Services (MobiSecServ) (pp. 1-6).
Security Tips. (n.d.). Android Developers. Retrieved from https://developer.android.com/training/articles/security-tips#WebView.
Sharma, T., & Bashir, M. (2020). An analysis of phishing emails and how the human vulnerabilities are exploited. In Proceedings of the 11th International Conference on Applied Human Factors and Ergonomics (AHFE 2020), San Diego, CA.
Skylot. (2019). Retrieved from https://github.com/skylot/jadx.
Statista. (2019). Share of global smartphone shipments by operating systems from 2014 to 2023. Retrieved from https://www.statista.com/statistics/272307/market-shareforecast-for-smartphone-operating-systems/
Statista. (2022a). Mobile operating systems' market share worldwide from January 2012 to August 2022. Retrieved from https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/.

Statista. (2022b). Number of available applications in the Google Play Store from December 2009 to March 2022. Retrieved from https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/.
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., & Markov, Y. (2017). The first collision for full SHA-1. In J. Katz & H. Shacham (Eds.), Advances in Cryptology – CRYPTO 2017 (Vol. 10401, pp. 1-22). Springer, Cham. https://doi.org/10.1007/978-3-319-63688-7_19
Team Sesame. (2017). Padding Oracle Attacks. Retrieved from https://tlseminar.github.io/padding-oracle/.
Vermeulen, R. (2019). Security evaluation of glucose monitoring applications for Android smartphones. Retrieved from https://www.os3.nl/_media/2018- 2019/courses/rp1/p41_report.pdf.
Yang, W., Zhang, Y., Li, J., Liu, H., Wang, Q., Zhang, Y., & Gu, D. (2017). Show me the money! Finding flawed implementations of third-party in-app payment in Android apps. In NDSS Symposium 2017.
Ngui, Y. (2021). Malaysia’s Covid-19 App Reports ‘Malicious Script’ Misuse.

Paramasivam, D. a/l, Ismail, N. L., & Al-Nahari, A. (2024). Static Security Analysis of Government and Non-Government Android Mobile Applications in Malaysia: A Comparative Study Using MobSF and OWASP Mobile Top 10. International Journal of Academic Research in Business and Social Sciences, 14(10), 2640–2662.

Copyright: © 2024 The Author(s)
Published by HRMARS (www.hrmars.com)
This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at: http://creativecommons.org/licences/by/4.0/legalcode