Journal Screenshot

International Journal of Academic Research in Business and Social Sciences

Open Access Journal

ISSN: 2222-6990

Static Security Analysis of Government and Non-Government Android Mobile Applications in Malaysia: A Comparative Study Using MobSF and OWASP Mobile Top 10

Noor Lees Ismail, Dhanesh Paramasivam, Abdulaziz Al-Nahari

http://dx.doi.org/10.6007/IJARBSS/v14-i10/22955

Open access

In the current era, mobile phones have become a priority in everybody's life as they are commonly used for communication, business purposes, and other important reasons. Mobile applications are software created to run on a mobile device, and they have become part of our day-to-day lives that many things can be accomplished such as shopping, social networking, banking, and gaming, among others. Since mobile applications deal with sensitive and confidential information that could be misused by malicious agents, security in mobile applications is a crucial issue that must be tackled. In this context, we have performed a static security analysis using a well-known and recognized tool called MobSF Security Framework on Malaysian government and non-government Android mobile applications. This study’s novelty is the static analysis to compare the security statuses of both categories of mobile applications based on OWASP Mobile Top 10 and the tools’ scoring system. The most common vulnerabilities for both government and non-government mobile applications were identified based on OWASP Mobile Top 10 and security recommendations for each domain were discussed. On the other hand, scoring results from MobSF Security Score identified the safest and the least safe mobile applications among the tested applications.

Alanda, A., Satria, D., Mooduto, H. A., & Kurniawan, B. (2020). Mobile application security penetration testing based on OWASP. IOP Conference Series: Materials Science and Engineering, 846, 012036. https://doi.org/10.1088/1757-899X/846/1/012036
Android Developers. (n.d.-a). Application Fundamentals. Retrieved from https://developer.android.com/guide/components/fundamentals.
Android Developers. (n.d.-b). Introduction to Activities. Retrieved from https://developer.android.com/guide/components/activities/intro-activities.
Android Developers. (n.d.-c). Services Overview. Retrieved from https://developer.android.com/guide/components/services.
Android Developers. (n.d.-d). Broadcasts Overview. Retrieved from https://developer.android.com/guide/components/broadcasts.
Android Developers. (n.d.-e). Content Providers. Retrieved from https://developer.android.com/guide/topics/providers/content-providers.
Android Developers. (n.d.-f). Intents and Intent Filters. Retrieved from https://developer.android.com/guide/components/intents-filters.
Android Runtime (ART) and Dalvik. (n.d.). Retrieved from https://source.android.com/docs/core/runtime.
Bassolé, D., Koala, G., Traoré, Y., & Sié, O. (2020). Vulnerability Analysis in Mobile Banking and Payment Applications on Android in African Countries. InterSol.
Bayern, M. (2019). 75% of developers worry about app security, but half lack dedicated security experts on their team. Retrieved from https://www.techrepublic.com/article/75-of-developers-worry-about-app-security-but-half-lack-dedicated-security-experts-on-their-team/
Benitez-Mejia, D. G. N., Sanchez-Perez, G., & Toscano-Medina, L. K. (2016). Android applications and security breach. In 2016 3rd International Conference on Digital Information Processing, Data Mining, and Wireless Communications, DIPDMWC 2016 (pp. 164-169). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DIPDMWC.2016.7529383
Bertoglio, D. D., Girotto, G., & Neu, C. V. (2019). Pentest on an Internet mobile app: A case study using Tramonto. arXiv. https://doi.org/10.48550/arXiv.1912.09779
Buzzard, J. (2022). 2022 Identity Fraud Study: The Virtual Battleground. Retrieved from https://javelinstrategy.com/2022-Identity-fraud-scams-report.
Chanajitt, R., Viriyasitavat, W., & Choo, K.-K. R. (2016). Forensic analysis and security assessment of Android m-banking apps. Retrieved from https://gsec.hitb.org/materials/sg2016/COMMSEC%20D2%20-%20Rajchada%20Chanajitt%20-%20Forensic%20Analysis%20and%20Assessment%20of%20Android%20Banking%20Apps.pdf
Dehling, T., Gao, F., Schneider, S., Sunyaev, A. (2015). Exploring the Far Side of Mobile Health: Information Security and Privacy of Mobile Health Apps on iOS and Android. Retrieved from https://mhealth.jmir.org/2015/1/e8/PDF.
Ericsson. (2022). Ericsson mobility report. Retrieved from https://www.ericsson.com/49d3a0/assets/local/reports-papers/mobility-report/documents/2022/ericsson-mobility-report-june-2022.pdf
Filiol, E., & Irolla, P. (2015). (In)Security of mobile banking...and of other mobile apps. Retrieved from https://www.blackhat.com/docs/asia-15/materials/asia-15-Filiol-InSecurity-Of-Mobile-Banking-wp.pdf
Github. (n.d.-a). MobSF/Mobile-Security-Framework-MobSF. Retrieved from https://github.com/MobSF/MobileSecurity-Framework-MobSF
Github. (n.d.-b). Allsafe. Retrieved from https://github.com/t0thkr1s/allsafe.
Google. (n.d.). Android Releases: Android Developers. Retrieved from https://developer.android.com/about/versions/.
Hassan, M. A., Shukur, Z., & Mohd, M. (2022). A penetration testing on Malaysia popular e-wallets and m-banking apps. International Journal of Advanced Computer Science and Applications, 13, 10-15. https://doi.org/10.14569/IJACSA.2022.0130580
Hatamian, M., Wairimu, S., Momen, N., & Fritsch, L. (2021). A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps. Empirical Software Engineering 26, (36). https://doi.org/10.1007/s10664-020-09934-4
Homeland Security. (2017). Study on Mobile Device Security. Retrieved from https://www.dhs.gov/sites/default/files/publications/DHS%20Study%20on%20Mobile%20Device%20Security%20-%20April%202017-FINAL.pdf. https://doi.org/10.1109/DIPDMWC.2016.7529383
Joseph, R. B., Zibran, M. F., & Eishita, F. Z. (2021). Choosing the weapon: A comparative study of security analyzers for Android applications. In Proceedings of the 2021 IEEE/ACIS 19th International Conference on Software Engineering Research, Management and Applications (SERA) (pp. 1-6). IEEE. https://doi.org/10.1109/SERA51205.2021.9509271
Knorr, K., & Aspinall, D. (2015). Security testing for Android mHealth apps. In 2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW) (pp. 18-24). https://doi.org/10.1109/ICSTW.2015.7107459
Knorr, K., Aspinall, D., & Wolters, M. (2015). On the privacy, security and safety of blood pressure and diabetes apps. In IFIP Advances in Information and Communication Technology (Vol. 459, pp. 503-516). https://doi.org/10.1007/978-3-319-18467-8_38
Kohli, N., & Mohaghegh, M. (2020). Security testing of Android-based COVID tracer applications. Retrieved from https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=9411579
Krombholz, K., Hobel, H., Donko Huber, M., & Weippl, E. (2014). Advanced social engineering attacks. Journal of Information Security and Applications, 19(2), 89-100. https://doi.org/10.1016/j.jisa.2014.09.005
Kumar, M. S. (2020). Driving SSDLC by adopting Mobile Security Analysis using MobSF. Retrieved from https://blogs.halodoc.io/ios-mobsf/.
Lee, A. (2018). A decade in, how safe are your iOS and Android apps? Retrieved from https://www.nowsecure.com/blog/2018/07/11/a-decade-in-how-safe-are-your-ios-and-android-apps/
Lewis, R. (2006). Security tips for temporary file usage in applications. Retrieved from https://www.codeproject.com/Articles/15956/Security-Tips-forTemporary-File-Usage-in-Applicat
Li, L., Bissyandé, T. F., Papadakis, M., Rasthofer, S., Bartel, A., Octeau, D., Klein, J., & Traon, L. (2017). Static analysis of Android apps: A systematic literature review. Information and Software Technology, 88, 67-95. https://doi.org/10.1016/j.infsof.2017.04.001
Lindström, H., & Marstorp, G. (2018). Security Testing of an OBD-II Connected IoT Device. Retrieved from http://autosec.se/wp-content/uploads/2018/05/MarstorpLindstrom-Security-Testing-of-an-OBD-II-Connected-IoT-Device.pdf.
Lockwood, A. (2012). Content providers and content resolvers. Retrieved from https://www.androiddesignpatterns.com/2012/06/content-resolvers-and-content-providers.html.
Maharjan, A. (2020). Ranking of Android apps based on security evidence. Retrieved from https://scholarworks.iupui.edu/bitstream/handle/1805/24775/Thesis.pdf?sequence=1&isAllowed=y
MITRE Corporation. (n.d.). Google Android: Vulnerability Statistics. Retrieved from https://www.cvedetails.com/product/19997/Google-Android.html?vendor_id=1224.
MobSF. (n.d.). Requirements. Retrieved from https://mobsf.github.io/docs/#/requirements.
Mokhtar, N. A. (2022). Hackers threaten to sell civil servants' personal data. The News Straits Times. Retrieved from https://www.nst.com.my/news/nation/2022/09/831916/hackers-threaten-sell-civil-servants-personal-data
Mukherjee, L. (2020). OWASP Mobile Top 10 Vulnerabilities & Mitigation Strategies. Retrieved from https://sectigostore.com/blog/owasp-mobile-top-10/.
New Straits Times. (2021). NST Leader: MyIdentity theft. Retrieved from https://www.nst.com.my/opinion/leaders/2021/09/732095/nst-leader-myidentitytheft.
Ng, B. (2021). Android Security Overview. Retrieved from https://medium.com/@boshng95/android-security-overview-7386022ad55d.
Nguyen-Vu, L., Chau, N.-T., Kang, S., & Jung, S. (2017). Android rooting: An arms race between evasion and detection. Security and Communication Networks. https://doi.org/10.1155/2017/4121765
Nilsson, R. (2020). Penetration testing of Android applications (Dissertation). Retrieved from http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-280290
OWASP. (2016a). OWASP Mobile Top 10. Retrieved from https://owasp.org/www-project-mobile-top-10/.
OWASP. (2016b). M1: Improper Platform Usage. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m1-improper-platform-usage.
OWASP. (2016c). M4: Insecure Authentication. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m4-insecure-authentication.
OWASP. (2016d). M5: Insufficient Cryptography. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m5-insufficient-cryptography.

OWASP. (2016e). M6: Insecure Authorization. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m6-insecure-authorization.
OWASP. (2016f). M7: Poor Code Quality. Retrieved from https://owasp.org/www-project-mobile-top-10/2016-risks/m7-client-code-quality.
OWASP. (2016g). M9: Reverse Engineering. Retrieved from https://owasp.org/wwwproject-mobile-top-10/2016-risks/m9-reverse-engineering.
OWASP. (2022). OWASP Mobile Application Security Testing Guide (MASTG) v1.5.0. Retrieved from https://github.com/OWASP/owasp-mastg/releases/latest/download/OWASP_MASTG-v1.5.0.pdf.
OWASP. (n.d.-b). SQL Injection Prevention Cheat Sheet. Retrieved from https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.htm
Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C. (2018). Security and privacy analysis of mobile health applications: the alarming state of practice. Retrieved from https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8272037.
PewResearch.Org. (2021). Mobile Fact Sheet. Retrieved from https://www.pewresearch.org/internet/fact-sheet/mobile/.
Pi?tek, K. (2022). Hard-coded Tokens, Keys and Credentials in Mobile Apps. Retrieved from https://www.netguru.com/blog/hardcoded-keys-storage-mobile-app.
Positive Technologies. (2019). Vulnerabilities and threats in mobile applications, 2019. Retrieved from https://www.ptsecurity.com/ww-en/analytics/mobile-applicationsecurity-threats-and-vulnerabilities-2019/
Reaves, B., Bowers, J., Scaife, N., Bates, A., Bhartiya, A., Traynor, P., & Butler, K. R. (2017). Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World. Retrieved from https://www.cise.ufl.edu/~traynor/papers/reaves-usenix15a.pdf.
Reed, B. (2022). Test of 250 Popular Android Mobile Apps Reveals that 70% Leak Sensitive Personal Data. Retrieved from https://www.nowsecure.com/blog/2019/06/06/test-of-250-popular-android-mobile-apps-reveal-that70-leak-sensitive-personal-data/.
Ruth, C. (2021). Over 60% of Android apps have security vulnerabilities. Retrieved from https://atlasvpn.com/blog/over-60-of-android-apps-have-security-vulnerabilities.
Sai, A., Buckley Lero, J., & Le Gear, A. (2019). Privacy and security analysis of cryptocurrency mobile applications. In Proceedings of the 2019 Fifth Conference on Mobile and Secure Services (MobiSecServ) (pp. 1-6).
Security Tips. (n.d.). Android Developers. Retrieved from https://developer.android.com/training/articles/security-tips#WebView.
Sharma, T., & Bashir, M. (2020). An analysis of phishing emails and how the human vulnerabilities are exploited. In Proceedings of the 11th International Conference on Applied Human Factors and Ergonomics (AHFE 2020), San Diego, CA.
Skylot. (2019). Retrieved from https://github.com/skylot/jadx.
Statista. (2019). Share of global smartphone shipments by operating systems from 2014 to 2023. Retrieved from https://www.statista.com/statistics/272307/market-shareforecast-for-smartphone-operating-systems/
Statista. (2022a). Mobile operating systems' market share worldwide from January 2012 to August 2022. Retrieved from https://www.statista.com/statistics/272698/global-market-share-held-by-mobile-operating-systems-since-2009/.

Statista. (2022b). Number of available applications in the Google Play Store from December 2009 to March 2022. Retrieved from https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/.
Stevens, M., Bursztein, E., Karpman, P., Albertini, A., & Markov, Y. (2017). The first collision for full SHA-1. In J. Katz & H. Shacham (Eds.), Advances in Cryptology – CRYPTO 2017 (Vol. 10401, pp. 1-22). Springer, Cham. https://doi.org/10.1007/978-3-319-63688-7_19
Team Sesame. (2017). Padding Oracle Attacks. Retrieved from https://tlseminar.github.io/padding-oracle/.
Vermeulen, R. (2019). Security evaluation of glucose monitoring applications for Android smartphones. Retrieved from https://www.os3.nl/_media/2018- 2019/courses/rp1/p41_report.pdf.
Yang, W., Zhang, Y., Li, J., Liu, H., Wang, Q., Zhang, Y., & Gu, D. (2017). Show me the money! Finding flawed implementations of third-party in-app payment in Android apps. In NDSS Symposium 2017.
Ngui, Y. (2021). Malaysia’s Covid-19 App Reports ‘Malicious Script’ Misuse.

Paramasivam, D. a/l, Ismail, N. L., & Al-Nahari, A. (2024). Static Security Analysis of Government and Non-Government Android Mobile Applications in Malaysia: A Comparative Study Using MobSF and OWASP Mobile Top 10. International Journal of Academic Research in Business and Social Sciences, 14(10), 2640–2662.