Abstract

Ensuring the security of Android applications is paramount, especially for an app such as Mobile JKN, launched by the Social Security Agency for Health (BPJS Kesehatan) under the Ministry of Health of the Republic of Indonesia, which holds sensitive participant data. Such data is a target for cybercriminals who seek personal gain through data theft by exploiting security vulnerabilities in the application. To address these risks, a thorough analysis was conducted to detect security loopholes in the Mobile JKN application. The study used the Mobile Security Framework (MobSF) and involved both static and dynamic analysis. Although the application implements SSL pinning and rooted-device detection, the static analysis revealed potential security weaknesses, including dangerous permission requests, weak cryptographic methods, and hardcoded secrets. The application was also found to be exposed to the Janus vulnerability, SQL injection, and padding oracle attacks. The dynamic analysis confirmed that SSL pinning was implemented satisfactorily and that the application showed no performance degradation, but it also showed that root detection did not work in practice and that an attached debugger was not detected while the application was running. These findings underline the critical need for immediate security enhancements in the Mobile JKN application.
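The Janus finding above rests on a precondition that can be verified offline from the APK's zip structure: the app is signed only with the v1 (JAR) scheme and carries no APK Signing Block with a v2 or v3 signature, so a DEX file can be prepended without breaking the signature on affected Android versions. The following is an added example, not code from the paper or from BPJS Kesehatan; the APK it builds is a constructed stand-in with placeholder signature data, and `build_apk` exists only to exercise the checker. Confirm any result against the real APK with `apksigner verify --verbose`.

```python
"""Detect whether an APK is protected against Janus (CVE-2017-13156).

Janus lets an attacker prepend a DEX file to an APK signed only with the
v1 (JAR) scheme; the v2/v3 schemes sign the whole file and block this.
This added example parses the zip End of Central Directory record and the
APK Signing Block directly, so it runs offline on any APK bytes.
"""
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A   # APK Signature Scheme v2 pair ID
V3_BLOCK_ID = 0xF05368C0   # APK Signature Scheme v3 pair ID


def _find_eocd(data: bytes) -> int:
    """Offset of the End of Central Directory record (signature PK\\x05\\x06).

    rfind is enough for APKs without a zip comment; a comment containing the
    signature bytes would need a stricter scan.
    """
    idx = data.rfind(b"PK\x05\x06")
    if idx < 0:
        raise ValueError("not a zip/APK: no EOCD record")
    return idx


def signing_schemes(apk: bytes) -> dict:
    """Return which signature schemes (v1, v2, v3) the APK carries."""
    eocd = _find_eocd(apk)
    cd_offset = struct.unpack_from("<I", apk, eocd + 16)[0]
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
    # v1: a signature file META-INF/*.SF (alongside MANIFEST.MF and CERT.RSA)
    v1 = any(n.startswith("META-INF/") and n.endswith(".SF") for n in names)

    ids = set()
    # The APK Signing Block sits immediately before the central directory:
    #   uint64 size | ID-value pairs | uint64 size (again) | 16-byte magic
    if cd_offset >= 24 and apk[cd_offset - 16:cd_offset] == APK_SIG_BLOCK_MAGIC:
        size = struct.unpack_from("<Q", apk, cd_offset - 24)[0]
        start = cd_offset - size - 8      # size excludes the leading size field
        pos, end = start + 8, cd_offset - 24
        while pos < end:
            # each pair: uint64 length (of ID + value), uint32 ID, value
            pair_len = struct.unpack_from("<Q", apk, pos)[0]
            ids.add(struct.unpack_from("<I", apk, pos + 8)[0])
            pos += 8 + pair_len
    return {"v1": v1, "v2": V2_BLOCK_ID in ids, "v3": V3_BLOCK_ID in ids}


def janus_exposed(apk: bytes) -> bool:
    """True when the APK is signed only with v1, the Janus precondition."""
    s = signing_schemes(apk)
    return s["v1"] and not (s["v2"] or s["v3"])


def build_apk(with_v2_block: bool) -> bytes:
    """Constructed test APK (hypothetical): v1 files plus an optional v2 block.

    The signing block carries a placeholder value, not a real signature; the
    checker only inspects structure, exactly like the production check would.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/CERT.RSA", b"\x30\x82")
    data = buf.getvalue()
    if not with_v2_block:
        return data
    eocd = _find_eocd(data)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    value = b"\x00" * 16
    pair = struct.pack("<QI", 4 + len(value), V2_BLOCK_ID) + value
    size = len(pair) + 8 + 16
    block = (struct.pack("<Q", size) + pair + struct.pack("<Q", size)
             + APK_SIG_BLOCK_MAGIC)
    # Insert the block before the central directory and bump the CD offset;
    # local file headers keep their offsets, so zip readers stay happy.
    patched_eocd = (data[eocd:eocd + 16]
                    + struct.pack("<I", cd_offset + len(block))
                    + data[eocd + 20:])
    return data[:cd_offset] + block + data[cd_offset:eocd] + patched_eocd


if __name__ == "__main__":
    for v2 in (False, True):
        apk = build_apk(v2)
        print(signing_schemes(apk), "Janus exposed:", janus_exposed(apk))
```

A v1-only result means the fix is to re-sign the release build with v2 (and preferably v3) enabled, which modern `apksigner` does by default; a v1-only signature is the only configuration the checker reports as exposed.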
