Security Maturity Assessment of Indonesian Android Mobile Banking Apps using MobSF and OWASP
DOI:
https://doi.org/10.29408/edumatic.v10i1.33285
Keywords:
defence-in-depth, mobile banking security, OWASP MASVS, security maturity, static analysis
Abstract
The rapid expansion of mobile banking in emerging economies has increased exposure to client-side security risks, while MASVS-based security maturity benchmarking of conventional banking applications remains underrepresented in the literature. This study conducts a standard-based comparative security maturity assessment of two major Indonesian Android banking applications, BRImo and myBCA. APK files obtained from the Google Play Store were analysed using Static Application Security Testing with the Mobile Security Framework (MobSF) and evaluated against OWASP MASVS Level 2 and MASVS-R. MobSF scores were interpreted as relative indicators of security maturity based on severity-weighted findings across multiple domains. The results reveal a clear divergence in maturity levels. Although both applications demonstrate strong network-layer protection, BRImo exhibits structural weaknesses in storage, cryptography, platform interaction, and resilience domains, indicating fragmented defence-in-depth implementation. In contrast, myBCA shows more consistent cross-domain control integration. This study contributes an MASVS-based security maturity benchmarking approach and provides conceptual evidence that formal regulatory compliance may coexist with inconsistent client-side technical implementation. The findings offer analytically transferable insights for developers, security auditors, and regulators in rapidly digitalising financial ecosystems.
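The abstract describes the scoring method only in outline: MobSF findings are weighted by severity and aggregated per MASVS domain, and the resulting per-domain profile is read as a maturity indicator, with uneven domains signalling fragmented defence-in-depth. The Python below is an added illustration of that aggregation; it is not the paper's own script and not MobSF's built-in app-sec score. Its assumptions: each finding carries MobSF-style fields `id`, `severity` (one of high/warning/info/good) and `masvs` (an `MSTG-<FAMILY>-<n>` tag as used in MASVS v1.x, which Level 2 and MASVS-R belong to); the penalty weights, the cap of 10 and the "fragmentation" index (best domain minus worst domain) are illustrative choices, not the study's. The two finding sets are constructed to show a fragmented and a consistent profile; they are not BRImo or myBCA results.

```python
"""Severity-weighted MASVS domain scoring over MobSF-style findings (illustrative)."""
from typing import Dict, Iterable, List

# Assumed penalty per MobSF severity label. This is NOT MobSF's own app-sec score formula.
SEVERITY_PENALTY: Dict[str, int] = {"high": 3, "warning": 2, "info": 1, "good": 0}

# MASVS v1.x control families, keyed by the middle part of an MSTG-<FAMILY>-<n> tag.
MASVS_FAMILIES = ("ARCH", "STORAGE", "CRYPTO", "AUTH", "NETWORK",
                  "PLATFORM", "CODE", "RESILIENCE")

# Assumed total penalty at which a family bottoms out at maturity 0.
PENALTY_CAP = 10


def masvs_family(tag: str) -> str:
    """'MSTG-STORAGE-2' -> 'STORAGE'; anything that is not an MSTG tag -> 'UNMAPPED'."""
    parts = tag.strip().upper().split("-")
    if len(parts) >= 3 and parts[0] == "MSTG" and parts[1] in MASVS_FAMILIES:
        return parts[1]
    return "UNMAPPED"


def family_penalties(findings: Iterable[dict]) -> Dict[str, int]:
    """Sum severity penalties per MASVS family; families with no findings total 0."""
    totals = {fam: 0 for fam in MASVS_FAMILIES}
    totals["UNMAPPED"] = 0
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_PENALTY:
            # Fail loudly: a silently skipped finding would inflate the maturity score.
            raise ValueError(f"unknown severity {f.get('severity')!r} in finding {f.get('id')!r}")
        totals[masvs_family(str(f.get("masvs", "")))] += SEVERITY_PENALTY[sev]
    return totals


def maturity_profile(findings: Iterable[dict], cap: int = PENALTY_CAP) -> dict:
    """Per-family maturity (100 = no penalty, 0 = penalty at or over cap) plus a fragmentation index.

    fragmentation = best family score - worst family score. A large spread is the
    'strong network layer, weak storage/crypto/resilience' pattern the abstract
    calls fragmented defence-in-depth; a small spread means controls are applied
    consistently across domains. The index is an assumption of this example.
    """
    pen = family_penalties(findings)
    scores = {fam: 100 - (100 * min(pen[fam], cap)) // cap for fam in MASVS_FAMILIES}
    return {
        "scores": scores,
        "fragmentation": max(scores.values()) - min(scores.values()),
        "weakest": min(scores, key=scores.get),
        "unmapped_penalty": pen["UNMAPPED"],  # findings with no MSTG tag, kept visible
    }


# Constructed finding lists (ids and tags invented for this example, not real MobSF output).
FRAGMENTED_APP: List[dict] = [
    {"id": "F-001", "severity": "high",    "masvs": "MSTG-STORAGE-2"},
    {"id": "F-002", "severity": "warning", "masvs": "MSTG-STORAGE-3"},
    {"id": "F-003", "severity": "high",    "masvs": "MSTG-CRYPTO-1"},
    {"id": "F-004", "severity": "warning", "masvs": "MSTG-PLATFORM-2"},
    {"id": "F-005", "severity": "high",    "masvs": "MSTG-RESILIENCE-1"},
    {"id": "F-006", "severity": "warning", "masvs": "MSTG-RESILIENCE-3"},
    {"id": "F-007", "severity": "good",    "masvs": "MSTG-NETWORK-1"},
    {"id": "F-008", "severity": "info",    "masvs": "MSTG-CODE-8"},
]

CONSISTENT_APP: List[dict] = [
    {"id": "F-101", "severity": "good",    "masvs": "MSTG-NETWORK-1"},
    {"id": "F-102", "severity": "info",    "masvs": "MSTG-PLATFORM-3"},
    {"id": "F-103", "severity": "info",    "masvs": "MSTG-STORAGE-3"},
    {"id": "F-104", "severity": "info",    "masvs": "MSTG-CODE-8"},
    {"id": "F-105", "severity": "warning", "masvs": ""},  # untagged finding -> UNMAPPED
]

if __name__ == "__main__":
    for name, findings in (("fragmented", FRAGMENTED_APP), ("consistent", CONSISTENT_APP)):
        profile = maturity_profile(findings)
        print(name, profile["scores"], "fragmentation:", profile["fragmentation"],
              "weakest:", profile["weakest"], "unmapped penalty:", profile["unmapped_penalty"])
```

Two points a practitioner would check when reproducing the study's approach with a script like this: the severity-to-weight table drives the ranking, so it must be stated alongside the scores (the abstract's "severity-weighted" is only meaningful relative to a published table), and findings without a MASVS tag must be reported rather than dropped, because silently discarding them makes an app look more mature than the evidence supports.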
Copyright (c) 2026 Rizal Aglal Faozi, Nuur Wachid Abdul Majid, Suprih Widodo

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
All articles in this journal are the sole responsibility of the authors. Edumatic: Jurnal Pendidikan Informatika can be accessed free of charge, in accordance with the Creative Commons license used.