Benchmarking Mobile Apps Security in Universities: An OWASP Mobile Top 10 Framework Perspective
| Issue | Vol. 11 No. 1 (2025) |
| Published | 11 July 2025 |
| Section | Articles |
| Pages | 36-49 |
Abstract
Leading Indonesian universities such as Telkom University (Tel-U), Institut Teknologi Bandung (ITB), Universitas Indonesia (UI), and Universitas Gadjah Mada (UGM) have developed mobile-based academic information systems that improve the accessibility of campus services; sensitive information such as personal data, access credentials, and educational records is stored and managed through these mobile applications. The current gap is the lack of understanding of the specific vulnerability profile of campus mobile applications and of how these vulnerabilities can affect the data security of educational institutions. This study conducts a comparative analysis of vulnerabilities in campus mobile applications using the OWASP Mobile Top 10 as its testing standard. It uses three mobile application security testing tools: AndroBugs, Mobile Security Framework (MobSF), and QARK (Quick Android Review Kit). These tools were chosen because together they detect the range of vulnerability types covered by the OWASP Mobile Top 10. By comparing the vulnerability analysis results across the campus mobile applications, this study aims to identify common vulnerability patterns and to recommend improvements aligned with the OWASP Mobile Top 10. The test results show that MySIX ITB and WeAreUI have the most vulnerabilities of the four applications, with 24 vulnerabilities reported across the three tools. However, when only the findings on which all three tools agree are counted, MySIX ITB is the most vulnerable application, with consensus findings in five categories: M3 (Insecure Authentication/Authorization), M5 (Insecure Communication), M6 (Inadequate Privacy Controls), M8 (Security Misconfiguration), and M9 (Insecure Data Storage). Beyond using three tools to raise the detection rate, several further observations emerge. First, the three tools give the same verdict for M2, M6, and M8 on every application, which the study takes as a sign of the tools' reliability for those categories. Second, QARK disagrees with the other two tools most often: it reaches a different decision eight times. Third, across the four campus mobile apps, developers should pay particular attention to the two categories detected by every tool, M6 and M8, Inadequate Privacy Controls and Security Misconfiguration, respectively. Finally, the shared strength of the four apps is their resistance to M2 (Inadequate Supply Chain Security); in other words, each campus has used third-party libraries well.
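As an added illustration of the cross-tool comparison the abstract describes (this is not code from the paper or its authors), the following Python script takes each tool's findings for each app, already mapped to OWASP Mobile Top 10 categories, and computes the per-app consensus findings, the categories on which all tools agree for every app, and how often each tool is the odd one out. The app names and verdict sets are constructed sample data, not the study's results, and the script assumes that each tool's raw, rule-level output has already been mapped to a single OWASP category per finding; AndroBugs, MobSF and QARK do not emit OWASP labels themselves, so that mapping is a manual step done before this aggregation.

```python
"""Cross-tool consensus over OWASP Mobile Top 10 findings.

Added example, not code from the paper. The per-app tool verdicts in SAMPLE
are constructed sample data, not the study's results for the four campus apps.
Assumption: each tool's findings have already been mapped to OWASP categories.
"""
from collections import Counter

TOOLS = ("AndroBugs", "MobSF", "QARK")

# OWASP Mobile Top 10 (2024) categories.
OWASP_M10 = {
    "M1": "Improper Credential Usage",
    "M2": "Inadequate Supply Chain Security",
    "M3": "Insecure Authentication/Authorization",
    "M4": "Insufficient Input/Output Validation",
    "M5": "Insecure Communication",
    "M6": "Inadequate Privacy Controls",
    "M7": "Insufficient Binary Protections",
    "M8": "Security Misconfiguration",
    "M9": "Insecure Data Storage",
    "M10": "Insufficient Cryptography",
}

# Constructed sample input: app -> tool -> set of OWASP categories that tool flagged.
SAMPLE = {
    "AppA": {
        "AndroBugs": {"M3", "M5", "M6", "M8", "M9"},
        "MobSF": {"M3", "M5", "M6", "M8", "M9"},
        "QARK": {"M3", "M6", "M8", "M9"},
    },
    "AppB": {
        "AndroBugs": {"M6", "M8"},
        "MobSF": {"M6", "M8", "M9"},
        "QARK": {"M6", "M8", "M10"},
    },
    "AppC": {
        "AndroBugs": {"M3", "M6", "M8"},
        "MobSF": {"M6", "M8"},
        "QARK": {"M5", "M6", "M8"},
    },
}


def consensus(findings, min_tools=len(TOOLS)):
    """Categories flagged by at least `min_tools` tools for one app.

    With the default, a category counts only when every tool reports it;
    min_tools=2 gives a majority vote instead.
    """
    votes = Counter(cat for cats in findings.values() for cat in cats)
    return {cat for cat, n in votes.items() if n >= min_tools}


def union(findings):
    """Every category any tool flagged for one app (the 'detection rate' view)."""
    return set().union(*findings.values())


def verdict_table(dataset):
    """(app, category) -> {tool: flagged?} for every OWASP category, including
    categories no tool flagged, so that a shared 'clean' verdict counts as agreement."""
    table = {}
    for app, findings in dataset.items():
        for cat in OWASP_M10:
            table[(app, cat)] = {tool: cat in findings[tool] for tool in TOOLS}
    return table


def fully_agreed_categories(dataset):
    """Categories on which all tools gave the same verdict for every app."""
    agreed = set(OWASP_M10)
    for (_app, cat), verdicts in verdict_table(dataset).items():
        if len(set(verdicts.values())) > 1:
            agreed.discard(cat)
    return agreed


def odd_one_out_counts(dataset):
    """How often each tool's verdict differs from the other two (which agree)."""
    counts = Counter({tool: 0 for tool in TOOLS})
    for verdicts in verdict_table(dataset).values():
        for tool, verdict in verdicts.items():
            others = [v for t, v in verdicts.items() if t != tool]
            if others[0] == others[1] and verdict != others[0]:
                counts[tool] += 1
    return dict(counts)


def rank_by_consensus(dataset):
    """Apps ordered from most to fewest consensus findings, ties by name."""
    return sorted(dataset, key=lambda app: (-len(consensus(dataset[app])), app))


if __name__ == "__main__":
    for app in rank_by_consensus(SAMPLE):
        agreed = sorted(consensus(SAMPLE[app]))
        print(f"{app}: union={len(union(SAMPLE[app]))} consensus={agreed}")
    print("categories with identical verdicts everywhere:",
          sorted(fully_agreed_categories(SAMPLE), key=lambda c: int(c[1:])))
    print("odd-one-out counts:", odd_one_out_counts(SAMPLE))
```

Ranking by consensus rather than by the union of findings is the point of the comparison: the union rewards whichever tool is noisiest, while the consensus surfaces the categories every tool independently confirms. The agreement table also explains why a category no tool ever flags, such as M2 in the study, still counts as a category the tools agree on.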
