Security Evaluation of Firebase OTP in Android Applications: A Comparison of SAST and IAST for Vulnerability Identification
DOI: https://doi.org/10.14421/jiska.4909
Keywords: Firebase OTP, MobSF, AppSweep, SAST, IAST
Abstract
Application security is crucial for protecting user data from cyber threats, particularly in Android applications that rely on One-Time Password (OTP)-based authentication. This study evaluates the security of Firebase OTP delivered via email by combining Static Application Security Testing (SAST) using the Mobile Security Framework (MobSF) with Interactive Application Security Testing (IAST) using AppSweep. The results show that combining SAST and IAST outperforms either method alone because of its wider detection coverage: SAST detects vulnerabilities in the static code, while IAST identifies exploitable behaviour at runtime. Testing across the application versions showed significant improvement, with high-severity vulnerabilities decreasing from 3 cases in OTP-1 to zero in OTP-5 and the MobSF security score increasing from 43 (B) to 78 (A). Meanwhile, the number of vulnerabilities reported by AppSweep decreased from 14 to 9, with all high-severity findings resolved. The study nevertheless has limitations, including limited dataset coverage and potential bias introduced by the testing tools. Future work could integrate artificial intelligence to automate vulnerability detection and explore biometric-based authentication to strengthen the system further.
License
Copyright (c) 2025 I Gede Surya Rahayuda, Ni Putu Linda Santiari

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Authors who publish with this journal agree to the following terms as stated in http://creativecommons.org/licenses/by-nc/4.0
a. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
b. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
c. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.