Security Analysis of the Lombok Tourism Android Application Using Penetration Testing (Pentesting) Methods Based on the OWASP Mobile Top 10-2024 Framework

  • Ida Bagus Adi Surya Kemenuh Student
  • Raphael Bianco Huwae
  • Andy Hidayat Jatmika

Abstract

Android has become the most widely used operating system for mobile devices, playing a crucial role in supporting the tourism sector. As tourism in Indonesia grows, the demand for quick and easy access to information for travel planning has increased. However, concerns about the security of user data in Android applications have emerged. This study focuses on penetration testing of tourism-related Android applications in Lombok to identify vulnerabilities, particularly those listed in the OWASP Top 10 Mobile Risks. Using static analysis with the Mobile Security Framework (MobSF), two critical vulnerabilities were identified: Insecure Data Storage and Insufficient Cryptography. Penetration testing revealed that, although there was a risk related to insecure data storage, no sensitive user data was found in the application's database. The application was also found to use an outdated encryption scheme (CBC with PKCS7 padding), which could expose it to padding oracle attacks. This research emphasizes the need for robust security measures in mobile applications within the tourism sector.
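As an added illustration (not code from the paper or from the tested application), the cipher configuration the abstract reports, shown beside an authenticated replacement using the Android/Java JCA API; the class and method names are assumed for the example.

```java
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
public class CipherModeExample {
    private static final SecureRandom RNG = new SecureRandom();
    // Weak pattern reported by the study: CBC with PKCS7 padding (JCA names it
    // PKCS5Padding) and no integrity check. A decryptor whose error handling
    // distinguishes a padding failure from any other failure is a padding oracle.
    static byte[] encryptCbc(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return concat(iv, c.doFinal(plaintext));
    }
    // Hardened replacement: AES-GCM checks the authentication tag before any
    // plaintext is released, so a modified blob fails uniformly.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[12];                 // 96-bit nonce, never reused with a key
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return concat(iv, c.doFinal(plaintext));  // iv || ciphertext || 16-byte tag
    }
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12);
    }
    static byte[] concat(byte[] a, byte[] b) {
        byte[] out = new byte[a.length + b.length];
        System.arraycopy(a, 0, out, 0, a.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(256);
        SecretKey key = kg.generateKey();          // a real app would use an Android Keystore key
        byte[] blob = encryptGcm(key, "constructed sample record".getBytes("UTF-8"));
        blob[blob.length - 1] ^= 1;               // flip one bit of the tag
        try { decryptGcm(key, blob); }
        catch (AEADBadTagException e) { System.out.println("tampering detected, no plaintext released"); }
    }
}
```

Storing ciphertext produced by encryptGcm in the app's database also addresses the Insecure Data Storage finding only if the key itself never lives in that database or in plain SharedPreferences.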

Published
2025-06-30
Section
Embedded System and Data Communications