Android Apps Vulnerability Detection with Static and Dynamic Analysis Approach using MOBSF

Sabrina Uhti Kusreynada(1), Azhari Shouni Barkah(2),


(1) Universitas Amikom Purwokerto
(2) Universitas Amikom Purwokerto

Abstract


Ensuring the security of Android applications is paramount, especially for apps like Mobile JKN, launched by the Social Security Agency on Health (BPJS Kesehatan) under the Ministry of Health of the Republic of Indonesia, which hold sensitive participant data. Such information is a frequent target of cybercriminals who seek personal gain through data theft by exploiting security vulnerabilities in the application. To address these risks, a thorough analysis was conducted to detect security loopholes in the Mobile JKN application. The study used the Mobile Security Framework (MobSF) and combined static and dynamic analysis. Although the application implements SSL pinning and rooted-device detection, the static analysis revealed potential security loopholes, including dangerous permission requests, weak cryptographic methods, and hardcoded secrets. Moreover, the application was found vulnerable to the Janus vulnerability, SQL injection, and padding oracle attacks. The dynamic analysis confirmed that SSL pinning is implemented satisfactorily and that there is no performance degradation, but it also showed that root detection was lacking and that an attached debugger was not detected while the application was running. These findings emphasize the critical need for immediate security enhancements in the Mobile JKN application.

Keywords


Mobile JKN Security; Cyber Threats in Healthcare; Application Vulnerabilities; SSL Pinning Analysis; Data Privacy Concerns





Journal of Computer Science and Engineering (JCSE)
ISSN 2721-0251 (online)
Published by : ICSE (Institute of Computer Sciences and Engineering)
Website : http://icsejournal.com/index.php/JCSE/
Email: jcse@icsejournal.com

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.