System Security Evaluation of the Catatmak Application Using a Qualitative Method Based on Thematic Coding (Evaluasi Keamanan Sistem Pada Aplikasi Catatmak Dengan Metode Kualitatif Berbasis Pengkodean Tematik)

Authors

  • Fariz Nur Fikri Zaki (Universitas Amikom Purwokerto)
  • Putri Awaliatuz Zahra
  • Vidia Alma Cyrilla
  • Wahyu Latifatun
  • Ranggi Praharaningtyas Aji
  • Dhanar Intan Surya Saputra

DOI:

https://doi.org/10.35960/ikomti.v6i2.1871

Keywords:

mobile app security, user privacy, data protection, OTP, access control

Abstract

This study evaluates how data security and privacy mechanisms are implemented in the Catatmak mobile application, a locally developed personal finance tool. It addresses the growing risk that comes with handling sensitive user data, particularly in digital financial platforms used by the general public. A qualitative method was employed, using semi-structured interviews with the app’s main developer, who also oversees the system’s technical infrastructure. The interview covered data collection policies, encryption and authentication mechanisms, and role-based access control. In parallel, static and dynamic security assessments were carried out with the Mobile Security Framework (MobSF) and checked against the OWASP Application Security Verification Standard (ASVS). The results indicate that Catatmak applies key security practices, including HTTPS for data in transit, OTP-based login, encrypted cloud storage, and RBAC-based access segmentation. Despite these measures, user-side weaknesses remain the dominant risk, particularly weak password habits and careless sharing of OTP codes. The developer emphasized that “most threats don’t come from hackers, but from users giving away their own credentials.” The study therefore recommends integrating two-factor authentication (2FA), educating users on security, and adopting Secure Software Development Lifecycle (Secure SDLC) principles. These findings are intended to inform the development of more secure financial apps within the Indonesian digital ecosystem.
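The abstract names OTP-based login and OTP sharing by users as the dominant weakness but does not show what the server side can do about it. The following Python is an added illustration, not Catatmak’s code or the authors’ method: it sketches the controls that bound what a leaked or shared code is worth (short lifetime, single use, an attempt limit, binding to the login session that requested the code, and constant-time comparison). All names, limit values and the injectable clock are assumptions made for the example.

```python
"""OTP login controls that limit the value of a leaked or shared code.

Added illustration (not Catatmak's code): short lifetime, single use,
attempt limit, binding to the requesting login session, and constant-time
comparison. Names, limits and the injectable clock are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # assumed policy values
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    session_id: str     # login session that requested the code
    attempts: int = 0
    consumed: bool = False


class OtpService:
    """In-memory challenge store keyed by user id (a real service would use a shared store)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, OtpChallenge] = {}

    def issue(self, user_id: str, session_id: str) -> str:
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        # A fresh challenge replaces any earlier one, so an older leaked code cannot be replayed.
        self._challenges[user_id] = OtpChallenge(code, self._clock(), session_id)
        return code  # in production the code goes to the SMS/e-mail channel, not back to the caller

    def verify(self, user_id: str, session_id: str, submitted: str) -> tuple[bool, str]:
        ch = self._challenges.get(user_id)
        if ch is None:
            return False, "no_challenge"
        if ch.consumed:
            return False, "already_used"
        if self._clock() - ch.issued_at > OTP_TTL_SECONDS:
            del self._challenges[user_id]
            return False, "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._challenges[user_id]   # a 6-digit space is cheap to brute-force without this
            return False, "locked"
        ch.attempts += 1
        # Session binding: the code is only accepted in the login session that asked for it.
        # This stops an attacker who obtained the code after the real user requested it; it
        # does NOT help when the attacker started the login and talked the user into reading
        # the code out, which is the "users giving away credentials" case the abstract names.
        if not hmac.compare_digest(ch.session_id.encode(), session_id.encode()):
            return False, "session_mismatch"
        if not hmac.compare_digest(ch.code.encode(), submitted.encode()):
            return False, "wrong_code"
        ch.consumed = True
        return True, "ok"


def demo() -> dict[str, str]:
    """Constructed walk-through: honest login, a shared code, a replay, lockout and expiry."""
    now = [1_000.0]                      # fake clock so expiry is deterministic
    svc = OtpService(clock=lambda: now[0])
    out = {}

    code = svc.issue("user-42", "sess-A")
    wrong = str((int(code) + 1) % 10**OTP_DIGITS).zfill(OTP_DIGITS)
    out["shared_with_other_session"] = svc.verify("user-42", "sess-B", code)[1]
    out["wrong_guess"] = svc.verify("user-42", "sess-A", wrong)[1]
    out["honest"] = svc.verify("user-42", "sess-A", code)[1]
    out["replay"] = svc.verify("user-42", "sess-A", code)[1]

    code = svc.issue("user-7", "sess-C")
    wrong = str((int(code) + 1) % 10**OTP_DIGITS).zfill(OTP_DIGITS)
    for _ in range(MAX_ATTEMPTS):
        svc.verify("user-7", "sess-C", wrong)
    out["after_lockout"] = svc.verify("user-7", "sess-C", code)[1]

    code = svc.issue("user-9", "sess-D")
    now[0] += OTP_TTL_SECONDS + 1
    out["expired"] = svc.verify("user-9", "sess-D", code)[1]
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28s} -> {result}")
```

The controls above reduce the window and the blast radius of a shared code; they do not remove the human factor the developer describes, which is why the abstract’s recommendations pair a second factor with user education rather than relying on the OTP alone.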


Published

28-06-2025

How to Cite

Fariz Nur Fikri Zaki, Putri Awaliatuz Zahra, Vidia Alma Cyrilla, Wahyu Latifatun, Ranggi Praharaningtyas Aji, and Dhanar Intan Surya Saputra, “Evaluasi Keamanan Sistem Pada Aplikasi Catatmak Dengan Metode Kualitatif Berbasis Pengkodean Tematik”, IKOMTI, vol. 6, no. 2, pp. 80–85, Jun. 2025.