SlideShare uma empresa Scribd logo

Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Aplikasi Android.pdf

idsecconf
idsecconf

Evaluasi privasi pengguna pada aplikasi Android menemukan bahwa: (1) sebagian besar aplikasi mengumpulkan data pribadi pengguna seperti lokasi, kontak, dan aktivitas; (2) data tersebut dapat dibagikan ke pihak ketiga dan tidak mudah dihapus; (3) hanya beberapa aplikasi yang memiliki petugas perlindungan data yang tersedia. Analisis ini menunjukkan pentingnya perlindungan privasi pengguna yang lebih

Celular
1 de 29
Baixar para ler offline
EVALUASI PERLINDUNGAN PRIVASI PENGGUNA PADA APLIKASI-APLIKASI ANDROID Ammar Alifian Fahdan Baskoro Adi Pratomo Hudan Studiawan
TENTANG SAYA Nama: Baskoro Adi Pratomo baskoro@if.its.ac.id Twitter: @baskoroadi Afiliasi: Dosen Departemen Teknik Informatika, Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia (2010-sekarang) Research Assistant Cardiff University (2016-2021) Area Riset: Network Security Malware detection Reverse Engineering Machine Learning/Deep Learning for Cyber Security
PRIVASI VS KERAHASIAAN Privasi:  The ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively
STATISTIK 2.5 milyar perangkat Android aktif 2.7 juta aplikasi Android terdaftar 3813 kasus data breach per Juni 2019
KETIDAKAWASAN PENGGUNA 46,5% pengguna tidak sadar bahwa kegiatan daring mereka seperti browsing, berbelanja online, dan media sosial merupakan sumber data yang penting 22,4% responden mengaku tidak membaca syarat dan ketentuan terkait keamanan data saat mengisi data pribadi di sistem https://www.kompas.com/cekfakta/read/2022/02/10/090900082/kabar-data-kesadaran-keamanan-data-pribadi-masyarakat-dalam-angka?page=all
MENGAPA PERLU EVALUASI PRIVASI
METODOLOGI
PEMILIHAN SAMPEL APLIKASI Kriteria:  Digunakan oleh setidaknya satu juta pengguna  Dibuat oleh BUMN atau pemerintah atau digunakan untuk tujuan e- commerce  Dibuat dan dioptimasikan untuk pengguna Android di Indonesia Nama Aplikasi Versi Jenis BNI Mobile 5.7.1 BUMN BRImo 2.21.0 BUMN BTN Mobile 9.3 BUMN Ferizy 2.0.3 BUMN Fly Garuda 5.2.9 BUMN Kimia Farma 3.2.3 BUMN MIB 1.0.12 BUMN MyPertamina 3.6.2 BUMN PLN Mobile 5.2.24 BUMN KAI Access 4.9.7 BUMN Shopee 2.84.31 e-Commerce Lazada 7.2.1 e-Commerce Akulaku 4.6.5 e-Commerce Tokopedia 3.156 e-Commerce Blibli 4.6.5 e-Commerce Indomaret Poinku 3.4.0 e-Commerce Alfagift 4.7.1 e-Commerce JD.ID 6.5.3 e-Commerce OLX 7.12.1 e-Commerce Klik Indomaret 2207300 e-Commerce
METODE ANALISIS Analisis kebijakan privasi aplikasi Analisis tracker dan perizinan Analisis API endpoint dan data
ANALISIS KEBIJAKAN PRIVASI APLIKASI
HALAMAN KEBIJAKAN PRIVASI GOOGLE PLAYSTORE
ANALISIS TRACKER DAN PERIZINAN
EXODUS HTTPS://EXODUS-PRIVACY.EU.ORG/EN/
PERIZINAN YANG DIANALISIS Nama Permission Deskripsi ACCESS_COARSE_LOCATION Mengakses lokasi pengguna secara kasar ACCESS_FINE_LOCATION Mengakses lokasi pengguna secara akurat CAMERA Mengakses kamera READ_CONTACTS Mengakses kontak READ_EXTERNAL_STORAGE Membaca penyimpanan eksternal READ_PHONE_STATE Mengakses status perangkat WRITE_EXTERNAL_STORAGE Menulis di penyimpanan eksternal
ANALISIS API ENDPOINT DAN DATA
ANALISIS API ENDPOINT DAN DATA (2)
TEMUAN
DATA DIOLAH APLIKASI Lokasi Info pribadi Info keuangan Pesan Foto dan video File dan dokumen Kontak Aktivitas aplikasi Penjelajahan web Info dan performa aplikasi ID perangkat atau lainnya Audio Kalender Kesegaran dan Kebugaran Shopee v v v v v v v v v v v Lazada v v v v v Blibli Akulaku v v v v v v v v v Tokopedia v v v v v v v Indomaret Poinku Tidak ada informasi di Google Play Store Alfagift v v BNI Mobile Banking v v v BRIMo BTN Mobile Tidak ada informasi di Google Play Store MIB Tidak ada informasi di Google Play Store Fly Garuda v v v v v v Ferizy PosAja Tidak ada informasi di Google Play Store KAI Access v v Kimia Farma Mobile v v v v MyPertamina v v v v v v PLN Mobile v v v v v v
DATA DIBAGIKAN KE PIHAK KETIGA Lokasi Info pribadi Info keuangan Foto dan video File dan dokumen Aktivitas aplikasi ID perangkat atau lainnya Shopee v v v v v v v Lazada v v Blibli v v Akulaku Tokopedia v v v v v v Indomaret Poinku Tidak ada informasi di Google Play Store Alfagift BNI Mobile Banking BRIMo BTN Mobile Tidak ada informasi di Google Play Store Mandiri Internet Bisnis Tidak ada informasi di Google Play Store Fly Garuda v v Ferizy PosAja Tidak ada informasi di Google Play Store KAI Access v Kimia Farma Mobile v MyPertamina PLN Mobile
BISAKAH KITA MENGHAPUS DATA Nama Aplikasi Bisa Tidak n/a Shopee v Lazada v Blibli v Akulaku v Tokopedia v Indomaret Poinku v Alfagift v BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v
DATA PROTECTION OFFICER Nama Aplikasi DPO Customer Service Tidak Ada Bisa dihubungi langsung Dihubungi melalui CS Shopee v Lazada v Blibli v Akulaku v Tokopedia v Indomaret Poinku v Alfagift v BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v DPO adalah entitas yang memiliki tugas untuk memastikan bahwa data yang dikelola, baik data pengguna, data perusahaan maupun data karyawannya, dijaga dan dikelola sesuai dengan undang-undang data yang berlaku
PENGGUNAAN SSL Nama Aplikasi Full Partial Tidak ada BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v
ANALISIS PERIZINAN: BUMN BNI BriMO BTN MIB Garuda Indonesia Ferizy KAI Access PosAja PLN Mobile My Pertamina ACCESS_COARSE_LOCATION v v v v v v v v v ACCESS_FINE_LOCATION v v v v v v v v v CAMERA v v v v v v v v v READ_CONTACTS v v v READ_EXTERNAL_STORAGE v v v v v v v v READ_PHONE_STATE v v v v v WRITE_EXTERNAL_STORAGE v v v v v v v v
ANALISIS PERIZINAN: E-COMMERCE Perizinan Shopee Lazada Blibli Akulaku Tokopedia Indomaret MyPoint Alfagift JD.ID OLX Klik Indomaret ACCESS_COARSE_LOCATIO N v v v v v v ✓ ✓ ✓ ACCESS_FINE_LOCATION v v v v v v ✓ ✓ ✓ CAMERA v v v v v v v ✓ ✓ ✓ READ_CONTACTS v v v v v ✓ ✓ ✓ READ_EXTERNAL_STORAGE v v v v v v v ✓ ✓ ✓ READ_PHONE_STATE v v v v v v v ✓ ✓ ✓ WRITE_EXTERNAL_STORAGE v v v v v v v ✓ ✓ ✓
ANALISIS TRACKER Nama Tracker BNI Google Firebase Analytics, MoEngage BriMO Google CrashLytics. Google Firebase Analytics Garuda Indonesia Google CrashLytics, Google Firebase Analytics, Huawei Mobile Services (HMS) Core, Insider Ferizy Amplitude, Facebook Ads, Facebook Analytics, Facebook Login, Facebook Share, Google AdMob, Google Analytics, Google Firebase Analytics, Segment BTN - MIB - KAI Access Google Firebase Analytics PosAja! Amplitude, Facebook Ads, Facebook Analytics, Facebook Login, Facebook Share, Google AdMob, Google Analytics, Google Firebase Analytics, Segment PLN Mobile AppsFlyer, Facebook Login, Facebook Share, Google CrashLytics, Google Firebase Analytics My Pertamina Google CrashLytics, Google Firebase Analysis
ANALISIS DATA DAN ENDPOINT PENGIRIMAN DEVICEID
KESIMPULAN Lebih banyak aplikasi e-commerce yang mengizinkan penghapusan data pribadi Sebagian besar aplikasi BUMN dan e-commerce tidak memiliki DPO yang dedicated 2 dari 10 aplikasi BUMN memiliki tracker yang tidak relevan Aplikasi e-commerce memerlukan izin dan penggunaan data yang lebih banyak daripada BUMN. Beberapa aplikasi BUMN mengumpulkan deviceID
KESIMPULAN
TERIMA KASIH

Recomendados

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
 

Recomendados

idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...
idsecconf2023 - Mochammad Riyan Firmansyah - Takeover Cloud Managed Router vi...idsecconf
 
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdf
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
 
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...
idsecconf2023 - Akshantula Neha, Mohammad Febri Ramadlan - Cyber Harmony Auto...idsecconf
 
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
 
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
 
Ali - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfAli - The Journey-Hack Electron App Desktop (MacOS).pdf
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
 
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
 
Stream crime
Stream crime Stream crime
Stream crime idsecconf
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchainsidsecconf
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnetidsecconf
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationidsecconf
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpickidsecconf
 
Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...idsecconf
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resourcesidsecconf
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...idsecconf
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programidsecconf
 

Mais conteúdo relacionado

Mais de idsecconf

Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullahidsecconf
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
 
Stream crime
Stream crime Stream crime
Stream crime idsecconf
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchainsidsecconf
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnetidsecconf
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationidsecconf
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpickidsecconf
 
Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...idsecconf
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resourcesidsecconf
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...idsecconf
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programidsecconf
 

Mais de idsecconf (20)

Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...
 
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfRama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdf
 
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...
 
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfNosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdf
 
Utian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdfUtian Ayuba - Profiling The Cloud Crime.pdf
Utian Ayuba - Profiling The Cloud Crime.pdf
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika TriwidadaPerkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidada
 
Pentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - AbdullahPentesting react native application for fun and profit - Abdullah
Pentesting react native application for fun and profit - Abdullah
 
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaHacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabella
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi DwiantoDevsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwianto
 
Stream crime
Stream crime Stream crime
Stream crime
 
(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains(Paper) Mips botnet worm with open wrt sdk toolchains
(Paper) Mips botnet worm with open wrt sdk toolchains
 
Mips router targeted worm botnet
Mips router targeted worm botnetMips router targeted worm botnet
Mips router targeted worm botnet
 
The achilles heel of GPN Card implementation
The achilles heel of GPN Card implementationThe achilles heel of GPN Card implementation
The achilles heel of GPN Card implementation
 
iot hacking, smartlockpick
iot hacking, smartlockpick iot hacking, smartlockpick
iot hacking, smartlockpick
 
Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...Paper - semi-automated information gathering tools for subdomain enumeration ...
Paper - semi-automated information gathering tools for subdomain enumeration ...
 
Reconnaissance not always about resources
Reconnaissance not always about resourcesReconnaissance not always about resources
Reconnaissance not always about resources
 
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...Case Study on supply chain attack-how an rce in jenkins leads to data breache...
Case Study on supply chain attack-how an rce in jenkins leads to data breache...
 
A tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting programA tale story of building and maturing threat hunting program
A tale story of building and maturing threat hunting program
 

Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Aplikasi Android.pdf

  • 1. EVALUASI PERLINDUNGAN PRIVASI PENGGUNA PADA APLIKASI-APLIKASI ANDROID Ammar Alifian Fahdan Baskoro Adi Pratomo Hudan Studiawan
  • 2. TENTANG SAYA Nama: Baskoro Adi Pratomo baskoro@if.its.ac.id Twitter: @baskoroadi Afiliasi: Dosen Departemen Teknik Informatika, Institut Teknologi Sepuluh Nopember, Surabaya, Indonesia (2010-sekarang) Research Assistant Cardiff University (2016-2021) Area Riset: Network Security Malware detection Reverse Engineering Machine Learning/Deep Learning for Cyber Security
  • 3. PRIVASI VS KERAHASIAAN Privasi:  The ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively
  • 4. STATISTIK 2.5 milyar perangkat Android aktif 2.7 juta aplikasi Android terdaftar 3813 kasus data breach per Juni 2019
  • 5. KETIDAKAWASAN PENGGUNA 46,5% pengguna tidak sadar bahwa kegiatan daring mereka seperti browsing, berbelanja online, dan media sosial merupakan sumber data yang penting 22,4% responden mengaku tidak membaca syarat dan ketentuan terkait keamanan data saat mengisi data pribadi di sistem https://www.kompas.com/cekfakta/read/2022/02/10/090900082/kabar-data-kesadaran-keamanan-data-pribadi-masyarakat-dalam-angka?page=all
  • 8. PEMILIHAN SAMPEL APLIKASI Kriteria:  Digunakan oleh setidaknya satu juta pengguna  Dibuat oleh BUMN atau pemerintah atau digunakan untuk tujuan e- commerce  Dibuat dan dioptimasikan untuk pengguna Android di Indonesia Nama Aplikasi Versi Jenis BNI Mobile 5.7.1 BUMN BRImo 2.21.0 BUMN BTN Mobile 9.3 BUMN Ferizy 2.0.3 BUMN Fly Garuda 5.2.9 BUMN Kimia Farma 3.2.3 BUMN MIB 1.0.12 BUMN MyPertamina 3.6.2 BUMN PLN Mobile 5.2.24 BUMN KAI Access 4.9.7 BUMN Shopee 2.84.31 e-Commerce Lazada 7.2.1 e-Commerce Akulaku 4.6.5 e-Commerce Tokopedia 3.156 e-Commerce Blibli 4.6.5 e-Commerce Indomaret Poinku 3.4.0 e-Commerce Alfagift 4.7.1 e-Commerce JD.ID 6.5.3 e-Commerce OLX 7.12.1 e-Commerce Klik Indomaret 2207300 e-Commerce
  • 9. METODE ANALISIS Analisis kebijakan privasi aplikasi Analisis tracker dan perizinan Analisis API endpoint dan data
  • 11. HALAMAN KEBIJAKAN PRIVASI GOOGLE PLAYSTORE
  • 14. PERIZINAN YANG DIANALISIS Nama Permission Deskripsi ACCESS_COARSE_LOCATION Mengakses lokasi pengguna secara kasar ACCESS_FINE_LOCATION Mengakses lokasi pengguna secara akurat CAMERA Mengakses kamera READ_CONTACTS Mengakses kontak READ_EXTERNAL_STORAGE Membaca penyimpanan eksternal READ_PHONE_STATE Mengakses status perangkat WRITE_EXTERNAL_STORAGE Menulis di penyimpanan eksternal
  • 16. ANALISIS API ENDPOINT DAN DATA (2)
  • 18. DATA DIOLAH APLIKASI Lokasi Info pribadi Info keuangan Pesan Foto dan video File dan dokumen Kontak Aktivitas aplikasi Penjelajahan web Info dan performa aplikasi ID perangkat atau lainnya Audio Kalender Kesegaran dan Kebugaran Shopee v v v v v v v v v v v Lazada v v v v v Blibli Akulaku v v v v v v v v v Tokopedia v v v v v v v Indomaret Poinku Tidak ada informasi di Google Play Store Alfagift v v BNI Mobile Banking v v v BRIMo BTN Mobile Tidak ada informasi di Google Play Store MIB Tidak ada informasi di Google Play Store Fly Garuda v v v v v v Ferizy PosAja Tidak ada informasi di Google Play Store KAI Access v v Kimia Farma Mobile v v v v MyPertamina v v v v v v PLN Mobile v v v v v v
  • 19. DATA DIBAGIKAN KE PIHAK KETIGA Lokasi Info pribadi Info keuangan Foto dan video File dan dokumen Aktivitas aplikasi ID perangkat atau lainnya Shopee v v v v v v v Lazada v v Blibli v v Akulaku Tokopedia v v v v v v Indomaret Poinku Tidak ada informasi di Google Play Store Alfagift BNI Mobile Banking BRIMo BTN Mobile Tidak ada informasi di Google Play Store Mandiri Internet Bisnis Tidak ada informasi di Google Play Store Fly Garuda v v Ferizy PosAja Tidak ada informasi di Google Play Store KAI Access v Kimia Farma Mobile v MyPertamina PLN Mobile
  • 20. BISAKAH KITA MENGHAPUS DATA Nama Aplikasi Bisa Tidak n/a Shopee v Lazada v Blibli v Akulaku v Tokopedia v Indomaret Poinku v Alfagift v BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v
  • 21. DATA PROTECTION OFFICER Nama Aplikasi DPO Customer Service Tidak Ada Bisa dihubungi langsung Dihubungi melalui CS Shopee v Lazada v Blibli v Akulaku v Tokopedia v Indomaret Poinku v Alfagift v BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v DPO adalah entitas yang memiliki tugas untuk memastikan bahwa data yang dikelola, baik data pengguna, data perusahaan maupun data karyawannya, dijaga dan dikelola sesuai dengan undang-undang data yang berlaku
  • 22. PENGGUNAAN SSL Nama Aplikasi Full Partial Tidak ada BNI Mobile Banking v BRIMo v BTN Mobile v Mandiri Internet Bisnis v Fly Garuda v Ferizy v PosAja v KAI Access v Kimia Farma Mobile v MyPertamina v PLN Mobile v
  • 23. ANALISIS PERIZINAN: BUMN BNI BriMO BTN MIB Garuda Indonesia Ferizy KAI Access PosAja PLN Mobile My Pertamina ACCESS_COARSE_LOCATION v v v v v v v v v ACCESS_FINE_LOCATION v v v v v v v v v CAMERA v v v v v v v v v READ_CONTACTS v v v READ_EXTERNAL_STORAGE v v v v v v v v READ_PHONE_STATE v v v v v WRITE_EXTERNAL_STORAGE v v v v v v v v
  • 24. ANALISIS PERIZINAN: E-COMMERCE Perizinan Shopee Lazada Blibli Akulaku Tokopedia Indomaret MyPoint Alfagift JD.ID OLX Klik Indomaret ACCESS_COARSE_LOCATIO N v v v v v v ✓ ✓ ✓ ACCESS_FINE_LOCATION v v v v v v ✓ ✓ ✓ CAMERA v v v v v v v ✓ ✓ ✓ READ_CONTACTS v v v v v ✓ ✓ ✓ READ_EXTERNAL_STORAGE v v v v v v v ✓ ✓ ✓ READ_PHONE_STATE v v v v v v v ✓ ✓ ✓ WRITE_EXTERNAL_STORAGE v v v v v v v ✓ ✓ ✓
  • 25. ANALISIS TRACKER Nama Tracker BNI Google Firebase Analytics, MoEngage BriMO Google CrashLytics. Google Firebase Analytics Garuda Indonesia Google CrashLytics, Google Firebase Analytics, Huawei Mobile Services (HMS) Core, Insider Ferizy Amplitude, Facebook Ads, Facebook Analytics, Facebook Login, Facebook Share, Google AdMob, Google Analytics, Google Firebase Analytics, Segment BTN - MIB - KAI Access Google Firebase Analytics PosAja! Amplitude, Facebook Ads, Facebook Analytics, Facebook Login, Facebook Share, Google AdMob, Google Analytics, Google Firebase Analytics, Segment PLN Mobile AppsFlyer, Facebook Login, Facebook Share, Google CrashLytics, Google Firebase Analytics My Pertamina Google CrashLytics, Google Firebase Analysis
  • 26. ANALISIS DATA DAN ENDPOINT PENGIRIMAN DEVICEID
  • 27. KESIMPULAN Lebih banyak aplikasi e-commerce yang mengizinkan penghapusan data pribadi Sebagian besar aplikasi BUMN dan e-commerce tidak memiliki DPO yang dedicated 2 dari 10 aplikasi BUMN memiliki tracker yang tidak relevan Aplikasi e-commerce memerlukan izin dan penggunaan data yang lebih banyak daripada BUMN. Beberapa aplikasi BUMN mengumpulkan deviceID