Table of Contents
Tubes 1 of Platform-Based Application Development (IF2211). A financial management app to track income, expense, and saving transactions.
- Navigation
- Header
- Bottom navigation bar
- Authentication
- Login
- Background service that checks JWT expiration
- Logout
- Transaction CRUD
- View transaction details including its location using Google Maps
- Add new transaction with automated date and location data
- Update transaction
- Delete transaction
- List of transactions
- Transaction data are stored locally in a Room database
- View all transactions as transaction list
- Overall statistics including balance, cashflow, and growth
- Display list using recycler view for optimization
- Bill scan
- Add a new transaction entry by capturing a physical bill with the Android camera (dummy OCR)
- Graphs
- Statistics are represented by graphic charts
- The statistics include total income, expenses, and savings within each period of time, displayed using line charts
- Export
- Transaction data can be exported into a spreadsheet with the format of .xlsx or .xls
- Share
- Transaction data can be shared through GMail as a spreadsheet file with the format of .xlsx or .xls
- Network sensing
- Bondoman uses a semi-online design that lets the user work in the app without being permanently connected to the internet
- Bondoman detects the current network status and alerts the user when no internet connection is available
- Broadcast receiver
- The preferences settings include a "randomize transaction" option that fills in random initial data whenever the user adds a new transaction
- Profile
- [BONUS] User can customize their profile, including profile picture with optional twibbon overlay
- Security
- [BONUS] OWASP analysis
- Jetpack Compose
- KSP
- Dagger Hilt
- Safe Args
- Life Cycle
- Retrofit
- Moshi
- OkHTTP3
- Room
- CameraX
- AndroidMP
- GMS
- POI
OWASP analysis is a security analysis that is used to identify the security risks in an application. The analysis is based on the OWASP Top 10, which is a list of the 10 most critical security risks in web applications. The analysis is performed by scanning the application for vulnerabilities and then reporting on the findings. The goal of the analysis is to identify and fix any security risks in the application before they can be exploited by attackers.
In this project we will analyze:
- Insufficient Input/Output Validation
- Security Misconfiguration
- Insecure Data Storage
Let's start the analysis!
Insufficient input/output validation is a security risk that occurs when an application does not properly validate user input or output. This can lead to a variety of security risks, including injection attacks, cross-site scripting, and other vulnerabilities. To mitigate this risk, it is important to validate all user input and output to ensure that it is safe. In this part I will give examples of insufficient input/output validation with the cases below:
a. Injections
We fill the email and password fields with `1'or'1'='1`, an input that, if the login query were built by string concatenation, could make the login return every user registered in the application.
The API responds with an error stating that the email and password are invalid, so the user cannot log in and no registered users are exposed.
b. Improper or no input validation
In this part we leave every field on the new transaction page empty and click the "Add Transaction" button to check that the application tells the user to fill in the form.
The application shows a toast message asking the user to fill in the form, keeps running, and does not crash.
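The form check described above, as an added example that is not Bondoman's own code: a pure validator for the "Add Transaction" fields that returns messages instead of throwing, so empty or malformed input produces a toast rather than a crash. The field names, the amount limit and the category set are assumptions.

```kotlin
import java.math.BigDecimal

// Hypothetical form model and validator; not the project's real classes.
enum class Category { INCOME, EXPENSE, SAVING }

data class NewTransactionForm(val title: String, val amountText: String, val category: String)

// Assumed upper bound so absurd or overflow-prone amounts are rejected before reaching Room.
private val MAX_AMOUNT = BigDecimal("1000000000000")

// Returns every problem found; an empty list means the form may be submitted.
// Each check is a plain comparison, so malformed input yields a message, never an exception.
fun validateNewTransaction(form: NewTransactionForm): List<String> {
    val errors = mutableListOf<String>()

    if (form.title.isBlank()) errors += "Title must not be empty"
    else if (form.title.length > 100) errors += "Title is too long (max 100 characters)"

    // toBigDecimalOrNull() returns null for "", "abc" or "12,5" instead of throwing.
    val amount = form.amountText.trim().toBigDecimalOrNull()
    when {
        form.amountText.isBlank() -> errors += "Amount must not be empty"
        amount == null -> errors += "Amount must be a number"
        amount <= BigDecimal.ZERO -> errors += "Amount must be greater than zero"
        amount > MAX_AMOUNT -> errors += "Amount is too large"
    }

    if (Category.values().none { it.name.equals(form.category.trim(), ignoreCase = true) })
        errors += "Category must be one of income, expense, saving"

    return errors
}

// Assumed call site in the fragment: show the first message as a toast and stay on the page.
// val errors = validateNewTransaction(form)
// if (errors.isNotEmpty()) Toast.makeText(ctx, errors.first(), Toast.LENGTH_SHORT).show() else save(form)
```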
Security misconfiguration is a security risk that occurs when an application is not properly configured to protect against security threats. This can include things like default passwords, unnecessary services, and other configuration issues that can be exploited by attackers. To mitigate this risk, it is important to ensure that the application is properly configured and that all security settings are up to date.
In this part I will give an example of security misconfiguration concerning the permissions required to access the camera and location in the application.
In this application the user must grant the camera and location permissions in order to use the features that need them. If the user does not grant a permission, the application will not run the feature that depends on it.
The reason these features are gated behind permissions is to keep user data safe: the application never accesses the camera or the location without the user's consent.
Insecure data storage is a security risk that occurs when an application does not properly store sensitive data. This can include things like storing passwords in plain text, using weak encryption, or not properly securing data at rest. To mitigate this risk, it is important to ensure that all sensitive data is properly encrypted and stored securely.
In this application there are two important pieces of data that need to be stored securely: the email and the JWT token. They are stored in the root directory under a random file name and encrypted with RSA using the keystore, so the token and the email cannot be read by another application without the key.
If the user writes something into the email or token file, the application denies access to that file and does not crash; instead it goes to the login page.
The application responds like this:
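An added example (not Bondoman's own code) of keystore-backed storage for the email and JWT, including the tampered-file case from the paragraph above. It assumes an AES-GCM key in the Android keystore rather than the RSA pair the README mentions, because RSA-OAEP with a 2048-bit key can only encrypt about 190 bytes and a JWT is usually longer; the object name, key alias, preference name and file location are assumptions.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import java.io.File
import java.security.KeyStore
import java.util.UUID
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical helper, not Bondoman's own code; alias, file and preference names are assumed.
object SecureTokenStore {
    private const val KEY_ALIAS = "bondoman_token_key"
    private const val IV_BYTES = 12
    // Creates once, then reuses, an AES-GCM key whose raw bytes never leave the Android keystore.
    private fun key(): SecretKey {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore").apply { init(spec) }.generateKey()
    }
    // Random file name (as in the README), kept in app-private storage that other apps cannot read.
    private fun tokenFile(ctx: Context): File {
        val prefs = ctx.getSharedPreferences("secure_store", Context.MODE_PRIVATE)
        val name = prefs.getString("token_file_name", null)
            ?: UUID.randomUUID().toString().also { prefs.edit().putString("token_file_name", it).apply() }
        return File(ctx.filesDir, name)
    }
    fun save(ctx: Context, email: String, jwt: String) {
        val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key()) }
        val ciphertext = cipher.doFinal("$email\n$jwt".toByteArray())
        tokenFile(ctx).writeBytes(cipher.iv + ciphertext)   // 12-byte IV, then ciphertext + GCM tag
    }
    // Returns null if the file is missing or was altered: the GCM tag check makes doFinal throw,
    // so a tampered file never yields a forged token and the caller falls back to the login page.
    fun load(ctx: Context): Pair<String, String>? {
        val data = tokenFile(ctx).takeIf { it.exists() }?.readBytes() ?: return null
        return runCatching {
            val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply {
                init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, data, 0, IV_BYTES))
            }
            val (email, jwt) = String(cipher.doFinal(data, IV_BYTES, data.size - IV_BYTES)).split("\n", limit = 2)
            email to jwt
        }.getOrNull()
    }
}
```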
| NIM | Name |
|---|---|
| 10023509 | M. Surya Dharma Khazinatul Azror |
| 13521019 | Ditra Rizqa Amadia |
| 13521005 | Bernardus Willson |
| 13521005 | Fahrian Afdholi |
| Task item | Contributors |
|---|---|
| Design | Ditra Amadia, Surya Azror |
| Splash screen page | Surya Azror |
| Login page | Bernardus Willson |
| Navigation components | Ditra Amadia |
| Transaction page | Ditra Amadia, Bernardus Willson, Fahrian Afdholi |
| Transaction details page | Bernardus Willson |
| Scan page | Bernardus Willson |
| Add transaction page | Bernardus Willson |
| Statistics page | Ditra Amadia, Bernardus Willson |
| Settings page | Ditra Amadia, Bernardus Willson, Fahrian Afdholi |
| Profile page | Ditra Amadia, Bernardus Willson |
| Authentication | Fahrian Afdholi |
| Navigation | Ditra Amadia, Bernardus Willson, Fahrian Afdholi |
| Transaction list | Bernardus Willson, Fahrian Afdholi |
| Create transaction | Bernardus Willson, Fahrian Afdholi |
| View transaction detail | Bernardus Willson, Fahrian Afdholi |
| Edit transaction detail | Bernardus Willson, Fahrian Afdholi |
| Delete transaction | Bernardus Willson, Fahrian Afdholi |
| Bill scanning | Bernardus Willson, Fahrian Afdholi |
| Statistics | Bernardus Willson |
| Edit profile | Ditra Amadia, Bernardus Willson |
| Export data | Fahrian Afdholi |
| Share data | Fahrian Afdholi |
| Randomize data | Fahrian Afdholi |
| End To End Testing | Surya Azror |
| Documentation | Ditra Amadia |
| OWASP Analysis | Fahrian Afdholi |