<![CDATA[Leading Indonesian universities such as Telkom University (Tel-U), Institut Teknologi Bandung(ITB), Universitas Indonesia (UI), and Universitas Gadjah Mada (UGM) have developed mobilebasedacademic information systems that improve the accessibility of campus services, wheresensitive information such as personal data, access credentials, and educational information arestored and managed through the mobile application. The current gap is the lack of understanding ofthe specific vulnerability profile of campus mobile applications and how these vulnerabilities canaffect the data security of educational institutions. This study conducts a comparative analysis ofvulnerabilities in campus mobile applications using the OWASP Mobile Top 10 framework as itstesting standard. In its implementation, this study uses three mobile application security testingtools: AndroBugs, Mobile Security Framework (MobSF), and QARK (Quick Android Review Kit).These three tools were chosen because of their ability to detect various types of vulnerabilitiescovered in the OWASP Mobile Top 10. By comparing vulnerability analysis results on differentcampus mobile applications, this study aims to identify common vulnerability patterns and providerecommendations for improvements following the OWASP Mobile Top 10 security standards. Thetest results show that MySIX ITB and WeAreUI have the most vulnerabilities compared to the otherthree campuses, with 24 vulnerabilities from three different tools. However, if we look at theconsensus between the three tools, MySIX ITB is the most vulnerable application, withvulnerabilities in five categories: M3, M5, M6, M8, and M9. In addition to using three differenttools to strengthen the vulnerability detection rate, we also found some new knowledge. The first isthat all three tools have the same agreement for detecting M2, M6, and M8, which shows the highreliability of the three tools for the categories mentioned. The second is the knowledge that QARKmakes the most different decisions from the other two tools. The test results show that QARK makesdifferent decisions eight times. We also learned that for the four campus mobile apps, developersshould pay more attention to two categories detected by each tool, namely M6 and M8, or InadequatePrivacy Controls and Security Misconfiguration, respectively. Finally, there is knowledge that thestrength of the four mobile apps is resistance to M2; in other words, each campus has used thirdpartylibraries well.]]>
