Indonesian Journal of Electrical Engineering and Computer Science
Vol. 28, No. 2, November 2022, pp. 1020~1027
ISSN: 2502-4752, DOI: 10.11591/ijeecs.v28.i2.pp1020-1027
Journal homepage: http://ijeecs.iaescore.com

Threat modeling in application security planning citizen service complaints

Agus Tedyyana 1, Fajar Ratnawati 1, Elgamar Syam 2, Fajri Profesio Putra 1
1 Department of Informatics Engineering, Politeknik Negeri Bengkalis, Riau, Indonesia
2 Department of Informatics, Universitas Islam Kuantan Singingi, Riau, Indonesia

Article Info
Article history: Received Jan 16, 2022; Revised Jul 23, 2022; Accepted Aug 29, 2022

ABSTRACT
The mobile-based service complaint application is one way to implement good governance today. The public is able to make complaints without going through a complicated process. Security aspects must be considered to protect user privacy. The security design must be considered so that users are not harmed by using the application. This study used threat modeling during the planning stage of developing a citizen service complaint application to obtain information about vulnerabilities. The researchers use the threat modeling process formulated by the Open Web Application Security Project (OWASP) as a framework. The researchers took steps to describe application information, determine and rank threats, and identify countermeasures and mitigation. In the final stage, the spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE) threat modeling methodology is used to analyze and assess mitigation actions against threats in the application. Based on the threat analysis results, the researchers obtain a defense strategy to reduce the danger. Threat modeling in the early phase of the software development life cycle is constructive in ensuring that software is developed with adequate security based on threat mitigation from the beginning.
Keywords: Abuse case, Application security, Citizen services, STRIDE, Threat modeling

This is an open access article under the CC BY-SA license.

Corresponding Author:
Agus Tedyyana
Department of Informatics Engineering, Politeknik Negeri Bengkalis
Bengkalis, Riau, Indonesia
Email: agustedyyana@polbeng.ac.id

1. INTRODUCTION
Mobile platforms are increasingly used in application development. With so many applications customized in this way, there is the possibility of a significant security risk to the application. Abundant features and rich functionality create opportunities for attackers to steal sensitive data from application users [1]. The development of smartphone technology and increasing internet activity have made digital data more diverse. Photos, videos, text, IP addresses, cookies in the browser, and global positioning system (GPS) coordinates are all types of digital data [2]. For example, if the application is not designed correctly from a security point of view, attackers can take data such as names, places of birth, addresses, and telephone numbers. One example of a vulnerability is an application designed without attention to the encryption of user data: user data can be stolen when users connect over public Wi-Fi, where attackers can easily snoop on the data that users send [3]. According to the announcement of the Cyber Operation Security Center for the Indonesian National Cyber and Crypto Agency, during 2019, the point-of-view monitoring system detected around 290.3 million cyberattacks (intrusions) into the Indonesian internet network. The largest was a data leak test attack,