A multi-tier security analysis of official car management apps for Android

Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work offers the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinized statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we also run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitized input, and weak user password policies, to mention just a few.

CHATZOGLOU Efstratios;  KAMPOURAKIS Georgios;  KOULIARIDIS Vasileios; 

2021-03-01

Multidisciplinary Digital Publishing Institute (MDPI)

JRC123937

1999-5903 (online),   

https://www.mdpi.com/1999-5903/13/3/58,    https://publications.jrc.ec.europa.eu/repository/handle/JRC123937,   

10.3390/fi13030058 (online),