Static Analysis of Android Apps Interaction with Automotive CAN

Panarotto, Federica; Cortesi, Agostino; Ferrara, Pietro; Mandal, Amit Kr; Spoto, Fausto

doi:10.1007/978-3-030-05755-8_12

Cited by 5 publications

(2 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They examined more than 20 infotainment apps available in Google Play at that time, and concluded that nearly 80% of them were potentially vulnerable. Panarotto et al [11] examined the OpenXC library (http://openxcplatform.com/ (accessed on 20 February 2021)), which provides Android apps with a way, i.e., API, to interact with the car's hardware, and showed how this library can be exploited in the context of injection attacks. Furthermore, the authors proposed a static analysis approach which, according to the authors, nips such attacks in the bud.…”

Section: Related Workmentioning

confidence: 99%

A Multi-Tier Security Analysis of Official Car Management Apps for Android

2021

View full text Add to dashboard Cite

Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work contributes the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinised statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the, in some cases, excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitised input, and weak user password policies, to mention just a few.

show abstract

Section: Related Workmentioning

confidence: 99%

A Multi-Tier Security Analysis of Official Car Management Apps for Android

2021

View full text Add to dashboard Cite

show abstract

“…This approach has been widely applied to the detection of SQL injections in Web applications [66], leakages of sensitive data [26,27], etc. A first attempt to apply such approach to a scenario similar to IoT was performed by Mandal et al [47] and Panarotto et al [58], that utilized this approach to detect leakages and injection vulnerabilities in Android automotive apps [49]. Huuck [40] discussed the use static code analysis to detect some of these types of issues.…”

Section: Related Workmentioning

confidence: 99%

Static analysis for discovering IoT vulnerabilities

Ferrara

Mandal

Cortesi

et al. 2020

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

The Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies.

show abstract

Static analysis of Android Auto infotainment and on‐board diagnostics II apps

et al. 2019

View full text Add to dashboard Cite

Summary Smartphone and automotive technologies are rapidly converging, letting drivers enjoy communication and infotainment facilities and monitor in‐vehicle functionalities, via on‐board diagnostics (OBD) technology. Among the various automotive apps available in playstores, Android Auto infotainment and OBD‐II apps are widely used and are the most popular choice for smartphone to car interaction. Automotive apps have the potential of turning cars into smartphones on wheels but can be also the gateway of attacks. This paper defines a static analysis that identifies potential security risks in Android infotainment and OBD‐II apps. It identifies a set of potential security threats and presents an actual static analyzer for such apps. It has been applied to most of the highly rated infotainment apps available in the Google Play store, as well as on the available open‐source OBD‐II apps, against a set of possible exposure scenarios. Results show that almost 60% of such apps are potentially vulnerable and that 25% pose security threats related to the execution of JavaScript. The analysis of the OBD‐II apps shows possibilities of severe controller area network injections and privacy violations, because of leaks of sensitive information.

show abstract

Static Analysis of Android Apps Interaction with Automotive CAN

Cited by 5 publications

References 10 publications

A Multi-Tier Security Analysis of Official Car Management Apps for Android

A Multi-Tier Security Analysis of Official Car Management Apps for Android

Static analysis for discovering IoT vulnerabilities

Static analysis of Android Auto infotainment and on‐board diagnostics II apps

Contact Info

Product

Resources

About