Static analysis of Android Auto infotainment and on‐board diagnostics II apps

Mandal, Amit Kr; Cortesi, Agostino; Ferrara, Pietro
2019-01-01

Abstract

Smartphone and automotive technologies are rapidly converging, letting drivers enjoy communication and infotainment facilities and monitor in-vehicle functionalities via on-board diagnostics (OBD) technology. Among the various automotive apps available in playstores, Android Auto infotainment and OBD-II apps are widely used and are the most popular choice for smartphone-to-car interaction. Automotive apps have the potential to turn cars into smartphones on wheels, but they can also be a gateway for attacks. This paper defines a static analysis that identifies potential security risks in Android infotainment and OBD-II apps. It identifies a set of potential security threats and presents an actual static analyzer for such apps. The analyzer has been applied to most of the highly rated infotainment apps available in the Google Play store, as well as to the available open-source OBD-II apps, against a set of possible exposure scenarios. Results show that almost 60% of such apps are potentially vulnerable and that 25% pose security threats related to the execution of JavaScript. The analysis of the OBD-II apps shows possibilities of severe controller area network injections and privacy violations, because of leaks of sensitive information.
2019
49
Files in this item:

File: Software Practice & Exp. 20-03-2019 (1).pdf
Access: open access
Description: preprint
Type: Pre-print document
License: Free access (view only)
Size: 2.68 MB
Format: Adobe PDF

File: spe.2698.pdf
Access: not available
Description: publisher's version
Type: Publisher's version
License: Closed access (personal)
Size: 2.64 MB
Format: Adobe PDF

Documents in ARCA are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/10278/3714436
Citations
  • PMC: ND
  • Scopus: 30
  • ISI: 20