Static analysis of Android Auto infotainment and on‐board diagnostics II apps

• Published in: Software, practice & experience Vol. 49; no. 7; pp. 1131 - 1161
• Main Authors: Mandal, Amit Kr, Panarotto, Federica, Cortesi, Agostino, Ferrara, Pietro, Spoto, Fausto
• Format: Journal Article
• Language: English
• Published: Bognor Regis Wiley Subscription Services, Inc 01.07.2019
• Subjects: abstract interpretation; Android auto security; Applications programs; Automobiles; Automotive electronics; Automotive wheels; Controller area network; in‐vehicle infotainment system; ODB‐II app security; Smartphones; static analysis; Threat evaluation; Vehicle wheels
• ISSN: 0038-0644; 1097-024X
• DOI: 10.1002/spe.2698

Summary Smartphone and automotive technologies are rapidly converging, letting drivers enjoy communication and infotainment facilities and monitor in‐vehicle functionalities, via on‐board diagnostics (OBD) technology. Among the various automotive apps available in playstores, Android Auto infotainment and OBD‐II apps are widely used and are the most popular choice for smartphone to car interaction. Automotive apps have the potential of turning cars into smartphones on wheels but can be also the gateway of attacks. This paper defines a static analysis that identifies potential security risks in Android infotainment and OBD‐II apps. It identifies a set of potential security threats and presents an actual static analyzer for such apps. It has been applied to most of the highly rated infotainment apps available in the Google Play store, as well as on the available open‐source OBD‐II apps, against a set of possible exposure scenarios. Results show that almost 60% of such apps are potentially vulnerable and that 25% pose security threats related to the execution of JavaScript. The analysis of the OBD‐II apps shows possibilities of severe controller area network injections and privacy violations, because of leaks of sensitive information.