Vulnerability analysis of Android auto infotainment apps

Mandal, Amit Kr; Cortesi, Agostino; Ferrara, Pietro; Panarotto, Federica; Spoto, Fausto

doi:10.1145/3203217.3203278

Cited by 22 publications

(9 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nevertheless, while in this ecosystem, connected car apps are a popular subject, little research has been conducted so far towards evaluating them under the security and privacy prisms. Mandal et al [9] presented a static analysis approach to discover software vulnerabilities in Android auto infotainment apps [10]. They examined more than 20 infotainment apps available in Google Play at that time, and concluded that nearly 80% of them were potentially vulnerable.…”

Section: Related Workmentioning

confidence: 99%

A Multi-Tier Security Analysis of Official Car Management Apps for Android

2021

View full text Add to dashboard Cite

Using automotive smartphone applications (apps) provided by car manufacturers may offer numerous advantages to the vehicle owner, including improved safety, fuel efficiency, anytime monitoring of vehicle data, and timely over-the-air delivery of software updates. On the other hand, the continuous tracking of the vehicle data by such apps may also pose a risk to the car owner, if, say, sensitive pieces of information are leaked to third parties or the app is vulnerable to attacks. This work contributes the first to our knowledge full-fledged security assessment of all the official single-vehicle management apps offered by major car manufacturers who operate in Europe. The apps are scrutinised statically with the purpose of not only identifying surfeits, say, in terms of the permissions requested, but also from a vulnerability assessment viewpoint. On top of that, we run each app to identify possible weak security practices in the owner-to-app registration process. The results reveal a multitude of issues, ranging from an over-claim of sensitive permissions and the use of possibly privacy-invasive API calls, to numerous potentially exploitable CWE and CVE-identified weaknesses and vulnerabilities, the, in some cases, excessive employment of third-party trackers, and a number of other flaws related to the use of third-party software libraries, unsanitised input, and weak user password policies, to mention just a few.

show abstract

Section: Related Workmentioning

confidence: 99%

A Multi-Tier Security Analysis of Official Car Management Apps for Android

2021

View full text Add to dashboard Cite

show abstract

“…This approach has been widely applied to the detection of SQL injections in Web applications [66], leakages of sensitive data [26,27], etc. A first attempt to apply such approach to a scenario similar to IoT was performed by Mandal et al [47] and Panarotto et al [58], that utilized this approach to detect leakages and injection vulnerabilities in Android automotive apps [49]. Huuck [40] discussed the use static code analysis to detect some of these types of issues.…”

Section: Related Workmentioning

confidence: 99%

Static analysis for discovering IoT vulnerabilities

Ferrara

Mandal

Cortesi

et al. 2020

Int J Softw Tools Technol Transfer

Self Cite

View full text Add to dashboard Cite

The Open Web Application Security Project (OWASP), released the “OWASP Top 10 Internet of Things 2018” list of the high-priority security vulnerabilities for IoT systems. The diversity of these vulnerabilities poses a great challenge toward development of a robust solution for their detection and mitigation. In this paper, we discuss the relationship between these vulnerabilities and the ones listed by OWASP Top 10 (focused on Web applications rather than IoT systems), how these vulnerabilities can actually be exploited, and in which cases static analysis can help in preventing them. Then, we present an extension of an industrial analyzer (Julia) that already covers five out of the top seven vulnerabilities of OWASP Top 10, and we discuss which IoT Top 10 vulnerabilities might be detected by the existing analyses or their extension. The experimental results present the application of some existing Julia’s analyses and their extension to IoT systems, showing its effectiveness of the analysis of some representative case studies.

show abstract

“…Abstract Interpretation [13] is a mathematical framework, originally introduced by Cousot and Cousot in 1977, which provides a sound approximation of programs concrete semantics enabling sound answers to questions about programs run-time behaviors. The framework has been applied to different applications areas, from Security (e.g., [30,31]) to Databases (e.g., [32,33]), and to different programming environments (e.g., [34][35][36]). The idea is to lift concrete semantics to an abstract setting by replacing concrete values by suitable properties of interest, and simulating the concrete operations by sound abstract operations.…”

Section: Preliminaries: Abstract Interpretationmentioning

confidence: 99%

A Hierarchical and Abstraction-Based Blockchain Model

et al. 2019

Self Cite

View full text Add to dashboard Cite

In the nine years since its launch, amid intense research, scalability is always a serious concern in blockchain, especially in case of large-scale network generating huge number of transaction-records. In this paper, we propose a hierarchical blockchain model characterized by:(1) each level maintains multiple local blockchain networks, (2) each local blockchain records local transactional activities, and (3) partial views (tunable w.r.t. precision) of different subsets of local blockchain-records are maintained in the blockchains at next level of the hierarchy. To meet this objective, we apply abstractions on a set of transaction-records in a regular time interval by following the Abstract Interpretation framework, which provides a tunable precision in various abstract domain and guarantees the soundness of the system. While this model suitably fits to the real-worlds organizational structures, the proposal is powerful enough to scale when large number of nodes participate in a network resulting into an enormous growth of the network-size and the number of transaction-records. We discuss experimental results on a small-scale network with three sub networks at lower-level and by abstracting the transaction-records in the abstract domain of intervals. The results are encouraging and clearly indicate the effectiveness of this approach to control exponential growth of blockchain size w.r.t. the total number of participants in the network.

show abstract

Vulnerability analysis of Android auto infotainment apps

Cited by 22 publications

References 11 publications

A Multi-Tier Security Analysis of Official Car Management Apps for Android

A Multi-Tier Security Analysis of Official Car Management Apps for Android

Static analysis for discovering IoT vulnerabilities

A Hierarchical and Abstraction-Based Blockchain Model

Contact Info

Product

Resources

About