Home / Digital News / Insecure Android apps put connected cars at risk

Insecure Android apps put connected cars at risk

applications that allow millions of owners to remotely locate and unlock their vehicles are missing features that could prevent tampering by hackers.

Researchers from antivirus vendor Kaspersky Lab took seven of the most popular apps that accompany cars from various manufacturers and analyzed them from the perspective of a compromised Android device. The apps and manufacturers have not been named.

The researchers looked at whether such apps use any of the available countermeasures that would make it hard for attackers to hijack them when the devices they’re installed on are infected with malware. Other types of applications, such as banking apps, have such protections.

The analysis revealed that none of the tested applications used code obfuscation to make it harder for attackers to reverse engineer them and none of them used code integrity checks to prevent malicious manipulation.

Two applications didn’t encrypt the login credentials stored locally and four encrypted only the password. None of the apps checked if the devices they’re running on are rooted, which could indicate that they’re insecure and possibly compromised.

Finally, none of the tested applications used overlay protections to prevent other apps from drawing over their screens. There are malware apps that display fake log-in screens on top of other apps in order to trick users to expose their log-in credentials.

While compromising apps might not directly enable theft, it could make it easier for would-be thieves. Most such apps, or the credentials they store, can be used to remotely unlock the vehicle and disable its alarm system.

“Also, the risks should not be limited to mere car theft,” the Kaspersky researchers said in a blog post. “Accessing the car and deliberate tampering with its elements may lead to road accidents, injuries, or death.”

While manufacturers are rushing to add features to cars that are meant to improve the experience for car owners, they tend to focus more on securing the back-end infrastructure and the communications channels. However, the Kaspersky researchers warn that client-side code, such as the accompanying apps, should not be ignored as it’s the easiest target for attackers and most likely the most vulnerable spot.

“Being an expensive thing, a car requires an approach to that is no less meticulous than that of a bank account,” the researchers said.

Check Also

Google will review web apps that want access to its users’ data

In response to recent attacks where hackers abused Google’s OAuth services to gain access to …

Leave a Reply

Your email address will not be published. Required fields are marked *