Security Company: Many Android Car Apps Are Unsafe


Security company Kaspersky gave a presentation at the RSA conference about the security of Android apps for cars, which can be used, for example, to open the doors. The seven apps examined were found to have various security vulnerabilities.

The researchers describe their findings in a blog post. They examined popular apps from various car manufacturers but do not disclose the manufacturers' identities. They say they have shared their findings with the companies. Among other things, they looked at protection against reverse engineering, checks for root permissions, and integrity checks that detect modified code.

They found that none of the apps under investigation took measures against reverse engineering, allowing a malicious party to easily examine the app's code and find vulnerabilities. In addition, all apps lack an integrity check, so modified code goes unnoticed. For example, according to the researchers, an attacker could inject malicious code into an app and place it in the Play Store as a legitimate app.

None of the apps check whether the phone is rooted, either. That carries risks, because malware on a phone with root access can do a lot of damage, according to the researchers. In addition, in two out of seven cases, the user's passwords are stored unencrypted. Protection against phishing by means of a malicious overlay is also lacking in all cases.

Because the apps can, for example, unlock the car doors or start the engine, a malicious party can potentially cause a lot of damage. The researchers say no malware targeting car apps has been discovered so far. However, it would not be difficult to develop malware that forwards a configuration file of such an app to a command and control server. One explanation for the absence of such malware could be that it is not yet economically attractive to develop it.

The findings per app
