An Approach for the Identification of Information Leakage in Automotive Infotainment systems

TL;DR

This paper presents a static analysis method and tool to detect data leakage vulnerabilities in Android Auto infotainment apps, addressing security concerns related to inter-component communication and malicious app hijacking.

Contribution

It introduces a novel static analysis approach and tool specifically designed to identify information leakage vulnerabilities in automotive infotainment applications.

Findings

Identified multiple data leakage vulnerabilities in real Android Auto apps

Demonstrated effectiveness of the approach in analyzing apps from Google Play

Provided mitigation hints for security improvements

Abstract

The advancements in the digitization world has revolutionized the automotive industry. Today's modern cars are equipped with internet, computers that can provide autonomous driving functionalities as well as infotainment systems that can run mobile operating systems, like Android Auto and Apple CarPlay. Android Automotive is Google's android operating system tailored to run natively on vehicle's infotainment systems, it allows third party apps to be installed and run on vehicle's infotainment systems. Such apps may raise security concerns related to user's safety, security and privacy. This paper investigates security concerns of in-vehicle apps, specifically, those related to inter component communication (ICC) among these apps. ICC allows apps to share information via inter or intra apps components through a messaging object called intent. In case of insecure communication, Intent can be hijacked or spoofed by malicious apps and user's sensitive information can be leaked to hacker's database. We investigate the attack surface and vulnerabilities in these apps and provide a static analysis approach and a tool to find data leakage vulnerabilities. The approach can also provide hints to mitigate these leaks. We evaluate our approach by analyzing a set of Android Auto apps downloaded from Google Play store, and we report our validated results on vulnerabilities identified on those apps.