An Approach for the Identification of Information Leakage in Automotive Infotainment systems
This addresses security and privacy risks for users of modern cars with infotainment systems, but it is incremental as it applies existing static analysis methods to a new domain.
The paper tackled the problem of information leakage in automotive infotainment systems by investigating security vulnerabilities in in-vehicle apps, specifically through inter-component communication, and developed a static analysis tool to identify and mitigate these leaks, evaluating it on Android Auto apps from the Google Play Store with validated results.
The advancements in the digitization world has revolutionized the automotive industry. Today's modern cars are equipped with internet, computers that can provide autonomous driving functionalities as well as infotainment systems that can run mobile operating systems, like Android Auto and Apple CarPlay. Android Automotive is Google's android operating system tailored to run natively on vehicle's infotainment systems, it allows third party apps to be installed and run on vehicle's infotainment systems. Such apps may raise security concerns related to user's safety, security and privacy. This paper investigates security concerns of in-vehicle apps, specifically, those related to inter component communication (ICC) among these apps. ICC allows apps to share information via inter or intra apps components through a messaging object called intent. In case of insecure communication, Intent can be hijacked or spoofed by malicious apps and user's sensitive information can be leaked to hacker's database. We investigate the attack surface and vulnerabilities in these apps and provide a static analysis approach and a tool to find data leakage vulnerabilities. The approach can also provide hints to mitigate these leaks. We evaluate our approach by analyzing a set of Android Auto apps downloaded from Google Play store, and we report our validated results on vulnerabilities identified on those apps.