Cybersecurity experts warn of risks of unofficial apps for cars


Automotive mobile apps offer a wide range of features to make life easier for drivers. They allow you to control your vehicle remotely, open or close the doors, adjust the climate and even start or stop the engine. Many apps are provided by car manufacturers, but there are also third-party apps that are popular with users and offer many features that are not yet available from official brands.

Cybersecurity firm Kaspersky analyzed 69 third-party apps designed for connected cars, covering nearly every major car brand, including Tesla, Nissan, Renault, Ford and Volkswagen. Experts identified the main privacy risks faced by users and found that more than half of the apps, or 58%, did not warn about the risks of using the car owner's account for the original car manufacturer's services.

Some developers recommend using an authorization token instead of a username and password to appear more trustworthy. However, if the token is compromised, cybercriminals can access the car as if they had the victim's credentials, so the risk of losing control of the vehicle remains high. Even so, only 19% of manufacturers mentioned or warned about this risk.

The report also revealed that one in seven, or 14 percent, of apps did not provide contact details for the manufacturer, making it impossible to report possible bugs or ask for more information about the privacy policy. This suggests that most of these apps were not developed by specialized companies, which Kaspersky believes is not necessarily a bad thing, but it means that, in general, there is a little less focus on vehicle and information security than there would be if the app came from the respective manufacturer.

Kaspersky experts pointed out that 46 of the 69 apps analysed are free or offer a trial version, which explains the more than 239,000 downloads from the Google Play Store. This shows that people are unaware of the risks of allowing strangers into their vehicles.

“The benefits of a connected world are countless. However, it must be remembered that this is a developing industry, so there are certain risks. Users must be aware of these threats when downloading third-party applications to remotely control their car. Private information and personal data are entrusted to connected technologies. Unfortunately, not all developers act responsibly when storing and collecting data, which results in users exposing their personal information. This data can be accessed from the “dark web” for sale, and end up in unreliable hands. Cybercriminals can not only steal personal data and credentials, but also gain access to vehicles, resulting in dangerous situations for personal safety. For these reasons, we urge app developers to prioritize user protection, and take steps to avoid harming their customers and themselves,” commented Sergey Zorin, Head of Cybersecurity at Kaspersky.

Kaspersky experts recommend users:

  • Only download apps from official sources such as the Apple App Store, Google Play, or the Amazon Appstore. While not 100% secure, applications are vetted and filtered on these platforms.
  • Review application permissions critically and consider them carefully before granting them, especially when high-risk permissions are involved, such as accessibility services. For example, the only permission a flashlight application needs is one that allows access to flashlight functions.
  • Use a reliable security solution to detect malicious apps and adware before they attack your device.
  • Regularly update the operating system and all software. Many security issues can be resolved by following this simple step.

Suggestions for programmers are as follows:

  • Employ solutions that protect the software development process, monitor applications as they run, perform scans for possible vulnerabilities, and perform regular security analysis. As attacks on the supply chain via public repositories become more frequent, the application development process needs more protection from outside interference.
  • Use specialized solutions. Kaspersky Hybrid Cloud Security addresses the security needs of developers, as it secures Docker and Windows containers and provides a “Security as Code” approach with host memory protection or image and interface scanning. In this way, security tasks can be integrated into the CI/CD pipeline without affecting the development process.
  • Implement protection mechanisms in your application. The Kaspersky Mobile SDK solution guarantees customers data protection, detection of malicious software, secure connections, and more.

