How to Avoid Privacy Risks from Third-party Automotive Apps

Image sourced from Pixabay.

Mobile applications for connected cars provide various features to make life easier for motorists, but they can also be a source of risk.

Kaspersky experts have analysed 69 popular third-party mobile applications designed to control connected cars and defined the main threats drivers may face while using them. They found out that more than half (58%) of these applications use the vehicle owners’ credentials without asking for their consent. On top of this, one in five of the applications have no contact information, which makes it impossible to report a problem. These and other findings are published in the new Kaspersky Connected Apps report.

Connected automotive applications provide a wide range of functions to make drivers’ lives easier. For example, they allow users to remotely control their vehicles by locking or unlocking the doors, adjusting climate control, starting and stopping the engine, etc.

Even though most car manufacturers have their own legitimate applications for the cars they make, third-party apps designed by mobile developers are also very popular among users as they may offer unique features that have not yet been introduced by the vehicle manufacturer.

The third-party applications analysed by Kaspersky cover almost all major vehicle brands, with Tesla, Nissan, Renault, Ford and Volkswagen in the top-5 cars most often controlled by such apps. However, these applications are not entirely safe to use, claim Kaspersky researchers.

Some developers advise using the authorisation token instead of a username and password to look more credible. The tricky part here is that, if a token is compromised, malefactors can get access to the cars the same way they would by using victims’ credentials. This means that the risk of losing control over the vehicles is still high.

Users should be aware that everything is at their own risk and using authorisation tokens does not ensure total safety. Despite this, only 19% of developers mention this and warn the user without hiding it in several layers of fine print.

Moreover, every seventh (14%) application does not have information on how to contact the developer or give feedback, making it impossible to report a problem or request more information on the app’s privacy policy. The absence of official contact information and social network pages makes it clear that most of these apps are developed by enthusiasts, which is not necessarily a bad thing, however, such developers don’t have to care about your vehicle’s safety and data security like regulated vehicle manufacturers do.

It is also worth noting that 46 of the 69 applications are either free of charge or offer a demo mode. This has contributed to such applications being downloaded from the Google Play Store more than 239,000 times, which makes you wonder how many people are giving strangers free access to their cars.

“The benefits of a connected world are countless. However, it is important to note that this is still a developing industry, which carries certain risks. When downloading a third-party application to control your car remotely, users should be aware of possible threats. We entrust a lot of private information and personal data to connected technology,” Sergey Zorin, Head of Kaspersky Transportation Security at Kaspersky says.

“We urge application developers to make user protection a priority and take precautionary measures to avoid compromising their customers and themselves,” Zorin advises.

To learn more about the risks of using third-party applications for connected cars, visit Securelist.com.

For application developers, Kaspersky experts recommend the following advice:

  • Adopt solutions that secure the software development process through application control at runtime, scanning for vulnerabilities before deployment, routinely conducting security vetting of containers, and anti-malware testing of production artifacts. With supply chain attacks through public repositories becoming more frequent as of late, the development process is in need of enhanced protection against outside interference.
  • Kaspersky Hybrid Cloud Security meets developers’ needs. It secures Docker and Windows containers and provides a ‘security as code’ approach, with containerisation host memory protection, tasks for containers, image scanning, and scriptable interfaces.  So, you can integrate security tasks into CI/CD pipelines without impacting the development process.
  • Implement protection mechanisms into the application. Kaspersky Mobile SDK provides data protection for customers as well as malware detection, secure connectivity, and more.

Kaspersky experts recommend that users:

  • Only download apps from official stores like the Apple App Store, Google Play or Amazon Appstore. Apps from these markets are not 100% failsafe but they at least get checked by shop representatives and there is some filtration system in place, meaning that not every app can get into these stores.
  • Check the permissions of the apps you use and think carefully before permitting a process, especially when it comes to high-risk permissions such as access to Accessibility Services. The only permission that a flashlight app, for example, needs is access to the flashlight functionality.
  • Adopt a reliable security solution to help detect malicious apps and adware before they can start behaving badly on your device.
  • Don’t forget to update your operating system and all software regularly. Many safety issues can be resolved by installing updated versions of software.

Edited by Zintle Nkohla 

Follow Zintle Nkohla on Twitter

Follow IT News Africa on Twitter