
Static Analysis of Android Apps Interaction with Automotive CAN

Conference paper, Smart Computing and Communication (SmartCom 2018).

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 11344)

Abstract

Modern car infotainment systems let users connect an Android device to the vehicle. The device then interacts with the car's hardware, offering the driver new ways to interact with it. The same connection can be abused and become a major entry point into the car, with serious security consequences: the Android device can both read sensitive data (speed, model, airbag status) and send dangerous commands (brake, lock, airbag deployment). The scenario is all the more unsettling because Android devices are also connected to the cloud, which opens the door to remote attacks by malicious users or from the wider Internet. The OpenXC platform is an open-source API that allows Android apps to interact with the car's hardware. This article studies this library and shows how it can be used to mount injection attacks. It then introduces a novel static analysis that identifies such attacks before they can occur. The analysis has been implemented in the Julia static analyzer and finds injection vulnerabilities in actual apps from the Google Play marketplace.
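The injection pattern the abstract describes, as an added example that is not code from the paper, from the Julia analyzer or from the OpenXC project: a small flow-sensitive taint analysis over a constructed intermediate representation, which reports the case where network-supplied data reaches OpenXC's VehicleManager.send without passing through validation. The source list, the sanitizer name validateCommand, the instruction format and both sample programs are assumptions made for illustration.

```python
"""Toy forward taint analysis for the OpenXC injection pattern.

Added example; it is not the paper's Julia analysis and not OpenXC code.
It models the flow the abstract warns about: data that an Android app
receives from the network (or from another app) reaching the OpenXC call
that writes towards the vehicle, without passing through validation.
"""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# Constructed three-address IR (not Dalvik or Java bytecode):
#   ("const",  dst, literal)          dst = literal
#   ("assign", dst, src)              dst = src
#   ("call",   dst, callee, args)     dst = callee(args...); dst may be None
Instr = Tuple

# Assumed source/sink/sanitizer tables. VehicleManager.send is the OpenXC
# entry point that pushes a message towards the car; the source names stand
# for untrusted Android inputs, and validateCommand is a hypothetical
# app-level allow-list check.
SOURCES = {"HttpURLConnection.getInputStream", "Intent.getStringExtra",
           "Socket.getInputStream"}
SINKS = {"VehicleManager.send"}
SANITIZERS = {"validateCommand"}


@dataclass
class Finding:
    index: int          # position of the sink call in the program
    callee: str
    tainted_args: List[str]


def analyze(program: Sequence[Instr]) -> List[Finding]:
    """Flow-sensitive taint propagation over straight-line code.

    Taint enters at SOURCES, is cleared by SANITIZERS and by constants, and
    otherwise propagates from any tainted argument to the call's result.
    A sink invoked with a tainted argument is reported. Branches, loops,
    fields and aliasing are not modelled, to keep the example small.
    """
    tainted: Set[str] = set()
    findings: List[Finding] = []
    for i, ins in enumerate(program):
        kind = ins[0]
        if kind == "const":
            tainted.discard(ins[1])
        elif kind == "assign":
            _, dst, src = ins
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif kind == "call":
            _, dst, callee, args = ins
            bad = [a for a in args if a in tainted]
            if callee in SINKS and bad:
                findings.append(Finding(i, callee, bad))
            if dst is None:
                continue
            if callee in SOURCES:
                tainted.add(dst)
            elif callee in SANITIZERS:
                tainted.discard(dst)
            elif bad:
                tainted.add(dst)    # result derived from untrusted data
            else:
                tainted.discard(dst)
        else:
            raise ValueError(f"unknown instruction {ins!r}")
    return findings


# Constructed program: the app fetches a JSON command from a cloud endpoint
# and forwards it to the vehicle unchanged.
VULNERABLE: List[Instr] = [
    ("call", "conn", "URL.openConnection", []),
    ("call", "body", "HttpURLConnection.getInputStream", ["conn"]),
    ("const", "key", "command"),
    ("call", "cmd", "JSONObject.getString", ["body", "key"]),
    ("call", "msg", "VehicleMessage.<init>", ["cmd"]),
    ("call", None, "VehicleManager.send", ["msg"]),
]

# Same program with the command checked against an allow-list first.
HARDENED: List[Instr] = VULNERABLE[:4] + [
    ("call", "safe", "validateCommand", ["cmd"]),
    ("call", "msg", "VehicleMessage.<init>", ["safe"]),
    ("call", None, "VehicleManager.send", ["msg"]),
]


if __name__ == "__main__":
    for name, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        found = analyze(prog)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print(f"  instr {f.index}: {f.callee} receives tainted {f.tainted_args}")
```

Running the module reports one finding for the vulnerable program (the send at instruction 5 receives a message built from the HTTP response) and none for the hardened one. A production analysis of Java bytecode, such as the one the paper implements, must additionally track control flow, heap fields and aliasing, which this straight-line model deliberately omits.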




Corresponding author: Pietro Ferrara.


Copyright information

© 2018 Springer Nature Switzerland AG


Cite this paper

Panarotto, F., Cortesi, A., Ferrara, P., Mandal, A.K., Spoto, F. (2018). Static Analysis of Android Apps Interaction with Automotive CAN. In: Qiu, M. (ed.) Smart Computing and Communication. SmartCom 2018. Lecture Notes in Computer Science, vol 11344. Springer, Cham. https://doi.org/10.1007/978-3-030-05755-8_12


  • DOI: https://doi.org/10.1007/978-3-030-05755-8_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05754-1

  • Online ISBN: 978-3-030-05755-8
