On the Security of Mobile and Auto Companion Apps

Today’s smartphone platforms have millions of applications, which not only access users’ private data but also information from the connected external services and IoT/CPS devices. Mobile application security involves protecting sensitive information and securing communication between the application and external services or devices. We focus on these two key aspects of mobile application security.

In the first part of this dissertation, we aim to ensure the security of user information collected by mobile apps. Mobile apps seek consent from users to approve various permissions to access sensitive information such as location and personal information. However, users often blindly accept permission requests and apps start to abuse this mechanism. As long as a permission is requested, the state-of-the-art security mechanisms will treat it as legitimate. We ask the question whether the permission requests are valid? We attempt to validate permission requests using statistical analysis on permission sets extracted from groups of functionally similar apps. We detected mobile applications with abusive permission access and measure the risk of information leaks through each mobile application.

Second, we propose to investigate the security of auto companion apps. Auto companion apps are mobile apps designed to remotely connect with cars to provide features such as diagnostics, navigation, entertainment, and safety alerts. However, this can lead to several security threats, for instance, onboard information of vehicles can be tracked or altered through a malicious app. We design a comprehensive security analysis framework on automotive companion apps all stages of communication and collaboration between vehicles and companion apps such as connection establishment, authentication, encryption, information storage, and Vehicle diagnostic and control command access. By conducting static and network traffic analysis of Android OBD apps, we identify a series of vulnerability scenarios. We further evaluate these vulnerabilities with vehicle-based testing and identify potential security threats associated with auto companion apps