Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Insecure Android Apps Expose Connected Cars

Researchers at Kaspersky Lab have analyzed several Android applications for connected cars and determined that most of them lack important security features, making it easier for hackers to unlock the vehicles.

Researchers at Kaspersky Lab have analyzed several Android applications for connected cars and determined that most of them lack important security features, making it easier for hackers to unlock the vehicles.

Carmakers often provide mobile applications that allow owners to control various functions remotely, including locking and unlocking doors, starting the engine, locating the vehicle, obtaining service information, and controlling air conditioning.

Kaspersky has analyzed seven of the most popular connected car Android applications, which have been installed by millions of users. The applications have not been named, but the security firm has reported its findings to their developers.

Researchers tested the apps to determine if they can be abused to steal a car or incapacitate its systems. They also looked for various security mechanisms, such as the use of obfuscation to prevent reverse engineering, checking if the device is rooted, checking the integrity of the code, and ensuring that the legitimate GUI is displayed to the user (i.e. overlay protection).

All the tested applications can be used to unlock a vehicle’s door and some of them also allow the user to start the engine. However, the aforementioned security features are mostly missing from the apps – only one encrypts the username and password, and none of them use obfuscation, overlay protection, root detection or code integrity checks.

The lack of security mechanisms makes it easier for a piece of malware that has infected the Android device to take control of the smart car app. And while hijacking the application does not allow an attacker to drive away with the car, it does allow them to unlock it and disable its alarm, which can make it easier to steal.

Researchers said car apps should be as secure as online banking apps, but they believe these applications currently represent the weakest link.

In November, researchers at Norway-based security firm Promon demonstrated how thieves with the necessary hacking skills can track and steal Tesla vehicles through the carmaker’s Android app. At the time, Tesla said the vulnerabilities exploited by the researchers were not specific to its products, and argued that once a smartphone is hacked, all the apps stored on it are compromised.

Kaspersky researchers agree, but they told SecurityWeek that certain security mechanisms can make exploitation more difficult, even if the attacker has root access to the device.

“If you store users’ data in an encrypted storage (in addition to default Android secure storage which can be accessed by root-rights owner), if your app has a root-detection feature, if the code of the app is obfuscated and if it does a self-integrity check, it would be much-much harder for an attacker to break it and steal your users’ private data or even get access to their cars’ control,” the researchers said.

Related: Millions of Cars Vulnerable to Remote Unlocking Hack

Related: Researchers Hack Mitsubishi Outlander PHEV

Related: Cars Plagued by Many Serious Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.