What are the security problems faced by car networking software?
Detection and diagnosis technology for mobile apps in the Internet of Vehicles is an important foundation for the safe operation of vehicles. As the number of vehicles grows, the operational security of these apps has attracted wide attention from all walks of life. While giving users a convenient and personalized experience, connected-car mobile apps also face many information security threats. I have made the following summary of the main security threats that currently exist in car networking mobile apps:

1. Client security

Client security threats mainly include configuration security, component security and code security. Configuration security: the debuggable and allowBackup attributes of the mobile app are not set to false before official release, which exposes the app to debugging and arbitrary backup. Component security: before release, the exported attribute of activities, services, content providers and broadcast receivers is set incorrectly, which exposes those components. Code security: the app's code is not obfuscated and hardened before release, so attackers can easily recover the source code with decompilation tools such as dex2jar, Jadx and apktool. The main risks here are file decompilation risks, such as signature verification risk and dex file decompilation risk.

2. Data security

While the car networking mobile app is in use, user information is stored on the owner's phone. If the developer's security awareness is weak, the user's private information is not encrypted and is stored on the phone in plaintext. An attacker then only needs root access to the user's phone to be able, in theory, to steal all of the user's personal information. In addition, if log output is not well controlled, sensitive information (user names, passwords, etc.) can be leaked to anyone viewing the real-time log through adb or monitor. Finally, data is often encrypted to ensure its privacy and confidentiality, so safe storage of keys is very important: if the key is leaked, the encrypted data is no longer secure. The main data security risks are plaintext storage of SharedPreferences data, plaintext storage of SQLite data, Logcat log data leakage, and hard coding.

3. Communication security

During communication between the app and the TSP, a lot of user privacy information is transmitted. If critical data traffic is not encrypted in transit, private information about vehicles or users is easily disclosed. In addition, a lot of vehicle remote control information is transmitted during V2X communication. For example, in car-to-person communication the user remotely controls the vehicle through the car networking mobile app. If the identities of the two communicating parties are not authenticated in this process, an attacker can hijack and tamper with communication messages and replay forged ones, thereby controlling the vehicle and posing a serious threat to the driver's life.

An attacker can also gain prior knowledge of the communication protocol by repeatedly testing the vehicle, and then attack the vehicle by forging its remote control messages. Communication security threats mainly include insecure communication protocols, insecure authentication and unencrypted key data.

4. Business security

These risks arise mainly when developers do not strictly follow mobile application development guidelines and handle the business logic and functional modules of the car networking mobile app improperly. They mainly include identity authentication risks, such as arbitrary user login, password brute-forcing and account cancellation; captcha mechanism risks, such as captcha brute-forcing, the captcha being echoed back, and unlimited captcha sending; payment mechanism risks, such as tampering with the payment amount and tampering with the quantity of goods; remote control risks, such as tampering with vehicle control instructions and replaying vehicle control instructions; and general Web vulnerability risks, such as SQL injection, XSS and unauthorized access.