[YesAuto Internet Travel] The mobile phone is the “person” who knows you best, and its privacy and security issues have flared up from time to time over the past few years. Our account numbers, passwords and even small secrets are stored on the phone. Once it is “hacked”, the loss and impact may be huge.

Since automobiles entered the connected era, OEMs have successively developed their own mobile apps for vehicle information queries, remote control and community operations. The goal of our “Internet of Vehicles App Information Security Test” project is to explore the security level of each car company's app and how much importance it attaches to user information security.

In the previous issue, we tested a variety of apps from Chinese brands. This issue focuses on mainstream overseas brands to see whether overseas brands attach more importance to information security.

In order to explore the privacy and security levels of various apps, Autohome cooperates with third-party organizations to find possible vulnerabilities in the Internet of Vehicles mobile apps through rigorous code analysis and point out their security risks.

Personal privacy and information security issues should not be underestimated. It is hoped that the “Automobile App Information Security Test” can help consumers urge companies to pay more attention to privacy and security issues, and at the same time push auto companies to keep improving their level of information security protection.

Overview of Tested App Results

The apps tested in this phase are iBuick 8.5.1 (SAIC-GM Buick), My Mazda 1.0.4 (FAW-Mazda), Dongfeng Honda_link 1.0.1 (Dongfeng Honda), Dongfeng Peugeot Zhixing 3.0.2 (Dongfeng Peugeot), Dongfeng Citroen Zhixing 3.0.2 (Dongfeng Citroen), Lingxing 1.2.1 (GAC Mitsubishi), Nissan Zhilian 1.5.0 (Dongfeng Nissan), SAIC-Volkswagen 1.0.9, FAW-Volkswagen 3.0.7 and FAW-Toyota 4.0.2, a total of 10 apps. The tested object is the Android APK software package, and the test takes the form of code analysis by a third-party agency.

Note: Because of the testing and content production cycle, each app has since been updated to a greater or lesser extent. The test results apply only to the app version numbers listed above, and only to the Android phone version.

This issue involves 10 brands and more than 50 models, many of which are at the forefront or even the top of the sales rankings. We also hope that the “Automobile App Information Security Test” helps more consumers understand the information security level of their car's mobile app.

Code analysis results and interpretation

On this project, we did not cooperate with any car company, but handed the Android APK software packages directly to an authoritative third-party testing agency for code analysis. Because of a certain delay in the test time, the test conclusion applies only to the Android version of each mobile app, and only to the software version indicated in the article. In theory, because Apple runs its own security testing on the iPhone version of an app, the software security there may be relatively better. The following are the code test results and some simple interpretations.

SAIC-GM Buick's iBuick has the best code analysis score, almost full marks. In the entire test it has only 1 problem and no risk vulnerabilities. Simply put, “problems” are relatively unreasonable places in the app code, while “risk vulnerabilities” can be exploited by others. Depending on the degree of risk, personal information may be stolen and the vehicle may even be unlocked and controlled.

The only problem with iBuick is in the file test. This kind of problem means that the files stored on the device are not well encrypted and protected. Others may steal these files, then replace, modify or even reverse-engineer them. Key information is especially sensitive: stealing the key information is equivalent to getting your account password.

Dongfeng Honda_link scored 96 points, ranking second. A total of 5 problems were found in the test, and there were no risk vulnerabilities. In addition to 1 file test problem, there are 4 description file (Information) problems.

A description file problem refers to a security risk in the information being sent. As with local files, if the information can be intercepted, there is an information security risk. In terms of the breakdown by risk level, three of Dongfeng Honda_link's problems reach the warning level.

FAW-Volkswagen, Nissan Zhilian, Dongfeng Peugeot Zhixing and Dongfeng Citroen Zhixing each scored 95.5 points. Their risks and numbers of problems are also exactly the same: 6 problems each, including 5 description file problems and 1 file problem. There are no risk vulnerabilities, and three problems reach the warning level.

GAC Mitsubishi's Lingxing scored 95 points. Compared with the previous four apps, Lingxing has 4 problems that reach the warning level, so its score is 0.5 points lower. The remaining apps scored below 90 points.

There are 15 problems with the SAIC-Volkswagen app. In addition to the description file and file test problems mentioned above, there is 1 broadcast test (Broadcast) problem and there are 2 web browsing test (Webview) problems.

Broadcast problems and vulnerabilities give fake cloud servers an opening, so that our software may be remotely controlled or used by Trojan horse programs. The controlled software may keep sending messages to the cloud, blocking our access to normal services through the server. Web browsing vulnerabilities affect our security when viewing web pages. Code testing in this area covers web access permissions, scope, and verification of user information.

Mazda’s My Mazda and the FAW-Toyota app scored 86 points and 85.5 points respectively in the test. My Mazda had problems in the certification test (Qualification). Usually the certificate's authentication system makes its judgment based on your usual device, user ID and key. If the software certificate is at risk of being tampered with or copied, your identity information may be fraudulently used by criminals.

Summary of this article

The above are the code test results of ten overseas brand car networking mobile apps. Looking back at the test results, we are very happy to see that none of the car companies' mobile apps has risk vulnerabilities; there are only code problems. The actual possibility of being attacked by hackers and criminals is relatively small. The final results should also be viewed dialectically. First of all, “the more you do, the more mistakes you make.” To give a very simple example, only apps with web browsing capabilities can have web browsing code problems. The ten apps vary in the complexity of their features. The test deducts points based on the number of code problems and the degree of risk, so apps with many functions naturally suffer. Of course, as consumers, we still hope that car companies, while providing more convenient services, also protect the privacy and information security of car owners to the greatest extent. (Photo/Zheng Xu, Autohome)