Evaluating Network Security Configuration (NSC) Practices in Vehicle-Related Android Applications

Android applications have historically faced vulnerabilities to man-in-the-middle attacks due to insecure custom SSL/TLS certificate validation implementations. In response, Google introduced the Network Security Configuration (NSC) as a configuration-based solution to improve the security of certificate validation practices. NSC was initially developed to enhance the security of Android applications by providing developers with a framework to customize network security settings. However, recent studies have shown that it is often not being leveraged appropriately to enhance security. Motivated by the surge in vehicular connectivity and the corresponding impact on user security and data privacy, our research pivots to the domain of mobile applications for vehicles. As vehicles increasingly become repositories of personal data and integral nodes in the Internet of Things (IoT) ecosystem, ensuring their security moves beyond traditional issues to one of public safety and trust. To provide a view of the current vehicle apps security landscape, we delve into 122 vehicle-related apps, grouping them into three distinct categories: official car apps developed by manufacturers, general car-related apps, and OBD-II diagnostic tool apps. Our findings show that 68.85% of apps utilize NSC with varying degrees of NSC customization and security practices across these categories. Additionally, understanding that frequent updates often correlate with active maintenance and potential security patching, we analyze the update frequencies of the top ten downloaded apps in each category. The results provide valuable insight into app developers’ level of commitment to safety in the evolving automotive ecosystem. This research aims to drive awareness, underline existing security NSC practices, and pave the way for a more secure vehicular app environment.