Security Issues in Nissan’s Mobile App, NissanConnect, Could Potentially Put Users’ Data at Risk

Submitted by Filip Chytry, security expert, seculu.cz

As technology continues to advance, cars are increasingly becoming integrated into our mobile devices. Automotive brands are now releasing mobile apps, allowing users to connect their music streaming services, social networks, and search engines into the car’s system. One app that I’d like to highlight is NissanConnect, a mobile application from Nissan.

I would like to make it clear that issues discussed in this article are not unique to Nissan's app. They can be found in other apps out there. However, since I own a Nissan car, I had the chance to familiarize myself with the brand’s mobile app. I purchased a Nissan several months ago after reading many user reviews and taking into consideration various technological features of the car. Nissan, the car, is great, but I can't say the same thing about NissanConnect, the app. The companies responsible for its Satnav and the mobile app didn't perform sufficient QA testing. In my opinion, the lack of QA resulted in some security holes in the mobile application.

nissan app review

After installing and configuring NissanConnect, I encountered some issues and read more on reviews from other reviews. I found that other app users were also running into some of the same issues that I had. This led me to disassemble the app to take a closer look at what went into the build and the implementation of its security features.

nissan code

nissan app

I became unpleasantly surprised by some of the data that are shared with Airbiquity over HTTP protocol. The app has the permission android.permission.GET_ACCOUNTS, which means it can access other logins you have on your device, such as Facebook, Pandora, etc., and all login information that can easily be obtained on rooted devices. I was left disappointed that Nissan/Airbiquity had cast aside the level of security in this app.

I contacted Nissan Customer Support, explained the security concerns I had discovered, and offered to come up with a plan to improve these issues. Unfortunately, for legal reasons, Nissan’s company policy prevents them from accepting technically-related improvements from users.

I feel that it’s imperative for a company to be concerned about user privacy issues, prioritize the level of security available to protect customer data, and consider user feedback. Unfortunately, in this case, I don’t feel that Nissan’s response has reflected this attitude.

My experience with NissanConnect has inspired me to investigate and review additional automotive mobile applications, paying close attention to their security features and permissions. In general, it’s important to keep in mind that many mobile apps we use on a daily basis could carry security risks that intrude into our privacy and personal data.

To get a FREE security audit of your mobile applications, drop us a line support@teskalabs.com. We'll hunt and find security holes in your apps for you.

Additional reading:

  1. Custom Made vs. Off-The-Shelf Mobile Apps – The Issue of Security
  2. You Can Build Apps for the Apple TV, But Do You Know How to Do It Securely?
  3. We Know Why 85% of Mobile Apps Suck in Security. Do You?
  4. 7 Reasons Why Testing the Security of Mobile Applications Is Crucial for Enterprises
  5. The Top 5 Mobile Application Security Issues You Need to Address When Developing Mobile Applications
  6. What Is a Mobile Application Containerization, or Wrapper, and Why Must It Die?
  7. Security Is Driving the Adoption of Connected Cars

TurboCat.io

Data encryption tool for GDPR

More information


You Might Be Interested in Reading These Articles

A Warning about Zero-Day Vulnerability

A zero-day, also called zero-hour, vulnerability is a security flaw in the code that cyber criminal can use to access your network. Zero-day attacks call for new technologies built from the ground up for today’s advanced threat landscape. There is no known fix, and by the time hackers attack, the damage is already done

Continue reading ...

security

Published on May 12, 2015

SeaCat and OpenSSL Heartbleed Bug

After almost two and a half year we hope that the Heartbleed remains in the past. It is not true, unfortunately. Now we have proof that a security vulnerability remains with us for a long time, maybe almost forever even when there exist patches and fixes. The Internet is a battlefield among the good, the bad, and the ugly. Who has better attacking or defending technology wins.

Continue reading ...

security

Published on December 20, 2016

Google has introduced new rules about how mobile app developers and companies deal with customer impact on apps across the board. What is it?

The new regulations call for increased transparency with regards to how apps make use of customer data. Developers need to ensure that the way they handle user data - from how they collect it to what it might be used for - is perfectly clear to all users. In Google’s words, developers must “limit the use of the data to the description in the disclosure”. In layman’s terms, this means that data use and privacy policies need to be clearly visible on app descriptions in the Google Play store, and not simply within the app itself.

Continue reading ...

security mobile android

Published on October 10, 2017