App Scanning & Validation
All Android Applications (APKs) distributed through the Ignite Store platform go through a rigorous certification process. The certification process starts with an automated scan of applications to check in the following categories.
- Distraction - can the application cause unwanted driver distraction?
- Maliciousness - Is the application of malicious nature?
- Security - does the application pose a cybersecurity risk to the vehicle?
- Privacy - does the application hold and compromise driver's private information?
- Performance - how does the application affect the unit's performance? (CPU, flash wear, ..)
Manifest and Package Validation
The system will unpack the compiled JAR and scan the MANIFEST for..
- Permissions requests - your APK must only ask access to Android packages that are relevant to the service you are providing.
- Conforming to Android Automotive standards, as part of the Android Automotive standard, we expect that your APK has the correct declarations, for example for media category most music services must declare activities for settings and log.
Static Code Analysis
All APKs will be unpackaged and decompiled. Decompiled code will be run through a set of validators to check for usage of restricted APIs, malicious code checks. Native libraries included in the APK are also checked for security hardening flags.
This component will run your APK in a sandboxed environment to verify aspects that can not be validated through static analysis. If your APK requires special manual steps in order to be run, such as requiring a username and password, those details (like a test account) need to be included in your submission so a technician can setup your app correctly in the sandbox environment.
Through a combination of directed automated testing by human testers and automated monkey testing, your APK will be measured for CPU, RAM, Network and Flash Disk usage.
Network traffic will be checked to see if user analytics data collection is being done. If your app is doing data collection and sending it to a 3rd party analytics platform, that's OK, but it must be disclosed to the user before they use your app.
Scoring and Security Review
After all the validation tests (manual and automated) are run, if certain app behaviors are potentially flagged. A human security analyst will review the output of the report to validate the risk and potentially screen out false positives. A final report will be generated and attached to the app submission for final approval by the Ignite Store Administrators.