​​​​Automotive APK Validation

Overview 

All APKs distributed through the Ignite Store platform go through a rigorous certification process.
HARMAN performs an automated certification process for submitted apps. The process starts with an automated scan of your application to check in the following categories:

  • Distraction - can the application cause unwanted driver distraction?
  • Maliciousness - is the application of malicious nature?
  • Security - does the application pose a cybersecurity risk to the vehicle?
  • Privacy - does the application hold and compromise driver's private information?
  • Performance - how does the application affect the unit's performance? (CPU, memory​, flash)

Process

The APK validation procedure includes several stages:

Static Validation

The purpose of this stage is to detect potential security and privacy issues during static analysis. During this stage we:

  • Scan your APK code and manifest to run a list of detectors (developed by Harman), each detector is violation specific.
  • Perform permissions check - your APK must only ask access to Android packages that are relevant to the service you are providing.
  • Perform declarations check - as part of the Android Automotive standard, we expect that your APK has the correct declarations, for example for media category most music services must declare activities for settings and log.

Dynamic Validation

  • The purpose of this stage is to reveal security, privacy and performance issues at runtime. During this stage we:​
  • Run your application in a sandbox environment.
  • Launch your application and all its activities and analyze them to find violations.
  • Test your application in three scenarios: after boot, idle and heavy usage, 5 minutes for each scenario.
  • Measure resource consumption of your application during these stages: CPU, RAM, disk usage and network usage vs. defined thresholds.

External APIs Validation

The purpose of this stage discover known vulnerabilities or malicious code that your application may contain. 

During this stage we use external APIs to:

  • Scan your APK for malicious code using leading Anti-Virus engines.
  • Scan your APK for known vulnerabilities.
  • Scan your APK for usage of old libraries.
  • Scan your APK for license compliance of open source components.
image2021-1-21_11-33-48.png

Scoring, Security Review and Final Report

After all the validation tests (manual and automated) are run, suspicious unwanted behaviors are flagged.

A human security analyst will review the output of the report to validate the risk and screen out potential false positives.

A final report will be generated and attached to the app submission for final approval by the Ignite Store administrators.

You are expected to review the report, relate to the failed tests and fix the issues so the application will be certified for the automotive environment as part of the Ignite Store.​​