The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface
نویسندگان
چکیده
We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox allowing remote code execution on Android phones, this can often then be further exploited to gain root access. While this vulnerability was first reported in 2012-12-21 we predict that the fix will not have been deployed to 95% of devices until 2018-01-10, 5.2 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad-libraries have in making this flaw so widespread.
منابع مشابه
Access Control to Prevent Malicious JavaScript Code Exploiting Vulnerabilities of WebView in Android OS
Android applications that using WebView can load and display web pages. Interaction with web pages allows JavaScript code within the web pages to access resources on the Android device by using the Java object, which is registered into WebView. If this WebView feature were exploited by an attacker, JavaScript code could be used to launch attacks, such as stealing from or tampering personal info...
متن کاملConstruction of Trusted Computing Platform Based on Android System
With the widespread use of Android mobile phones, the problems of security of phone become increasingly prominent. The Java technology architecture for trusted computing is a trend to solve the above problems. Through the analysis of the current Java platform trusted computing architecture and the security of Android operating system, the trusted platform architecture based on Android and Java ...
متن کاملTCPSnitch: Dissecting the Usage of the Socket API
Networked applications interact with the TCP/IP stack through the socket API. Over the years, various extensions have been added to this popular API. In this paper, we propose and implement the TCPSnitch software that tracks the interactions between Linux and Android applications and the TCP/IP stack. We collect a dataset containing the interactions produced by more than 120 different applicati...
متن کاملEasy as abcDE: Piano Fingering Transcription Online
Benefits • Easily deployable as a web application • Highly usable, with a what-you-see-is-what-you-get (WYSIWYG) paradigm to reduce data entry errors • Scalable for data collection on the web (no more transcription of hand-written annotations) • Configurable, with experimental design in mind • Interoperable with Qualtrics survey tool (via its JavaScript API) • Compatible with standardized, well...
متن کاملAutomated Generation of Event-Oriented Exploits in Android Hybrid Apps
Recently more and more Android apps integrate the embedded browser, known as “WebView”, to render web pages and run JavaScript code without leaving these apps. WebView provides a powerful feature that allows event handlers defined in the native context (i.e., Java in Android) to handle web events that occur in WebView. However, as shown in prior work, this feature suffers from remote attacks, w...
متن کامل