The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface

  • Conference paper
Security Protocols XXIII (Security Protocols 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9379)

Abstract

We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox, allowing remote code execution on Android phones; this can often then be further exploited to gain root access. While this vulnerability was first publicly disclosed in December 2012, we predict that the fix will not have been deployed to 95% of devices until December 2017, 5.17 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad-libraries have in making this flaw so widespread.

Notes

  1. We have made these available [13].

  2. https://codereview.chromium.org/213693005/patch/20001/30001 committed as 261801 or afae5d83d66c1d041a1fa433fbb087c5cc604b67 or e55966f4c3773a24fe46f9bab60ab3a3fc19abaf.

References

  1. Bergman, N.: Abusing WebView JavaScript bridges (2012). http://d3adend.org/blog/?p=314. Accessed 09 January 2015

  2. Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy, pp. 511–525 (2013). doi:10.1109/SP.2013.41

  3. Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why Eve and Mallory love Android: an analysis of android SSL (in)security. In: CCS, pp. 50–61. ACM (2012). doi:10.1145/2382196.2382205, ISBN: 9781450316514

  4. Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Network and Distributed System Security Symposium (NDSS) (2014). doi:10.14722/ndss.2014.23323

  5. Grace, M.C., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe exposure analysis of mobile in-app advertisements. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 101–112 (2012). doi:10.1145/2185448.2185464

  6. MWR labs. WebView addJavascriptInterface Remote Code Execution (2013). https://labs.mwrinfosecurity.com/blog/2013/09/24/webview-addjavascriptinterface-remote-code-execution/. Accessed 19 December 2014

  7. Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), Orlando, pp. 343–352. ACM (2011). doi:10.1145/2076732.2076781, ISBN: 9781450306720

  8. Mettler, A., Wagner, D., Close, T.: Joe-E: a security-oriented subset of Java. In: Network and Distributed System Security Symposium (NDSS) (2010)

  9. Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T.: The attack of the clones: a study of the impact of shared code on vulnerability patching. In: IEEE Symposium on Security and Privacy, pp. 692–708 (2015). doi:10.1109/SP.2015.48.138

  10. Pearce, P., Felt, A.P., Wagner, D.: AdDroid: privilege separation for applications and advertisers in Android. In: ACM Symposium on Information, Computer and Communication Security (ASIACCS) (2012). doi:10.1145/2414456.2414498

  11. Shekhar, S., Dietz, M., Wallach, D.S.: AdSplit: separating smartphone advertising from applications. In: Proceedings of the 21st USENIX Conference on Security Symposium, p. 28 (2012). arXiv: 1202.4030

  12. Stevens, R., Gibler, C., Crussell, J., Erickson, J., Chen, H.: Investigating user privacy in Android ad libraries. In: IEEE Mobile Security Technologies (MoST) (2012)

  13. Thomas, D.R.: Historic Google Play dashboard (2015). http://androidvulnerabilities.org/play/historicplaydashboard

  14. Thomas, D.R., Beresford, A.R., Rice, A.: Security metrics for the android ecosystem. In: ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), Denver. ACM (2015). doi:10.1145/2808117.2808118, ISBN: 978-1-4503-3819-6

  15. Thomas, D.R., Coudray, T., Sutcliffe, T.: Supporting data for: “The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface” (2015). https://www.repository.cam.ac.uk/handle/1810/247976. Accessed 26 May 2015

  16. Viennot, N., Garcia, E., Nieh, J.: A measurement study of Google Play. In: SIGMETRICS (2014). doi:10.1145/2591971.2592003

  17. Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: large-scale mobile data collection. In: Sigmetrics, Big Data Workshop, Pittsburgh. ACM (2013). doi:10.1145/2627534.2627553

  18. Wagner, D., Tribble, D.: A security analysis of the Combex DarpaBrowser architecture (2002). http://combexin.temp.veriohosting.com/papers/darpa-review/security-review.pdf. Accessed 08 March 2012

  19. Wognsen, E.R., Karlsen, H.S.: Static analysis of Dalvik bytecode and reflection in Android. In: Master’s thesis, Department of Computer Science, Aalborg University, Aalborg, Denmark (2012)

Acknowledgements

This work was supported by a Google focussed research award; and the EPSRC [grant number EP/P505445/1]. Some of the raw data and source code is available [15]; the analysed APKs are not included as we do not have distribution rights for them. Thanks to Robert N.M. Watson for his insight and useful feedback.

Author information

Correspondence to Daniel R. Thomas.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Thomas, D.R., Beresford, A.R., Coudray, T., Sutcliffe, T., Taylor, A. (2015). The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface. In: Christianson, B., Švenda, P., Matyáš, V., Malcolm, J., Stajano, F., Anderson, J. (eds) Security Protocols XXIII. Security Protocols 2015. Lecture Notes in Computer Science(), vol 9379. Springer, Cham. https://doi.org/10.1007/978-3-319-26096-9_13

  • DOI: https://doi.org/10.1007/978-3-319-26096-9_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26095-2

  • Online ISBN: 978-3-319-26096-9

  • eBook Packages: Computer Science, Computer Science (R0)
