The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface

Daniel R. Thomas, Alastair R. Beresford, Thomas Coudray, Tom Sutcliffe, Adrian Taylor

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution book


Abstract

We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox, allowing remote code execution on Android phones; this can often then be further exploited to gain root access. While this vulnerability was first reported on 2012-12-21, we predict that the fix will not have been deployed to 95% of devices until 2018-01-10, 5.2 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad-libraries have in making this flaw so widespread.

Original language: English
Title of host publication: Cambridge International Workshop on Security Protocols
Subtitle of host publication: Security Protocols 2015: Security Protocols XXIII
Publisher: Springer
Pages: 126-138
Number of pages: 12
ISBN (Print): 9783319260969
DOI: https://doi.org/10.1007/978-3-319-26096-9_13
Publication status: Published - 1 Apr 2015

Publication series

Name: LNCS
Volume: 9379

Keywords

  • API security
  • Android
  • WebView
  • security updates
  • ad-libraries
  • JavaScript
  • Java
  • vulnerabilities
  • network attacker
  • RCE

Cite this

Thomas, D. R., Beresford, A. R., Coudray, T., Sutcliffe, T., & Taylor, A. (2015). The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface. In Cambridge International Workshop on Security Protocols: Security Protocols 2015: Security Protocols XXIII (pp. 126-138). (LNCS; Vol. 9379). Springer. https://doi.org/10.1007/978-3-319-26096-9_13