The Lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface
- Speaker: Daniel Thomas (University of Cambridge)
- Date & Time: Monday 30 March 2015, 14:05 - 14:55
- Venue: LT1, Computer Laboratory, William Gates Building
Abstract
We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox, allowing remote code execution on Android phones; this can often then be further exploited to gain root access. While this vulnerability was first reported on 2012-12-21, we predict that the fix will not have been deployed to 95% of devices until 2018-01-10, 5.2 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad libraries have in making this flaw so widespread.
Series: This talk is part of the Computer Laboratory Digital Technology Group (DTG) Meetings series.