The Lifetime of Android API Vulnerabilities: Case Study on the JavaScript-to-Java Interface

  • Daniel R. ThomasEmail author
  • Alastair R. Beresford
  • Thomas Coudray
  • Tom Sutcliffe
  • Adrian Taylor
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9379)


We examine the lifetime of API vulnerabilities on Android and propose an exponential decay model of the uptake of updates after the release of a fix. We apply our model to a case study of the JavaScript-to-Java interface vulnerability. This vulnerability allows untrusted JavaScript in a WebView to break out of the JavaScript sandbox allowing remote code execution on Android phones; this can often then be further exploited to gain root access. While this vulnerability was first publicly disclosed in December 2012, we predict that the fix will not have been deployed to 95% of devices until December 2017, 5.17 years after the release of the fix. We show how this vulnerability is exploitable in many apps and the role that ad-libraries have in making this flaw so widespread.


API security Android WebView Security updates Ad-libraries JavaScript Java Vulnerabilities Network attacker RCE 



This work was supported by a Google focussed research award; and the EPSRC [grant number EP/P505445/1]. Some of the raw data and source code is available [15]; the analysed APKs are not included as we do not have distribution rights for them. Thanks to Robert N.M. Watson for his insight and useful feedback.


  1. 1.
    Bergman, N.:. Abusing WebView JavaScript bridges (2012). Accessed 09 January 2015
  2. 2.
    Clark, J., van Oorschot, P.C.: SoK: SSL and HTTPS: revisiting past challenges and evaluating certificate trust model enhancements. In: IEEE Symposium on Security and Privacy, pp. 511–525 (2013). doi: 10.1109/SP.2013.41
  3. 3.
    Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgärtner, L., Freisleben, B.: Why Eve and Mallory love Android: an analysis of android SSL (in)security. In: CCS, pp. 50–61. ACM (2012). doi: 10.1145/2382196.2382205, ISBN: 9781450316514
  4. 4.
    Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: Network and Distributed System Security Symposium (NDSS) (2014). doi: 10.14722/ndss.2014.23323
  5. 5.
    Grace, M.C., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe exposure analysis of mobile in-app advertisements. In: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 101–112 (2012). doi: 10.1145/2185448.2185464
  6. 6.
    MWR labs. WebView addJavascriptInterface Remote Code Execution (2013). Accessed 19 December 2014
  7. 7.
    Luo, T., Hao, H., Du, W., Wang, Y., Yin, H.: Attacks on WebView in the Android system. In: Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC), Orlando, pp. 343–352. ACM (2011). doi: 10.1145/2076732.2076781, ISBN: 9781450306720
  8. 8.
    Mettler, A., Wagner, D., Close, T.: Joe-E: a security-oriented subset of Java. In: Network and Distributed System Security Symposium (NDSS) (2010)Google Scholar
  9. 9.
    Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T.: The attack of the clones: a study of the impact of shared code on vulnerability patching. In: IEEE Symposium on Security and Privacy, pp. 692–708 (2015). doi: 10.1109/SP.2015.48.138
  10. 10.
    Pearce, P., Felt, A.P., Wagner, D.: AdDroid: privilege separation for applications and advertisers in Android. In: ACM Symposium on Information, Computer and Communication Security (ASIACCS) (2012). doi: 10.1145/2414456.2414498
  11. 11.
    Shekhar, S., Dietz, M., Wallach, D.S.: AdSplit: separating smartphone advertising from applications. In: Proceedings of the 21st USENIX Conference on Security Symposium, p. 28 (2012). arXiv: 1202.4030
  12. 12.
    Stevens, R., Gibler, C., Crussell, J., Erickson, J., Chen, H.: Investigating user privacy in Android ad libraries. In: IEEE Mobile Security Technologies (MoST) (2012)Google Scholar
  13. 13.
    Thomas, D.R.: Historic Google Play dashboard (2015).
  14. 14.
    Thomas, D.R., Beresford, A.R., Rice, A.: Security metrics for the android ecosystem. In: ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), Denver. ACM (2015). doi: 10.1145/2808117.2808118, ISBN: 978-1-4503-3819-6
  15. 15.
    Thomas, D.R., Coudray, T., Sutcliffe, T.: Supporting data for: “The lifetime of Android API vulnerabilities: case study on the JavaScript-to-Java interface" (2015). Accessed 26 May 2015
  16. 16.
    Viennot, N., Garcia, E., Nieh, J.: A measurement study of Google Play. In: SIGMETRICS (2014). doi: 10.1145/2591971.2592003
  17. 17.
    Wagner, D.T., Rice, A., Beresford, A.R.: Device Analyzer: large-scale mobile data collection. In: Sigmetrics, Big Data Workshop, Pittsburgh. ACM (2013). doi: 10.1145/2627534.2627553
  18. 18.
    Wagner, D., Tribble, D.: A security analysis of the Combex DarpaBrowser architecture (2002). Accessed 08 March 2012
  19. 19.
    Wognsen, E.R., Karlsen, H.S.: Static analysis of Dalvik bytecode and reflection in Android. In: Master’s thesis, Department of Computer Science, Aalborg University, Aalborg, Denmark (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Daniel R. Thomas
    • 1
    Email author
  • Alastair R. Beresford
    • 1
  • Thomas Coudray
    • 2
  • Tom Sutcliffe
    • 2
  • Adrian Taylor
    • 2
  1. 1.Computer LaboratoryUniversity of CambridgeCambridgeUK
  2. 2.BromiumCambridgeUK

Personalised recommendations