droidsec.org

On the WebView addJavascriptInterface Saga

26 Feb 2014 by jduck

In the last month, several new facts ¡Êµ¡¤Î¡Ë¥«¥à to light in the saga of °ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës with using addJavascriptInterface in Android WebView È¿ÂФ¹¤ës. While the dangers associated with this method are °æ¸Í¡¿ÊÛ¸î»ÎÀÊ Ê¸½ñd, the ½½Ê¬¤Ê extent and reach of associated ÌäÂ꡿ȯ¹Ô¤¹¤ës was not known until recently. These ÌäÂ꡿ȯ¹Ô¤¹¤ës continue to be a ±ÖÉ¡¿Çº¤Þ¤¹ on the °ÂÁ´ of the Android ecosystem to this day.

We decided to Îá¾õ this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë for many different ¿äÏÀ¤¹¤ë¡¿Íýͳs. First, we want to »Ï¤á¤ë¡¤·è¤á¤ë the facts straight. The interactions ȼ¤¦¡¿´Ø¤ï¤ëing this method and the °ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës that result from it are ¥³¥ó¥Ó¥Ê¡¼¥È¡¿Ê£¹çÂÎ. Understandably, some published articles ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ë technically inaccuracies. Second, we have been doing more ¼Â¸³¡Ê¤¹¤ë¡Ëing and think that some of the ¼Â¸³¡Ê¤¹¤ë¡Ë results are Íø±×¡¿¶½Ì£ing. Finally, we want to make some ¿äÁ¦s to ¤µ¤Þ¤¶¤Þ¤Ê parties within the ecosystem and ʸ½ñ open questions in and ̤Íè directions for our ¸¦µæ.

It¡Çs important to ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ë that this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë does not discuss a number of other important Android °ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës. Many egregious privacy ϳ¤ì¤ës ·Ô¡¦¼è¤ê½ü¤¯ from Android »ÈÍÑ¡¿Å¬ÍÑs and advertising SDKs. ºß¸Ë¡¿³ô and third party browsers are often ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ to ¸øÁ³¤È ¸øɽ¤¹¤ë¡¿Ë½Ïª¤¹¤ëd vulnerabilities. There are other °ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës that can ·Ô¡¦¼è¤ê½ü¤¯ from using addJavascriptInterface too. These topics are not covered in this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë, but deserve attention too.

NOTE: This ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ballooned °ÕÌ£¤¢¤ê¤²¤Ë. As such, we will be working to publish more ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës in the ̤Íè.

Background

In this section, you will learn about the different ²Ê³Ø¡Ê¹©³Ø¡Ëµ»½Ñs and paradigms that come together to create the ÌäÂ꡿ȯ¹Ô¤¹¤ës that are the topic of this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. This ´Þ¤às introductions to ¥½¥Õ¥È¥¦¥§¥¢ °·¤¦ing on Android, the ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ API, and important ½êͭʪ¡¿»ñ»º¡¿ºâ»ºs of these vulnerabilities.

¥½¥Õ¥È¥¦¥§¥¢ on Android

¥½¥Õ¥È¥¦¥§¥¢ on Android ÁõÃÖs consists of firmware and »ÈÍÑ¡¿Å¬ÍÑs. Each type of ¥½¥Õ¥È¥¦¥§¥¢ are ¸«²ò¡¿ËÝÌõ¡¿ÈÇd, ʬÇÛ¤¹¤ëd, and updated using different µ¡³£ÁõÃÖs.

The firmware for a particular ÁõÃÖ is built by the party ÀÕǤ¤¬¤¢¤ë »ý³¤¹¤ëing the ÁõÃÖ. The firmware is put ¤Î¾å¤Ë the ÁõÃÖ by that party and later updates (·Ðͳ¤Ç OTA usually) must go through that party ƱÍͤË. In ¿·µ¬²ÃÆþ to the Android ¸«²ò¡¿ËÝÌõ¡¿ÈÇ, OEMs and ±¿Á÷¡¿ÊݶݼÔs have their own ¸«²ò¡¿ËÝÌõ¡¿ÈÇing ·×²è¡¿±¢ËÅs. This part of the Android ¥½¥Õ¥È¥¦¥§¥¢ update ²áÄø is discussed in depth ¤É¤³¤«¤è¤½¤Ç, so we won¡Çt (a)¼ê¤Î¹þ¤ó¤À¡¿(v)¾Ü½Ò¤¹¤ë ¤½¤Î¾å¤Î.

»ÈÍÑ¡¿Å¬ÍÑs are either ʬÇÛ¤¹¤ëd as part of the firmware or ·Ðͳ¤Ç Google Play. In both »öÎã¡¿´µ¼Ôs, the »ÈÍÑ¡¿Å¬ÍÑs can be updated ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë by the vendor ·Ðͳ¤Ç Google Play. »ÈÍÑ¡¿Å¬ÍÑs are ¸«²ò¡¿ËÝÌõ¡¿ÈÇd by their ³Æ¡¹¤Î vendors.

In ¿·µ¬²ÃÆþ to the Android ¸«²ò¡¿ËÝÌõ¡¿ÈÇ, Google uses a ¸«²ò¡¿ËÝÌõ¡¿ÈÇing µ¡³£ÁõÃÖ to ¼¨¤¹ the Àµ³Î¤Ê availability and ¹Ô°Ù of È¿ÂФ¹¤ës and methods. These È¿ÂФ¹¤ës and methods ¹½À®¤¹¤ë the developer API, and hence this ¸«²ò¡¿ËÝÌõ¡¿ÈÇ is called the API level. As the API levels have Áý²Ã¤¹¤ëd, many changes have been made. The developer documentation ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës lots of ¸ø¼°Ê¸½ñ¡¤Ç§¤á¤ës about changes throughout the ¿Ê²½ of Android.

»ÈÍÑ¡¿Å¬ÍÑ developers choose which API level they use for their »ÈÍÑ¡¿Å¬ÍÑ at ¼ý½¸¤¹¤ë time. When a new API level is ²òÊü¡Ê¤¹¤ë¡Ëd, developers don¡Çt have to do anything unless they want to take advantage of functionality from the new API. That is, app developers are ²òÊü¤¹¤ë¡¿¼«Í³¤Ê to select an older API level when they build their »ÈÍÑ¡¿Å¬ÍÑ. Google has tried to dissuade this practice in newer ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of the SDK by printing ·Ù¹ðs at ¼ý½¸¤¹¤ë time. Also, Google created Google Play Services to ´ËϤ¹¤ë some of the ¶ìÄË ¸¶°ø¡Ê¤È¤Ê¤ë¡Ëd by API ¿Ê²½. However, no technical ¾ãÊÉ Ë¸¤²¤ës using older API levels. In fact, some developers do this ¸Î°Õ¤Ë as a way to maximize ÁõÃÖ compatibility. Once an »ÈÍÑ¡¿Å¬ÍÑ is built against a particular API level, it cannot be changed without recompiling and redeploying.

WebViews and addJavascriptInterface

In Android, many browsers web-based Æ°¤­¤ä¤¹¤¤ »ÈÍÑ¡¿Å¬ÍÑs rely on the WebView ¹½À®Í×ÁÇ. The documentation for this ¹½À®Í×ÁÇ is pretty good, so check it out if you want to fully understand it¡Çs ÌÜŪ and usage. ½½Ê¬¤Ç¤¢¤ë to say that it¡Çs a part of the Android ÏÈÁÈ¤ß that ¶¡µë¤¹¤ës a working, embeddable Web browser. On ¸«²ò¡¿ËÝÌõ¡¿ÈÇs »öÁ°¤Î to Android KitKat (4.4) it¡Çs based on the WebKit engine. With KitKat and later, it¡Çs based on Chromium. It doesn¡Çt ´Þ¤à the UI Éôʬ which is also referred to as ¡Èthe chrome¡É (not to be º®Í𤵤»¤ëd with the Chrome browser).

The addJavascriptInterface method is one of the ways that developers that embed a WebView into their »ÈÍÑ¡¿Å¬ÍÑ (´Þ¤àing people that build browsers) to expose Java functionality to Javascript. It has ¸ºß¤¹¤ëd since the first ²òÊü¡Ê¤¹¤ë¡Ë of Android (API level 1). It ¶¡µë¤¹¤ës a method to ãÀ®¤¹¤ë synchronous (meaning Javascript waits for a ÊÖÅú) communication with the hosting »ÈÍÑ¡¿Å¬ÍÑ. There¡Çs plenty of »ñ¸»s showing how to use this functionality out there, so we won¡Çt go into ¤½¤Î¾å¤Î ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ë here. For a more high-level explanation, see the Our findings make uncomfortable reading section of Dave Hartley¡Çs article on the MWR blog.

°ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës

¿½Å¤Î °ÂÁ´ ÌäÂ꡿ȯ¹Ô¤¹¤ës ¸ºß¤¹¤ë ȼ¤¦¡¿´Ø¤ï¤ëing the addJavascriptInterface method of Android WebView È¿ÂФ¹¤ës. Several ÌäÂ꡿ȯ¹Ô¤¹¤ës ȼ¤¦¡¿´Ø¤ï¤ë »ÈÍÑ¡¿Å¬ÍÑs that expose an È¿ÂФ¹¤ë to untrusted Javascript within a WebView using the ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ API. Another ÌäÂ꡿ȯ¹Ô¤¹¤ë, on which the ³«È¯¡¿ÍøÍÑ of the aforementioned ÌäÂ꡿ȯ¹Ô¤¹¤ës rely, is that untrusted Javascript can ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë ÆÈÃÇŪ¤Ê Java code (and thus Çú·â¤¹¤ë Ì¿Îá¡Ê¤¹¤ë¡Ës and native code). More ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës about these ÌäÂ꡿ȯ¹Ô¤¹¤ës are ¸½ºß¤Îd in the ¤Ë°ú¤­Â³¤¤¤Æ sections. The important point to understand here is that this is not just one ÌäÂ꡿ȯ¹Ô¤¹¤ë. There are ¿½Å¤Î, interrelated vulnerabilities.

In all »öÎã¡¿´µ¼Ôs, °Î¶È¡¿ÍøÍѤ¹¤ëing ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ apps gives an ¹¶·â¼Ô the Æø¢s of the app itself. However, wide public availability of Æø¢ escalation °Î¶È¡¿ÍøÍѤ¹¤ës for Android ÁõÃÖs can lead to a ½½Ê¬¤Ê ÁõÃÖ ÂŶ¨.

Attack Vectors

Each vulnerability can be °Î¶È¡¿ÍøÍѤ¹¤ëd ·Ðͳ¤Ç one or more attack vectors. Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë which attack vectors µö¤¹ ³«È¯¡¿ÍøÍÑ depends on the ¾õ¶· in which the ±Æ¶Á¤¹¤ë¡¿´¶¾ðd WebView is used. That is, it depends where untrusted Javascript comes from. From our point of ¸«²ò¡Ê¤ò¤È¤ë¡Ë they break É餫¤¹¡¿·âÄƤ¹¤ë into the ¤Ë°ú¤­Â³¤¤¤Æ ÉôÎàs:

1. URL-based attack vectors such as sending a URL ·Ðͳ¤Ç email, IM, SMS, etc.
2. Malicious ÀëÅÁs (aka Malvertising)
3. ÃíÆþ¤¹¤ëing an °Î¶È¡¿ÍøÍѤ¹¤ë into a ÂŶ¨d ¿®ÍÑd ¾ì½ê¡¿°ÌÃÖ (e.g. a watering ·ê¤ò³«¤±¤ë attack)
4. Man in the Middle attacks (MitM) such as DNS ¥Ï¥¤¥¸¥ã¥Ã¥¯, rogue AP/BTS, etc.
5. Ãϸµ¤Î attacks against Javascript ¡ÊÉð´ï¤Ê¤É¤Î¡Ë±£Æ¿¾ì½êd on ³°Éô¤Î Ãù¢ (SD card)

The most ¸·¤·¤¤ ÌäÂ꡿ȯ¹Ô¤¹¤ës can be °Î¶È¡¿ÍøÍѤ¹¤ëd in all ¥·¥Ê¥ê¥ªs while ¤ï¤º¤«¤Ë ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ ¸·¤·¤¤ can only be °Î¶È¡¿ÍøÍѤ¹¤ëd ·Ðͳ¤Ç a subset.

New ³«È¯s

»Ù±ç¤¹¤ë in September 2013, jduck developed a Metasploit °Î¶È¡¿ÍøÍѤ¹¤ë module called addjsif that Ūs ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ uses of addJavascriptInterface within advertising SDKs. He created this °Î¶È¡¿ÍøÍѤ¹¤ë in hopes that having it in Metasploit would bring Éղà attention and visibility to the ¿¿ÌÌÌܤµ of these ÌäÂ꡿ȯ¹Ô¤¹¤ës. It is ÆÃ¤Ë designed to be used as a MitM proxy server that will ÃíÆþ¤¹¤ë its payload into passing traffic. The addjsif »ö¶È¡¿·×²è¡Ê¤¹¤ë¡Ë¡Çs README ʸ½ñs how ¹ÔÀ¯´±¡¿´ÉÍý¼Ôs can »Ï¤á¤ë¡¤·è¤á¤ë up and use the °Î¶È¡¿ÍøÍѤ¹¤ë to ¼Â¸³¡Ê¤¹¤ë¡Ë ÁõÃÖs on their ÌÖ¾õÁÈ¿¥s.

While ¼Â¸³¡Ê¤¹¤ë¡Ëing his module, jduck ¼óÈø¤è¤¯ °Î¶È¡¿ÍøÍѤ¹¤ëd the wildly popular Fruit Ninja and Angry Birds games Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ëd on a Nexus 4 running Android 4.3 (!!). He also ¸¦µæd the »Ø̾¤¹¤ës of other È¿ÂФ¹¤ës exposed ·Ðͳ¤Ç addJavascriptInterface and embedded their »Ø̾¤¹¤ës into the module.

The ·èÄ꡿ȽÄ꾡¤Á¡Ê¤¹¤ë¡Ë to open source jduck¡Çs °Î¶È¡¿ÍøÍѤ¹¤ë module at the end of January 2014 »Ï¤á¤ë¡¤·è¤á¤ë in Æ°µÄ the sequence of events ¼çÍ×¤Ê to this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. Though MWR Labs published an °Î¶È¡¿ÍøÍѤ¹¤ë in December 2013, their Drozer Æ»¶ñ ´Êñ¤Ë doesn¡Çt have as large of »ÈÍÑ¼Ô base as Metasploit does. The ½é¤á¤Î goal stood and so the module was ²òÊü¡Ê¤¹¤ë¡Ëd ¸øÁ³¤È.

Starting in Áá´ü¤Ë February, the Metasploit engineers took jduck¡Çs work and started looking to Åý¹ç¤¹¤ë it into their ¿¯Æþ¡¿¿»Æ© ¼Â¸³¡Ê¤¹¤ë¡Ëing ÏÈÁȤß. Some of their À®²Ì¡¿ÅØÎÏs are ʸ½ñd in the pull request »Ï¤á¤ëd to ¹çÊ»¤¹¤ë it. As seen in description of the pull request, Rapid7¡Çs Joe Vennix discovered that after minor modifications jduck¡Çs °Î¶È¡¿ÍøÍѤ¹¤ë module was able to remotely ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë ÆÈÃÇŪ¤Ê code on older ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of the ºß¸Ë¡¿³ô Android Browser app. This was news to us, as it hadn¡Çt °ÊÁ° been Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d ¸øÁ³¤È by anyone (´Þ¤àing Google!).

¤½¤Î¾å¤Î ¼Â¸³¡Ê¤¹¤ë¡Ëing by Tim Wright showed that the °Î¶È¡¿ÍøÍѤ¹¤ë also ºîÉÊ on the ¸½ºß¤Î ¸«²ò¡¿ËÝÌõ¡¿ÈÇ of Google Glass (XE12 as of this Îá¾õing). Even worse, an °Î¶È¡¿ÍøÍѤ¹¤ëd Google Glass browser »º¤¹¤ë¡¿À¸¤¸¤ës camera µö²Äs. That¡Çs ¸¢Íø. This °Î¶È¡¿ÍøÍѤ¹¤ë µö¤¹s an ¹¶·â¼Ô to see whatever someone who is wearing Google Glass sees. On ºÇ¹â¤Î¡¤¤ò±Û¤¹ of that, several ¸øÁ³¤È ÍøÍѤǤ­¤ë °Î¶È¡¿ÍøÍѤ¹¤ës are ͭǽ¤Ê of ¿­¤Ó¡Ê¤ë¡Ëing root Æø¢s on a Google Glass ÁõÃÖ. These facts Ï¢¹ç¤µ¤»¤ëd should ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë ¤ä¤á¤ë a ´Ø¿´ for Áá´ü¤Ë adopters of this exorbitantly Äê²Á¤Ä¤­¤Î gadget.

¤Ë°ú¤­Â³¤¤¤Æ these events, another ¥Þ¥¹¥³¥ß blitz ³¤¤¤Æµ¯¤³¤ëd with many articles ¡Ê¿ÍÌ¿¤Ê¤É¤ò¡ËÃ¥¤¦¡¤¼çÄ¥¤¹¤ëing that 70% of Android ÁõÃÖs are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ to this particular °Î¶È¡¿ÍøÍѤ¹¤ë. A Èó¾ï¤ËŤ¤ discussion on a ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë to the /r/Android sub-reddit had us defending our ¸¦µæ against vehement Âй³¼Ôs. Truth be told, the 70% number ¡Êµ¡¤Î¡Ë¥«¥à from an ²¾Äê¡¿°ú¤­¼õ¤±¤ë¤³¤È that all ÁõÃÖs »öÁ°¤Î to Android 4.2 were ±Æ¶Á¤¹¤ë¡¿´¶¾ðd. We had ¼Â¸³¡Ê¤¹¤ë¡Ëd against only a handful of ÁõÃÖs at that point and thus decided to do some more Å°ÄìŪ¤Ê ¼Â¸³¡Ê¤¹¤ë¡Ëing against the ºß¸Ë¡¿³ô browser of ¤µ¤Þ¤¶¤Þ¤Ê ÁõÃÖs.

First, jduck »Ï¤á¤ë¡¤·è¤á¤ë out to create a simple and °ÂÁ´¤Ê ¼Â¸³¡Ê¤¹¤ë¡Ë page that would ¡Ê°­»ö¡¤ÈëÌ©¤Ê¤É¤ò¡Ëȯ¸«¤¹¤ë whether or not the WebView in which it was Ééôd was ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. The Rapid7/Metasploit team Êä½õÁõÃÖd in ÁÈ¿¥¤¹¤ëing some ¡Ê¿Í¤¬¡Ë·²¤¬¤ë-sourced ¼Â¸³¡Ê¤¹¤ë¡Ëing on Twitter while he ¼Â¸³¡Ê¤¹¤ë¡Ëd against the droidsec droid army. Each of jduck¡Çs ÁõÃÖs run ºß¸Ë¡¿³ô firmware (in most »öÎã¡¿´µ¼Ôs the ºÇ¿·¤Î ÍøÍѤǤ­¤ë), so the ¼Â¸³¡Ê¤¹¤ë¡Ës are a decent ¸«ËÜing of the over all ÁõÃÖ pool. ¤½¤Î¾å¤Î, Joe Vennix ran some ¼Â¸³¡Ê¤¹¤ë¡Ës against one of the public ¼Â¸³¡Ê¤¹¤ë¡Ëing services to see how their ÁõÃÖs fared. The results of this °ìÏ¢¤Î²ñµÄ¡¢¸ò¾Ä¡¿´°À®¤¹¤ë of ¼Â¸³¡Ê¤¹¤ë¡Ëing were ¤ä¤á¤ë Íø±×¡¿¶½Ì£ing and several new facts were ˽Ϫ¤¹¤ëd.

½ÅÍ×¤Ê Findings

Through our ¼Â¸³¡Ê¤¹¤ë¡Ëing, we have discovered several important facts ²ÁÃ͡ʤ¬¤¢¤ë¡Ë discussing. The ½ÅÍ×¤Ê findings are:

1. Áá´ü¤Ë ¼Â¸³¡Ê¤¹¤ë¡Ëing with ¹­¹ð-supported apps ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹d that even ¸½ºß¤Î and fully up-to-date ÁõÃÖs can be ¼óÈø¤è¤¯ °Î¶È¡¿ÍøÍѤ¹¤ëd in ÌÀ³Î¤Ê¡¿ºÙÉô circumstances. »ÈÍÑ¡¿Å¬ÍÑs that (1) insecurely use addJavascriptInterface to ¡ÊȽ·è¤Ê¤É¤ò¡Ë²¼¤¹ untrusted content and (2) are ¼ý½¸¤¹¤ëd against an API level ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ than 17 remain ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. The popular apps ¼Â¸³¡Ê¤¹¤ë¡Ëd are only two such apps; it¡Çs likely that many many more ¸ºß¤¹¤ë. This ÌäÂ꡿ȯ¹Ô¤¹¤ë was ³ä¤êÅö¤Æ¤ëd CVE-2012-6636.

2. More ºÇ¶á¤Î ¼Â¸³¡Ê¤¹¤ë¡Ëing ÌÀ¤é¤«¤Ë¤¹¤ë¡¿Ï³¤é¤¹d that ³Î¤«¤Ê ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of ºß¸Ë¡¿³ô browsers, ´Þ¤àing AOSP, are also ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. This ÌäÂ꡿ȯ¹Ô¤¹¤ë is ͽÄê to insecure use of addJavascriptInterface ȼ¤¦¡¿´Ø¤ï¤ëing the searchBoxJavaBridge_ È¿ÂФ¹¤ë. Digging in deeper we discovered Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë when the ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ È¿ÂФ¹¤ë was introduced (9497c5f in Android 4.0) and ½üµî¤¹¤ëd (d773ca8 and 0e9292b in Android 4.2) within AOSP code. It was ³ä¤êÅö¤Æ¤ëd CVE-2014-1939 per our request.

3. Some ÁõÃÖs using ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of Android within the ±Æ¶Á¤¹¤ë¡¿´¶¾ðd ÈÏ°Ï (4.0 < x < 4.2) were not ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. This ¼¨¤¹s that OEMs/±¿Á÷¡¿ÊݶݼÔs »Ù±ç¤¹¤ë-ported the patch to their firmware somewhere along the way. It¡Çs possible (maybe even likely) that Google ÄÌÃΤ¹¤ëd these partners of the ÌäÂ꡿ȯ¹Ô¤¹¤ë to »É·ã¡Ê¤¹¤ë¡Ë movement without ÄÌÃΤ¹¤ëing the general public. ·èÄꤹ¤ëing the entirety of ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ ÁõÃÖ + firmware combinations remains an open problem (and one that we are ³èȯ¤Ë Áܤ·½Ð¤¹ing to ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½ê).

4. An Éղà insecurely exposed È¿ÂФ¹¤ë was ÀßΩ¤¹¤ë within ³Î¤«¤Ê HTC ÁõÃÖ firmware ¸«²ò¡¿ËÝÌõ¡¿ÈÇs. In particular, ¼Â¸³¡Ê¤¹¤ë¡Ëing against the One V and One X+ on Android 4.0.3 and 4.1.1 showed that an È¿ÂФ¹¤ë called HTMLOUT was exposed. Interestingly, this is the exact »Ø̾¤¹¤ë of an È¿ÂФ¹¤ë that was discussed in a blog by Aleksander Kmetec in 2009. (NOTE: A quick search while Îá¾õing this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë turned up this ¡Êa¡ËÃé¹ð¤Î¡¿¡Ên¡Ë·ÙÊó on WooYun. We don¡Çt believe a CVE has been ³ä¤êÅö¤Æ¤ëd yet.)

5. ³Î¤«¤Ê ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of third-party browsers are also ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. In particular, ³Î¤«¤Ê ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of the ¥¤¥ë¥« Browser ¼Â¸³¡Ê¤¹¤ë¡Ëd ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. Unfortunately, the exact ¸«²ò¡¿ËÝÌõ¡¿ÈÇ and ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of exposed È¿ÂФ¹¤ës are not ÍøÍѤǤ­¤ë.

¤Ë¤â¤«¤«¤ï¤é¤º the fact that these ÌäÂ꡿ȯ¹Ô¤¹¤ës have ¸ºß¤¹¤ëd for years, several of these findings have only come to light in the last month. These ÌäÂ꡿ȯ¹Ô¤¹¤ës are important and need more attention. The next section ¶¡µë¤¹¤ës some suggestions about what ¤µ¤Þ¤¶¤Þ¤Ê parties in the Android ecosystem can do to help.

Suggestions

These ÌäÂ꡿ȯ¹Ô¤¹¤ës have not been holistically ±éÀâ¡Ê¤¹¤ë¡Ë¡¿½»½êd. Thankfully, there are a number of things that ¤µ¤Þ¤¶¤Þ¤Ê groups within the Android ecosystem can do to ²þÁ±¤¹¤ë the ¾õ¶·¡¿¾ðÀª. Without ²ðÆþ or ±ç½õ from Android vendors, we are ÂçÉôʬ¤Ï left to our own ÁõÃÖ to Êݸ¤ë ourselves and our »ÈÍѼÔs.

That leads to the first, and most important, ¿äÁ¦ for everyone in the ecosystem. Communication is ½ÅÍפÊ. We as a community need to spread the word about what brings these ÌäÂ꡿ȯ¹Ô¤¹¤ës about, how to Èò¤±¤ë them, how to °ÌÃÖ¤ò¼¨¤¹ and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë instances of them, and so on. Please do your part to help make the Android ecosystem a more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë place.

Google - You took a ¹ÎÄêŪ¤Ê step when you made that °ÂÁ´ enhancement in Android 4.2. However, the ½é¤á¤Î ¡Èľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë¡É and messaging surrounding it leave much to be ´ê˾¡Ê¤¹¤ë¡Ëd.

On the messaging Ì£Êý¤¹¤ë, that ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë Âåɽ¤¹¤ës a ¹ÔÊýÉÔÌÀ¤Ë¤Ê¤ëd ŬÀڤʻþ´ü to ÅÁ¤¨¤ë the ¿¿ÌÌÌܤµ of the »öÊÁ. You could have ·ø¸Ç¤Ë recommended Ūing apps that depend on addJavascriptInterface to the ºÇ¿·¤Î API level. You could have ·«¤êÊÖ¤·¸À¤¦d the ´í¸±¡¤´í¤Ê¤¯¤¹¤ë of improperly using this API. Unfortunately, you Áª¤Öd to only casually explain the change as an enhancement.

On the ¡Èľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë¡É Ì£Êý¤¹¤ë, a more ÀѶËŪ¤Ê approach would be far more ¸ú²ÌŪ¤Ê. Had you taken such an approach, you might not be reading this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. Because of the approach you chose, developers can still build, and are still building, ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ apps today. These apps can even be °Î¶È¡¿ÍøÍѤ¹¤ëd on the most up-to-date ÁõÃÖs. These are serious vulnerabilities and they should be given the º·É¡Ê¤¹¤ë¡Ë¡¦ÅÀ and ¶ÛµÞ that they deserve. We ò´êd with you to take more ÀѶËŪ¤Ê ³èÆ°¡¿ÀïÆ®s to ¼£ÎÅ¡ÊÌô¡Ë this blight.

OEMs and ±¿Á÷¡¿ÊݶݼÔs - Some of you have done a good thing by »Ù±ç¤¹¤ë-porting the ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë to older firmwares. That¡Çs ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍ×¤Ê for the ÁõÃÖs that did get updated, but that leaves »ÈÍѼÔs of older ÁõÃÖs exposed. We dream of a day when you don¡Çt leave anyone behind. The time from a °ÂÁ´ ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë to it ¸ºß on »ÈÍѼÔs¡Ç ÁõÃÖs really should be on the order of days, not months or weeks. We implore you to find ways to continue to ²þÁ±¤¹¤ë this ²áÄø.

App Developers - If you¡Çre ¸½ºß¡¿°ìÈÌ¤Ë Ê¬ÇÛ¤¹¤ëing a ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ app/SDK, please take ¨ºÂ¤Î steps to ÄûÀµ¤¹¤ë the ÌäÂ꡿ȯ¹Ô¤¹¤ë and get an update ¡Ê·³Ââ¤ò¡ËŸ³«¤¹¤ë¡¤ÇÛÈ÷¤¹¤ëd. If possible, Èò¤±¤ë using addJavascriptInterface at all. If you must use it, Ū your app/SDK to API level 17 or higher. If you¡Çre making an SDK, consider ·³Ââing your »ÈÍѼÔs to use API level 17 or higher. If you must have a synchronous ´Ø·¸ to Java-land, consider using shouldAllowURLOverriding to ̵»ë¡¿Ìµ¸ú onJsAlert or onJsPrompt. App developers need to go the extra mile to be sure they are not ´Þ¤àing advertising SDKs that put »ÈÍѼÔs at ´í¸±. Finally, use the best practices (HTTPS and ¾ÚÌÀ½ñ pinning) to help keep your WebView content ¿®Íê¤Ç¤­¤ë in the ľÌ̤¹¤ë of MitM attacks.

¸¦µæ°÷s - Join us in doing Éղà ¸¦µæ, ¼Â¸³¡Ê¤¹¤ë¡Ëing, and Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬ing so that we can ½üµî¤¹¤ë these dangerous ÌäÂ꡿ȯ¹Ô¤¹¤ës. Help discover Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë which ÁõÃÖs and/or apps that are out there are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. Áܤ·½Ð¤¹ out Éղà ´í¸±¤Ê uses of addJavascriptInterface and Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬ your findings. It¡Çs my understanding that finding such a thing will ¾¡Íø¡¤¾¡¤Ä you a shiny CVE. The ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë in the addjsif MSF module might even be a good starting place. Work with ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ ÁõÃÖ/app vendors to get the ÌäÂ꡿ȯ¹Ô¤¹¤ës ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd. Start ÂÐÏÃs with your ¸ÜµÒs in the Æ°¤­¤ä¤¹¤¤ space to raise ǧ¼±¡¿°Õ¼±À­. Finally, you can help Êݸ¤ë »ÈÍѼÔs by creating third-party ²òÅús!

»ÈÍѼÔs - The °ÂÁ´ and privacy of your ÁõÃÖ is ºÇ½ªÅª¤Ë in your ¼êÅϤ¹s. Keep your ÃíÌܤ¹¤ë¡¤¤â¤¯¤í¤às and ears open for ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë about ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ apps. Don¡Çt connect to ÀøºßŪ¤Ë malicious Wi-Fi Àܶá points. ½üµî¤¹¤ë ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ apps from your ÁõÃÖ until they can be updated. Give 1-À±¡¿¼çÌò¤Ë¤¹¤ë ratings to ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ apps. As a ·Ù²ü, play ¹­¹ð-supported games in airplane Êý¼°. »Ùʧ¤¦¡¿Ä¶â for your apps so that advertising ÌÖ¾õÁÈ¿¥ code is never ³èÆ°¤µ¤»¤ë¡¿Àï»þÊÔÀ®¤¹¤ëd.

̤Íè Work / Open Questions

While putting together this ¸¦µæ we have identified a number of gaps and Í¥¤ì¤¿ questions. We have Éղà ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës that we ·×²è¡Ê¤¹¤ë¡Ë to publish in the coming days and weeks. Ideas for ̤Íè work ´Þ¤à:

1. More ¼Â¸³¡Ê¤¹¤ë¡Ëing - Our ¼Â¸³¡Ê¤¹¤ë¡Ë results are ¸øÀµ¤Ë¡¿¤«¤Ê¤ê ¸Â¤é¤ì¤¿¡¿Î©·ûŪ¤Ê. We¡Çd like to solicit more high ¼Á ¼Â¸³¡Ê¤¹¤ë¡Ë results from the community Êá¤Þ¤é¤Ê¤¤¤Ç. We¡Çre thinking of the best way to enable this ¼Â¸³¡Ê¤¹¤ë¡Ëing, but for now ¤Ë°ú¤­Â³¤¤¤Æ the directions on the ¼Â¸³¡Ê¤¹¤ë¡Ë page would help.

2. More ÁõÃÖs - Our ¼Â¸³¡Ê¤¹¤ë¡Ë bed is ¸øÀµ¤Ë¡¿¤«¤Ê¤ê small. We¡Çd love to Äɲ乤ë more ÁõÃÖs, and have Äɲ乤ëd a ò´ê for ÁõÃÖs to our ´óÉÕ page.

3. More Åý·×¡Ê³Ø¡Ë - Ãê½Ð¤¹¤ëing Åý·×¡Ê³Ø¡Ë from app markets is very »ñ¸» ½¸ÃæŪ¤Ê. ·èÄꤹ¤ëing which apps use addJavascriptInterface insecurely Í׵᤹¤ës looking at each app ¸Ä¡¹¤Ë, ¤«¤â¤·¤ì¤Ê¤¤ even ¿½Å¤Î ¸«²ò¡¿ËÝÌõ¡¿ÈÇs of each.

4. More ¸¦µæ - Our ¼Â¸³¡Ê¤¹¤ë¡Ës looking into whether or not ¼ý½¸¤¹¤ëing a library for Android apps ¸¶°ø¡Ê¤È¤Ê¤ë¡Ës apps that use that library to be ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ were ½½Ê¬¤ÊÀâÆÀÎϤΤʤ¤. Do they build against a particular API level? Can they use a different API level than the app they are ´Þ¤àd in? These are questions we¡Çd like to answer.

There¡Çs more than enough for us to do. We would love your help!

·ëÏÀ

This ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ʸ½ñs some history and our ºÇ¿·¤Î findings in our ¸½ºß¿Ê¹ÔÃæ¤Î ¸¦µæ of the WebView addJavascriptInterface vulnerability saga. Though these ÌäÂ꡿ȯ¹Ô¤¹¤ës have received a ¹­Âç¤Ê¡¿Â¿¿ô¤Î¡¿½ÅÍ×¤Ê ¼è°ú¡¤¶¨Äê of attention in the °µÎϡʤò¤«¤±¤ë¡Ë, most »ÈÍѼÔs remain ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. The ºÇ¿·¤Î articles ¾ÇÅÀ¡Ê¤ò¹ç¤ï¤»¤ë¡Ë on the new ȯ¸«s that some ºß¸Ë¡¿³ô browsers are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. However, they fail to explain the ½½Ê¬¤Ê ´í¸±. Once an ¹¶·â¼Ô ¿­¤Ó¡Ê¤ë¡Ës Àܶá, a variety of ¸øÁ³¤È ÍøÍѤǤ­¤ë °Î¶È¡¿ÍøÍѤ¹¤ës µö¤¹ them to fully ÂŶ¨ the ÁõÃÖ. Most importantly, »ÈÍÑ¡¿Å¬ÍÑ developers often still expose »ÈÍѼÔs¡Ç ÁõÃÖs by insecurely using addJavascriptInterface. These ÌäÂ꡿ȯ¹Ô¤¹¤ës can be °Î¶È¡¿ÍøÍѤ¹¤ëd, even on a fully updated and ¸½ºß¤Î ÁõÃÖ (such as a Nexus 5 - ¼Â¸³¡Ê¤¹¤ë¡Ëd today with Fruit Ninja).

The perilous ¾õ¶·¡¿¾ðÀª of more than 51% of the Android ÁõÃÖ pool running woefully outdated ¥½¥Õ¥È¥¦¥§¥¢ remains. As ¤Ë¤Ä¤¤¤Æ¸ÀµÚ¤¹¤ëd °ÊÁ°, many of the ¼Â¸³¡Ê¤¹¤ë¡Ëd ÁõÃÖs are fully updated to their ºÇ¿·¤Î ºß¸Ë¡¿³ô firmware. In our ¼Â¸³¡Ê¤¹¤ë¡Ëing of 44 ÁõÃÖs, 13 were running browsers in the ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ ¸«²ò¡¿ËÝÌõ¡¿ÈÇ ÈÏ°Ï. Of those, 6 had a ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ ºß¸Ë¡¿³ô browser. Extrapolating these numbers out Àµ³Î¤Ë is impossible without the exact numbers of each ÁõÃÖ/firmware combination, but a fair estimation is something like 25 ¥Ñ¡¼¥»¥ó¥È (46% of 51%). This is much ¤¤¤Ã¤½¤¦¾¯¤Ê¤¯ than the 70% °úÍѤ¹¤ëd in many articles, but also doesn¡Çt take into account the other ÌäÂ꡿ȯ¹Ô¤¹¤ës surrounding this method (which are much larger ÌäÂ꡿ȯ¹Ô¤¹¤ës).

In ¤Î¶á¤¯¤Ëing, there is much to do before this saga will end. We¡Çve ¶¡µë¤¹¤ëd some ¿äÁ¦s for ¤µ¤Þ¤¶¤Þ¤Ê parties in the ecosystem and hope that they will not Íî¤Á¤ë on deaf ears. That said, we¡Çre not naive. We ǧ¤á¤ë that there are many challenges on the road ahead of us. Through our ΨÀès we hope to ÂǤÁ¾¡¤Ä these ÌäÂ꡿ȯ¹Ô¤¹¤ës and ´«¤á¤ë Android °ÂÁ´ into a new »þÂå.

Be °ÂÁ´¤Ê out there!