So it seems the story here is that in older versions of Android, if you export a Java class to a WebView with "addJavascriptInterface", the JS code can get arbitrary code exec by calling exportedObject.getClass().forName("java.lang.Runtime").exec() or similar? And if you can MITM/spoof on public Wi-Fi, you can inject JS to exploit this in apps that export to their WebViews?
It's a vulnerability in the Android WebView component, which supports an "addJavascriptInterface" method. This method allows you to call Java native methods by using a JavaScript object inside the webpage. And there is a trick that can bypass the restriction on which classes the JSInterface object can access: you can call any method in any Java class, such as java.lang.Runtime.exec. You can google "addJavascriptInterface vulnerability". It's not a new vulnerability, but lots of apps haven't fixed it yet.
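As an added illustration (not code from the thread), here is the exposure pattern the comment above describes next to the hardened form: on API 17+ only methods annotated with @JavascriptInterface are reachable from page JS, so getClass() is no longer exposed. The class names, the "bridge" name and the example.com URL are assumptions.

```java
// Added example: a WebView exposing a Java object to page JavaScript, shown
// the unsafe way and the hardened way. Names below (SafeBridge, BridgeSetup,
// "bridge", example.com) are placeholders chosen for this illustration.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeSetup {

    // The object page JS is meant to reach. Before API 17 EVERY public method
    // of it, including getClass() inherited from Object, was callable from JS,
    // which is what lets a page reach java.lang.Runtime via reflection.
    public static class SafeBridge {
        @JavascriptInterface          // honoured from API 17 (JELLY_BEAN_MR1)
        public String appVersion() {  // when targetSdkVersion is also >= 17;
            return "1.0";             // unannotated methods are then hidden
        }
    }

    // UNSAFE (the pattern discussed above): the bridge is exported on every
    // platform version and the page is fetched over plain HTTP, so on
    // Android < 4.2 a page modified on the network reaches all public methods.
    public static void unsafeSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new SafeBridge(), "bridge");
        webView.loadUrl("http://example.com/page");
    }

    // HARDENED: only attach the bridge where the annotation is enforced,
    // load content over HTTPS only, and keep navigation on the expected origin
    // so a redirect cannot hand the bridge to an arbitrary site.
    public static void hardenedSetup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge(), "bridge");
        }
        // On older platforms the feature is simply unavailable: no bridge.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Block any navigation that leaves our own HTTPS origin.
                return !url.startsWith("https://example.com/");
            }
        });
        webView.loadUrl("https://example.com/page");
    }
}
```

Auditing for this is straightforward: grep an APK's decompiled code for addJavascriptInterface and check the manifest's targetSdkVersion and minSdkVersion against the API-level gate shown here.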
You would never be able to install an app without the user clicking "install" etc.
This one uses a JavaScript bridge vulnerability to execute high-privilege code on your Android. The attack code is JavaScript that gets interpreted into Java calls on Android.
Bit confused as to how this can't happen on iOS "just because," as iOS apps could be targeted in a similar way. Really the message here should be that SSL with certificate pinning is a must for apps that inherently run in untrusted environments with an inability to easily inspect the security of the network traffic without MITMing it yourself. Wish this was a security feature on the App Store -- if, in automated testing or in device logs, an app was entirely secure or insecure with its communication, just as we have padlock icons in browsers today.
Hmm... interesting, well luckily I don't use the Bing app, I don't even use Bing in a normal browser. It just sounds weird to me for some reason... "Ok Ima Bing that information right now!".
Correct. Even on non-rooted phones, attackers can send SMS, record audio or access the SD card due to the permissions the target app applied for. Also you may exploit some privilege escalation vulnerability on Android after you get a shell. It's phone-specific and app-specific though.