by 0x0 4533 days ago
So it seems the story here is that in older versions of android, if you export a Java class to a webview with "addJavascriptInterface", the js code can get arbitrary code exec by calling exportedObject.getClass().forName("java.lang.Runtime").exec() or similar? And if you can mitm/spoof on public wifis, you can inject js to exploit this in apps that export to their webviews?

This is exactly how it works. And a lot of apps use this JS bridging technique to make their app easy to maintain. Dirty hack becomes technical debt.
Please disclose more technical detail
It's a vulnerability in the Android WebView component, which supports an "addJavascriptInterface" method. This method allows you to call Java native methods by using a JavaScript object inside the webpage. And there is a trick that can bypass the restriction on the classes that the JSInterface object can access: you can call any method in any Java class, such as java.lang.Runtime.exec. You can google "addJavascriptInterface vulnerability". It's not a new vulnerability, but lots of apps haven't fixed it yet.
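The fix the last comment says many apps still lack, as an added Java example that is not code from the thread: the exported bridge in its vulnerable form beside the hardened form (`@JavascriptInterface` enforced from API 17 with targetSdkVersion 17+), plus a client that refuses non-HTTPS navigation since the thread's injection vector is MITM on public Wi-Fi. The class names, the `app` object name and the `example.com` host are assumptions.

```java
import android.net.Uri;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeHardening {
    // Vulnerable form: a plain object exported with addJavascriptInterface.
    // On API < 17 every public method is reachable from page script, including
    // the inherited getClass(), which is the entry point for the Runtime trick
    // the thread describes. Nothing here marks which methods are meant for JS.
    static class LegacyBridge {
        public String appVersion() { return "1.0"; }
    }

    // Hardened form: with targetSdkVersion >= 17 (a build setting, assumed here)
    // only methods annotated @JavascriptInterface are callable from JS, so
    // getClass() and the rest of java.lang.Object are no longer reachable.
    static class SafeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    // Hypothetical host the app is allowed to load; an assumption, not from the thread.
    static final String ALLOWED_HOST = "example.com";

    static void configure(WebView webView) {
        // Devices below API 17 do not enforce the annotation at all, so the
        // safest option there is to export no bridge whatsoever.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new SafeBridge(), "app");
        }

        // The injection vector in the thread is MITM on a public network: refuse
        // any navigation that is not HTTPS to the expected host, so a spoofed
        // plain-HTTP page never gets to run with the bridge attached.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(url); // returning true blocks the load
            }
        });
    }

    static boolean isAllowed(String url) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme()) && ALLOWED_HOST.equals(u.getHost());
    }
}
```

shouldOverrideUrlLoading only sees navigations, not the initial loadUrl call or sub-resource fetches, so the initial URL and the page's own script sources must be HTTPS as well.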