
Hackers can pwn your Android in 10 seconds, if you use Bing App in Starbucks - zhongjiewu
http://blog.trustlook.com/2014/01/23/trustlook-reported-microsofts-first-ever-android-vulnerability/
======
0x0
So it seems the story here is that in older versions of android, if you export
a Java class to a webview with "addJavascriptInterface", the js code can get
arbitrary code exec by calling
exportedObject.getClass().forName("java.lang.Runtime").exec() or similar? And
if you can mitm/spoof on public wifis, you can inject js to exploit this in
apps that export to their webviews?

~~~
zhongjiewu
This is exactly how it works. And a lot of apps use this JS bridging technique
to make their app easy to maintain. Dirty hack becomes technical debt.

~~~
majiaguan
Please disclose more technical detail

~~~
trustlook
It's a vulnerability in the Android WebView component, which supports an
"addJavascriptInterface" method. This method allows you to call Java native
methods by using a JavaScript object inside the webpage. And there is a trick
that can bypass the restriction on which classes the JSInterface object can
access: you can call any method in any Java class, such as
java.lang.Runtime.exec. You can google "addJavascriptInterface vulnerability".
It's not a new vulnerability, but lots of apps haven't fixed it yet.
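
The fix asked for further down the thread, as an added example that is not code from the article, from Trustlook or from the Bing app: the unsafe WebView setup the two comments above describe, beside the hardened form. The bridge class and its method (`AppBridge`, `showToast`) and the URLs are hypothetical. What makes the hardened version work is the `@JavascriptInterface` annotation, which the platform enforces only when the app declares `targetSdkVersion` 17 or higher and runs on Android 4.2 (API 17) or later; on anything older, every public method of the injected object, `getClass()` included, stays reachable, so the example simply does not install the bridge there.

```java
// Added example (not from the article or the Bing app). AppBridge, showToast
// and the URLs are hypothetical; the WebView and annotation APIs are real.
import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.widget.Toast;

public class WebViewSetup {

    /** Object handed to page JavaScript as window.App. */
    public static class AppBridge {
        private final Context ctx;
        AppBridge(Context ctx) { this.ctx = ctx; }

        // With targetSdkVersion >= 17, running on API 17+, only methods carrying
        // this annotation are callable from JavaScript. Everything else on the
        // object, including java.lang.Object.getClass(), is hidden, which is
        // what closes the getClass().forName("java.lang.Runtime") trick.
        @JavascriptInterface
        public void showToast(String msg) {
            Toast.makeText(ctx, msg, Toast.LENGTH_SHORT).show();
        }
    }

    /** Vulnerable pattern: the bridge is installed on every Android version and
     *  the page is fetched over cleartext HTTP, so anyone on the network path
     *  (rogue AP, DNS or ARP spoofing, as discussed in this thread) can replace
     *  the page's script and reach the bridge. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void setupVulnerable(WebView wv, Context ctx) {
        wv.getSettings().setJavaScriptEnabled(true);
        wv.addJavascriptInterface(new AppBridge(ctx), "App");
        wv.loadUrl("http://example.com/search");   // cleartext: script is injectable
    }

    /** Hardened pattern: bridge only where the annotation is enforced, page
     *  only over HTTPS so the script cannot be swapped in transit. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void setupHardened(WebView wv, Context ctx) {
        wv.getSettings().setJavaScriptEnabled(true);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {  // API 17
            wv.addJavascriptInterface(new AppBridge(ctx), "App");
        }
        // On API 16 and below the annotation is not enforced: no bridge at all,
        // and the page must do without the native call.
        wv.loadUrl("https://example.com/search");
    }

    /** Drop the bridge as soon as the page no longer needs it (API 11+). */
    public static void teardown(WebView wv) {
        wv.removeJavascriptInterface("App");
    }
}
```

The runtime check alone is not enough: the annotation is honoured only when the manifest also declares `targetSdkVersion` 17 or higher, so an app built against an older target gets the old behaviour even on a new device. The HTTPS part matters independently of the bridge, since the attack in this thread needs to get its script into the page in the first place.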

------
click170
"Warning: infected app! download and install our app to protect yourself!"

thank god there is an app to protect... wait a minute... where have I seen
these tactics used before...

~~~
zhongjiewu
I wouldn't comment on their AntiVirus stuff but I think the vulnerability in
the Bing App is real.

------
zhongjiewu
Sounds like a very dangerous attack and not very difficult to implement.

DNS hijacking:

1. Quicker DNS response than the router to pollute the Android's DNS

2. Rogue AP that pretends to be a common free public wifi like "att",
"starbucks", "cablewifi" or "Free Public WiFi"

3. De-authenticate valid AP connections and force the user to try the rogue WiFi

MITM attack:

1. ARP spoofing

~~~
trustlook
Correct ;-)

~~~
vezzy-fnord
That's a universal network attack though, how is it an exclusive vulnerability
to this app?

~~~
zhongjiewu
You would never be able to install an app without the user clicking "install" etc.

This one uses Javascript Bridge vulnerability to execute high privilege code
in your Android. The attack code is javascript to be interpreted to Java calls
in Android.

You wouldn't be able to do that on iPhone though.

~~~
lstamour
Bit confused as to how this can't happen on iOS "just because," as iOS apps
could be targeted in a similar way. Really the message here should be that SSL
with certificate-pinning is a must for apps that inherently run in untrusted
environments with an inability to easily inspect the security of the network
traffic without MITMing it yourself. Wish this was a security feature on the
app store -- if, in automated testing or in device logs, an app was entirely
secure or insecure with its communication, just as we've padlock icons in
browsers today.

~~~
gress
iOS apps cannot be targeted in this way because they don't have the JavaScript
bridge.

~~~
void-star
Not exactly. iOS 7+ introduced Cocoa<->JavaScript bridging capabilities in the
public APIs. Before that, similar iOS APIs had existed as "private" ones (so,
very uncommonly used outside of Apple's own apps).

iOS doesn't bridge Javascript to _Java_ which is why this particular attack
wouldn't work. But the JS<->Cocoa stuff is still pretty young, so wait and see
;)

~~~
robterrell
The JS-Cocoa bridge isn't young at all, it's the same bridge that has been on
Mac OS X for years. And it's opt-in -- on the native side you have to specify
which classes can be bridged and what methods can be called. It's not the case
that any bridged webview exposes all of Cocoa for your JS injection pleasure.
You could write an app that specifically exposed some dangerous API, but you'd
know you had done so.

~~~
lstamour
> You could write an app that specifically exposed some dangerous API, but
> you'd know you had done so.

Few people write insecure code on purpose. Of course the same is true of
Safari or networking/parsing code. I still maintain certificate pinning is the
answer here, to try and defend as much as possible against MITM in the first
place.
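
The certificate pinning that this comment (and the earlier one by the same poster) proposes as the defence, as an added example rather than code from the thread or from any app discussed in it. It assumes the OkHttp 3+ library (`okhttp3.CertificatePinner`, which is a real API); the hostname and both pin values are placeholders and would be replaced by the base64 SHA-256 of the real server's SubjectPublicKeyInfo.

```java
// Added example (not from the thread). Host and pin strings are placeholders;
// the OkHttp classes and the SSLPeerUnverifiedException behaviour are real.
import java.io.IOException;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class PinnedClient {
    static final String HOST = "api.example.com";                       // placeholder

    // Pins are "sha256/" + base64(SHA-256(SubjectPublicKeyInfo)). Keep at least
    // one backup pin (for a key not yet deployed) so key rotation does not
    // lock every installed client out. Both values below are placeholders.
    static final String PRIMARY_PIN = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
    static final String BACKUP_PIN  = "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

    /** Client that refuses any TLS chain in which no certificate matches a pin,
     *  even if the chain is signed by a CA the device trusts. That is what stops
     *  the rogue-AP / DNS-hijack scenario from the thread: the attacker can
     *  intercept the connection but cannot present a pinned key. */
    static OkHttpClient build() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(HOST, PRIMARY_PIN)
                .add(HOST, BACKUP_PIN)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .build();
    }

    /** Fetches a path over HTTPS. On a pin mismatch OkHttp throws
     *  javax.net.ssl.SSLPeerUnverifiedException (an IOException) before any
     *  request bytes are sent; callers should fail closed rather than retry
     *  with a non-pinned client. */
    static String fetch(String path) throws IOException {
        Request req = new Request.Builder()
                .url("https://" + HOST + path)
                .build();
        try (Response resp = build().newCall(req).execute()) {
            return resp.body().string();
        }
    }
}
```

Pinning only helps for traffic the app itself makes through the pinned client; a WebView loading pages over HTTP, as in the vulnerability this thread is about, is unaffected by it, so the two measures are complementary rather than alternatives.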

------
iagox86
"There's a horrible vulnerability in the Bing app! ...but we're not going to
give you any details."

I hate stories like that.

~~~
trustlook
google "addJavascriptInterface vulnerability"

------
joshbaptiste
Hmm.. interesting, well luckily I don't use the Bing app, I don't even use Bing on
a normal browser. It just sounds weird to me for some reason .. "Ok Ima Bing
that information right now!".

~~~
brokenparser
I'd rather quack it :)

------
dudus
Does this bug affect only android phones that are rooted?

It flashes saying that the bing App got root permission. I think that's
disabled unless the phone was jailbroken.

~~~
trustlook
Correct. Even for non-rooted phones, attackers can send SMS, record audio
or access the SD card due to the permissions the target app applied for. Also you
may exploit some privilege escalation vulnerability on Android after you get a
shell. It's phone-specific and app-specific though.

------
sleepyK
Well to be honest almost nobody on Android uses Bing.....

Google search is default, and for those looking for alternatives, there's also
an excellent DuckDuckGo app.

~~~
trustlook
LOL, that's what I thought... Well there is a large number of apps also
affected by this vulnerability. Some have 50m-100m downloads.

------
wangsanli
Please disclose more info about how to fix it, thx.

------
stormbrew
There's a bing app?

(sorry, had to do it)

------
Joanne_jiang
wow...unbelievable! would like to hear your next finding

------
xinbenlv
That is shocking

------
majiaguan
lol, Microsoft needs to learn how to write Android apps, especially in Java
programming

