BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:The Lifetime of Android API vulnerabilities: case study on the Jav
 aScript-to-Java interface - Daniel Thomas (University of Cambridge)
DTSTART:20150330T130500Z
DTEND:20150330T135500Z
UID:TALK58573@talks.cam.ac.uk
CONTACT:Andrew Rice
DESCRIPTION:We examine the lifetime of API vulnerabilities on Android and 
 propose an\nexponential decay model of the uptake of updates after the rel
 ease of a\nfix. We apply our model to a case study of the JavaScript-to-Ja
 va\ninterface vulnerability. This vulnerability allows untrusted JavaScrip
 t\nin a WebView to break out of the JavaScript sandbox allowing remote cod
 e\nexecution on Android phones\, this can often then be further exploited 
 to\ngain root access. While this vulnerability was first reported on\n2012
 -12-21 we predict that the fix will not have been deployed to 95% of\ndevi
 ces until 2018-01-10\, 5.2 years after the release\nof the fix. We show ho
 w this vulnerability is exploitable in many apps\nand the role that ad-lib
 raries have in making this flaw so widespread.
LOCATION:LT1\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
