According to Jiangxiang, co-founder of Internet Fast Bird, the flaw stems from the WebView control packaged in the Android SDK, which lets JavaScript in a page invoke Java code in the application that embeds it.
This feature brings convenience as well as significant potential risks.
Java code can invoke many functions of the system, such as reading and writing files, placing calls, and sending text messages; after careful construction, a page can even root the phone or install malicious programs. The system is designed to limit which Java code can be invoked, but this limit is not strict on systems prior to 4.2, so the restriction can be bypassed and exists in name only.
For security reasons, to prevent Java-layer functions from being arbitrarily invoked, Google requires, from Android 4.2 onward, that functions allowed to be called be annotated with @JavascriptInterface. An application that targets API level 17 or higher is therefore not affected by this problem (note: applications on Android 4.2 with an API level below 17 are still affected).
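As an added example (not code from the original article or from Internet Fast Bird), the following Python script checks an app for the condition described above: a WebView bridge registered with addJavascriptInterface while the manifest's API levels are below 17. The manifest, the Java snippet and the names Bridge, saveNote and bridge are constructed samples, the regex-based Java parsing is a simplifying assumption, and the minSdkVersion check reflects the fact that systems before 4.2 do not enforce the annotation.

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample inputs, not taken from any real application.
SAMPLE_MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                   '<uses-sdk android:minSdkVersion="14" android:targetSdkVersion="16"/></manifest>')
SAMPLE_JAVA = '''
class Bridge {
    @JavascriptInterface
    public String getTitle() { return "demo"; }
    public void saveNote(String text) { }
}
class Main { void setup(WebView w) { w.addJavascriptInterface(new Bridge(), "bridge"); } }
'''
BRIDGE = re.compile(r'addJavascriptInterface\(\s*new\s+(\w+)\s*\([^)]*\)\s*,\s*"(\w+)"')
METHOD = re.compile(r'(@JavascriptInterface\s+)?public\s+[\w<>\[\]]+\s+(\w+)\s*\(')

def sdk_levels(manifest_xml):
    """Return (minSdkVersion, targetSdkVersion); a missing target defaults to min."""
    node = ET.fromstring(manifest_xml).find("uses-sdk")
    attrs = node.attrib if node is not None else {}
    min_sdk = int(attrs.get(NS + "minSdkVersion", 1))
    return min_sdk, int(attrs.get(NS + "targetSdkVersion", min_sdk))

def class_body(source, name):
    """Return the text between the braces of class `name` (naive brace matching)."""
    m = re.search(r'\bclass\s+%s\b[^{]*\{' % re.escape(name), source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit(manifest_xml, source):
    """List each JavaScript bridge whose public methods may all be reachable."""
    min_sdk, target = sdk_levels(manifest_xml)
    if target < 17:
        reason = "targets API level below 17: annotation not required"
    elif min_sdk < 17:
        reason = "installs on systems before 4.2, which do not enforce the annotation"
    else:
        return []  # annotation is required and enforced everywhere the app runs
    findings = []
    for cls, js_name in BRIDGE.findall(source):
        bare = [m.group(2) for m in METHOD.finditer(class_body(source, cls)) if not m.group(1)]
        findings.append({"bridge": js_name, "class": cls, "unannotated": bare, "reason": reason})
    return findings
```

Calling audit(SAMPLE_MANIFEST, SAMPLE_JAVA) reports the bridge object and lists saveNote as a public method lacking the annotation.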
A large number of mobile developers in China have misused the WebView control interface, leading to a large-scale outbreak of attacks exploiting the vulnerability.
Until app developers upgrade their apps, users are advised to open web pages in the system's own browser and to treat links from strangers in social applications with caution.
About Internet Fast Bird:
Provides services including traffic-saving mobile internet access and real-time cloud interception of attacks.