ADVISORY MI3-2017-001


Android Operating System (JELLY_BEAN - API Level 16 and below)


Mi3 Security is aware of a vulnerability in the Javascript interface of certain Android systems and applications leveraging API version 16 and below that could place users of applications in danger of remote-code exploitation. 

As of August 2017 Google estimates that 7.6% of all devices still run JELLY_BEAN (API 16). Google also estimates there are over 2 Billion monthly active Android devices, presenting a total of 152 Million devices potentially exposed to this vulnerability.


Low Priority. 

Given the API level targeted and the number of supported devices this is rated as a low potential for exploitation.



This vulnerability impacts API level 16 and below only.

The root of the problem is a JavaScript binding method called addJavascriptInterface that is a common, but insecure, method of loading web content into an Android app. When an Android application invokes the method and loads the content from a web browser in WebView over HTTP, it opens the door for attackers to execute code remotely. Attackers can hijack mobile communications to inject malicious content and links into the application, gaining full control of the app running on the device.


Total Devices Potential Affected: 152 Million

This vulnerability can have potentially severe impacts including:

  • Remote code execution
  • Access to mobile operating system
  • Access to private and confidential information
  • Lateral attacks to connected networks (including enterprise networks)


Detection can be performed by identifying any use of the addjavascriptinterface function call on applications targeted to API 16 and below. The Mi3 Security RECON platform includes a fingerprint to detect this potential vulnerability.


  • The addjavascriptinterface vulnerability is originally attributed to Neil Bergman with the metasploit-framework module to jduck and joev
  • The vulnerability was also discussed by Adrienne Porter-Felt, Dawn Song, Erika Chin, Steve Hanna, and David Wagner of UC Berkeley here --
  • In 2014 FireEye talked about this vulnerability and dubbed it "JBOH", or JavaScript-Binding Over HTTP. Watch the BlackHat talk here