Keep Me Updated: An Empirical Study on Embedded Java']JavaScript Engines in Android Apps

Although JavaScript (JS) has been widely used in mobile development, little is known about the security implications of utilizing JS engines shipped as native app libraries. In this paper, we conduct an empirical study by designing a JS-Inspector pipeline to identify the embedded JS engines in Android apps and assess their security. We investigate over 65,000 Android apps released between Jan 2018 and July 2023. The results show that many popular apps use embedded JS engines, and their engines remain outdated for extended periods. Moreover, approximately 85% of apps have not received updates since their initial release. As such, over 70% of the identified embedded engines are vulnerable to known exploits. We further present case studies of popular apps catering to millions of users. By exploiting their unpatched JS engines through various strategies, such as man-in-the-middle attacks, intent abuse, and malicious mini-apps, we can easily seize control of the targeted apps and execute arbitrary code. This work highlights critical security concerns associated with embedded JS engines. It emphasizes the urgency for timely updates and enhanced security measures during app development.