Back To The Future - Going Back In Time To Abuse Android's JIT


Portals - Abusing JavaScript Interface Usage in Android Browsers - OWASP 2017


All Your Browsers Belong To Us - Infiltrate 2016

On the shoulders of giants, this presentation will take a deep dive into the Dalvik Virtual Machine's JIT implementation and how it can be used and abused to execute shellcode. We will additionally take a cursory look at the JIT compiler introduced in Android Nougat, and whether or not the same techniques can be applied. Also discussed are the tools that were created in order to assist in tracing through and deconstructing the JIT compilation internals.



Five years ago, the ability to execute arbitrary code in Android WebViews through Javascript Interfaces was discovered roughly five years ago. Since then this vulnerability has been patched and minimal research has surfaced about additional problems with Javascript Interfaces.

This talk is to serve as a (re)introduction into Javascript Interfaces and the Android Browsers that use them. We will discuss how they are implemented, their per-browser functionality, and the security problems that comes with them.

We will also dive into a generic methodology for developing your own toolset and processes for analyzing Javascript Interfaces in Android Browsers, along with some details around vulnerability research and exploit development.



The age of Android is upon us, and is taking no prisoners. More and more
Android users flock to the Google Play Store and rummage through apps,
searching for the new hotness to download and install on their devices.
What they don’t know will kill them … nah not really, but they’re probably
going to have a bad time.

This presentation will take a deep dive into the pervasiveness of
vulnerability patterns that riddle the most popular of Android Web
Browsers, and the techniques can be used to exploit them. Multiple
browsers will be used to demonstrate many of the abuse cases, a methodology
for vulnerability research and exploit development.