When it comes to Android apps, even the simplest app could greatly compromise your privacy and security.

Injecting malicious JavaScript into Android applications has drawn increased attention from the hacking community as Android's market share spikes. According to security researcher Jeremy S. from Singapore, a critical vulnerability in the Feedly app left millions of Android users exposed to JavaScript injection.

Feedly is a very popular app available for iOS and Android devices, and it is also integrated into hundreds of other third-party apps. It lets users browse the content of their favourite blogs, magazines, websites and more in one place via RSS feed subscriptions. According to the Google Play Store, more than 5 million users have installed the Feedly app on their Android devices.

In a blog post, the researcher reported that Feedly is vulnerable to a JavaScript injection attack, commonly referred to as 'cross-site scripting' or XSS, which allows an attacker to execute arbitrary JavaScript code on the client side. JavaScript is widely used within websites and web-based applications, but it is used not only for good purposes, but for malicious purposes as well.

The Feedly app failed to sanitize JavaScript code embedded in the original articles on subscribed websites or blogs, which left millions of its feed subscribers open to injection attacks. The researcher demonstrated that the vulnerability allows an attacker to execute malicious JavaScript code within the Feedly app on the user's device. So, if a user browses an article via Feedly that includes malicious JavaScript code, the user unknowingly gives an attacker leverage to carry out malicious activities against them.
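The missing step described above is sanitizing article HTML before the app renders it. The following is an added example, not Feedly's code or the researcher's, showing an allowlist sanitizer for feed content written in Python: it keeps harmless formatting tags, drops `<script>` and similar elements together with their contents, strips event-handler attributes, and rejects `javascript:` and `data:` URLs in links and images. The tag and attribute lists, and the sample feed fragment, are assumptions constructed for illustration; a real feed reader would tune the allowlist to the markup it needs.

```python
"""Allowlist HTML sanitizer for RSS/Atom article bodies.

Constructed illustration, not Feedly's code: a feed reader that renders
third-party article HTML in a WebView must strip active content (scripts,
event handlers, javascript: URLs) before handing the markup to the view.
"""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags an article body typically needs; anything else is dropped but its
# text content is kept. (Assumed list for illustration.)
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "code", "pre", "img"}
# Attributes allowed per tag: no on* handlers, no style. (Assumed list.)
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
# URL schemes permitted in href/src; javascript:, data:, vbscript: fail this.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose entire content is discarded, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}
# Characters the WHATWG URL parser ignores before the scheme check.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def _safe_url(value):
    # Mirror the browser: remove tab/newline anywhere and leading/trailing C0
    # controls, so "java\nscript:alert(1)" does not slip past the scheme check.
    cleaned = re.sub(r"[\t\r\n]", "", value).strip(_C0_AND_SPACE)
    scheme = urlparse(cleaned).scheme.lower()
    # Relative URLs have no scheme and are allowed.
    return scheme == "" or scheme in SAFE_SCHEMES


class FeedSanitizer(HTMLParser):
    """Serialises only allowlisted tags/attributes; escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth += 1  # nested <script> inside <script>
            return
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag, keep its children/text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # onerror=, onclick=, style= and friends land here
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_feed_html(fragment):
    """Return a sanitized copy of an article-body HTML fragment."""
    parser = FeedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what a hostile feed entry might carry.
    sample = ('<p onclick="x()">Hello <b>world</b><script>alert(1)</script></p>'
              '<img src="pic.png" onerror="alert(2)">'
              '<a href="javascript:alert(3)">link</a>')
    print(sanitize_feed_html(sample))
```

The parser never emits an attribute or tag it has not explicitly allowed, which is the property a WebView-backed reader needs: new HTML features or obfuscated handler names cannot reach the rendering engine unless someone adds them to the allowlist.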

"The android app does not sanitize JavaScript codes and interprets them as codes. As a result, allows potential attackers to perform JavaScript code executions on victim's Feedly android app session via a crafted blog post," the researcher wrote. He added, "Attacks can take place only when user browses the RSS-subscribed site's contents via the Feedly android app."

A malicious JavaScript injection allows an attacker to do a number of things: read or modify cookies, temporarily edit web page contents, modify web forms, or inject tracking code or exploit code in order to infect Android users.
