Dimitrios Valsamaras

Dimitrios is a seasoned cybersecurity professional with a specialization in mobile, web, and network security. Holding a degree in Computer Science with a focus on Cryptography and Security, he has collaborated with leading companies such as Microsoft and Google, bringing a wealth of expertise to each engagement. With deep expertise in reverse engineering, Dimitrios has been an active member of one of Greece's earliest reverse engineering research groups since his early career. As a frequent speaker at leading security conferences such as BlackHat, Nullcon, Insomni’hack, and Troopers, he is recognized for his in-depth analysis of emerging threats and innovative defense mechanisms.


Session

10-23
11:15
30min
My other ClassLoader is your ClassLoader: Creating evil twin instances of a class
Dimitrios Valsamaras

The class loader is a fundamental component of the Java Virtual Machine, responsible for dynamically loading classes into an application's memory during runtime. The functionality of class loaders is outlined by the abstract ClassLoader class, with the PathClassLoader and DexClassLoader being some common implementations in the Android OS.

In the context of data transfer and object management, dynamic class loading becomes particularly relevant when dealing with Serializable and Parcelable objects, as the ClassLoader implementation plays a crucial role in reconstructing them. However, while the Android security model enforces isolation among running processes, nothing prevents an application from creating and maliciously using objects of another app. In fact, the practice of storing application resources and their code in world-readable directories eases this process, since it allows any app to "borrow" the context of another and create class loader instances that can be used to construct Java objects with potentially unsafe content.

Android developers often overlook this contingency, placing undue trust in Java objects received from untrusted sources. In a typical scenario, an application handles such objects without proper caution regarding their encapsulated data. Depending on how this data is used, such an oversight can lead to unpredictable behavior and, under some circumstances, can have serious security implications.

In this study, we demonstrate techniques and explore how third-party applications, without requiring any permission, can leverage the outlined behavior to craft and dispatch Parcelable Java objects with malicious content to other applications. We further illustrate, using practical examples, the severe security implications that this may have, underscoring the necessity for more vigilant and comprehensive security practices in Android application development.
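As an added illustration of the defensive point made above (example code, not material from the talk): a receiving Activity checks the runtime type of an incoming Parcelable extra and validates its fields before acting on them. `DocumentViewerActivity`, `DocumentRequest`, the `request` extra and the `docs` directory are all hypothetical names chosen for the example.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.os.Parcel;
import android.os.Parcelable;
import java.io.File;
import java.io.IOException;

public class DocumentViewerActivity extends Activity {
    private static final String EXTRA_REQUEST = "request";   // hypothetical extra name
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The extra was parcelled in another process: check its type before casting (API 33+ offers a typed getParcelableExtra)
        Parcelable p = getIntent().getParcelableExtra(EXTRA_REQUEST);
        DocumentRequest req = (p instanceof DocumentRequest) ? (DocumentRequest) p : null;
        // Every field of a received Parcelable is untrusted input and must be validated
        File target = (req == null) ? null : resolveSafely(req.getPath());
        if (target == null) { finish(); return; }   // refuse rather than act on unvalidated data
        setTitle(target.getName());                  // stand-in for actually rendering the document
    }

    // Returns the file only if it resolves inside this app's private docs directory
    File resolveSafely(String relative) {
        if (relative == null || relative.isEmpty()) return null;
        try {
            File root = new File(getFilesDir(), "docs").getCanonicalFile();
            File candidate = new File(root, relative).getCanonicalFile();
            // Canonical paths defeat "../" and symlink escapes from the docs directory
            if (!candidate.getPath().startsWith(root.getPath() + File.separator)) return null;
            return candidate.isFile() ? candidate : null;
        } catch (IOException e) {
            return null;
        }
    }

    // Hypothetical Parcelable whose single field is a caller-supplied relative path
    static final class DocumentRequest implements Parcelable {
        private final String path;
        DocumentRequest(Parcel in) { path = in.readString(); }
        String getPath() { return path; }
        @Override public int describeContents() { return 0; }
        @Override public void writeToParcel(Parcel out, int flags) { out.writeString(path); }
        public static final Parcelable.Creator<DocumentRequest> CREATOR = new Parcelable.Creator<DocumentRequest>() {
            @Override public DocumentRequest createFromParcel(Parcel in) { return new DocumentRequest(in); }
            @Override public DocumentRequest[] newArray(int n) { return new DocumentRequest[n]; }
        };
    }
}
```

The same pattern applies to any component that unpacks Parcelable or Serializable data from an Intent, Bundle or Binder call: confirm the concrete type, then validate each field as you would any external input.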

topic: hack.lu
Europe