BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2025//speaker//C3TJEK
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2025-CHMH78@pretalx.com
DTSTART;TZID=CET:20251023T111500
DTEND;TZID=CET:20251023T114500
DESCRIPTION:The class loader is a fundamental component of the Java Virtual
  Machine\, responsible for dynamically loading classes into an application
 's memory during runtime. The functionality of class loaders is outlined b
 y the abstract ClassLoader class\, with the PathClassLoader and DexClassLo
 ader being some common implementations in the Android OS.\n\nIn the contex
 t of data transfer and object management\, dynamic class loading becomes p
 articularly relevant when dealing with Serializable and Parcelable objects
 \, as the ClassLoader implementation plays a crucial role in reconstructin
 g them. However\, while the Android security model enforces isolation amon
 g running processes\, nothing prevents an application from creating and ma
 liciously using objects of another app. In fact\, the practice of storing 
 application resources and their code in world-readable directories eases
  this process\, since it allows any app to "borrow" the context of another
  and create class loader instances that can be used to construct Java obje
 cts with potentially unsafe content.\n\nAndroid developers often overlook 
 this contingency\, placing undue trust in Java objects received from untru
 sted sources. In a typical scenario\, an application handles such objects
  without proper caution regarding their encapsulated data. Depending on t
 he use of this data\, such an oversight can lead to unpredicted behavior a
 nd under some circumstances\, it can have serious security implications.\n
 \nIn this study\, we demonstrate techniques and explore how third-party ap
 plications\, without requiring any permission\, can leverage the outlined 
 behavior to craft and dispatch parcelable Java objects with malicious cont
 ent\, to other applications. We further illustrate\, using practical examp
 les\, the severe security implications that this may have\, underscoring t
 he necessity for more vigilant and comprehensive security practices in And
 roid application development.
DTSTAMP:20260421T224754Z
LOCATION:Europe
SUMMARY:My other ClassLoader is your ClassLoader: Creating evil twin instan
 ces of a class - Dimitrios Valsamaras
URL:https://pretalx.com/hack-lu-2025/talk/CHMH78/
END:VEVENT
END:VCALENDAR
