My other ClassLoader is your ClassLoader: Creating evil twin instances of a class
2025-10-23, Europe

The class loader is a fundamental component of the Java Virtual Machine, responsible for dynamically loading classes into an application's memory during runtime. The functionality of class loaders is outlined by the abstract ClassLoader class, with the PathClassLoader and DexClassLoader being some common implementations in the Android OS.

In the context of data transfer and object management, dynamic class loading becomes particularly relevant when dealing with Serializable and Parcelable objects, as the ClassLoader implementation plays a crucial role in reconstructing them. However, while the Android security model enforces isolation among running processes, nothing prevents an application from creating and maliciously using objects of another app. In fact, the practice of storing application resources and code in world-readable directories eases this process, since it allows any app to "borrow" the context of another and create class loader instances that can be used to construct Java objects with potentially unsafe content.

Android developers often overlook this contingency, placing undue trust in Java objects received from untrusted sources. In a typical scenario, an application handles such objects without proper caution regarding their encapsulated data. Depending on how this data is used, such an oversight can lead to unexpected behavior and, under some circumstances, can have serious security implications.

In this study, we demonstrate techniques and explore how third-party applications, without requiring any permission, can leverage the outlined behavior to craft and dispatch parcelable Java objects with malicious content to other applications. We further illustrate, using practical examples, the severe security implications this may have, underscoring the necessity for more vigilant and comprehensive security practices in Android application development.


Presentation Outline

  • Java Class Loaders and their types: In this introductory part I am going to provide the audience with a clear, high-level understanding of Java class loaders, explaining their fundamental role in the context of a JVM. We will explore the diverse types of class loaders and touch on the parent-child relationship and delegation model that forms the basis of how they work. Additionally, given that Java reflection is an integral component of class loaders, I will conclude this section by providing an overview of this concept. This will include explaining its fundamental principles and demonstrating its basic applications in practical scenarios.

  • Android ClassLoader implementations: Here I am going to dive deeper into the specific implementations unique to the Android OS. The presentation will center on the most critical ClassLoaders in this context, including PathClassLoader, DexClassLoader and InMemoryDexClassLoader, and touch on concepts like Android's hidden API.

  • Parcelable and Serializable objects in the context of inter-process communication: In this segment, I will explore the concepts of Parcelable and Serializable objects in Java, focusing on their implementation methodologies and key distinctions. My discussion will extend to their applications in inter-process communication, with a particular focus on security considerations tied to their usage. To illustrate this, I will highlight the CVE-2020-8913 example, providing real-world context to the concepts discussed.

  • "Borrowing" other applications' code: In this part, I plan to guide the audience through the methods available for importing code from other Android applications into an Android Studio project. We will look at how to effectively integrate external code, emphasizing the practical steps and considerations involved in this process.

  • Utilizing the /data/app Folder: While importing code from other apps at compilation time is feasible, this approach can often be complex and fraught with challenges, such as resolving package class conflicts. However, Android stores application resources and code in world-readable directories during the installation process, significantly simplifying the "borrowing" process described above. One effective method involves using createPackageContext, which, when provided with a package name, returns a context identical to that of the named app at launch, including its resources and class loader. Based on this, I will demonstrate how to instantiate Java objects from another application's private domain, showcasing a more streamlined approach to leveraging external code resources.

  • Creating parcelable evil twins: As previously mentioned, a common oversight among Android developers is neglecting the public readability of their application's code and class loader, coupled with an implicit trust in parcelable or serializable objects from untrusted sources. In this segment, I will walk through real-world case studies where such blind trust has led to significant security vulnerabilities.

  • Closing remarks: As I conclude this briefing, I will highlight the need to avoid receiving and unmarshaling parcelable or serializable objects outside of an app's private sphere. While sometimes this practice may be unavoidable, especially with system-related objects, I will leave the audience with essential insights on how to effectively safeguard Android apps against such types of attacks.
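As an added defensive illustration of the closing advice (example code written for this page, not code from the talk): a hypothetical Parcelable, ExportRequest, whose CREATOR routes every unmarshaled field through a validating constructor, so an instance marshaled by another app with attacker-chosen field values is rejected at unmarshal time instead of being trusted. The class name, its two fields and the "request" extra key are assumptions.

```java
import android.content.Intent;
import android.os.Parcel;
import android.os.Parcelable;
import java.io.File;

// Hypothetical Parcelable that a component might receive from any app via an exported Intent.
public final class ExportRequest implements Parcelable {
    private static final int MAX_NAME_LEN = 64;
    private final String fileName;
    private final int retries;
    public ExportRequest(String fileName, int retries) {
        // All validation lives in the constructor, so no unmarshaling path can bypass it.
        this.fileName = validateName(fileName);
        this.retries = validateRetries(retries);
    }
    static String validateName(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LEN
                || name.contains("/") || name.contains("..") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("rejected file name");
        }
        return name;
    }
    static int validateRetries(int n) {
        if (n < 0 || n > 5) throw new IllegalArgumentException("rejected retry count");
        return n;
    }
    // fileName is a single path component, so the result cannot escape dir.
    public File resolveUnder(File dir) { return new File(dir, fileName); }
    @Override public int describeContents() { return 0; }
    @Override public void writeToParcel(Parcel out, int flags) {
        out.writeString(fileName);
        out.writeInt(retries);
    }
    public static final Parcelable.Creator<ExportRequest> CREATOR = new Parcelable.Creator<ExportRequest>() {
        @Override public ExportRequest createFromParcel(Parcel in) {
            // Field values come from the sender, possibly a twin built with our own class loader.
            return new ExportRequest(in.readString(), in.readInt());
        }
        @Override public ExportRequest[] newArray(int size) { return new ExportRequest[size]; }
    };
    // Receiver-side helper: a rejected or malformed parcel yields null instead of a crash.
    public static ExportRequest fromIntent(Intent intent) {
        try {
            Object o = intent.getParcelableExtra("request"); // "request" is a hypothetical extra key
            return (o instanceof ExportRequest) ? (ExportRequest) o : null;
        } catch (RuntimeException e) { // BadParcelableException, IllegalArgumentException, ...
            return null;
        }
    }
}
```

The same principle applies to Serializable classes through their readObject method: validate before any field is used, not after.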

Dimitrios is a seasoned cybersecurity professional with a specialization in mobile, web, and network security. Holding a degree in Computer Science with a focus on Cryptography and Security, he has collaborated with leading companies such as Microsoft and Google, bringing a wealth of expertise to each engagement. With deep expertise in reverse engineering, Dimitrios has been an active member of one of Greece's earliest reverse engineering research groups since his early career. As a frequent speaker at leading security conferences such as BlackHat, Nullcon, Insomni’hack, and Troopers, he is recognized for his in-depth analysis of emerging threats and innovative defense mechanisms.