Breaking Android IPC: A Deep Dive into AIDL Fuzzing
2025-10-24, Europe

In this talk, we’ll take a deep dive into fuzzing Android’s IPC mechanisms, focusing on AIDL fuzzing in particular. We’ll cover techniques for fuzzing AIDL interfaces to uncover vulnerabilities, discuss tools and frameworks, and highlight security issues we identified using this method.


In this talk, we’ll dive deep into Android’s Inter-Process Communication (IPC) mechanisms, focusing on the security challenges and vulnerabilities that come with them. We’ll start by exploring how IPC functions within the Android architecture, emphasizing its vital role in enabling communication between various components, such as services and activities. We’ll take a closer look at the Android Interface Definition Language (AIDL), which is frequently used to manage more complex IPC scenarios in Android apps. We’ll examine the security model that supports Android’s IPC mechanism and analyze common attack surfaces. By doing so, we’ll highlight the various risks associated with poorly secured IPC channels and the potential consequences of exploitation.

The highlight of our talk will be AIDL fuzzing, a powerful and surprisingly simple technique for discovering vulnerabilities in Android’s IPC systems. We’ll introduce the fundamentals of fuzzing and walk you through fuzzing AIDL interfaces to uncover hidden vulnerabilities. Along the way, we’ll cover the tools and scripts built for AIDL fuzzing. For a more hands-on experience, we’ll present our setup and run a live AIDL fuzzing session on a sample vulnerability we identified in an Android interface.

I (@h4ckologic) am a cybersecurity researcher passionate about uncovering and addressing critical vulnerabilities in complex technology implementations. My work includes identifying and reporting issues to top tech companies like Apple, Google, Microsoft and many others. Some of the CVEs I have identified are Apple (CVE-2021-31001), PhantomJS (CVE-2019-17221), and NPM html-pdf (CVE-2019-15138). I’ve had the privilege of sharing my research at leading conferences, including NoNameCon, Ekoparty, and Hacktivity (2020); Hack in the Box and Romhack (2023); and HITB Bangkok and BSides Ahmedabad (2024). With a focus on practical solutions and deep technical insights, I’m dedicated to advancing security practices and contributing to the global infosec community.