My Other ClassLoader is Your ClassLoader Reloaded - Reviving Parcelable Objects

nullcon via YouTube

Overview

Explore advanced Android security vulnerabilities through this 29-minute conference talk that demonstrates how malicious applications can exploit ClassLoader mechanisms to craft and manipulate Parcelable objects across application boundaries. Learn about the fundamental role of ClassLoaders in the Java Virtual Machine, particularly PathClassLoader and DexClassLoader implementations in Android OS, and understand how they handle dynamic class loading for Serializable and Parcelable objects. Discover a novel technique for intercepting, storing, modifying, and reusing Parcelable objects by manipulating serialized data directly, significantly reducing the complexity of creating malicious instances. Examine how third-party applications can leverage world-readable application directories to "borrow" contexts from other apps and create ClassLoader instances for constructing potentially unsafe Java objects, all without requiring special permissions. Understand the security implications when Android developers place excessive trust in Java objects from untrusted sources, leading to unpredictable behavior and serious security vulnerabilities. Gain insights into practical attack scenarios that demonstrate how these techniques can be used to dispatch malicious Parcelable objects to target applications, emphasizing the critical need for more vigilant security practices in Android application development.

Syllabus

#NullconBerlin2025 | My Other ClassLoader is Your ClassLoader Reloaded: Reviving Parcelable Objects

Taught by

nullcon
