< NULLCON 2025 - BERLIN />

About the Speaker

Dimitrios Valsamaras
Senior Security Researcher, Microsoft

< Talk Title />

My Other ClassLoader is Your ClassLoader Reloaded: Reviving Evil Parcelable Objects

< Talk Category />

Technical Speakers

< Talk Abstract />

The class loader is a fundamental component of the Java Virtual Machine, responsible for dynamically loading classes into an application's memory during runtime. The functionality of class loaders is outlined by the abstract ClassLoader class, with the PathClassLoader and DexClassLoader being some common implementations in the Android OS.

In the context of data transfer and object management, dynamic class loading becomes particularly relevant when dealing with Serializable and Parcelable objects, as the ClassLoader implementation plays a crucial role in reconstructing them. However, while the Android security model enforces isolation among running processes, nothing prevents an application from creating and maliciously using objects of another app. In fact, the practice of storing application resources and their code in world-readable directories eases this process, since it allows any app to "borrow" the context of another and create class loader instances that can be used to construct Java objects with potentially unsafe content.

Additionally, we introduce a new technique whereby Parcelable objects can be intercepted, stored as files, modified, and subsequently reused. This approach significantly reduces the complexity involved in crafting malicious Parcelable instances, allowing attackers to manipulate serialized objects directly.

Android developers often overlook this contingency, placing undue trust in Java objects received from untrusted sources. In a typical scenario, an application handles such objects without proper caution regarding their encapsulated data. Depending on the use of this data, such an oversight can lead to unpredictable behavior and, under some circumstances, serious security implications.

In this study, we demonstrate techniques and explore how third-party applications, without requiring any permission, can leverage the outlined behavior to craft, modify, and dispatch Parcelable Java objects with malicious content to other applications. We further illustrate, using practical examples, the severe security implications that this may have, underscoring the necessity for more vigilant and comprehensive security practices in Android application development.

< Speaker Bio />

Dimitrios is a seasoned cybersecurity professional with a specialization in mobile, web, and network security. Holding a degree in Computer Science with a focus on Cryptography and Security, he has collaborated with leading companies such as Microsoft and Google, bringing a wealth of expertise to each engagement. With deep expertise in reverse engineering, Dimitrios has been an active member of one of Greece's earliest reverse engineering research groups since his early career. As a frequent speaker at leading security conferences such as BlackHat, Nullcon, Insomni’hack, and Troopers, he is recognized for his in-depth analysis of emerging threats and innovative defense mechanisms.