Skip to content

Android Class Loading Hijacking

Android Class Loading Hijacking

Description

Android provides APIs that allow an application to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked, allowing access to private data and unexpected arbitrary code execution by malicious applications

Two classes allow the loading of additional code:

    DexClassLoader (String dexPath, String dexOutputDir, String libPath, ClassLoader parent)
    PathClassLoader (String path, String libPath, ClassLoader parent)

Recommendation

When loading additional code in Android applications, a developer should ensure that both the loaded code and the generated alternative versions of the code are placed in a secured directory, typically within the application's private directory.