Android Class Loading Hijacking
Android Class Loading Hijacking
Description
Android provides APIs that allow an application to dynamically load code to be executed. For example, an application may support plug-ins that are downloaded and then loaded at a later time. Unfortunately, if these plug-ins are stored in an insecure location, this process can be hijacked, allowing access to private data and unexpected arbitrary code execution by malicious applications
Two classes allow the loading of additional code:
DexClassLoader (String dexPath, String dexOutputDir, String libPath, ClassLoader parent)
PathClassLoader (String path, String libPath, ClassLoader parent)
Recommendation
When loading additional code in Android applications, a developer should ensure that both the loaded code and the generated alternative versions of the code are placed in a secured directory, typically within the application's private directory.