Android Parcels - The Bad, the Good and the Better - Introducing Android's Safer Parcel

Explore a comprehensive 39-minute conference talk from Black Hat that delves into Android's Parcel serialization mechanism and its security implications. Gain insights into the vulnerabilities associated with Parcelable implementations, which have plagued Android for nearly a decade. Discover how these high-severity flaws have been exploited by malware authors to achieve privileged exploits, including silent package installation and arbitrary code execution. Learn about various exploit techniques, such as the persistent Bundle FengShui exploits, and a newly reported exploit chain (CVE-2021-0928) that enables arbitrary code execution in privileged application processes on Android 12. Presented by Hao Ke, Bernardo Rufino, Maria Uretsky, and Yang Yang, this talk offers a detailed examination of Android Parcels' security landscape and introduces the concept of a safer Parcel implementation.