Android applications rely heavily on Parcelables for inter-process communication, often assuming sandbox boundaries prevent malicious object manipulation. In practice, complex class loader behavior and unsafe trust assumptions allow attackers to inject, revive and modify objects originating outside an application's control. These weaknesses expose sensitive data flows, enable intent manipulation and create paths to privilege abuse.

By examining how custom objects move across application boundaries, this session clarifies why common defensive assumptions fail and how exploitation scales from small objects to deeply nested structures, thereby outlining practical defensive strategies that reduce exposure without breaking application functionality.

This session, led by Dimitrios Valsamaras, senior security researcher at Microsoft, will cover:

• Scaling object manipulation from simple fields to large nested structures;
• Exploitation risks tied to intent redirection and token leakage;
• Secure design patterns for handling externally supplied objects.