Authorization / Android Class Load Hijacking

Android, Mobile App


Android Class Load Hijacking is a vulnerability in which an attacker takes control of what code a mobile application runs by influencing its class loader: either by supplying the name of the class to be loaded, or by placing a class or DEX file where the loader will pick it up. It is catalogued in the Common Weakness Enumeration (CWE) as CWE-427 (Uncontrolled Search Path Element) and is also described in the OWASP Testing Guide as a weakness of mobile applications.


Because the application loads and instantiates whatever class the attacker names, the attacker's code runs inside the application's own process, with the application's permissions. From there it can read data the app keeps private (credentials, session tokens, local databases), modify or delete that data, and call internal functionality while skipping the app's own authentication and authorization checks. In short, the attacker can alter the application's behaviour and execute arbitrary code in its context. On an unrooted device the impact is bounded by the app's sandbox, but for an app that handles sensitive data or holds sensitive permissions that is usually enough.


The most effective prevention is to keep attacker-controlled data out of class-loading decisions. Never derive a class name or a code path from an Intent extra, a file on external storage, a network response or any other untrusted input; map such input onto a fixed allowlist of classes the app already ships instead. If code really must be loaded at runtime, load it only from application-private storage (never from world-readable or world-writable locations such as external storage) and verify its integrity, for example against a digest compiled into the APK, before handing it to DexClassLoader. Components that accept such data should not be exported unless they have to be. Code obfuscation and APK signing make analysis and tampering harder, but neither stops a caller from naming a class through an exported component, so they complement these measures rather than replace them. Finally, review and test the application for class-loader issues before release: every call to loadClass, Class.forName or DexClassLoader whose argument is not a compile-time constant deserves scrutiny.


The following Java snippet illustrates the vulnerable pattern (cf. CVE-2019-2216): an Activity takes a class name straight from its Intent extras and loads it. If the Activity is exported, any app on the device can supply that extra.

import android.app.Activity;
import android.os.Bundle;

public class VulnerableActivity extends Activity {
  @Override public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    Bundle extras = getIntent().getExtras();  // caller-supplied if this Activity is exported
    if (extras != null) {
      String className = extras.getString("className");  // attacker-controlled class name
      try {
        Class<?> clazz = getClassLoader().loadClass(className);  // resolves whatever class was named
        Object obj = clazz.newInstance();  // runs its static initializer and constructor
        // Do something with the object
      } catch (ReflectiveOperationException e) { throw new RuntimeException(e); }
    }
  }
}
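The hardened counterpart below is an added example and is not code from the original page; it puts the prevention advice above into practice against the vulnerable Activity just shown. HardenedActivity, SyncHandler, CleanupHandler, the "handler" extra and the file name module.dex are hypothetical names chosen for the illustration, and MODULE_SHA256 is a placeholder digest that a real build would replace with the hash of the module it ships. Only standard Android SDK and Java classes are used.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import dalvik.system.DexClassLoader;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Hardened counterpart of the vulnerable Activity (hypothetical example class). */
public class HardenedActivity extends Activity {

    // Hypothetical app-internal handlers; the point is that they are compiled into the APK.
    public static final class SyncHandler implements Runnable { @Override public void run() { /* app work */ } }
    public static final class CleanupHandler implements Runnable { @Override public void run() { /* app work */ } }

    /** Only these classes may be instantiated. The key is an opaque label, never a class name. */
    private static final Map<String, Class<? extends Runnable>> ALLOWED_HANDLERS = new HashMap<>();
    static {
        ALLOWED_HANDLERS.put("sync", SyncHandler.class);
        ALLOWED_HANDLERS.put("cleanup", CleanupHandler.class);
    }

    /** Pinned SHA-256 of the one optional module the app ships (placeholder; replace with the real digest). */
    private static final String MODULE_SHA256 =
        "0000000000000000000000000000000000000000000000000000000000000000";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The manifest should also declare android:exported="false" for this Activity so that
        // only the app itself can start it; the allowlist below is defence in depth.
        Bundle extras = getIntent().getExtras();
        if (extras == null) return;

        // 1. Never pass a caller-supplied string to loadClass(): map a label to a fixed class.
        Class<? extends Runnable> handler = ALLOWED_HANDLERS.get(extras.getString("handler"));
        if (handler == null) {
            return; // unknown or missing label: refuse rather than guess
        }
        try {
            handler.getDeclaredConstructor().newInstance().run();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("allowlisted handler failed to load", e);
        }
    }

    /**
     * 2. If code must be loaded at runtime, take it only from app-private storage and check its
     *    digest against a value compiled into the APK before the class loader ever sees it.
     */
    static ClassLoader loadVerifiedModule(Context ctx) throws IOException {
        File dex = new File(ctx.getFilesDir(), "module.dex");  // app-private dir, not external storage
        if (!MODULE_SHA256.equalsIgnoreCase(sha256Hex(dex))) {
            throw new SecurityException("module.dex digest mismatch; refusing to load");
        }
        File optimized = ctx.getCodeCacheDir();                // app-private optimized-dex directory
        return new DexClassLoader(dex.getAbsolutePath(), optimized.getAbsolutePath(),
                                  null, ctx.getClassLoader());
    }

    /** Streams the file through SHA-256 and returns the lowercase hex digest. */
    static String sha256Hex(File f) throws IOException {
        try (InputStream in = new FileInputStream(f)) {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every Java runtime
        }
    }
}
```

Two design points are worth noting. The allowlist removes the attacker's influence entirely: the label "sync" selects SyncHandler, but no string the caller sends can ever reach loadClass. The digest check in loadVerifiedModule only works because module.dex lives in app-private storage; if the file sat on external storage, another app could rewrite it between the hash check and the load, so the check must go together with the private location, not replace it.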
