8 Oct
Does sending an object created via intent.getSerializableExtra to handler.postDelayed lead to code execution?
I'm new to Android pentesting and I would like to know whether sending an object created from the result of intent.getSerializableExtra("EXTRA_TEST") to handler.postDelayed(TheObject, 500) could lead to a vulnerability, like:
    d.a aVar2 = (d.a) intent.getSerializableExtra("EXTRA_BUY_TAB_START_POSITION_EXPLORE");
    if (aVar2 != null) {
        this.handler.postDelayed(new e(aVar2), 500);
    }
I imagine that if we send an intent with a serialized Runnable, the target application would execute the malicious code... Is that right?
Edit: "d" is "public final class d extends Fragment", and d.a is:
    public static final class a {
        private a() {
        }

        public /* synthetic */ a(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }

        public final d a() {
            return new d();
        }
    }
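The following is an added example, not part of the original post and not code from the app in question. It uses plain Java (9 or later) to stand in for the deserialize-then-cast step of a Serializable extra. A serialized stream carries class names and field data, not bytecode, so the receiver can only instantiate classes it already has, and the cast decides what reaches the rest of the code. The example also shows an allow-list filter that rejects unexpected classes before they are instantiated. StartPosition and SenderTask are hypothetical names.

```java
import java.io.*;

public class SerializableExtraDemo {
    // Hypothetical stand-in for the type the receiving code expects to find in the extra.
    static final class StartPosition implements Serializable {
        final int index;
        StartPosition(int index) { this.index = index; }
    }
    // Constructed sample of an unexpected type: a Serializable Runnable supplied by the sender.
    static final class SenderTask implements Runnable, Serializable {
        public void run() { System.out.println("sender-controlled run()"); }
    }

    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Same shape as "(d.a) intent.getSerializableExtra(...)": deserialize first, cast second.
    static StartPosition readUnfiltered(byte[] extra) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(extra))) {
            return (StartPosition) ois.readObject();
        }
    }

    // Hardened read: only the expected class may be instantiated at all.
    static StartPosition readFiltered(byte[] extra) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(extra))) {
            ois.setObjectInputFilter(info -> {
                Class<?> c = info.serialClass();
                if (c == null) return ObjectInputFilter.Status.UNDECIDED;
                return c == StartPosition.class
                        ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
            });
            return (StartPosition) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readFiltered(serialize(new StartPosition(2))).index);
        try { readUnfiltered(serialize(new SenderTask())); }
        catch (ClassCastException e) { System.out.println("instantiated, then the cast failed"); }
        try { readFiltered(serialize(new SenderTask())); }
        catch (InvalidClassException e) { System.out.println("rejected before instantiation"); }
    }
}
```

In the unfiltered path, run() is never called on the unexpected object, but the object is still constructed before the cast throws, which is why the filtered path is the safer pattern.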