Posted by Jann Horn on Nov 19

In Android <5.0, java.io.ObjectInputStream did not check whether the Object that
is being deserialized is actually serializable. That issue was fixed in Android
5.0 with this commit:
<https://android.googlesource.com/platform/libcore/+/738c833d38d41f8f76eb7e77ab39add82b1ae1e2>

This means that when ObjectInputStream is used on untrusted inputs, an attacker
can cause an instance of any class with a non-private parameterless constructor
to…