Inter-app communication is a mandatory and security-critical functionality of operating systems, such as Android. On the application level, Android implements this facility through Intents, which can also transfer non-primitive objects using Java's Serializable API. However, the Serializable API has a long history of deserialization vulnerabilities, specifically deserialization gadget chains. Research endeavors have been heavily directed towards the detection of deserialization gadget chains on the Java platform. Yet, there is little knowledge about the existence of gadget chains within the Android platform. We aim to close this gap by searching for gadget chains in the Android SDK, Android's official development libraries, as well as frequently used third-party libraries. To handle this large dataset, we design a gadget chain detection tool optimized for soundness and efficiency. In a benchmark on the full Ysoserial dataset, it achieves similarly sound results to the state-of-the-art in significantly less time. Using our tool, we first show that the Android SDK contains almost the same trampoline gadgets as the Java Class Library. We also find that one can trigger Java native serialization through Android's Parcel API. Yet, running our tool on the Android SDK and 1,200 Android dependencies, in combination with a comprehensive sink dataset, yields no security-critical gadget chains. This result opposes the general notion of Java deserialization gadget chains being a widespread problem. Instead, the issue appears to be more nuanced, and we provide a perspective on where to direct further research.
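As an added illustration of the exposure the abstract describes (this is example code, not the paper's tool or any Android framework code): a receiving component that pulls a Serializable extra out of an Intent through the standard API, next to a variant that carries the object as raw bytes and deserializes it through an ObjectInputStream whose resolveClass is restricted to an allow-list, so that a class outside the expected set is rejected before it is loaded or its readObject()/readResolve() can run. The class Profile and the extra keys "profile" and "profile_bytes" are assumed placeholders.

```java
import android.content.Intent;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class IntentDeserialization {

    // Hypothetical payload type the receiver expects; any Serializable class
    // on the receiving app's classpath could take its place in the stream.
    public static class Profile implements Serializable {
        private static final long serialVersionUID = 1L;
        public String displayName;
    }

    // Exposed path: the platform (Bundle -> Parcel.readSerializable) runs Java
    // native deserialization on the sender-controlled bytes before this code
    // sees an object, so every Serializable class reachable from the app's
    // class loader (SDK and bundled libraries) may be instantiated.
    public static Profile readUnrestricted(Intent intent) {
        return (Profile) intent.getSerializableExtra("profile");
    }

    // Restricted path: only classes named here may be resolved. Strings are
    // written as TC_STRING records and never pass through resolveClass, so
    // the String field of Profile needs no entry.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(Profile.class.getName())));

    static class AllowListInputStream extends ObjectInputStream {
        AllowListInputStream(ByteArrayInputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Rejecting at resolution time means the unexpected class is
                // neither loaded nor instantiated; log this as a detection signal.
                throw new InvalidClassException(name, "class not permitted in intent payload");
            }
            return super.resolveClass(desc);
        }
    }

    // The sender puts the serialized Profile into a byte[] extra; the receiver
    // controls the deserialization instead of leaving it to the Parcel layer.
    public static Profile readRestricted(Intent intent)
            throws IOException, ClassNotFoundException {
        byte[] raw = intent.getByteArrayExtra("profile_bytes");
        if (raw == null) {
            throw new IOException("missing profile_bytes extra");
        }
        try (AllowListInputStream in =
                     new AllowListInputStream(new ByteArrayInputStream(raw))) {
            return (Profile) in.readObject();
        }
    }
}
```

The allow-list variant changes the contract with the sending app (a byte[] extra instead of a Serializable one), which is the price of moving the deserialization decision out of the platform and into code the receiver controls; the abstract's finding that no security-critical chain was found in the SDK and the surveyed dependencies lowers the urgency, but it does not remove the trampoline gadgets the authors report, so restricting resolvable classes remains the robust default.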