🤖 AI Summary
Prior research on Java deserialization gadget chains predominantly targets JVM environments, neglecting Android-specific analysis and leaving the existence and practical risk of such chains on Android largely unexplored.
Method: To address this gap, the authors design a sound and efficient customized static analysis framework. They perform the first comprehensive detection across AOSP, the Android SDK, and 1,200 mainstream third-party libraries, incorporating reverse-engineered Parcel API modeling and an extended sink set.
Contribution/Results: The study reveals that while Android SDK contains JCL-like bridging gadgets, no security-critical exploitable chains exist. Deserialization risks are strongly platform-specific rather than generic JVM threats. Evaluated on the Ysoserial benchmark, the tool achieves state-of-the-art precision with significantly reduced analysis time. Crucially, it provides the first empirical refutation of the widely held assumption that high-risk deserialization gadget chains are pervasive on Android.
📝 Abstract
Inter-app communication is a mandatory and security-critical functionality of operating systems, such as Android. On the application level, Android implements this facility through Intents, which can also transfer non-primitive objects using Java's Serializable API. However, the Serializable API has a long history of deserialization vulnerabilities, specifically deserialization gadget chains. Research endeavors have been heavily directed towards the detection of deserialization gadget chains on the Java platform. Yet, there is little knowledge about the existence of gadget chains within the Android platform. We aim to close this gap by searching for gadget chains in the Android SDK, Android's official development libraries, as well as frequently used third-party libraries. To handle this large dataset, we design a gadget chain detection tool optimized for soundness and efficiency. In a benchmark on the full Ysoserial dataset, it achieves similarly sound results to the state-of-the-art in significantly less time. Using our tool, we first show that the Android SDK contains almost the same trampoline gadgets as the Java Class Library. We also find that one can trigger Java native serialization through Android's Parcel API. Yet, running our tool on the Android SDK and 1,200 Android dependencies, in combination with a comprehensive sink dataset, yields no security-critical gadget chains. This result opposes the general notion of Java deserialization gadget chains being a widespread problem. Instead, the issue appears to be more nuanced, and we provide a perspective on where to direct further research.