Description
MASVS 6.8 claims:
Object deserialization, if any, is implemented using safe serialization APIs.
and in the previous discussion, the comment mentioned that NSSecureCoding is "safe" (compared with NSCoding).
So I'm wondering if we have the same "unsafe" deserialization API in Android, and a safer alternative. In my understanding, "Serializable" in Java is "safe" because it checks a serialized stream against the target class structure and is widely used. That's why MSTG-PLATFORM-9 recommends Serializable for the stable classes.
Of course, writing your own JSON/YAML/XML/... parser should be unsafe, and I guess reflection-based (de)serialization provided by some libraries (such as Gson or Jackson) might be unsafe, but are there any other examples?
Note: MSTG-PLATFORM-9 mostly mentioned "persistence," not (de)serialization, so I understand the importance of keeping the serialization data secure, but it doesn't seem to help us from the MASVS 6.8 POV.
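As an added illustration of what a "safe serialization API" for `java.io.Serializable` can look like on Android (this is example code written for this note, not code from the issue or from the MSTG project), the class below wraps `ObjectInputStream` so that only classes on an explicit allowlist are resolved. The `Preference` class and the allowlist contents are constructed for the demo. The point it shows is the one NSSecureCoding makes on iOS: the stream's built-in descriptor check (`serialVersionUID`, field layout) verifies that the bytes match the class they name, while the allowlist decides which classes may be named at all, and it does so in `resolveClass()` before any instance of an unexpected type is created.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeDeserializationDemo {

    // Constructed sample class standing in for a "stable" app model class
    // that the app legitimately persists with Serializable.
    static final class Preference implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int value;
        Preference(String key, int value) { this.key = key; this.value = value; }
    }

    // ObjectInputStream that only resolves classes on an explicit allowlist.
    // resolveClass() is invoked when a class descriptor is read from the
    // stream, i.e. before any object of that class is instantiated, so an
    // unexpected type is rejected without its code ever running.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(byte[] data, Set<String> allowed) throws IOException {
            super(new ByteArrayInputStream(data));
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Plain Java serialization, as the app would do when persisting state.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Deserialization restricted to the given class names.
    static Object deserializeWithAllowlist(byte[] data, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(data, allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowlist holds exactly the types this code path expects to read.
        Set<String> allowed = new HashSet<>(Arrays.asList(Preference.class.getName()));

        // Expected type: descriptor check passes and the class is allowed.
        byte[] ok = serialize(new Preference("theme", 2));
        Preference p = (Preference) deserializeWithAllowlist(ok, allowed);
        System.out.println("accepted: " + p.key + "=" + p.value);

        // Any other Serializable type in the stream (a java.util.Date here,
        // chosen only because it is Serializable) is rejected before an
        // instance is created.
        byte[] other = serialize(new java.util.Date(0));
        try {
            deserializeWithAllowlist(other, allowed);
            System.out.println("unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allowlist is per read site, so a code path that persists `Preference` objects should accept only `Preference` (and any types nested inside it), not a global list shared across the app. Overriding `resolveClass()` works on every Android version because it is part of `ObjectInputStream` itself; the same pattern applies to the classes a custom `readObject()` method loads.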