SECURITY.SER2
Avoid making your interfaces Serializable
Description
This rule flags Serializable interfaces.
Java's serialization mechanism lets you save entire objects to a storage mechanism such as a disk, database, or string. The mechanism also lets objects be restored from the saved information later, perhaps by the same application after it has stopped and restarted, or by another application. Saving an object's state in Java is serialization; restoring its state is deserialization. Serialization is dangerous because it exposes your objects' internal state. An adversary who can obtain one of your objects can serialize it into a byte array and read that array, which reveals the object's full internal state, including any fields you marked private and the internal state of any objects you reference. Marking an interface Serializable is worse than marking a single class, because every class that implements the interface, including classes written later by other developers, becomes serializable whether or not its author intended it.
Repair
If possible, do not make your interfaces Serializable.
If you must make an interface Serializable, make sure that every sensitive data member in each implementing class is declared "transient." An interface cannot declare instance fields, so the transient marking has to be applied in the implementing classes, and it is needed in every one of them. Remember that transient fields are not written to the stream and come back as their default values (null, 0, false) after deserialization, so the implementing class must re-establish them rather than trust the restored object, and a custom writeObject method must not write them out again.
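The following is an added example, not code from the original rule page or from the cited paper. It assumes a hypothetical interface named Credential and two hypothetical implementations; the sample password value is constructed for the demonstration. It serializes both implementations with the standard mechanism and searches the resulting bytes for the password, showing that a plain private field is written in the clear while a transient field is not.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;

public class SerializableInterfaceDemo {

    // Hypothetical interface for this example. Because it extends Serializable,
    // every class that implements it is serializable, whether or not that class
    // was designed with serialization in mind.
    interface Credential extends Serializable {
        String username();
    }

    // Before: the password is an ordinary private field, so default
    // serialization writes it to the stream in the clear.
    static final class LeakyCredential implements Credential {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final String password;

        LeakyCredential(String username, String password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public String username() { return username; }
    }

    // After: the password is transient, so default serialization skips it.
    // It comes back as null after deserialization; callers must re-establish
    // it rather than trust the restored object.
    static final class GuardedCredential implements Credential {
        private static final long serialVersionUID = 1L;
        private final String username;
        private final transient String password;

        GuardedCredential(String username, String password) {
            this.username = username;
            this.password = password;
        }

        @Override
        public String username() { return username; }
    }

    // Serializes an object with the standard mechanism and returns the raw
    // bytes, which is all an adversary holding a reference to the object needs.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Reports whether the secret appears verbatim in the serialized form.
    // ISO-8859-1 maps each byte to one char, so ASCII field values stay searchable.
    static boolean streamContains(byte[] stream, String secret) {
        return new String(stream, StandardCharsets.ISO_8859_1).contains(secret);
    }

    public static void main(String[] args) throws IOException {
        String secret = "hunter2-correct-horse"; // constructed sample password
        byte[] leaky = serialize(new LeakyCredential("alice", secret));
        byte[] guarded = serialize(new GuardedCredential("alice", secret));
        System.out.println("password visible in plain-field stream:     " + streamContains(leaky, secret));
        System.out.println("password visible in transient-field stream: " + streamContains(guarded, secret));
    }
}
```

Compile and run with javac and java; the first check finds the password inside the stream produced from LeakyCredential, and the second does not find it in the stream produced from GuardedCredential. The same search is a quick way to audit any Serializable class in a code base: serialize a populated instance and grep the bytes for values that should never leave the process.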
Reference
Viega, J., McGraw, G., Mutchler, T., and Felten, E. "Statically Scanning Java Code: Finding Security Vulnerabilities." IEEE Software, September/October 2000.