...
Allowing serialization or deserialization to bypass the security manager may result in classes being constructed without required security checks.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER04-J | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
Parasoft Jtest | | SECURITY.WSC.SCSER | Enforce 'SecurityManager' checks in methods of 'Serializable' classes |
Related Guidelines
Secure Coding Guidelines for Java SE | Guideline 8-4 / SERIAL-4: Duplicate the SecurityManager checks enforced in a class during serialization and deserialization |
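The guideline above in working form, as an added example in Java (not code from the CERT page or from Oracle's guidelines): a hypothetical PrivilegedHandle class whose constructor performs a SecurityManager check and whose readObject and writeObject methods repeat that same check. The class name, the permission name example.createPrivilegedHandle, and the checkPermission helper are assumptions made for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical class used only for this illustration.
public final class PrivilegedHandle implements Serializable {
    private static final long serialVersionUID = 1L;

    // Hypothetical permission name; a real application defines its own.
    private static final RuntimePermission HANDLE_PERMISSION =
            new RuntimePermission("example.createPrivilegedHandle");

    private final String resource;

    public PrivilegedHandle(String resource) {
        checkPermission();        // the constructor enforces the check
        this.resource = resource;
    }

    public String getResource() {
        return resource;
    }

    // Deserialization never calls the constructor, so the check must be
    // duplicated here. It runs before any state is read: an untrusted byte
    // stream is rejected before it can populate the object.
    private void readObject(ObjectInputStream in)
            throws IOException, ClassNotFoundException {
        checkPermission();
        in.defaultReadObject();
        if (resource == null) {
            throw new InvalidObjectException("resource must not be null");
        }
    }

    // Serialization exposes the internal state, so the same permission is
    // required to write the object out.
    private void writeObject(ObjectOutputStream out) throws IOException {
        checkPermission();
        out.defaultWriteObject();
    }

    // SecurityManager is deprecated for removal since Java 17; the check is a
    // no-op when no security manager is installed (getSecurityManager() == null).
    @SuppressWarnings("removal")
    private static void checkPermission() {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(HANDLE_PERMISSION);
        }
    }

    // Round trip through a byte array. With no security manager installed
    // the checks pass; with one installed that denies the permission,
    // both writeObject and readObject throw SecurityException.
    public static void main(String[] args) throws Exception {
        PrivilegedHandle original = new PrivilegedHandle("/etc/example.conf");
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(original);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            PrivilegedHandle copy = (PrivilegedHandle) in.readObject();
            System.out.println("round trip: " + copy.getResource());
        }
    }
}
```

The point of the duplicated call is placement: a check only in the constructor is skipped entirely by ObjectInputStream, so an attacker who controls the byte stream obtains a fully formed PrivilegedHandle without ever satisfying the permission. Placing checkPermission() ahead of defaultReadObject() also means a denied caller never gets a partially populated instance.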
Android Implementation Details
The java.security package exists on Android for compatibility purposes only, and it should not be used; the SecurityManager checks this rule depends on are not enforced there.
Bibliography
Section 2.4, "Serialization"
...
...