The serialization and deserialization mechanism must respect the accessibility of the implementing class. Untrusted code must be prevented both from writing to the stream using the writeObject() method and from creating an instance of an object by calling the readObject() method. For classes that have constructors, the accessibility of the readObject() and writeObject() methods must be less than or equal to the accessibility of the constructor; in all other cases, these methods should be declared private.
Serialization may fail to work as expected even when hostile code lacks access to the serializable class's members. The ObjectInputStream.readObject() and ObjectOutputStream.writeObject() methods are declared final and cannot be overridden. Custom serialization instead relies on a mechanism that lets the JVM detect and use private implementations of the two methods in the serializable class. The JVM uses default serialization for any class in which the two methods are declared non-private. This can be insecure from many standpoints; for instance, input validation checks installed in the custom serialized form may be bypassed.
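The following example, added here and not taken from the original page, shows the bypass described above with two hypothetical classes: Balance declares the readObject() hook private, so its invariant check runs on every deserialization, while LeakyBalance declares the same hook public, so the JVM ignores it, falls back to default serialization, and restores an invalid object without complaint.

```java
import java.io.*;

public final class SerialAccessDemo {

    // Hypothetical value type: the invariant is that cents is never negative.
    static class Balance implements Serializable {
        private static final long serialVersionUID = 1L;
        long cents;
        // Package-private constructor: readObject()/writeObject() must not be
        // more accessible than this, and private satisfies the rule.
        Balance(long cents) { this.cents = cents; }

        // Exact form the serialization runtime recognizes; it runs on every
        // deserialization, so the invariant is re-checked on untrusted input.
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (cents < 0) throw new InvalidObjectException("negative balance");
        }
    }

    // Same check, but not private: the runtime ignores a non-private hook,
    // falls back to default serialization, and the validation never runs.
    static class LeakyBalance implements Serializable {
        private static final long serialVersionUID = 1L;
        long cents;
        LeakyBalance(long cents) { this.cents = cents; }

        public void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (cents < 0) throw new InvalidObjectException("negative balance");
        }
    }

    // Serialize to a byte array and read it back through the normal stream API.
    static Object roundTrip(Serializable obj) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(obj); }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bos.toByteArray()))) { return in.readObject(); }
    }

    public static void main(String[] args) throws Exception {
        // Constructed bad state: the field is set to an invalid value after
        // construction to stand in for a corrupted or hostile byte stream.
        Balance b = new Balance(10); b.cents = -1;
        try { roundTrip(b); System.out.println("Balance: check bypassed"); }
        catch (InvalidObjectException e) { System.out.println("Balance rejected: " + e.getMessage()); }
        LeakyBalance l = new LeakyBalance(10); l.cents = -1;
        System.out.println("LeakyBalance restored cents = " + ((LeakyBalance) roundTrip(l)).cents);
    }
}
```

Running it prints a rejection for Balance and a restored value of -1 for LeakyBalance, which is the behaviour the paragraph above warns about.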
...