Java Serialization and Deserialization Operations

In Java
July 18, 2023

When Serialization was introduced to Java in 1997, it was known to be somewhat risky. Nowadays, there is no longer a need to use Serialization in new technologies. We will discuss the risks of Serialization at the end of our article. First, let’s define this process:

Serialization refers to the process of converting our objects into byte streams. This allows us to perform operations such as saving our objects to a file, a database, or memory.

Let’s illustrate the Serialization process with a visual example:

As seen in the image, our object is converted into a byte stream and saved to a database, file, or memory. The reverse process is called deserialization.

What is the purpose of serialVersionUID? This feature is used to ensure the compatibility of serialization and deserialization operations. serialVersionUID serves as a version control mechanism for the serialized object. This mechanism ensures compatibility between the serialized object and the JVM performing the deserialization process. If the serialVersionUID of a serialized object does not match the serialVersionUID compared during the deserialization process, an InvalidClassException error is thrown, and the deserialization process fails. If you do not define serialVersionUID in your class, Java will generate this value. As far as I know, this is a costly operation. I cannot share the details in this article because I am not familiar with them.

An Outdated Mechanism Serialization is now an outdated technology. The fundamental problem with this technology is that it has a large and continuously growing attack surface for protection: Object graphs are deserialized by calling the readObject method on an ObjectInputStream. This method acts as a magic constructor function that can instantiate objects of almost any type. In short, the deserialization process can be problematic. It can be said that there are many things to be protected.

There is no reason to use serialization in any new project you write. There are other mechanisms available in Java that can perform translation between objects and byte arrays without the dangers of serialization. These mechanisms offer various advantages, such as cross-platform support, high performance, a wide range of tool ecosystems, and a large community of experts. Among these, the leading one is the JSON library.

Risks of Serialization Security Risks: When writing object state to a file or a stream over a network using serialization, the security and integrity of this data are not guaranteed. Malicious users can manipulate objects through serialization, compromising application security or gaining access to sensitive information. Compatibility Issues: Serialization involves writing the internal state of classes to a stream or file. However, the structure of classes can change over time. Once an object has been serialized, the deserialization process can fail if the class structure has changed. This can lead to compatibility issues and cause errors in applications. Performance Issues: Serialization requires reading or writing objects from memory to disk or over a network. This process can heavily utilize CPU and disk I/O resources, impacting application performance. Especially when serializing large data structures, the processing time can increase. Future Changes: Serialized data can become incompatible with changes in the object structure. When a class has a new attribute or modified behavior, deserializing serialized objects can cause issues. In this article, we discussed the topic of “Serialization in Java,” which is no longer necessary in new systems. Although we now use technologies like JSON and XML, it is still beneficial to be aware of this technology, as the philosophy of not knowing the past means not knowing the future.