Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs
Oracle plans to drop support for data serialization/deserialization from the main body of the Java language, according to Mark Reinhold, chief architect of the Java platform group at Oracle. Serialization is the process of taking a data object and converting it into a stream of bytes (binary format), so it can be transported across a network or saved inside a database, only to be deserialized later and used in its original form. Serializing and deserializing data is not a problem by itself, or when the source of the data is known to be safe.
These operations become dangerous when an app works with user-supplied data. For the rest of this article, "serialization" and "deserialization" refer to this latter case. Because of its convenience, a large number of high-level programming languages support the feature, but nowhere has it been more of a headache than in Java, where it’s been at the heart of a constant stream of security flaws.
Reinhold says the Java team is currently working on dropping serialization support for good from the language’s main body, while still providing developers with a plug-in system, via a new framework, to support serialization operations if needed. There’s no set date or Java version for when Oracle plans to drop serialization, Reinhold said.
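To make the risk with user-supplied data concrete, the following added example (not code from Oracle or from the original article) shows that an unfiltered `ObjectInputStream` runs a class's `readObject()` before the caller ever inspects the result, and how the JDK's `ObjectInputFilter` (Java 9 and later) restricts a stream to an allow-list. The `Order` and `Unexpected` classes are constructed for illustration.

```java
import java.io.*;

public class FilteredDeserialization {
    // Constructed application type that the service expects to receive.
    static class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item; final int qty;
        Order(String item, int qty) { this.item = item; this.qty = qty; }
    }
    // Constructed stand-in for any other Serializable class on the classpath.
    // Its readObject() runs during deserialization, before any cast by the caller.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean hookRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            hookRan = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    // Reads one object. When filtered, only Order and String are accepted,
    // every other class is rejected, and stream depth, references and size are capped.
    static Object read(byte[] data, boolean filtered) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filtered) {
                in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "maxdepth=5;maxrefs=100;maxbytes=4096;" + Order.class.getName() + ";java.lang.String;!*"));
            }
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("widget", 2));
        byte[] unexpected = serialize(new Unexpected());
        read(unexpected, false); // unfiltered: the class's code runs although an Order was wanted
        System.out.println("unfiltered, hook ran: " + Unexpected.hookRan);
        Unexpected.hookRan = false;
        try { read(unexpected, true); } catch (InvalidClassException e) {
            System.out.println("filtered, rejected (" + e.getMessage() + "), hook ran: " + Unexpected.hookRan);
        }
        Order o = (Order) read(expected, true);
        System.out.println("filtered, accepted: " + o.item + " x" + o.qty);
    }
}
```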