With one of my app, I had a problem with one of my Serialized classes when I try to update my APK.
Indeed, there were problems related to objects saved with the previous version of the apk and the new version of the apk.
In the latest APK (in production on Android Market), I've forgot to configure my proguard.cfg for Serializable class (and so their static final long serialVersionUID member)...
So when I try in my new APK to reload this previous stored Serializable class, I've a InvalidClassException problem in the StackTrace DDMS :
04-24 18:17:40.120: W/System.err(1204): java.io.InvalidClassException: cu; Incompatible class (SUID): cu: static final long serialVersionUID =6593847879518920343L; but expected cu: static final long serialVersionUID =0L;
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.verifyAndInit(ObjectInputStream.java:2380)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1662)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:683)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1803)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:787)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readObject(ObjectInputStream.java:2003)
04-24 18:17:40.125: W/System.err(1204): at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1960)
I know it was a obfuscation problem with Serializable objects and their serialVersionUID...
After reading Proguard and Serialized Java Objects here which is clearly expose my problem, I'm not able to solve my problem...
In my next APK I've add this in my proguard.cfg :
-keepnames class * implements java.io.Serializable
-keepclassmembers class * implements java.io.Serializable {
static final long serialVersionUID;
private static final java.io.ObjectStreamField[] serialPersistentFields;
!static !transient ;
private void writeObject(java.io.ObjectOutputStream);
private void readObject(java.io.ObjectInputStream);
java.lang.Object writeReplace();
java.lang.Object readResolve();
}
to avoid the problem for next updates, my I really need to get back these old objects...
I've try to change the serialVersionUID with 6593847879518920343L or 0L, no success...
Any idea ?
Thanks in advance for your answers !
Serialization is the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed. The reverse process is called deserialization.
JSON is a format that encodes objects in a string. Serialization means to convert an object into that string, and deserialization is its inverse operation (convert string -> object).
Serialization and deserialization work together to transform/recreate data objects to/from a portable format. Serialization enables us to save the state of an object and recreate the object in a new location. Serialization encompasses both the storage of the object and exchange of data.
What is insecure deserialization? Insecure deserialization is when user-controllable data is deserialized by a website. This potentially enables an attacker to manipulate serialized objects in order to pass harmful data into the application code.
You could try this:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With