Serialization / Deserialization & Proguard

With one of my apps, I had a problem with one of my Serializable classes when I tried to update my APK.

Indeed, there were problems related to objects saved with the previous version of the APK and read by the new version of the APK.

In the latest APK (in production on Android Market), I forgot to configure my proguard.cfg for Serializable classes (and so their static final long serialVersionUID member)...

So when I try in my new APK to reload this previously stored Serializable class, I get an InvalidClassException in the DDMS stack trace:

04-24 18:17:40.120: W/System.err(1204): java.io.InvalidClassException: cu; Incompatible class (SUID): cu: static final long serialVersionUID =6593847879518920343L; but expected cu: static final long serialVersionUID =0L;
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.verifyAndInit(ObjectInputStream.java:2380)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readNewClassDesc(ObjectInputStream.java:1662)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readClassDesc(ObjectInputStream.java:683)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readNewObject(ObjectInputStream.java:1803)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readNonPrimitiveContent(ObjectInputStream.java:787)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:2003)
04-24 18:17:40.125: W/System.err(1204):     at java.io.ObjectInputStream.readObject(ObjectInputStream.java:1960)

I know it was an obfuscation problem with Serializable objects and their serialVersionUID...

After reading Proguard and Serialized Java Objects here, which clearly exposes my problem, I'm not able to solve my problem...

In my next APK I've added this in my proguard.cfg:

-keepnames class * implements java.io.Serializable

-keepclassmembers class * implements java.io.Serializable {
    static final long serialVersionUID;
    private static final java.io.ObjectStreamField[] serialPersistentFields;
    !static !transient <fields>;
    private void writeObject(java.io.ObjectOutputStream);
    private void readObject(java.io.ObjectInputStream);
    java.lang.Object writeReplace();
    java.lang.Object readResolve();
}

to avoid the problem for the next updates, but I really need to get back these old objects...

I've tried to change the serialVersionUID to 6593847879518920343L or 0L, with no success...

Any idea?

Thanks in advance for your answers!

StephaneT asked Apr 25 '13 09:04



1 Answer

You could try this:

  1. Compute the serialVersionUIDs of the obfuscated serializable classes and add them to the current source code.
  2. Obfuscate the new code, preserving the serialVersionUIDs, but also making sure the serializable classes are mapped to the earlier obfuscated names (with the option -applymapping).
Eric Lafortune answered Oct 09 '22 03:10
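Worked example, added here and written by neither poster: it covers the diagnosis the question needed (which class name and SUID an old blob actually carries, as the stack trace reports for "cu") and step 1 of the answer (computing the SUID a class definition will expect so it can be pinned in the source). The Settings and PinnedSettings classes are constructed stand-ins for the question's obfuscated class; the pinned value is the one from the question's stack trace, and the ProGuard step (-applymapping with the mapping file of the earlier build) is not something plain Java can show.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;

public class SuidInspector {

    // Constructed sample class standing in for the question's obfuscated "cu".
    // No explicit serialVersionUID, so the JVM derives one from the class name,
    // its fields and methods; renaming any of them (what ProGuard does) changes it.
    static class Settings implements Serializable {
        String theme = "dark";
        int fontSize = 14;
    }

    // Same shape with the UID pinned, as step 1 of the answer recommends.
    // The value is the one the question's stack trace shows for the stored objects.
    static class PinnedSettings implements Serializable {
        private static final long serialVersionUID = 6593847879518920343L;
        String theme = "dark";
        int fontSize = 14;
    }

    /** The UID the current class definition will expect when reading a stream. */
    static long expectedSuid(Class<? extends Serializable> c) {
        return ObjectStreamClass.lookup(c).getSerialVersionUID();
    }

    /** Class name and UID recorded inside a stored blob, captured before any instance is created. */
    static Object[] recordedDescriptor(byte[] blob) throws IOException {
        final Object[] out = new Object[2];
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob)) {
            @Override
            protected ObjectStreamClass readClassDescriptor() throws IOException, ClassNotFoundException {
                // Descriptor exactly as written in the stream, not yet matched to a local class.
                ObjectStreamClass desc = super.readClassDescriptor();
                if (out[0] == null) {
                    out[0] = desc.getName();
                    out[1] = desc.getSerialVersionUID();
                }
                return desc;
            }
        }) {
            in.readObject();
        } catch (InvalidClassException | ClassNotFoundException e) {
            // Expected for a renamed or incompatible class: the descriptor was already captured above.
        }
        return out;
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        byte[] stored = serialize(new Settings());           // plays the role of the old on-device data
        Object[] rec = recordedDescriptor(stored);
        System.out.println("stream carries: " + rec[0] + " SUID " + rec[1]);
        System.out.println("current class expects: " + expectedSuid(Settings.class));
        System.out.println("pinned class expects:  " + expectedSuid(PinnedSettings.class));
    }
}
```

Run it against a real blob pulled from the device instead of the constructed one and the first line tells you the obfuscated name and SUID the new build must present; expectedSuid on the new class tells you whether pinning the UID alone closes the gap, while the name still has to match, which is what -applymapping with the earlier build's mapping file (written with -printmapping) achieves. The readClassDescriptor hook runs before any object is instantiated, so in cases where the stream is not the app's own cache but could be attacker-supplied, this is also the point (or ObjectInputFilter on JDK 9 and later) at which to reject class names that are not on an allow-list rather than let readObject resolve them.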