Overview
Improper handling of data received from external sources can allow attackers to inject malicious code. Insecure deserialization occurs when untrusted data is used to reconstruct objects or data structures (deserialization) without sufficient validation or integrity protection. With formats such as Java native serialization or Python's pickle, the serialized bytes themselves name the classes to instantiate and the callbacks (readObject, __reduce__) to run, so an attacker who controls the bytes can trigger code execution inside the parser before any application-level check of the resulting object takes place. Attackers exploit this by sending manipulated data that, when deserialized, results in execution of malicious code, denial of service (DoS) or privilege escalation. In mobile applications, this risk typically arises when an app deserializes objects received from its backend server or third-party APIs without first verifying their integrity and origin.
Risk factors
Insecure deserialization arises from:
- Deserializing data from untrusted or unauthenticated sources (e.g., API responses or other network communication).
- Using a serialization format that lets the data decide which classes are instantiated, instead of a data-only format (such as JSON) validated against an expected schema.
- Not validating serialized objects, or not restricting the types they may reconstruct, before deserializing them.
- Use of serialization libraries with known vulnerabilities.
- Failure to verify object integrity and origin with a digital signature or keyed message authentication code (MAC) before deserialization; an unkeyed hash does not help, because an attacker can recompute it over the modified payload.
Consequences
If insecure deserialization is exploited, the following can occur:
- Remote code execution: Attackers can manipulate serialized data to execute arbitrary code on the mobile device or backend server.
- Privilege escalation: Manipulating serialized data can allow attackers to elevate privileges within the application.
- Denial of service (DoS): Malicious payloads (e.g., deeply nested or self-referencing structures) can crash the app or server by consuming excessive memory or CPU during deserialization.
- Data corruption: Attackers can inject malformed or malicious data, leading to application malfunction or incorrect data handling.
Solutions and best practices
To mitigate the risks associated with insecure deserialization, organizations should implement the following security measures:
- Input validation: Verify authenticity before parsing and validate structure after parsing. Serialized bytes cannot be meaningfully inspected before they are decoded, so check a signature or MAC over the raw payload first, then confirm that the decoded data has exactly the expected shape and field types before the app acts on it.
- Use secure libraries: Prefer data-only formats (e.g., JSON) over formats that instantiate arbitrary classes, keep serialization libraries up to date, and where native object serialization is unavoidable, restrict deserialization to an explicit allowlist of expected classes (for example, Java's ObjectInputFilter).
- Implement object integrity checks: Use a digital signature or keyed MAC (e.g., HMAC) computed by the sender to verify that a serialized object is authentic and unmodified before deserializing it, and compare tags in constant time. An unkeyed hash is not an integrity check against an attacker, who can simply recompute it over the tampered payload.
- Avoid untrusted data: Where possible, do not deserialize data from untrusted sources at all. An integrity check proves who produced the bytes, not that the producer is safe, so keep the type restrictions in place even for authenticated data.
- App shielding: Application shielding can raise the cost of tampering with the app's own code and data on a compromised device, but it does not make a parser safe against hostile bytes arriving from the network; treat it as a complement to the controls above, not a substitute.
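The following Python script is an added example, not code from the original page, and illustrates both the remote code execution described under Consequences and the layered mitigations listed above. Python's pickle stands in for any format that lets the data name classes and callbacks (Java's ObjectInputStream behaves the same way). Everything in it is constructed for the demonstration: SHARED_KEY is a placeholder secret assumed to be shared between app and server, Profile is an assumed application type, and the attacker payload reduces to eval rather than os.system so that it runs offline without spawning a shell.

```python
"""Insecure deserialization beside two layers of mitigation (constructed example)."""
import hashlib
import hmac
import io
import pickle
from dataclasses import dataclass

# Constructed placeholder. In a real deployment this is a per-app secret shared with the
# server, or replaced by a server signature verified with a pinned public key on the device.
SHARED_KEY = b"example-shared-secret-do-not-ship"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class IntegrityError(ValueError):
    """MAC missing or wrong: the bytes did not come unmodified from the server."""


class SchemaError(ValueError):
    """Authentic bytes, but the decoded data is not the shape the app expects."""


@dataclass
class Profile:
    """Assumed application type: the only thing the app expects from the server."""
    username: str
    level: int


class Exploit:
    """Attacker-crafted object. pickle stores the callable and arguments returned by
    __reduce__, and the victim's pickle.loads() invokes that callable while parsing.
    Real payloads typically reduce to os.system or subprocess.Popen."""
    def __reduce__(self):
        return (eval, ("'attacker code ran on python %d' % __import__('sys').version_info.major",))


def build_malicious_payload() -> bytes:
    return pickle.dumps(Exploit())


def serialize(obj) -> bytes:
    """Server side: serialize plain data only (dict/list/str/int), never class instances."""
    return pickle.dumps(obj)


def deserialize_unsafe(data: bytes):
    """Vulnerable: trusts whatever arrived over the network. Code runs inside loads()."""
    return pickle.loads(data)


def seal(key: bytes, payload: bytes) -> bytes:
    """Server side: keyed MAC over the serialized bytes, prepended as the envelope tag.
    An unkeyed hash would not help, since the attacker can recompute it after tampering."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Layer 1: verify the MAC in constant time BEFORE any parser touches the payload."""
    if len(blob) < TAG_LEN:
        raise IntegrityError("truncated envelope")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity check failed; refusing to deserialize")
    return payload


class DataOnlyUnpickler(pickle.Unpickler):
    """Layer 2: refuse every global lookup, so only plain data can be reconstructed.
    A pickle naming any class or function (e.g. builtins.eval) is rejected before it runs.
    This is the pickle equivalent of a Java ObjectInputFilter with an empty allowlist."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def to_profile(obj) -> Profile:
    """Layer 3: schema check on the decoded data; exact keys and exact types."""
    if not isinstance(obj, dict) or set(obj) != {"username", "level"}:
        raise SchemaError("unexpected profile shape")
    if type(obj["username"]) is not str or type(obj["level"]) is not int:
        raise SchemaError("unexpected profile field types")
    return Profile(obj["username"], obj["level"])


def deserialize_safe(key: bytes, blob: bytes) -> Profile:
    payload = open_sealed(key, blob)
    return to_profile(DataOnlyUnpickler(io.BytesIO(payload)).load())


def safe_load_outcome(key: bytes, blob: bytes):
    """Return ("ok", Profile) or ("rejected", reason) so the caller can log or alert."""
    try:
        return ("ok", deserialize_safe(key, blob))
    except IntegrityError:
        return ("rejected", "integrity")
    except pickle.UnpicklingError:
        return ("rejected", "forbidden-global")
    except SchemaError:
        return ("rejected", "schema")


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("unsafe load of attacker bytes:", deserialize_unsafe(evil))
    good = seal(SHARED_KEY, serialize({"username": "alice", "level": 3}))
    print("safe load, authentic profile:", safe_load_outcome(SHARED_KEY, good))
    print("safe load, unauthenticated attacker bytes:", safe_load_outcome(SHARED_KEY, evil))
    # Signing-oracle scenario: the attacker somehow obtained a valid MAC over their payload.
    print("safe load, MAC'd attacker bytes:", safe_load_outcome(SHARED_KEY, seal(SHARED_KEY, evil)))
```

The order of the layers matters: the MAC is checked over raw bytes so nothing is parsed until authenticity is known, the unpickler refuses to resolve any class or function so an attacker who obtains a validly signed payload still gets no code execution, and the schema check catches authentic but unexpected data such as an extra is_admin field.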
Further reading