2.8 Use caution in deserializing untrusted data

Details

Developers typically serialize (or “marshal”) data to transfer application state between systems or store it for later use. Deserializing (or “unmarshalling”) that serialized data will then reconstruct the data, or in some cases reconstruct application logic. Unfortunately, an application might assume that the deserialized data is valid or trusted, a situation that an attacker can exploit to modify the regular execution flow of the app. This security flaw applies to both iOS and Android apps (particularly Binder operations in Android).

Remediation

Generally, you can prevent vulnerabilities arising from the deserialization of untrusted data in four ways:

1. Identify trust boundaries between systems, treating data attributed from external sources as untrusted
2. Avoid the deserialization of data from untrusted sources
3. Sanitize the deserialized data (e.g., only allow known safe characters, objects, limited functionality)
4. Validate and authenticate the provenance and contents of a file before deserializing it.

REFERENCES

General

• OWASP - Deserialization of untrusted data
• OWASP Deserialization Cheat Sheet

iOS

• Everything you need to know about NSSecureCoding
• The Java Deserialization Bug and NSSecureCoding

Android

• CVE-2014-7911 – A Deep Dive Analysis of Android System Service Vulnerability and Exploitation

CWE/OWASP

• OWASP Mobile Top 10: M7 - Client Code Quality
• CWE: CWE-502: Deserialization of Untrusted Data