2.8 Use caution in deserializing untrusted data

Details

Developers typically serialize (or “marshal”) data to transfer application state between systems or store it for later use. Deserializing (or “unmarshalling”) that serialized data will then reconstruct the data, or in some cases reconstruct application logic. Unfortunately, an application might assume that the deserialized data is valid or trusted, a situation that an attacker can exploit to modify the regular execution flow of the app. This security flaw applies to both iOS and Android apps (particularly Binder operations in Android).

Remediation

Generally, you can prevent vulnerabilities arising from the deserialization of untrusted data in four ways:

  1. Identify the trust boundaries between systems, and treat any data that crosses one from an external source as untrusted.
  2. Avoid deserializing data from untrusted sources altogether.
  3. Sanitize what is deserialized (e.g., only allow known-safe characters, an allowlist of object types, and limited functionality).
  4. Validate and authenticate the provenance and contents of a file before deserializing it.
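The Android side of remediations 3 and 4, as an added example that is not code from this guide: a byte array that crossed a trust boundary (say, an Intent extra or a cached file) is first authenticated with an HMAC and only then passed to an ObjectInputStream carrying an allowlist filter. It assumes a runtime that provides java.io.ObjectInputFilter (JDK 9 and later; on Android, recent API levels) and an app-held MAC key; Profile, SafeUnmarshal, seal and safeLoad are hypothetical names.

```java
import java.io.*;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// App-owned state that legitimately crosses the trust boundary (hypothetical).
class Profile implements Serializable {
    private static final long serialVersionUID = 1L;
    final String displayName;
    Profile(String displayName) { this.displayName = displayName; }
}

public final class SafeUnmarshal {
    private static final int TAG_LEN = 32; // HMAC-SHA256 output length
    // Remediation 3: allowlist. First match wins; "!*" rejects every other class,
    // and the limits bound nesting depth, object count and stream size.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "Profile;java.lang.String;!*;maxdepth=3;maxrefs=16;maxbytes=4096");

    // BEFORE: any Serializable class on the classpath can be instantiated here.
    static Object unsafeLoad(byte[] blob) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(blob))) {
            return in.readObject();
        }
    }

    // Producer side: envelope = HMAC(key, body) || body. Constructed format for this example.
    static byte[] seal(Profile p, byte[] key) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(p); }
        byte[] body = bytes.toByteArray(), tag = hmac(key, body);
        byte[] env = Arrays.copyOf(tag, tag.length + body.length);
        System.arraycopy(body, 0, env, tag.length, body.length);
        return env;
    }

    // AFTER: remediation 4 (authenticate provenance) before a single byte is parsed,
    // then remediation 3 (the filter) while the stream is read.
    static Profile safeLoad(byte[] env, byte[] key) throws Exception {
        if (env.length <= TAG_LEN) throw new SecurityException("truncated envelope");
        byte[] tag = Arrays.copyOfRange(env, 0, TAG_LEN);
        byte[] body = Arrays.copyOfRange(env, TAG_LEN, env.length);
        if (!MessageDigest.isEqual(tag, hmac(key, body)))   // constant-time compare
            throw new SecurityException("unauthenticated blob; not deserializing");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER);
            return (Profile) in.readObject();   // disallowed classes raise InvalidClassException
        }
    }

    private static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }
}
```

The MAC only proves the bytes came from a holder of the key, so the filter stays in place even on authenticated input; a tampered or foreign envelope is rejected before ObjectInputStream ever sees it.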
