Can you safely deserialize with OpenJDK some binary data that we got by serializing something with Oracle JDK? (and vice versa)

Let's assume the Java version is the same (and that the class code is available, and is the same, in both stages).

Is the exact way Oracle JVM serializes objects considered public information?

Asked by Ofer; edited by Jon Heller.
  • Yes, they are compatible when it comes to serialization. About your last question: what do you mean by "public information"? Do you mean "public domain"? – morgano Sep 07 '15 at 19:43
  • You mean, do they both conform to the [Java Object Serialization Specification](http://docs.oracle.com/javase/8/docs/platform/serialization/spec/serialTOC.html)? I think that's what it's for. – RealSkeptic Sep 07 '15 at 19:53
  • @morgano I meant to ask if it's secret or not. Thanks for the answer! – Ofer Sep 07 '15 at 19:58
  • @RealSkeptic Thanks! So if I understand correctly, this specification perfectly defines the way serialization is done. – Ofer Sep 07 '15 at 19:58
  • The Object Serialization Specification is public information and it does what it says on the tin. – user207421 Sep 07 '15 at 20:02
  • @morgano would you mind making an answer out of your comment so Ofer can accept it? The question would show better in search results. Thanks! – Matthieu Oct 14 '16 at 14:41
  • @Matthieu Anyone could add an answer, not just me :-) – morgano Nov 18 '16 at 11:41
  • @morgano, I wanted to give you credit, but I added an answer summarizing all contributions. My thanks to everyone! – Matthieu Nov 19 '16 at 14:15

2 Answers

To expand on comments from @morgano, @RealSkeptic and @EJP (to whom credit should be given): yes, Java object serialization is governed by an official specification, which is public, so any JVM implementation that does serialization should conform to it, or not be called a JVM.

Matthieu
I will say it is not entirely safe. In my Android app, I cannot deserialize data on an Android 7 device which has been serialized on an Android 6 device. Apparently, Google switched to OpenJDK in Android 7. The error I get is:

    java.io.StreamCorruptedException: invalid type code: 71

This problem was reported here in a similar fashion.

This poses quite a problem since my app sends serialized data over the internet, and it will not be compatible if it runs on both Android 6 (or lower) and Android 7.

Matthias
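Both answers come down to the wire format: the first says it is fixed by the public Java Object Serialization Specification, the second shows what a reader does when the byte in a type-code position is not one the specification defines. As an added example (not code from this thread, from the JDK or from Android), here is a small Python walker over that framing. The header and type-code constants are the ones the specification publishes (they match `java.io.ObjectStreamConstants`); the sample streams are hand-assembled from the specification's grammar, not captured from any device, and nothing here diagnoses the Android 6/7 case itself.

```python
"""Walk the framing of a Java object-serialization stream (4-byte header, then
a sequence of type-coded elements) as laid out in the Java Object Serialization
Specification.  Constructed example for this thread; not JDK code."""
import struct

# Header values and type codes from the specification (java.io.ObjectStreamConstants).
STREAM_MAGIC = 0xACED
STREAM_VERSION = 5
BASE_WIRE_HANDLE = 0x7E0000  # handle assigned to the first back-referenceable element

TYPE_CODES = {
    0x70: "TC_NULL", 0x71: "TC_REFERENCE", 0x72: "TC_CLASSDESC",
    0x73: "TC_OBJECT", 0x74: "TC_STRING", 0x75: "TC_ARRAY", 0x76: "TC_CLASS",
    0x77: "TC_BLOCKDATA", 0x78: "TC_ENDBLOCKDATA", 0x79: "TC_RESET",
    0x7A: "TC_BLOCKDATALONG", 0x7B: "TC_EXCEPTION", 0x7C: "TC_LONGSTRING",
    0x7D: "TC_PROXYCLASSDESC", 0x7E: "TC_ENUM",
}


class StreamCorruptedError(ValueError):
    """Python stand-in for java.io.StreamCorruptedException."""


def _take(data, pos, n):
    """Return (data[pos:pos+n], new_pos), refusing to read past the end of the stream."""
    if pos + n > len(data):
        raise StreamCorruptedError(f"truncated stream at offset {pos}")
    return data[pos:pos + n], pos + n


def check_header(data):
    """Validate the magic/version header and return the offset of the first type code."""
    head, pos = _take(data, 0, 4)
    magic, version = struct.unpack(">HH", head)
    if magic != STREAM_MAGIC or version != STREAM_VERSION:
        raise StreamCorruptedError(f"invalid stream header: {magic:04X}{version:04X}")
    return pos


def walk(data):
    """Return [(type-code name, payload), ...] for the stream's top-level elements.

    Strings, back-references, nulls, resets and block data are decoded.  The walk
    stops at the first element that opens a class descriptor (objects, arrays,
    enums, classes), because decoding those needs the full object grammar and,
    unlike ObjectInputStream.readObject, this walker never instantiates anything.
    """
    pos = check_header(data)
    out = []
    while pos < len(data):
        tc = data[pos]
        pos += 1
        name = TYPE_CODES.get(tc)
        if name is None:
            # A byte outside the table is corruption; report it as two hex digits.
            raise StreamCorruptedError(f"invalid type code: {tc:02X}")
        if name in ("TC_NULL", "TC_RESET", "TC_ENDBLOCKDATA"):
            out.append((name, None))
        elif name in ("TC_STRING", "TC_LONGSTRING"):
            fmt = ">H" if name == "TC_STRING" else ">Q"      # 2- or 8-byte length prefix
            raw, pos = _take(data, pos, struct.calcsize(fmt))
            (length,) = struct.unpack(fmt, raw)
            body, pos = _take(data, pos, length)
            # Java writes modified UTF-8; it coincides with UTF-8 for the text used here.
            out.append((name, body.decode("utf-8")))
        elif name == "TC_REFERENCE":
            raw, pos = _take(data, pos, 4)
            (handle,) = struct.unpack(">I", raw)
            out.append((name, handle - BASE_WIRE_HANDLE))   # index of the referenced element
        elif name in ("TC_BLOCKDATA", "TC_BLOCKDATALONG"):
            fmt = ">B" if name == "TC_BLOCKDATA" else ">I"   # 1- or 4-byte length prefix
            raw, pos = _take(data, pos, struct.calcsize(fmt))
            (length,) = struct.unpack(fmt, raw)
            body, pos = _take(data, pos, length)
            out.append((name, body))
        else:
            out.append((name, "<class descriptor follows; not walked>"))
            break
    return out


# Constructed sample streams, hand-assembled from the specification's grammar:
TWO_STRINGS = bytes.fromhex("aced0005" "74 0002 6869" "71 007e0000")  # "hi", then a back-reference to it
ONE_INT = bytes.fromhex("aced0005" "77 04 0000002a")                    # primitive int 42 in block-data mode
BAD_CODE = bytes.fromhex("aced0005" "47")                               # 0x47 is not a type code

if __name__ == "__main__":
    print(walk(TWO_STRINGS))
    print(walk(ONE_INT))
    try:
        walk(BAD_CODE)
    except StreamCorruptedError as e:
        print("rejected:", e)
```

Run it over bytes produced by each runtime you care about: if the header and every top-level type code check out, the two producers agree on the framing the specification fixes, and any remaining incompatibility lies in the class descriptors or the classes themselves. Because the walker only reads framing and never resolves or instantiates a class, it is also a safe first look at a serialized blob from an untrusted source, which `readObject` is not.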