Serializable Class Containing Sensitive Data

| Field | Value |
|---|---|
| ID | kotlin.serializable_class_containing_sensitive_data |
| Severity | low |
| Resource | Information Leak |
| Language | Kotlin |
| Tags | CWE:499, NIST.SP.800-53 |
Rationale
The java.io.Serializable interface, available to Kotlin classes on the JVM, allows objects to be converted into a byte stream and back. This is useful for caching, deep copying, or network communication. However, if a class that holds sensitive data implements Serializable without adequate protection, that data is written into the byte stream and can be exposed wherever the stream travels or is stored.
Consider the following Kotlin class:

```kotlin
import java.io.Serializable

data class UserCredentials(
    var username: String,
    var password: String // Sensitive data: written to the stream in clear text
) : Serializable
```
Here, UserCredentials implements Serializable and stores sensitive data, a password, in a regular field. When an instance is serialized, the password is included in the resulting bytes, so it may be exposed in transit or at rest, leading to a data breach if the stream is intercepted or read by an attacker.
Remediation
To mitigate the risks of serializing classes that contain sensitive data, follow these practices:

- Avoid serialization of sensitive data: wherever possible, do not make classes that contain sensitive information serializable. Design the application so that data which needs serialization is kept separate from sensitive data.
- Transient fields: use the @Transient annotation to keep sensitive fields out of the serialized byte stream.

```kotlin
import java.io.Serializable
import kotlin.jvm.Transient

data class UserCredentials(
    var username: String,
    // Marked as transient so it is never written to the stream.
    // Note: after deserialization this field holds the JVM default (null),
    // so code that reads a restored instance must not rely on it being set.
    @Transient var password: String
) : Serializable
```

- Encryption: if serialization of sensitive data is unavoidable, encrypt the data before serialization and decrypt it after deserialization.
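The following is an added Kotlin example, not code from the original page or the detector's own implementation, that makes the leak concrete: it serializes both the vulnerable class and the @Transient remediation with java.io.ObjectOutputStream and scans the resulting bytes for the password. The class names and the sample credential values are constructed for the illustration.

```kotlin
import java.io.ByteArrayInputStream
import java.io.ByteArrayOutputStream
import java.io.ObjectInputStream
import java.io.ObjectOutputStream
import java.io.Serializable
import kotlin.jvm.Transient

// Vulnerable form: the password field is written to the stream in clear text.
data class LeakyCredentials(var username: String, var password: String) : Serializable

// Remediated form: @Transient keeps the password out of the byte stream.
// The type is nullable because a restored instance has no password at all.
data class SafeCredentials(var username: String, @Transient var password: String?) : Serializable

// Serializes any Serializable object with Java serialization and returns the raw bytes.
fun serialize(obj: Serializable): ByteArray {
    val buffer = ByteArrayOutputStream()
    ObjectOutputStream(buffer).use { it.writeObject(obj) }
    return buffer.toByteArray()
}

// Returns true if the secret's UTF-8 bytes appear verbatim in the serialized form.
// Java serialization writes String fields as modified UTF-8, so a leaked ASCII
// secret is found by a plain byte search; this is the kind of check a test suite
// can run over every Serializable type that carries credentials.
fun containsSecret(bytes: ByteArray, secret: String): Boolean {
    val needle = secret.toByteArray(Charsets.UTF_8)
    if (needle.isEmpty() || needle.size > bytes.size) return false
    return (0..bytes.size - needle.size).any { start ->
        needle.indices.all { i -> bytes[start + i] == needle[i] }
    }
}

fun main() {
    val secret = "hunter2-constructed-sample" // constructed sample value, not a real credential
    val leakyBytes = serialize(LeakyCredentials("alice", secret))
    val safeBytes = serialize(SafeCredentials("alice", secret))
    println("Leaky class exposes the password in the stream: ${containsSecret(leakyBytes, secret)}")
    println("@Transient class exposes the password in the stream: ${containsSecret(safeBytes, secret)}")

    // Round trip of the remediated class: the transient field is never written,
    // so the restored object carries the field's JVM default and the caller must
    // obtain the credential again from a proper secret source.
    val restored = ObjectInputStream(ByteArrayInputStream(safeBytes)).use { it.readObject() as SafeCredentials }
    println("Password field after deserialization: ${restored.password}")
}
```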
Configuration

The detector has the following configurable parameter:

- sensitiveKinds: the kinds of sensitive data that this detector reports.
References

- CWE-499: Serializable Class Containing Sensitive Data.