runtime: BinaryFormatter exception message text should be clearer when the target project type killbits NRBF serialization

Description

Solution: use System.Text.Json serializer dotnet/runtime#68723 (note: it uses base64 encoding for byte[], that means +33 % size)

The workaround to enable binary serialization using <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization> doesn’t do anything in MAUI .csproj - the application still doesn’t want to use binary serialization.

Exception message: BinaryFormatter serialization and deserialization are disabled within this application. See https://aka.ms/binaryformatter for more information.

Binary serialization works fine on MAUI Windows.

The task is to serialize objects of this class, stored in a Dictionary by ID, to disk for offline usage: This seems nearly impossible to do using XML or JSON serializers so far because of inheritance, interfaces, circular references etc. (with MessagePack library, still circular references problem).

What I have to do without BinaryFormatter is to clear all Parent and Children properties before serialization (write to disk) and recreate all of them after deserialization (read from disk), which is unnecessary overhead and code complexity.


Steps to Reproduce

<EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization> in MAUI .csproj where binary serialization is used

Version with bug

Release Candidate 2 (current)

Last version that worked well

Unknown/Other

Affected platforms

Android

Affected platform versions

Android 11 (API 30)

Did you find any workaround?

No response

Relevant log output

No response

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 22 (13 by maintainers)

Most upvoted comments

We hardcode the implementation of BinaryFormatter to throw PlatformNotSupported on mobile here: https://github.com/dotnet/runtime/blob/77a87df24807d750513607accd7032a57795a201/src/libraries/System.Runtime.Serialization.Formatters/src/System.Runtime.Serialization.Formatters.csproj#L77-L79

We should probably create a copy of the exception message and emphasize that you can’t override this. Updating the aka.ms page to list the workloads where this is not overridable would probably be good too.

Also tagging @blowdart because the magic incantation has been invoked.

@steveisok @jonathanpeppers thoughts?

Should we put an error condition on this property in the android and iOS sdk targets to be more descriptive?

@janseris have a look at https://khalidabuhakmeh.com/serialize-interface-instances-system-text-json. You can use converters in System.Text.Json to serialize interfaces. Maybe that could help?

The issue usually with binary formatter is how big of a security issue it is. People can modify the data you store on the device and literally run malicious code.

Anyways I’m not a MAUI dev, I just saw this issue and since I’ve dealt with this issue a few times I thought I’d share the alternatives. BinaryFormatter is very flexible but because of this it’s a huge pain in terms of security.

Thank you, well this is where I will add so much additional code and complexity just to save objects to disk. I need to keep the reason to change the classes to only when the actual class definition changes, not because of serialization. This means that adding any annotations (maybe besides [Serializable]) is unacceptable. I need to declare a generic serializer for any class. This way, a new converter must be created for any object (which uses interfaces) which is serialized. That is a maintainability nightmare.

You could cast it to object before serializing. And use DTOs to deserialize (there’s a nice DTO mapper project to do this automatically for every class).

Finally: https://github.com/dotnet/designs/blob/8bff552b2bf5d9a36d39db58d106e2b2d34a510a/accepted/2020/better-obsoletion/binaryformatter-obsoletion.md so it looks like in mobile they hard disabled BinaryFormatter and won’t be coming back anytime soon, so I wouldn’t hope this issue will be resolved.
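As an added example (not code from this issue or from the MAUI/runtime projects) of the System.Text.Json route suggested in the thread: a hypothetical Item class with the Parent/Children cycle the reporter describes, keyed by ID in a Dictionary, is saved and reloaded with ReferenceHandler.Preserve so the cycle round-trips without the clear-and-rebuild step. The Item type, the OfflineStore helper and the sample graph are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical stand-in for the reporter's class: items keyed by Id, each with
// a Parent back-reference and a Children list, i.e. a cyclic object graph.
public sealed class Item
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public Item? Parent { get; set; }
    public List<Item> Children { get; set; } = new();
}

public static class OfflineStore
{
    // ReferenceHandler.Preserve emits $id/$ref metadata, so the Parent/Children
    // cycle survives a round trip. Unlike BinaryFormatter, the payload never names
    // a type to instantiate: the deserializer only ever creates Item objects, so a
    // file edited on the device cannot steer deserialization into other types.
    private static readonly JsonSerializerOptions Options = new()
    {
        ReferenceHandler = ReferenceHandler.Preserve,
    };

    public static string Save(Dictionary<int, Item> items) =>
        JsonSerializer.Serialize(items, Options);

    public static Dictionary<int, Item> Load(string json) =>
        JsonSerializer.Deserialize<Dictionary<int, Item>>(json, Options)
        ?? new Dictionary<int, Item>();

    public static void Main()
    {
        // Constructed sample graph: root <-> child, both stored by Id.
        var root = new Item { Id = 1, Name = "root" };
        var child = new Item { Id = 2, Name = "child", Parent = root };
        root.Children.Add(child);
        var byId = new Dictionary<int, Item> { [1] = root, [2] = child };

        var restored = Load(Save(byId));

        // Reference identity is restored: the reloaded child's Parent is the
        // reloaded root, and the root's first child is that same child object.
        bool sameParent = ReferenceEquals(restored[2].Parent, restored[1]);
        bool sameChild = ReferenceEquals(restored[1].Children[0], restored[2]);
        Console.WriteLine($"cycle preserved: {sameParent && sameChild}");
    }
}
```

Interface-typed properties still need a converter or the polymorphism attributes, as the linked article covers; this block only shows the circular-reference part.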
