runtime: BinaryFormatter exception message text should be clearer when the target project type killbits NRBF serialization
Description
Solution: use System.Text.Json serializer dotnet/runtime#68723 (note: it uses base64 encoding for byte[], that means +33 % size)
The workaround to enable binary serialization using <EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization> doesn’t do anything in MAUI .csproj - the application still doesn’t want to use binary serialization.
Exception message: BinaryFormatter serialization and deserialization are disabled within this application. See https://aka.ms/binaryformatter for more information.
Binary serialization works fine on MAUI Windows.
The task is to serialize objects of this class object stored in a Dictionary by ID to disk for offline usage:
This seems nearly impossible to do using XML or JSON serializers so far because of inheritance, interfaces, circular references etc. (with MessagePack library, still circular references problem).
What I have to do without BinaryFormatter is to clear all Parent and Children properties before serialization (write to disk) and recreate all of them after deserialization (read from disk) which is unnecessary overhead and code complexity.
Steps to Reproduce
<EnableUnsafeBinaryFormatterSerialization>true</EnableUnsafeBinaryFormatterSerialization> in MAUI .csproj where binary serialization is used
Version with bug
Release Candidate 2 (current)
Last version that worked well
Unknown/Other
Affected platforms
Android
Affected platform versions
Android 11 (API 30)
Did you find any workaround?
No response
Relevant log output
No response
About this issue
- State: closed
- Created 2 years ago
- Comments: 22 (13 by maintainers)
We hardcode the implementation of BinaryFormatter to throw PlatformNotSupported on mobile here: https://github.com/dotnet/runtime/blob/77a87df24807d750513607accd7032a57795a201/src/libraries/System.Runtime.Serialization.Formatters/src/System.Runtime.Serialization.Formatters.csproj#L77-L79
We should probably create a copy of the exception message and emphasize that you can’t override this. Updating the aka.ms page to list the workloads where this is not overridable would probably be good too.
Also tagging @blowdart because the magic incantation has been invoked.
@steveisok @jonathanpeppers thoughts?
Should we put an error condition on this property in the android and iOS sdk targets to be more descriptive?
You could cast it to object before serializing. And use DTOs to deserialize (there’s a nice DTO mapper project to do this automatically for every class).
Finally: https://github.com/dotnet/designs/blob/8bff552b2bf5d9a36d39db58d106e2b2d34a510a/accepted/2020/better-obsoletion/binaryformatter-obsoletion.md so it looks like in mobile they hard disabled BinaryFormatter and won’t be coming back anytime soon, so I wouldn’t hope this issue will be resolved.
@janseris have a look at https://khalidabuhakmeh.com/serialize-interface-instances-system-text-json you can use converters in System.Text.Json to serialize interfaces. Maybe that could help?
The issue usually with binary formatter is how big of a security issue it is. People can modify the data you store on the device and literally run malicious code.
Anyways I’m not a MAUI dev, I just saw this issue and since I’ve dealt with this issue a few times I thought I’d share the alternatives. BinaryFormatter is very flexible but because of this it’s a huge pain in terms of security.
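Added example, not code from the issue or from any participant in the thread: a System.Text.Json round trip of a Parent/Children graph kept in a Dictionary by ID, using ReferenceHandler.Preserve so the circular references survive without BinaryFormatter. The Node class, the OfflineCache helper and the file name are hypothetical, since the issue's real class is not shown on the page.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical stand-in for the issue's class (its real definition is not on the page).
public class Node
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public Node? Parent { get; set; }                 // back-reference: creates the cycle
    public List<Node> Children { get; set; } = new();
}

public static class OfflineCache
{
    // Preserve writes $id/$ref metadata so cycles and shared instances survive the round trip.
    // The target type is fixed by the caller: the file cannot name a type to instantiate.
    private static readonly JsonSerializerOptions Options = new()
    {
        ReferenceHandler = ReferenceHandler.Preserve
    };

    public static void Save(string path, Dictionary<int, Node> nodes) =>
        File.WriteAllText(path, JsonSerializer.Serialize(nodes, Options));
    public static Dictionary<int, Node> Load(string path) =>
        JsonSerializer.Deserialize<Dictionary<int, Node>>(File.ReadAllText(path), Options)
            ?? throw new InvalidDataException("cache file contained JSON null");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample graph: one root with two children.
        var root = new Node { Id = 1, Name = "root" };
        var a = new Node { Id = 2, Name = "a", Parent = root };
        var b = new Node { Id = 3, Name = "b", Parent = root };
        root.Children.AddRange(new[] { a, b });
        var nodes = new Dictionary<int, Node> { [1] = root, [2] = a, [3] = b };
        string path = Path.Combine(Path.GetTempPath(), "nodes-cache.json");
        OfflineCache.Save(path, nodes);
        var loaded = OfflineCache.Load(path);
        // Print whether reference identity (not just equal copies) was restored.
        Console.WriteLine(ReferenceEquals(loaded[2].Parent, loaded[1]));
        Console.WriteLine(ReferenceEquals(loaded[1].Children[0], loaded[2]));
    }
}
```

The file on the device is still attacker-editable, so treat the loaded values as untrusted data and validate them before use; the difference from BinaryFormatter is that editing the file changes property values rather than which types get constructed.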