It is possible to change the mappings in a serialized java.security.Permissions object such that they no longer map correctly, and Permissions.readObject won't detect this. This can cause incorrect behavior in the implies method. For example, you could change the mapping of java.io.FilePermission to a java.util.PropertyPermissionCollection, and permissions.implies(new FilePermission(...)) would always return false.