Gson
Google's Java/Android JSON serialization/deserialization library. Converts Java objects to JSON and back using reflection-based mapping. Works without annotations on simple POJOs — gson.toJson(object) and gson.fromJson(json, Type.class). Widely used in Android development and Java services. Now superseded by Jackson for most server-side use but still common in Android apps and legacy codebases.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Serialization library. No network calls. Deserialization of untrusted JSON is generally safe with Gson (no Java deserialization gadgets unlike native Java serialization).
⚡ Reliability
Best When
You're building an Android app or working in a legacy Java codebase where Gson is already the standard — simple POJO serialization without annotation ceremony.
Avoid When
You're starting a new server-side Java project — use Jackson. For Kotlin, use kotlinx.serialization or Moshi.
Use Cases
- Serialize and deserialize Java/Kotlin objects to/from JSON in Android applications without annotation setup
- Parse JSON API responses in Java services with minimal configuration using reflection-based mapping
- Convert custom Java types to JSON for logging, caching, or API responses in Spring/Dropwizard services
- Handle nested JSON structures with TypeToken for generic types (List<User>, Map<String, Order>)
- Customize JSON output with GsonBuilder for date formats, null handling, and field exclusion strategies
Not For
- High-performance server-side JSON — Jackson is 2-3x faster than Gson and has richer features
- Kotlin data classes requiring compile-time safety — kotlinx.serialization provides Kotlin-native JSON
- Complex polymorphic serialization — Jackson's polymorphism annotations are more powerful than Gson's RuntimeTypeAdapterFactory
Interface
Authentication
Serialization library. No authentication required.
Pricing
Apache 2.0 license. Maintained by Google.
Agent Metadata
Known Gotchas
- ⚠ Generic types require TypeToken — gson.fromJson(json, List<User>.class) doesn't work due to Java type erasure; use new TypeToken<List<User>>(){}.getType()
- ⚠ Gson is not thread-safe by default — sharing a single Gson instance across threads requires the Gson instance to be created with no mutable state, but it is safe for concurrent reads
- ⚠ Null values: Gson skips null fields by default — use GsonBuilder.serializeNulls() to include null fields in JSON output
- ⚠ Kotlin data class default values are not respected during deserialization — Gson uses unsafe object creation that bypasses constructors; use kotlinx.serialization or Moshi for Kotlin
- ⚠ Date serialization uses toString() by default, which is locale-dependent — configure a custom DateSerializer or use GsonBuilder.setDateFormat() for a consistent ISO format
- ⚠ Inner classes (non-static nested classes) cause Gson to fail — use static nested classes or plain outer classes for Gson-serializable types
Alternatives
Scores are editorial opinions as of 2026-03-06.