I rambled a bit here:
http://www.java-gaming.org/topics/serialization-by-various-means/27316/msg/244250/view.html#msg244250

Every time you update your code your saved files will become incompatible. That is why you should avoid serialization. (In my point of view)
Serialization is fine, Java's built-in serialization not so much. With Kryo's TaggedFieldSerializer you get backward compatibility -- you can add new fields without breaking old bytes. Instead of removing fields, you just @Deprecated them (and I also usually rename them to ignored1, ignored2, etc).
There are other ways to keep backward and forward compatibility, but they start to impact performance and I've found TaggedFieldSerializer is enough for games. When I make a change that is large enough that I can't evolve the class (which is rare), I write a serializer that transforms the old class to a new class. This consists of simply doing the old deserialization, then writing a method that populates a new class instance with data from the old class instance.
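The class-evolution scheme described in the post above, worked through as an added example (not the poster's code, nor part of Kryo itself). It assumes the Kryo 2.x/3.x API, where `TaggedFieldSerializer` writes only `@Tag`-annotated fields and skips `@Deprecated` ones on write while still reading them; the `SaveV1`/`SaveV2` classes and their field names are constructed for the example.

```java
import com.esotericsoftware.kryo.Kryo;
import com.esotericsoftware.kryo.io.Input;
import com.esotericsoftware.kryo.io.Output;
import com.esotericsoftware.kryo.serializers.TaggedFieldSerializer;
import com.esotericsoftware.kryo.serializers.TaggedFieldSerializer.Tag;

public class SaveEvolution {
    // Version 1 of the save data (constructed for this example): every
    // serialized field carries a stable tag that is never reused.
    public static class SaveV1 {
        @Tag(0) public int level;
        @Tag(1) public int lives;
    }

    // Version 2: a field was added (tag 2) and 'lives' was retired. It is kept,
    // deprecated and renamed to ignored1 so that old bytes containing tag 1 still
    // have a field to land in; @Deprecated fields are read but no longer written.
    public static class SaveV2 {
        @Tag(0) public int level;
        @Deprecated @Tag(1) public int ignored1;
        @Tag(2) public int score = -1;   // default for saves that predate it
    }

    static Kryo newKryo() {
        Kryo kryo = new Kryo();
        kryo.setDefaultSerializer(TaggedFieldSerializer.class);
        return kryo;
    }

    public static void main(String[] args) {
        // Write bytes with the old class, as a shipped build would have done.
        SaveV1 old = new SaveV1();
        old.level = 7;
        old.lives = 3;
        Output out = new Output(256, -1);
        newKryo().writeObject(out, old);
        byte[] bytes = out.toBytes();

        // Read the same bytes with the new class: tags 0 and 1 are found,
        // tag 2 was never written, so 'score' keeps its default of -1.
        SaveV2 loaded = newKryo().readObject(new Input(bytes), SaveV2.class);
        System.out.println("level=" + loaded.level + " score=" + loaded.score);
        // The reverse direction (new bytes into the old class) hits the unknown
        // tag 2 and fails in Kryo 2.x; forward compatibility is the separate
        // problem the post says costs performance.
    }
}
```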
For Android, check my answer here.
Saying the answer is shared preferences on Android is just as good as saying the answer is "write to a file" or "write to a database". This is only sufficient if you want to hand write all your serialization and handle compatibility yourself (hint: you don't). If hand writing binary serialization, Kryo provides a lot of utility to reduce the effort, so I would still suggest it.