
OneSignalUserDefaults uses NSKeyedUnarchiver method flagged as unsafe

Open patrickhartling opened this issue 3 years ago • 0 comments

Description:

The class OneSignalUserDefaults relies on a deprecated method of NSKeyedUnarchiver, +unarchiveObjectWithData:, which has been deemed unsafe. This was called out by submitting our application code, including the OneSignal iOS SDK, to a scanning service. For reference, the report includes a callout to CVE-676 with respect to this case.

Apple's recommendation is to use +unarchivedObjectOfClass:fromData:error:, introduced in iOS 11.0. The practicality of this change is not currently clear without further review of the code and some experimentation.

Environment

  1. SDK version 3.2.1
  2. Added to project using Carthage
  3. Xcode 12
  4. App targeting iOS 12.0 and newer

Steps to Reproduce Issue: N/A

Anything else: I can work on devising a way to use +unarchivedObjectOfClass:fromData:error: when running on iOS 11.0 or newer, but it would help to know if there are any design requirements of OneSignalUserDefaults that should be kept in mind.

patrickhartling, Apr 27 '21 17:04
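
The migration the issue asks about, as an added example that is not code from the OneSignal SDK or from the issue author: a class-restricted decode with +unarchivedObjectOfClass:fromData:error: in place of +unarchiveObjectWithData:. `SampleRecord` and `DecodeRecord` are hypothetical names, and the stored values are constructed for illustration.

```objectivec
#import <Foundation/Foundation.h>

// Hypothetical stored type for illustration; not a OneSignal class.
@interface SampleRecord : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSString *token;
@end

@implementation SampleRecord
+ (BOOL)supportsSecureCoding { return YES; }
- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.token forKey:@"token"];
}
- (instancetype)initWithCoder:(NSCoder *)coder {
    if ((self = [super init])) {
        // Class-checked decode: a value that is not an NSString fails.
        _token = [[coder decodeObjectOfClass:[NSString class] forKey:@"token"] copy];
    }
    return self;
}
@end

// Stands in for [NSKeyedUnarchiver unarchiveObjectWithData:data], which
// instantiates whatever class the archive names before the caller sees it.
static SampleRecord *DecodeRecord(NSData *data, NSError **error) {
    if (data == nil) { return nil; }
    return [NSKeyedUnarchiver unarchivedObjectOfClass:[SampleRecord class]
                                             fromData:data
                                                error:error];
}

int main(void) {
    @autoreleasepool {
        SampleRecord *record = [SampleRecord new];
        record.token = @"constructed-sample-value";
        NSError *error = nil;
        NSData *good = [NSKeyedArchiver archivedDataWithRootObject:record
                                             requiringSecureCoding:YES
                                                             error:&error];
        NSLog(@"expected class: %@", DecodeRecord(good, &error).token);

        // Constructed archive whose root object is a different class.
        NSData *other = [NSKeyedArchiver archivedDataWithRootObject:[NSDate date]
                                              requiringSecureCoding:YES
                                                              error:&error];
        SampleRecord *rejected = DecodeRecord(other, &error);
        NSLog(@"unexpected class: %@ (%@)", rejected, error.localizedDescription);
    }
    return 0;
}
```

Every class that can appear in the archive has to adopt NSSecureCoding and be listed as allowed; for container roots, +unarchivedObjectOfClasses:fromData:error: takes the full set of permitted classes.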