YapDatabase
Usage of NSCoding instead of NSSecureCoding
Hello,
This issue is more of a question than exactly an issue. According to Apple documentation NSCoding is vulnerable to object substitution attacks. It recommends using NSSecureCoding instead.
We got this warning in a security scan of an application that uses YapDatabase. I’d like to ask if YapDatabase handles this vulnerability.
Best regards
YapDatabase doesn't really have a strong opinion on how your objects are serialized or deserialized. By default it uses NSKeyedArchiver/Unarchiver but you can set your own custom (de)serializers that don't rely on NSCoding at all.
It's up to the application author to decide to use NSSecureCoding, so it's not really a library level concern.
I suspect what he's talking about is how defaultSerializer and defaultDeserializer are using the now-deprecated variants of archivedDataWithRootObject: and unarchiveObjectWithData: rather than the newer ones that expect to use secure coding.
Ah good call. The newer method archivedData(withRootObject:requiringSecureCoding:) wasn't introduced until iOS 11, but YapDB still supports down to iOS 8.2. Changing the default serializers to require secure coding would be a major breaking change, but might be a good idea for the next major version bump.
One solution is to throw in some #if checks like the following (I think I got the versions correct). That way it's ready for the future and anyone compiling YapDatabase directly in will get the new methods and no warnings.
#if (TARGET_OS_OSX && MAC_OS_X_VERSION_MIN_REQUIRED >= 101300) || (TARGET_OS_IOS && __IPHONE_OS_VERSION_MIN_REQUIRED >= 110000) || (TARGET_OS_WATCH && __WATCH_OS_VERSION_MIN_REQUIRED >= 40000) || (TARGET_OS_TV && __TV_OS_VERSION_MIN_REQUIRED >= 110000)
// new method
#else
// old method
#endif
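
The secure-coding archive and unarchive calls discussed in this thread, written out as an added example that is not code from the thread or from YapDatabase. It assumes iOS 11 / macOS 10.13 or later; `Note`, `SecureSerialize` and `SecureDeserialize` are hypothetical names, and wiring them into YapDatabase's custom (de)serializer hooks is not shown.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical model class (not from YapDatabase); adopts NSSecureCoding.
@interface Note : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSString *title;
@end

@implementation Note
+ (BOOL)supportsSecureCoding { return YES; }
- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.title forKey:@"title"];
}
- (instancetype)initWithCoder:(NSCoder *)coder {
    if ((self = [super init])) {
        // Class-checked decode: an archived object of any other class is rejected.
        _title = [[coder decodeObjectOfClass:[NSString class] forKey:@"title"] copy];
    }
    return self;
}
@end

// Archive with secure coding required; fails if the object graph does not support it.
static NSData *SecureSerialize(id<NSSecureCoding> object) {
    NSError *error = nil;
    NSData *data = [NSKeyedArchiver archivedDataWithRootObject:object
                                         requiringSecureCoding:YES error:&error];
    if (!data) NSLog(@"archive failed: %@", error);
    return data;
}

// Unarchive only if the root object belongs to the caller's allow-list of classes.
static id SecureDeserialize(NSData *data, NSSet<Class> *allowed) {
    NSError *error = nil;
    id object = [NSKeyedUnarchiver unarchivedObjectOfClasses:allowed
                                                    fromData:data error:&error];
    if (!object) NSLog(@"unarchive rejected: %@", error);
    return object;
}

int main(void) {
    @autoreleasepool {
        Note *note = [Note new];
        note.title = @"constructed sample";
        NSData *data = SecureSerialize(note);
        // Expected class on the allow-list: the round trip succeeds.
        Note *ok = SecureDeserialize(data, [NSSet setWithObject:[Note class]]);
        // Same bytes, but the caller expected a different class: returns nil.
        id rejected = SecureDeserialize(data, [NSSet setWithObject:[NSDate class]]);
        NSLog(@"ok=%@ rejected=%@", ok.title, rejected);
    }
    return 0;
}
```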