mixpanel/mixpanel-iphone

Remove vulnerable NSCoding

vneelakantam opened this issue · 5 comments

Description:
NSCoding is an Objective-C protocol designed to allow serialization and deserialization of code objects. However, this protocol does not verify the type of object upon deserialization. Thus, it is vulnerable to object substitution attacks. A maliciously crafted payload which is deserialized via the NSCoding protocol can result in attacker-controlled code being executed.

Apple provides the NSSecureCoding protocol which is robust against this type of attack. NSSecureCoding protects against object substitution attacks by requiring the programmer to declare the expected type of object before deserialization completes. Thus, if an invalid object is deserialized, the error can be handled safely.

Following link leads to vulnerable methods used
https://github.com/mixpanel/mixpanel-iphone/search?q=NSCoding&unscoped_q=NSCoding

Expected Behavior:
Locate all the classes in the App that conform to NSCoding and migrate them to NSSecureCoding. You can utilize Xcode's built-in search function to locate these classes in the App's project. Searching for "NSCoding" will reveal everything that conforms to the vulnerable protocol.

Additionally, ensure all input data is validated before it is used, especially when dealing with data that becomes executable.

You can read more about NSSecureCoding on NSHipster.

Secure Code
`// Declare that your class conforms to NSSecureCoding
@interface MySecureObject : NSObject
@Property (nonatomic, retain) NSDictionary *myData;
@EnD

@implementation MySecureObject

  • (BOOL)supportsSecureCoding {
    // Must override this class delegate method to reture YES
    return YES;
    }
  • (id)initWithCoder:(NSCoder *)decoder {
    if ((self = [super init])) {
    // When decoding sub-objects, use @selector(decodeObjectOfClass:forKey:)
    // This method will throw an exception if the deserialized object's class doesn't match the expected class
    self.myData = [decoder decodeObjectOfClass:[NSDictionary class] forKey:@"myData"];
    }
    return self;
    }
  • (void)encodeWithCoder:(NSCoder *)encoder {
    [encoder encodeObject:self.myData forKey:@"myData"];
    }
    @end`

I upgraded the Cocoapod from 3.6.4 to 3.6.5 for my macOS app yesterday and started getting this message in the Xcode console. This issue has been open for a while, but I assume the notice is related.

[general] NSSecureCoding allowed classes list contains [NSObject class], which bypasses security by allowing any Objective-C class to be implicitly decoded. Consider reducing the scope of allowed classes during decoding by listing only the classes you expect to decode, or a more specific base class than NSObject.

Any update on this? We're seeing massive amounts of logs getting logged to the console because of this.

I'm now seeing crashes in production with iOS 15.1 beta that appear related to this. Any updates? Thanks!

I've taken a crack at implementing this. The code is available for use and I've put up a pull request. #948

We have fixed this in v4.0.0.beta and we have no plan to fix it in 3.x. You can use Swift Package Manager to install the beta version for now(Follow the prompts using the URL for this repository and point to branch 4.0.0.beta).
4.0.0.beta is fully supported by us just without Messages & Experiments. On Jan 1, 2022, we’ll remove the Messages & Experiments feature from Mixpanel and formally release 4.0.0.