Switch from Unsafe Serialization API to NSSecureCoding

[cagatayemekci]

Before filing an issue please check that the issue is not already addressed by the following:

• Video Guides
• Changelog

If this is an issue with the SDK itself, file it here. If this is an issue with the QuickStart apps, please use video-quickstart-ios.

Please ensure that you are not sharing any
Personally Identifiable Information(PII)
or sensitive account information (API keys, credentials, etc.) when reporting an issue.

Description

NSCoding does not verify the type of object upon deserialization and therefore is vulnerable to object substitution attacks. The code can protect itself from these attacks by using NSSecureCoding instead: https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc

Expected Behavior

Use NSSecureCoding instead of NSCoding

Versions

All relevant version information for the issue.

Video iOS SDK

[e.g. 5.4 via SPM]

Xcode

[e.g. 14.1]

iOS Version

[e.g. 15.6.1]

iOS Device

[e.g. iPhone 11 Pro Max]

[piyushtank]

@cagatayemekci Thanks for reaching out. Can you please elaborate the issue you are facing or you are suggesting on Video SDK? Thanks.

[cagatayemekci]

We are using data theorem for security issues. This application also controls the frameworks we use. This is the details

Details

The following binaries within the App contain code which leverages NSCoding, which is vulnerable to object substitution attacks:

NSCoding is an Objective-C protocol designed to allow serialization and deserialization of code objects. However, this protocol does not verify the type of object upon deserialization.
Thus, it is vulnerable to object substitution attacks. A maliciously crafted payload which is deserialized via the NSCoding protocol can result in attacker-controlled code being executed.

Apple provides the NSSecureCoding protocol which is robust against this type of attack.
NSSecureCoding protects against object substitution attacks by requiring the programmer to declare the expected type of object before deserialization completes. Thus, if an invalid
object is deserialized, the error can be handled safely.

[piyushtank]

@cagatayemekci Thanks for the details. Can you please share which class in Video SDK you are trying to deserialize which could potentially have the problem? Also are you talking about JSON serialization/deserialization? I am not sure why would you do serialization/deserialization of Twilio video sdk class/objects. They are not in JSON. Can you please share code snippets.

[cagatayemekci]

@piyushtank The following classes in the binary conform to NSCoding:
TVIRTCVideoCodecInfo

[piyushtank]

I was out for few weeks.
TVIRTCVideoCodecInfo is using webrtc class RTCVideoCodecInfo. Since this object is not serializing/deserializing, its not a risk, however we have created a ticket internally to fix this in our webrtc code base. We will pick up the ticket when we upgrade to next webrtc version.