Open cagatayemekci opened 1 year ago
@cagatayemekci Thanks for reaching out. Can you please elaborate the issue you are facing or you are suggesting on Video SDK? Thanks.
We are using data theorem for security issues. This application also controls the frameworks we use. This is the details
The following binaries within the App contain code which leverages `NSCoding`, which is vulnerable to object substitution attacks: `NSCoding` is an Objective-C protocol designed to allow serialization and deserialization of code objects. However, this protocol does not verify the type of object upon deserialization. Thus, it is vulnerable to object substitution attacks. A maliciously crafted payload which is deserialized via the `NSCoding` protocol can result in attacker-controlled code being executed. Apple provides the [`NSSecureCoding` protocol](https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc) which is robust against this type of attack. `NSSecureCoding` protects against object substitution attacks by requiring the programmer to declare the expected type of object before deserialization completes. Thus, if an invalid object is deserialized, the error can be handled safely.
@cagatayemekci Thanks for the details. Can you please share which class in Video SDK you are trying to deserialize which could potentially have the problem? Also are you talking about JSON serialization/deserialization? I am not sure why would you do serialization/deserialization of Twilio video sdk class/objects. They are not in JSON. Can you please share code snippets.
@piyushtank The following classes in the binary conform to NSCoding:
TVIRTCVideoCodecInfo
I was out for few weeks. TVIRTCVideoCodecInfo is using webrtc class RTCVideoCodecInfo. Since this object is not serializing/deserializing, its not a risk, however we have created a ticket internally to fix this in our webrtc code base. We will pick up the ticket when we upgrade to next webrtc version.
Description
NSCoding does not verify the type of object upon deserialization and therefore is vulnerable to object substitution attacks. The code can protect itself from these attacks by using NSSecureCoding instead: https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc
Expected Behavior
Use NSSecureCoding instead of NSCoding
Versions
All relevant version information for the issue.
Video iOS SDK
[e.g. 5.4 via SPM]
Xcode
[e.g. 14.1]
iOS Version
[e.g. 15.6.1]
iOS Device
[e.g. iPhone 11 Pro Max]