
How can NSDictionary support NSSecureCoding when it doesn't know its future content?


According to Apple's specs, when a class supports NSSecureCoding, it should use

decodeObjectOfClass:forKey:

in its initWithCoder

But as the dictionary has no clue about its content, how can it support secure coding?

This is in contrast to a custom object, where the property classes are known.


Solution

  • According to this answer, Foundation containers (Array, Dictionary, Set, others …?) aren't really as secure as one would think. Apparently only known Foundation classes are deemed secure, which means the default implementation won't allow storing custom objects when using NSSecureCoding.

    The most important quote:

    [...] if you use NSArray() or other collection classes directly in your coding, you need to check what you got back. They are ‘securely’ decoded to the extent that Apple believes decoding them will not result in a buffer overflow etc, that’s all you get by default. [...]
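
One way to act on that advice, as an added example (not code from the question or the answer): decode the dictionary with decodeObjectOfClasses:forKey:, listing the container and every class expected inside it, then check what came back. The Profile class, its scores property and the @"scores" key are hypothetical names chosen for illustration.

```objective-c
#import <Foundation/Foundation.h>

// Hypothetical model class: holds a dictionary of NSString -> NSNumber.
@interface Profile : NSObject <NSSecureCoding>
@property (nonatomic, copy) NSDictionary<NSString *, NSNumber *> *scores;
@end

@implementation Profile
+ (BOOL)supportsSecureCoding { return YES; }

- (void)encodeWithCoder:(NSCoder *)coder {
    [coder encodeObject:self.scores forKey:@"scores"];
}

- (instancetype)initWithCoder:(NSCoder *)coder {
    if (!(self = [super init])) return nil;
    // Allow-list the container AND every class expected inside it.
    NSSet *allowed = [NSSet setWithObjects:[NSDictionary class],
                                           [NSString class],
                                           [NSNumber class], nil];
    id decoded = [coder decodeObjectOfClasses:allowed forKey:@"scores"];
    // The allow-list does not say which class sits where, so verify the shape.
    if (![decoded isKindOfClass:[NSDictionary class]]) return nil;
    NSDictionary *dict = decoded;
    for (id key in dict) {
        if (![key isKindOfClass:[NSString class]] ||
            ![dict[key] isKindOfClass:[NSNumber class]]) {
            return nil;  // reject archives whose contents have the wrong types
        }
    }
    _scores = [dict copy];
    return self;
}
@end

int main(void) {
    @autoreleasepool {
        Profile *p = [Profile new];
        p.scores = @{@"level": @3};  // constructed sample data
        NSError *err = nil;
        NSData *data = [NSKeyedArchiver archivedDataWithRootObject:p
                                             requiringSecureCoding:YES error:&err];
        Profile *back = [NSKeyedUnarchiver unarchivedObjectOfClass:[Profile class]
                                                          fromData:data error:&err];
        NSLog(@"decoded scores=%@ error=%@", back.scores, err);
    }
    return 0;
}
```

A custom class stored inside the dictionary would be added to the allowed set in the same way, and must itself adopt NSSecureCoding.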