{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

Code and more information at [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence).

## Object Serialization in iOS Development

In iOS, **object serialization** means converting objects into a form that can be stored or transmitted and rebuilding them from that form later. Two protocols, **`NSCoding`** and **`NSSecureCoding`**, provide this for Objective-C classes and `NSObject` subclasses, letting objects be serialized into **`NSData`**, a wrapper around a byte buffer.

### **`NSCoding`** Implementation

To adopt `NSCoding`, a class must inherit from `NSObject` or be marked `@objc`. The protocol requires two methods, one that encodes the instance variables and one that decodes them:

```swift
import Foundation

class CustomPoint: NSObject, NSCoding {

    var x: Double = 0.0
    var name: String = ""

    init(x: Double, name: String) {
        self.x = x
        self.name = name
    }

    // Required by NSCoding: write each property under a key.
    func encode(with aCoder: NSCoder) {
        aCoder.encode(x, forKey: "x")
        aCoder.encode(name, forKey: "name")
    }

    // Required by NSCoding: rebuild the instance from the decoder. Note that
    // decodeObject(forKey:) does not check the class of the value it returns;
    // only the `as? String` cast afterwards does.
    required convenience init?(coder aDecoder: NSCoder) {
        guard let name = aDecoder.decodeObject(forKey: "name") as? String else { return nil }
        self.init(x: aDecoder.decodeDouble(forKey: "x"), name: name)
    }
}
```

### **Hardening with `NSSecureCoding`**
To reduce the risk of an attacker injecting data that ends up instantiated as an unexpected object, **`NSSecureCoding`** extends the protocol. A class conforming to `NSSecureCoding` must verify the class of each object at decode time, so that only the expected types are instantiated. Note, however, that `NSSecureCoding` adds type safety only: it neither encrypts the data nor guarantees its integrity, so sensitive data still needs additional protection:

```swift
// Opt in; NSKeyedUnarchiver refuses to decode the class under secure coding otherwise.
static var supportsSecureCoding: Bool {
    return true
}

// Decode against an explicit expected class: returns nil if the archive holds
// anything else, instead of instantiating whatever class the archive names.
let obj = decoder.decodeObject(of: MyClass.self, forKey: "myKey")
```

## Data Archiving with `NSKeyedArchiver`
`NSKeyedArchiver` and its counterpart `NSKeyedUnarchiver` encode objects to a file and read them back later, which makes them a convenient way to persist objects:

```swift
// Legacy file-based API (deprecated since iOS 12). It does not require secure
// coding, so the archive itself decides which classes get instantiated.
NSKeyedArchiver.archiveRootObject(customPoint, toFile: "/path/to/archive")
let restored = NSKeyedUnarchiver.unarchiveObject(withFile: "/path/to/archive") as? CustomPoint
```
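The following is an added example, not code from the original page or from the MASTG; it serves both the `NSSecureCoding` section above and this archiving section. It puts a class that adopts `NSSecureCoding` next to the two `NSKeyedArchiver` code paths: the current `requiringSecureCoding: true` / `unarchivedObject(ofClass:from:)` pair, and the deprecated `unarchiveObject(with:)`. The class names, the `SideEffectClass` stand-in and the in-process "tampered" archive are assumptions made for the demonstration; on a device the tampered archive would be a file the attacker edited.

```swift
import Foundation

// Added example (not from the original page). Class and key names are illustrative.
final class CustomPoint: NSObject, NSSecureCoding {
    // Opt in: NSKeyedUnarchiver refuses to decode this class under
    // requiresSecureCoding unless this returns true.
    static var supportsSecureCoding: Bool { return true }

    let x: Double
    let name: String

    init(x: Double, name: String) {
        self.x = x
        self.name = name
        super.init()
    }

    func encode(with coder: NSCoder) {
        coder.encode(x, forKey: "x")
        coder.encode(name, forKey: "name")
    }

    required convenience init?(coder: NSCoder) {
        // decodeObject(of:forKey:) fails if the stored value is not an NSString;
        // a plain decodeObject(forKey:) would return whatever the archive holds.
        guard let name = coder.decodeObject(of: NSString.self, forKey: "name") as String? else {
            return nil
        }
        self.init(x: coder.decodeDouble(forKey: "x"), name: name)
    }
}

// Stand-in for "any other NSCoding class linked into the app" (constructed for
// the demo): its init(coder:) runs as soon as the unarchiver instantiates it.
final class SideEffectClass: NSObject, NSCoding {
    override init() { super.init() }
    func encode(with coder: NSCoder) {}
    required init?(coder: NSCoder) {
        print("SideEffectClass.init(coder:) ran")
        super.init()
    }
}

enum ArchiveError: Error { case wrongRootClass }

// Secure path: only CustomPoint (and the classes it decodes) may be instantiated.
func secureArchive(_ point: CustomPoint) throws -> Data {
    return try NSKeyedArchiver.archivedData(withRootObject: point, requiringSecureCoding: true)
}

func secureUnarchive(_ data: Data) throws -> CustomPoint {
    guard let point = try NSKeyedUnarchiver.unarchivedObject(ofClass: CustomPoint.self, from: data) else {
        throw ArchiveError.wrongRootClass
    }
    return point
}

// Legacy path (deprecated since iOS 12): the archive's class entries decide
// which classes get instantiated; the `as?` cast only runs afterwards.
func legacyUnarchive(_ data: Data) -> CustomPoint? {
    return NSKeyedUnarchiver.unarchiveObject(with: data) as? CustomPoint
}

// Round trip through the secure path.
let archive = try secureArchive(CustomPoint(x: 1.5, name: "origin"))
let restored = try secureUnarchive(archive)
print(restored.name, restored.x)

// Constructed "tampered" archive whose root object is a different class.
let tampered = try NSKeyedArchiver.archivedData(withRootObject: SideEffectClass(),
                                                requiringSecureCoding: false)

// Legacy: SideEffectClass.init(coder:) runs, then the cast yields nil.
print("legacy result is nil:", legacyUnarchive(tampered) == nil)

// Secure: the unarchiver throws before any object of the wrong class is created.
do {
    _ = try secureUnarchive(tampered)
} catch {
    print("secure unarchive rejected the archive:", error)
}
```

Run as a `main.swift` on macOS 10.13+ or in an iOS 11+ target. The point to take from it is the order of operations: the legacy unarchiver instantiates the class named in the archive and only then lets the caller cast, while the secure API checks the class first and throws.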

### Simplified Serialization with `Codable`
Swift's `Codable` protocol combines `Decodable` and `Encodable` and handles types such as `String`, `Int` and `Double` without extra work:

```swift
struct CustomPointStruct: Codable {
    var x: Double
    var name: String
}
```

This approach supports straightforward serialization to property lists and JSON, which simplifies data handling in Swift applications.

## JSON and XML Encoding Alternatives

Beyond the native support, several third-party libraries offer JSON and XML encoding/decoding, each with its own performance characteristics and security considerations. Choose these libraries carefully; in particular, configure XML parsers so that they do not process external entities, which is what prevents XXE (XML External Entity) attacks.
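As an added example that is not part of the original page, the block below shows the external-entity settings of Foundation's own `XMLParser` with the permissive configuration next to the hardened one, and runs the hardened parser over an XML document constructed to reference a local file. The payload, the delegate class and the `/etc/passwd` path are assumptions for the demonstration; third-party parsers expose equivalent switches under their own names.

```swift
import Foundation

// Added example (not from the original page). The payload is constructed.
let untrustedXML = """
<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY leak SYSTEM "file:///etc/passwd">
]>
<note><body>&leak;</body></note>
"""

// Delegate that collects the text inside <body> and records any parse error.
final class BodyCollector: NSObject, XMLParserDelegate {
    private(set) var body = ""
    private(set) var parseError: Error?
    private var inBody = false

    func parser(_ parser: XMLParser, didStartElement elementName: String, namespaceURI: String?,
                qualifiedName qName: String?, attributes attributeDict: [String: String] = [:]) {
        if elementName == "body" { inBody = true }
    }

    func parser(_ parser: XMLParser, didEndElement elementName: String, namespaceURI: String?,
                qualifiedName qName: String?) {
        if elementName == "body" { inBody = false }
    }

    func parser(_ parser: XMLParser, foundCharacters string: String) {
        if inBody { body += string }
    }

    func parser(_ parser: XMLParser, parseErrorOccurred error: Error) {
        parseError = error
    }
}

func makeParser(for xml: String, hardened: Bool) -> XMLParser {
    let parser = XMLParser(data: Data(xml.utf8))
    if hardened {
        // Hardened: never resolve external entities, whether file:// or network.
        parser.shouldResolveExternalEntities = false
        parser.externalEntityResolvingPolicy = .never
    } else {
        // Weak: the parser may fetch whatever the DOCTYPE points at.
        parser.shouldResolveExternalEntities = true
        parser.externalEntityResolvingPolicy = .always
    }
    return parser
}

func parseBody(_ xml: String, hardened: Bool) -> (body: String, error: Error?) {
    let parser = makeParser(for: xml, hardened: hardened)
    let collector = BodyCollector()
    parser.delegate = collector
    _ = parser.parse()
    return (collector.body, collector.parseError)
}

// Only the hardened parser is run here. Its body must not contain the file
// contents; depending on the Foundation version the unresolved entity is
// either dropped or surfaced as a parse error.
let result = parseBody(untrustedXML, hardened: true)
print("body:", result.body)
print("error:", result.error.map { "\($0)" } ?? "none")
```

When reviewing an app, grep for `externalEntityResolvingPolicy` and `shouldResolveExternalEntities` on `XMLParser` instances that receive network or file input; the `.never` policy is the setting to look for.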

### Security Considerations

When serializing data, especially to the file system, watch out for sensitive information being included. If serialized data is intercepted or mishandled, the application may be exposed to unauthorized operations or data leakage. Encrypting and signing serialized data is recommended as an additional layer of protection.
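The following added example (not code from the original page) covers both the `Codable` section above and the protection recommended here. It encodes a `Codable` struct with `JSONEncoder` and then seals the bytes with AES-GCM from CryptoKit, which gives confidentiality and integrity in one primitive, so a tampered blob is rejected before the decoder ever sees it; it also shows that `JSONDecoder` itself throws on a type mismatch rather than returning a half-built value. The struct, the in-process key (a real app would keep it in the Keychain), and the corrupted input are assumptions made for the demonstration; CryptoKit requires iOS 13 / macOS 10.15 or later.

```swift
import Foundation
import CryptoKit

// Added example (not from the original page). Names and inputs are illustrative.
struct CustomPointStruct: Codable, Equatable {
    var x: Double
    var name: String
}

enum StoreError: Error { case tampered, malformed }

// Encode, then seal. The combined form (nonce || ciphertext || tag) is what
// gets persisted; the tag is what makes tampering detectable.
func sealForStorage(_ point: CustomPointStruct, key: SymmetricKey) throws -> Data {
    let plaintext = try JSONEncoder().encode(point)
    let box = try AES.GCM.seal(plaintext, using: key)
    guard let combined = box.combined else { throw StoreError.malformed }
    return combined
}

// Open, then decode. Any bit flip in the blob fails the tag check before
// JSONDecoder runs.
func openFromStorage(_ blob: Data, key: SymmetricKey) throws -> CustomPointStruct {
    let box: AES.GCM.SealedBox
    do {
        box = try AES.GCM.SealedBox(combined: blob)
    } catch {
        throw StoreError.malformed
    }
    let plaintext: Data
    do {
        plaintext = try AES.GCM.open(box, using: key)
    } catch {
        throw StoreError.tampered
    }
    return try JSONDecoder().decode(CustomPointStruct.self, from: plaintext)
}

// Demo key generated in-process (assumption); production code loads it from the Keychain.
let key = SymmetricKey(size: .bits256)
let point = CustomPointStruct(x: 1.5, name: "origin")

let blob = try sealForStorage(point, key: key)
let back = try openFromStorage(blob, key: key)
print("round trip intact:", back == point)

// Constructed tampering: flip one bit inside the ciphertext (the last 16 bytes are the tag).
var corrupted = blob
corrupted[corrupted.count - 20] ^= 0x01
do {
    _ = try openFromStorage(corrupted, key: key)
} catch StoreError.tampered {
    print("tampering detected, nothing was decoded")
} catch {
    print("unexpected error:", error)
}

// Plain Codable also refuses structurally wrong input: a type mismatch throws
// a DecodingError instead of producing a partially initialised struct.
let badJSON = Data(#"{"x":"not a number","name":"origin"}"#.utf8)
do {
    _ = try JSONDecoder().decode(CustomPointStruct.self, from: badJSON)
} catch let DecodingError.typeMismatch(type, context) {
    print("type mismatch for \(type): \(context.debugDescription)")
} catch {
    print("unexpected error:", error)
}
```

The ordering matters: authenticate first, decode second. Decoding untrusted bytes and only then checking a signature leaves the parser exposed to the attacker's input.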

## References

* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence)