hacktricks/mobile-pentesting/ios-pentesting/ios-serialisation-and-encoding.md

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

Code and more information in [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence).

## Object Serialization in iOS Development

In iOS, **object serialization** involves converting objects into a format that can be easily stored or transmitted, and then reconstructing them from this format when needed. Two main protocols, **`NSCoding`** and **`NSSecureCoding`**, facilitate this process for Objective-C or `NSObject` subclasses, allowing objects to be serialized into **`NSData`**, a format that wraps byte buffers.

### **`NSCoding`** Implementation
To implement `NSCoding`, a class must inherit from `NSObject` or be marked as `@objc`. This protocol mandates the implementation of two methods for encoding and decoding instance variables:

```swift
class CustomPoint: NSObject, NSCoding {
    var x: Double = 0.0
    var name: String = ""

    func encode(with aCoder: NSCoder) {
        aCoder.encode(x, forKey: "x")
        aCoder.encode(name, forKey: "name")
    }

    required convenience init?(coder aDecoder: NSCoder) {
        guard let name = aDecoder.decodeObject(forKey: "name") as? String else { return nil }
        self.init(x: aDecoder.decodeDouble(forKey: "x"), name: name)
    }
}
```

### **Enhancing Security with `NSSecureCoding`**
To mitigate vulnerabilities where attackers inject data into already constructed objects, **`NSSecureCoding`** offers an enhanced protocol. Classes conforming to `NSSecureCoding` must verify the type of objects during decoding, ensuring that only the expected object types are instantiated. However, it's crucial to note that while `NSSecureCoding` enhances type safety, it doesn't encrypt data or ensure its integrity, necessitating additional measures for protecting sensitive information:

```swift
static var supportsSecureCoding: Bool {
    return true
}

let obj = decoder.decodeObject(of: MyClass.self, forKey: "myKey")
```

## Data Archiving with `NSKeyedArchiver`
`NSKeyedArchiver` and its counterpart, `NSKeyedUnarchiver`, enable encoding objects into a file and later retrieving them. This mechanism is useful for persisting objects:

```swift
NSKeyedArchiver.archiveRootObject(customPoint, toFile: "/path/to/archive")
let customPoint = NSKeyedUnarchiver.unarchiveObjectWithFile("/path/to/archive") as? CustomPoint
```

### Using `Codable` for Simplified Serialization
Swift's `Codable` protocol combines `Decodable` and `Encodable`, facilitating the encoding and decoding of objects like `String`, `Int`, `Double`, etc., without extra effort:

```swift
struct CustomPointStruct: Codable {
    var x: Double
    var name: String
}
```

This approach supports straightforward serialization to and from property lists and JSON, enhancing data handling in Swift applications.

## JSON and XML Encoding Alternatives
Beyond native support, several third-party libraries offer JSON and XML encoding/decoding capabilities, each with its own performance characteristics and security considerations. It's imperative to carefully select these libraries, especially to mitigate vulnerabilities like XXE (XML External Entities) attacks by configuring parsers to prevent external entity processing.

### Security Considerations
When serializing data, especially to the file system, it's essential to be vigilant about the potential inclusion of sensitive information. Serialized data, if intercepted or improperly handled, can expose applications to risks such as unauthorized actions or data leakage. Encrypting and signing serialized data is recommended to enhance security.


## References
* [https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence](https://mas.owasp.org/MASTG/iOS/0x06h-Testing-Platform-Interaction/#object-persistence)

<details>

<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>