Swift Unarchiver Insecure Deserialization
Description
The detector identifies unsafe use of NSKeyedUnarchiver in Swift applications. Deserializing untrusted data with NSKeyedUnarchiver can lead to remote code execution, because the archive itself names the classes to instantiate and, unless the caller restricts them, arbitrary classes can be instantiated during the deserialization process.
Detection Strategy
• Scan Swift source files for calls to NSKeyedUnarchiver deserialization functions
• Flag instances where NSKeyedUnarchiver is used without proper class validation checks
• Report a vulnerability if the unarchiveObject or unarchiveTopLevelObjectWithData methods are called without secure class validation
Vulnerable code example
import Foundation
class Config: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool = true
    var version: String
    init(version: String) {
        self.version = version
    ...
✅ Secure code example
import Foundation
class Config: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool = true
    var version: String
    init(version: String) {
        self.version = version
    ...
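The two snippets above are truncated, so the following is an added example (not the detector page's own code, and not Fluid Attacks' sample) that carries the same Config class through to the point the detection strategy describes: the legacy unarchiveObject call the detector flags, and the secure-coding call that replaces it. The class name Config, the key name "version", and the two sample archives are constructed for illustration; the NSKeyedUnarchiver and NSKeyedArchiver APIs used are the real Foundation ones.

```swift
import Foundation

// Added example, not the page's own code. `Config`, the key "version" and
// the sample archives below are constructed for illustration.
final class Config: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { return true }
    let version: String

    init(version: String) {
        self.version = version
    }

    // Typed decode: under secure coding the unarchiver only instantiates
    // the classes this initializer explicitly asks for.
    required init?(coder: NSCoder) {
        guard let version = coder.decodeObject(of: NSString.self, forKey: "version") as String? else {
            return nil
        }
        self.version = version
    }

    func encode(with coder: NSCoder) {
        coder.encode(version as NSString, forKey: "version")
    }
}

// VULNERABLE: the pattern the detector flags. The legacy API does not
// enforce NSSecureCoding, so the archive decides which class is
// instantiated; the `as? Config` check runs only after that has happened.
func loadConfigInsecure(_ data: Data) -> Config? {
    return NSKeyedUnarchiver.unarchiveObject(with: data) as? Config   // deprecated, insecure
}

// SECURE: the unarchiver is told the only class permitted at the root and
// throws if the archive names anything else, before any object is created.
func loadConfigSecure(_ data: Data) throws -> Config? {
    return try NSKeyedUnarchiver.unarchivedObject(ofClass: Config.self, from: data)
}

// Constructed sample archives: one legitimate Config, one whose root is a
// different class, standing in for data that did not come from our code.
let legitimate = try NSKeyedArchiver.archivedData(
    withRootObject: Config(version: "1.2"), requiringSecureCoding: true)
let unexpected = try NSKeyedArchiver.archivedData(
    withRootObject: NSArray(array: ["not", "a", "config"]), requiringSecureCoding: true)

let good = try loadConfigSecure(legitimate)
print("secure path decoded version:", good?.version ?? "nil")

do {
    _ = try loadConfigSecure(unexpected)
    print("secure path accepted a foreign root class (should not happen)")
} catch {
    print("secure path rejected the foreign root class:", error.localizedDescription)
}

// The insecure path returns nil for the same input, but only after the
// unarchiver has already instantiated whatever class the archive named.
print("insecure path result for foreign archive:", loadConfigInsecure(unexpected) as Any)
```

Run as a script with `swift main.swift` on macOS. The difference a reviewer should look for is the one the detector keys on: `unarchiveObject(with:)` and `unarchiveTopLevelObjectWithData(_:)` take no class list, whereas `unarchivedObject(ofClass:from:)` (or `ofClasses:` for a collection of types) makes the allowed classes part of the call and fails closed on anything else.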