MASTG-BEST-0064: Use Safe APIs for Object Deserialization

Use secure, class-restricted deserialization for object archives that can be influenced by an attacker. This includes archives received from files, IPC payloads, network responses, pasteboard data, app extensions, shared containers, or other storage locations outside the app's full control.

For current Apple guidance, see Archives and Serialization, NSSecureCoding, and NSKeyedUnarchiver. Apple's archived Secure Coding Guide section on "Validating Input and Interprocess Communication" still provides useful background and examples.

Use Secure Coding and Class-Restricted Decoding

Make every class that participates in a secure archive conform to NSSecureCoding and return true from supportsSecureCoding. Decode nested objects with class-restricted APIs such as decodeObject(of:forKey:), so that the unarchiver rejects any object whose class is not the one the caller expects.

Enable secure coding when creating and reading archives. Use archivedData(withRootObject:requiringSecureCoding:) with requiringSecureCoding set to true, and ensure requiresSecureCoding is enabled before decoding attacker-influenced data.

Restrict Top-Level Unarchiving

Use top-level unarchiving APIs that require the expected class or set of allowed classes, such as unarchivedObject(ofClass:from:). When decoding collections, include both the collection type and the allowed element types in the allowed class set.

Validate Decoded Values

Treat decoded objects as input data. Validate their contents before using them in security-sensitive decisions, file paths, URLs, commands, authorization logic, or persistent application state.
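The three steps above (secure coding, class-restricted top-level unarchiving, and validation of decoded values) in one Swift example; this is added illustration, not code from the MASTG page or Apple's documentation, and it assumes a hypothetical Bookmark class and a validation rule that accepts only https URLs.

```swift
import Foundation

// Hypothetical model class that participates in a secure archive.
final class Bookmark: NSObject, NSSecureCoding {
    static var supportsSecureCoding: Bool { return true }

    let title: String
    let url: URL

    init(title: String, url: URL) {
        self.title = title
        self.url = url
    }

    required init?(coder: NSCoder) {
        // Class-restricted decoding: decodeObject(of:forKey:) fails if the
        // archived object is not an instance of the requested class.
        guard let title = coder.decodeObject(of: NSString.self, forKey: "title") as String?,
              let url = coder.decodeObject(of: NSURL.self, forKey: "url") as URL? else {
            return nil
        }
        self.title = title
        self.url = url
    }

    func encode(with coder: NSCoder) {
        coder.encode(title as NSString, forKey: "title")
        coder.encode(url as NSURL, forKey: "url")
    }
}

// Archive with secure coding required; encoding fails if any object
// in the graph does not support NSSecureCoding.
func archiveBookmarks(_ bookmarks: [Bookmark]) throws -> Data {
    return try NSKeyedArchiver.archivedData(withRootObject: bookmarks as NSArray,
                                            requiringSecureCoding: true)
}

// Top-level unarchiving with an explicit allowed-class set. Because the root
// object is a collection, both the collection type and the element type are listed.
func unarchiveBookmarks(_ data: Data) throws -> [Bookmark] {
    let allowed: [AnyClass] = [NSArray.self, Bookmark.self]
    guard let decoded = try NSKeyedUnarchiver.unarchivedObject(ofClasses: allowed, from: data)
            as? [Bookmark] else {
        throw CocoaError(.coderReadCorrupt)
    }
    // Decoded objects are still input data: reject anything that fails the
    // app's own rule (here, only https URLs are acceptable) before using it.
    guard decoded.allSatisfy({ $0.url.scheme?.lowercased() == "https" }) else {
        throw CocoaError(.coderInvalidValue)
    }
    return decoded
}
```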

Tests

MASTG-TEST-0386: References to Object Deserialization of Untrusted Data