ios Object Encoding and Decoding with NSSecureCoding Protocol
Object Encoding and Decoding with NSSecureCoding Protocol
NSCoding is a fantastically simple and convenient way to store data on iOS or Mac OS by turning your model objects directly into a file and then loading it back into memory again, without needing to write any file parsing and serialization logic. To save any object to a data file (assuming that it implements the NSCoding protocol), you can just do this:
Foo *someFoo = [[Foo alloc] init]; |
And to load it again later:
Foo *someFoo = [NSKeyedUnarchiver unarchiveObjectWithFile:someFile]; |
That’s fine for resources that are compiled into your app (such as nib files, which use NSCoding under the hood), but the problem with using NSCoding for reading and writing user data files is that, because you are encoding whole classes in a file, you are implicitly giving that file (with potentially unknown origin) permission to instantiate classes inside your app.
Although you cannot store executable code in an NSCoded file (on iOS at least), a hacker could use a specially crafted file to trick your app into instantiating classes that you never intended it to, or do so in a different context to what you intended. Whilst it would be difficult to do any real harm in this way, it could certainly lead to app crashes and/or data loss for users.
In iOS6, Apple introduced a new protocol built on top of NSCoding called NSSecureCoding. NSSecureCoding is identical to NSCoding, except that when decoding objects you specify both the key and class of the object you are decoding, and if the expected class doesn’t match the class of the object decoded from the file, the NSCoder will throw an exception to tell you that the data has been tampered with.
Most of the system objects that support NSCoding have been upgraded to support NSSecureCoding, so by enabling secure coding on your NSKeyedUnarchiver, you can make sure that the data file you are loading is safe. You would do that like this:
// Set up NSKeyedUnarchiver to use secure coding |
Note that if you enable secure coding on your NSKeyedUnarchiver, every object stored in the file must conform to NSSecureCoding, otherwise you will get an exception. To tell the framework that your own classes support NSSecureCoding, you have to implement the new decoding logic in your initWithCoder: method, and return YES from the supportsSecureCoding method. There are no changes to the encodeWithCoder: method needed, as the security concerns are around loading, not saving.
@interface Foo : NSObject @property (nonatomic, strong) NSNumber *property1; |
A few weeks ago, I wrote about how to implement NSCoding automatically by using introspection to determine the properties of your class at runtime.
This is a great way to add NSCoding support to all of your model objects without having to write repetitive and error-prone initWithCoder:/encodeWithCoder: methods. But the approach we used would not support NSSecureCoding because we do not attempt to validate the types of the objects being loaded.
So how can we enhance our automatic NSCoding system to support NSSecureCoding right out of the box?
If you recall, the original implementation worked by using the class_copyPropertyList() and property_getName() runtime functions to generate a list of property names, which we stored in an array:
// Import the Objective-C runtime headers |
Using KVC (Key-Value Coding), we were then able to set and get all the properties of an object by name and encode/decode them in an NSCoder object.
To implement NSSecureCoding, we’ll follow the same principle, but instead of just getting the property names, we’ll also need to get their types. Fortunately, the objective C runtime stores detailed information about the types of class properties, so we can easily extract this data along with the names.
Properties of a class can be either primitive types (such as integers, BOOLs and structs) or objects (such as NSString, NSArray, etc). The KVC valueForKey: and setValue:forKey: methods implement automatic “boxing” of primitive types, meaning that they will turn integers, BOOLs and structs into NSNumber and NSValue objects, respectively. That makes things a bit easier for us because we only have to deal with boxed types (objects), so we can represent all of our property types as classes, instead of having to call different decoding methods for different property types.
The runtime methods don’t give us the boxed class name for each property though, instead they give us the type encoding – a specially formatted C-string containing the type information (this is the same format returned by the @encode(var); syntax). There’s no automatic way to get the equivalent boxed class for a primitive type, so we’ll need to parse this string and then specify the appropriate class ourselves.
The format of a type encoding string is documented here.
The first character represents the primitive type. Objective C uses a unique character for each supported primitive, for example ‘i’ represents an integer, ‘f’ a float, ‘d’ a double, and so on. Objects are represented by ‘@’ (followed by the class name) and then there are other more obscure types such as ‘:’ for selectors, or ‘#’ for classes.
Struct and union types are represented by expressions wrapped in {…} brackets. Only some of these types are supported by the KVC mechanism, but the ones that are supported are always boxed as NSValue objects, so we can treat any value starting with ‘{‘ the same way.
If we switch based on the first character of the string, we can handle all the known types:
Class propertyClass = nil; |
To handle ‘@’ types, we need to extract the class name. The class name may include protocols (which we don’t really need to worry about), so we’ll split the string to extract just the class name, and then use NSClassFromString to get the class:
case '@': |
Finally, we can combine this parsing logic with the propertyNames method logic from our previous implementation to create a method that returns a dictionary of property classes, keyed by property name. Here is the complete implementation:
- (NSDictionary *)propertyClassesByName |
That’s the hard part done. Now, to implement NSSecureCoding, we’ll just modify the initWithCoder: method from our previous automatic coding implementation to take the property class into account when parsing. We’ll also need to return YES from the supportsSecureCoding method:
+ (BOOL)supportsSecureCoding |
And there you have it: A simple base class for your models that supports NSSecureCoding out of the box. Alternatively, you can use my AutoCoding category that uses this approach to add automatic NSCoding and NSSecureCoding support to any object that doesn’t already implement it.
![]() |
Nick Lockwood is the author of iOS Core Animation: Advanced Techniques. Nick also wrote iCarousel, iRate and other Mac and iOS open source projects.
|
ios Object Encoding and Decoding with NSSecureCoding Protocol的更多相关文章
- Direct Access to Video Encoding and Decoding
来源:http://asciiwwdc.com/2014/sessions/513 Direct Access to Video Encoding and Decoding Session 5 ...
- Redis 数据结构与编码技术 (Object Encoding)
数据结构实现 相信大家对 redis 的数据结构都比较熟悉: string:字符串(可以表示字符串.整数.位图) list:列表(可以表示线性表.栈.双端队列.阻塞队列) hash:哈希表 set:集 ...
- Node.js Base64 Encoding和Decoding
如何在Node.js中encode一个字符串呢?是否也像在PHP中使用base64_encode()一样简单? 在Node.js中有许多encoding字符串的方法,而不用像在JavaScript中那 ...
- Object C学习笔记15-协议(protocol)
在.NET中有接口的概念,接口主要用于定义规范,定义一个接口关键字使用interface.而在Object C 中@interface是用于定义一个类的,这个和.NET中有点差别.在Object C中 ...
- IOS Object和javaScript相互调用
在IOS开发中有时会用到Object和javaScript相互调用,详细过程例如以下: 1. Object中运行javascript代码,这个比較简单,苹果提供了非常好的方法 - (NSString ...
- Thinking in file encoding and decoding?
> General file encoding ways We most know, computer stores files with binary coding like abc\xe4\ ...
- ios回调函数的标准实现:protocol+delegate
一.项目结构
- IOS开发之----协议与委托(Protocol and Delegate) 实例解析
1 协议: 协议,类似于Java或C#语言中的接口,它限制了实现类必须拥有哪些方法. 它是对对象行为的定义,也是对功能的规范. 在写示例之前我给大家说下@required和@optional这两个关键 ...
- 【iOS】Swift扩展extension和协议protocol
加上几个关节前Playground摘要码进入github在,凝视写了非常多,主要是为了方便自己的未来可以Fanfankan. Swift语法的主要部分几乎相同的. 当然也有通用的.运算符重载.ARC. ...
随机推荐
- Visual Studio 2015 下载地址
Visual Studio 2015 发行说明: https://visualstudio.com/zh-cn/news/vs2015-vs.aspx Visual Studio 2015 特性简 ...
- Error -26359: Function not allowed within a concurrent group
Error -26359: Function not allowed within a concurrent group 疑问: 基于url录制的脚步能用检查点么? 疑问: web_set_max ...
- git高级应用
高级应用之一: 二分法查找错误版本: 当前日志 $ git log --oneline ccda9d2 added test1 dd518f7 test zu 88095f9 dasfdasf 3 ...
- (原)Struts 相关资源下载
官网:http://struts.apache.org 点击[Download],进入页面如下,可以看到下载的资源: 点击[struts-2.3.20-all.zip],就能获取Struts2项目所有 ...
- HDU4417 - Super Mario(主席树)
题目大意 给定一个数列,每次要求你查询区间[L,R]内不超过K的数的数量 题解 和静态的区间第K大差不多,这题是<=K,先建立好n颗主席树,然后用第R颗主席树区间[1,K]内数的数量减去第L-1 ...
- CF_402D Upgrading Array 因式分解
题目链接:http://codeforces.com/problemset/problem/402/D /**算法分析: */ #include<bits/stdc++.h> #defin ...
- 大型网站应用中MySQL的架构演变史
没有什么东西是一成不变的,包含我们的理想和生活!MySQL作为一个免费的开源的关系型数据库,深受大家喜爱,从最初的无人问津到当下的去IOE,都体现出了MySQL举足轻重的作用.今天我们就从淘宝的发展来 ...
- 问题-[ACCESS2007]怎么显示MsysObjects
office 2007设置:单击左上角图标 -> Access选项 -> 当前数据库 -> 导航 -> 导航选项 -> 勾选显示隐藏对象,显示系统对象.数据库工具选项卡 ...
- Robotium学习笔记三
以下是从网络上抄录的一些Robotium注意事项 1)有些button没有string,没有text,只能通过index来click这样很不直观,而且button的index并不是固定的,有可能随着控 ...
- 发布ASP(非.Net)网站
1.安装IIS 2.设置网址.端口 3.设置文档(默认访问的文档,比如index.asp,index.htm等) 4.双击asp - 展开行为 - 启用父路径:true - 允许访问父目录 5.应用程 ...