Various Firebase types does not conform to NSSecureCoding

[clausjoergensen]

[READ] Step 1: Are you in the right place?

Yes

[REQUIRED] Step 2: Describe your environment

• Xcode version: 10.3
• Firebase SDK version: 5.16
• Firebase Component: Core, Messaging
• Component version: 5.16

[REQUIRED] Step 3: Describe the problem

Our security team scanned our code and dependencies for vulnerabilities and found that the following classes did not conform to NSSecureCoding making them vulnerable to object substitution attacks:

FIRMessagingTopicBatch, FIRInstanceIDAPNSInfo, FIRInstanceIDTokenInfo and FIRMessagingPendingTopicsList

Steps to reproduce:

Open up the header files, note that they conform to NSCoding, and not NSSecureCoding.

Relevant Code:

• https://github.com/firebase/firebase-ios-sdk/blob/master/Firebase/Messaging/FIRMessagingPendingTopicsList.h
• https://github.com/firebase/firebase-ios-sdk/blob/master/Firebase/InstanceID/FIRInstanceIDAPNSInfo.h
• https://github.com/firebase/firebase-ios-sdk/blob/master/Firebase/InstanceID/FIRInstanceIDTokenInfo.h

[charlotteliang]

We removed NSCoding from Messaging but not InstanceID yet. InstanceID is deprecated and will be removed from Messaging soon. We will keep this open for now.