Is your feature request related to a problem? Please describe.
The BTClientToken class in BraintreeCore conforms to the NSCoding protocol, and its init method uses the function decodeObject(forKey:) (in Braintree 6.x in Swift; the same function decodeObjectForKey: is used in Braintree 5.x in Objective-C). This is a potential security issue as it is vulnerable to object substitution attacks. The NSSecureCoding protocol should be used instead to protect against such attacks.
Thanks for bringing this to our attention! We will work to get this updated for v6 of the SDK. I will update here once we have put up and merged a PR for this work.
We will not be updating v5 as that SDK is deprecated as of June 2024 as listed here. Per our documentation we do not make updates to deprecated versions of our SDKs. It's also worth noting v5 will be fully unsupported starting June 2025 and at that point processing for these SDKs can be suspended at any time. We highly recommend that merchants migrate to v6 before this date.
Describe the solution you'd like.
From Apple Documentation for NSSecureCoding:
An object that does override init(coder:) must decode any enclosed objects using the decodeObjectOfClass:forKey: method. For example:
let obj = decoder.decodeObject(of: MyClass.self, forKey: "myKey")
In addition, the class must override the getter for its supportsSecureCoding property to return true.
Please update BTClientToken in both Braintree 5 and 6 with these changes to protect against object substitution attacks.
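As an added illustration of the requested change (this is not Braintree's code; `SecureClientToken` and the `rawValue` key are constructed stand-ins for BTClientToken), the following shows a class that adopts NSSecureCoding, decodes with an explicit expected class, and is archived with `requiringSecureCoding: true` so that a root object of an unexpected class is rejected rather than substituted:

```swift
import Foundation

// Constructed stand-in for a client-token model, hardened with NSSecureCoding.
// Class name and the "rawValue" key are assumptions, not Braintree's own API.
final class SecureClientToken: NSObject, NSSecureCoding {
    // Required by NSSecureCoding: tells NSKeyedUnarchiver that this class only
    // decodes objects whose classes it explicitly asks for.
    static var supportsSecureCoding: Bool { return true }

    let rawValue: String

    init(rawValue: String) {
        self.rawValue = rawValue
    }

    func encode(with coder: NSCoder) {
        coder.encode(rawValue as NSString, forKey: "rawValue")
    }

    required init?(coder: NSCoder) {
        // decodeObject(of:forKey:) instead of decodeObject(forKey:): the archive
        // must hold an NSString under this key, otherwise decoding fails instead
        // of handing back whatever object was stored there.
        guard let value = coder.decodeObject(of: NSString.self, forKey: "rawValue") else {
            return nil
        }
        self.rawValue = value as String
    }
}

// Round trip through an archiver that enforces secure coding (iOS 11+ / macOS 10.13+ API).
func roundTrip(_ token: SecureClientToken) throws -> SecureClientToken? {
    let data = try NSKeyedArchiver.archivedData(withRootObject: token, requiringSecureCoding: true)
    return try NSKeyedUnarchiver.unarchivedObject(ofClass: SecureClientToken.self, from: data)
}

// Negative check: an archive whose root is some other class (here an NSNumber)
// must be rejected when SecureClientToken is the only class allowed.
func rejectsUnexpectedRootClass() -> Bool {
    guard let data = try? NSKeyedArchiver.archivedData(withRootObject: NSNumber(value: 42),
                                                       requiringSecureCoding: true) else { return false }
    let decoded = try? NSKeyedUnarchiver.unarchivedObject(ofClass: SecureClientToken.self, from: data)
    return decoded == nil
}

let original = SecureClientToken(rawValue: "constructed-sample-token")
let decoded = try? roundTrip(original)
print(decoded?.rawValue == original.rawValue ? "secure round trip ok" : "round trip failed")
print(rejectsUnexpectedRootClass() ? "unexpected root class rejected" : "unexpected root class accepted")
```

The same pattern applies to the Objective-C 5.x code path, where `decodeObjectOfClass:forKey:` replaces `decodeObjectForKey:` and `+supportsSecureCoding` returns YES.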