The final few paragraphs touch upon how expansive the attack surface can be due to this serialization code. So, yes, the libraries are terrible.
Asking the HN audience: Is there a set of design principles that the iMessage team can follow to make these more resilient to such attacks while retaining their usability? As a non-Apple employee whose globally dispersed family relies on iMessage to stay in touch, I have a vested interest in the security of my family’s iPhones. I know it’s rare for Apple employees to comment, but it would be great if someone from Apple can comment on whether these libraries are being re-architected in some way. This will cut through any FUD that arises from this disclosure / discussion.