AFNetworking vulnerability

[chandra.s...@okta.com]

RestKit depends on very old version of AFNetworking. Is there a play to switch to the latest version any time soon?

See this: http://arstechnica.com/security/2015/04/24/critical-https-bug-may-open-25000-ios-apps-to-eavesdropping-attacks/

[chandra.s...@okta.com]

Anybody? When can we expect a version of RestKit that will work with latest version of AFNetworking?

[Dan Morrow]

There's been discussion about moving RestKit to AFNetworking 2.x, and about how that would be an enormous undertaking. Some people have argued that RestKit would be better off using the new NSURLSession stuff, and dropping AFNetworking altogether. There may be someone working on an AFNetworking 2.x branch, but I'm not sure about that.

That said, is it known that this vuln is found in AFNetworking 1.x? Is it possible that it's just part of the 2.x line? I've been poking around, but haven't found anything definitive yet. 

[PT]

See issue #2209 now closed. Vulnerability in AF 2.x not in 1.x so Restkit or other products using AF 1.x are fine. There has been some good progress on a Restkit version that can run either without AF or optionally alongside AF 2.x, some way to go as yet including review by the RK team, but very promising. The AF 2.x Restkit branch is not being worked on.

[Chandra Shirashyad]

Thanks Dan and PT!

Is it possible to use just the mapping portion of Restkit? Essentially detach the networking layer so we can use anything to fetch the JSON object use RestKit for object mapping.

Thanks,

Chandra