By default, Flutter apps only do default AppKit app serialisation of Window location etc. and by default, state serialisation in AppKit apps is compatible with NSSecureCoding. AppKit apps generated since Xcode 13.2 include this method in the app delegate generated by the default app template.

Background

This method was added to opt into having [de]serialization require a coder implementing the NSSecureCoding protocol. Apple wasn't able to force this across the board, because NSSecureCoding limits certain behaviours during deserialisation, which some third-party apps have have previously relied on.

Specific background on the sorts of vulnerabilities that NSSecureCoding was designed to prevent are described in the NSSecureCoding documentation:
https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc

A demonstration of a root privilege escalation and SIP bypass vulnerability is described in the following blog post: https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/

Fixes: #150062

Pre-launch Checklist

• I read the Contributor Guide and followed the process outlined there for submitting PRs.
• I read the Tree Hygiene wiki page, which explains my responsibilities.
• I read and followed the Flutter Style Guide, including Features we expect every widget to implement.
• I signed the CLA.
• I listed at least one issue that this PR fixes in the description above.
• I updated/added relevant documentation (doc comments with ///).
• I added new tests to check the change I am making, or this PR is test-exempt.
• I followed the breaking change policy and added Data Driven Fixes where supported.
• All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.