July 08 2026
Fixed
- Validate IV length and ciphertext block-alignment before decrypting.
- Return a uniform .decryptionFailure that never exposes the underlying CommonCrypto status.
- Guard LegacyCryptor random-IV path against payloads too short to contain an IV.
- Map encrypt-path errors to .encryptionFailure instead of .decryptionFailure .
- Redact authKey and authToken in instance logs instead of emitting them in cleartext.
- Use .none as the default log level for the PubNubLogger public initializer to avoid an insecure default.
- Make message action add/remove fire completion only once on error.
Modified
- Warn that verbose log levels may expose sensitive data and recommend long, high-entropy cipher keys.
- Make every PubNub instance manage its own presence-state container.