
Which keychain attributes are inaccessible when the keychain is locked?

There are 5 types of keys that can be stored in the iOS keychain:

  • kSecClassGenericPassword
  • kSecClassInternetPassword
  • kSecClassCertificate
  • kSecClassKey
  • kSecClassIdentity

Each of those key types supports a different attribute set. It's unclear which attributes are "public" and exposed to a locked keychain, and which are not.

Should I assume that a locked keychain can expose all of the following?

Can applications without my app-group entitlement view the attributes of my keychain items?


All attributes are considered public. The only secret in the keychain is the data (i.e. the thing you retrieve using attributes). See Keychain Services Programming Guide: Structure of a Keychain:

Note: Unlike data, an item's attributes are not considered secret, and thus never encrypted. They can be read at any time, even when the keychain is locked.

As a practical matter, I believe there are times in iOS (as opposed to macOS) when even the attributes (all the attributes) wind up being encrypted (such as before first unlock), but you should not rely on this. If the data is a secret, it should be keychain data, not an attribute. But remember, you cannot search on data... since it's encrypted... you can only search on attributes. iOS does not decrypt the entire keychain all at once. It generally just decrypts the portions it needs. For all the gory details on this, see the iOS Security Guide.
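The rule in the answer above (secret in the item's data, lookup through attributes), as an added example that is not part of the original answer. The service name, error type and function names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical service name, used only for this example.
let service = "com.example.demo.api"

enum KeychainError: Error { case status(OSStatus) }

/// Stores `secret` as the item's data. Attributes carry only what is needed
/// to find the item again and must be values you are willing to expose.
func storeToken(_ secret: Data, account: String) throws {
    let lookup: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,   // attribute: not secret
        kSecAttrAccount as String: account    // attribute: not secret
    ]
    // Remove any previous item so the add below cannot fail as a duplicate.
    let deleted = SecItemDelete(lookup as CFDictionary)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        throw KeychainError.status(deleted)
    }
    var item = lookup
    item[kSecValueData as String] = secret    // data: the protected part
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlocked
    // Not here: kSecAttrLabel / kSecAttrComment / kSecAttrGeneric holding
    // the token, a PIN hint, or anything else that must stay confidential.
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Finds the item by its attributes (the only searchable fields) and
/// returns the data, or nil when no such item exists.
func loadToken(account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnData as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return result as? Data
}
```

If the account identifier is itself sensitive, use an opaque identifier for `kSecAttrAccount` and keep the real value inside the data.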
