App Transfer Keychain Loss: Solutions to users logging out

Question

I transferred an app to a new developer account. When I upload a build from the new developer account and deploy it through Testflight, I encounter that my users logged out from the app.

I think this is due to the Keychain Loss, because the Team ID changed. So, I contacted Apple, and they said that there is no way to have access to the old Keychain in the new developer account, but that I could transfer the app back to my old developer account.

This is really bad for us, since we have user-created data in the device that gets lost on logout. We also have anonymous users, and they can't even regain access to their accounts because there are no credentials to login. This is not acceptable to us because we would be losing user data, but we also need to transfer the app to the new developer account... So we are trying to find possible solutions.

Possible Solution #1

Far from ideal: keep using the old developer account for a month, for example, and show an alert saying something like:

Please save/backup all your data and signup (if you have an anonymous account) because all unsaved data will be lost on the [todays date + 1 month] due to a migration. Sorry for the inconvenience.

After a month, we transfer again to the new developer account. Users that didn't see the message in that month or didn't save data, bye bye data… terrible.

Possible Solution #2

I'm not sure if Firebase Auth iOS SDK has the APIs to do something like this:

1. Transfer the app back again to the old developer account
2. Upload a new build from there that saves the Firebase Authentication State (eg the token) temporarily in a file (I know it's insecure... maybe I could encrypt it)
3. Transfer the app back again to the new developer account
4. Upload a new build that checks if that file exists, and copies the Auth State into the Firebase Auth SDK again. This way the user is still logged in as if nothing happened.

This second solution is kind of insecure, complicated and difficult to test, but from the user point of view, it would be more ideal than the first solution (if everything goes well).

So, specifically my questions are:

1. Would solution #2 be possible with Firebase Auth?
2. Does anyone have more ideas on how to approach this? I guess that transferring apps (with login) is a common use case!

We currently only use Anonymous & Email/Password authentication methods.

Thanks!

Answer 1

So, I didn't find an ideal solution.

I ended up doing a mix of solutions #1 and #2:

1. I transferred the app back to the old apple account

2. I uploaded a new build that:

    a. extracts keychain data (which has login credentials and other stuff) b. encrypts this data (I used CryptoSwift) c. saves it into a file in the documents directory

3. Waited 1-2 months so users can open the app to perform this first part of the migration

4. While waiting, we sent emails and push notifications asking users to backup their data, saying that a big migration was coming soon, with the excuse that we "grew" a lot lately and we were scaling stuff:P

5. Transferred the app to the new apple account

6. I uploaded a new build that:

    a. checks if the migration file exists (in the documents directory) b. if exists, read the migration file and decrypts data c. puts this data into the keychain (which is empty after app transfer) d. deletes the migration file from the documents directory

7. Left this migration code for some more months so people open the app and perform migration

8. Delete code, migration period is over.

I sent logs to the backend to see if migrations were successful or not. So far, users are all migrating correctly.

There are still cases where users could lose their data, for example, when anonymous users didn't perform the first part of the migration. But I can't think of a better solution... so far data loss is minimal. But it also took us some time to get things right and do all the proper testing.

If someone in the future has a better solution to this issue, please let me know.! I'm curious.

I hope the answer helps someone.

Answer 2

I think the Apple rep was wrong. Your keychain is tied to a bundle ID, not a Team ID.

Suppose for example that you transferred SomeApp from the original app owner, OldCo, to NewCo. The app comprises a custom keyboard, the actual SomeApp app, and an App Group. You have some Identifiers set up on developer.apple.com:

App ID:
   com.OldCo.SomeApp
   com.OldCo.SomeApp.keyboard
App Group ID:
   com.OldCo.SomeAppGroup

If you change these to start with com.NewCo. , users will lose their iCloud data. But if you leave them as com.OldCo. , all should be well. Note that for you to create these IDs in NewCo's developer.apple.com account, OldCo will have to remove them from their account. It feels weird to have NewCo owning IDs with OldCo in them, but life is weird.

If I'm missing some nuance whereby the change in TeamID affects the keychain, please let me know, and I'll do more research.