Consider a scenario:
There are two iOS apps,
App1: com.example.app1
App2: com.example.app2
App1 has no keychain access groups other than its default group, which is .com.example.app1.
However, App2 has a keychain access group added which is the bundle identifier of App1, i.e. .com.example.app1, so App2's access groups are as follows: [.com.example.app1, .com.example.app2]
This way App2 has access to App1’s private access group, which means App2 can create, read, update and delete ALL the keychain items inside App1’s private group.
But Apple’s developer documentation says otherwise.
Referring to this document: https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps
In section “Establish your app’s private access group” (https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps#2974916), it says that “Because app IDs are unique across all apps, and because the app ID is stored in an entitlement protected by code signing, no other app can use it, therefore no other app is in this group”.
Focus on “therefore no other app is in this group”. But as proved by the scenario above, App2 can be part of App1’s private access group.
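The overlap this post describes is visible in the signed entitlements of the two apps, so it can be checked mechanically. The following is an added example, not code from the post or from Apple: it reads constructed entitlement plists for App1 and App2 (with a placeholder TEAMID prefix standing in for the app ID prefix that precedes the bundle ID) and flags any app whose keychain-access-groups entitlement names another app's application-identifier, which is that app's private access group.

```python
from __future__ import annotations

import plistlib

# Constructed entitlement plists for the scenario (not real app files).
# "TEAMID" is a placeholder for the app ID prefix that precedes the bundle ID.
APP1_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>TEAMID.com.example.app1</string>
  <key>keychain-access-groups</key>
  <array>
    <string>TEAMID.com.example.app1</string>
  </array>
</dict>
</plist>
"""

APP2_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>application-identifier</key>
  <string>TEAMID.com.example.app2</string>
  <key>keychain-access-groups</key>
  <array>
    <string>TEAMID.com.example.app1</string>
    <string>TEAMID.com.example.app2</string>
  </array>
</dict>
</plist>
"""


def access_groups(entitlements: bytes) -> tuple[str, list[str]]:
    """Return (app ID, keychain access groups) from an entitlements plist.

    When keychain-access-groups is absent, the app's only group is its app ID,
    i.e. its private access group.
    """
    ent = plistlib.loads(entitlements)
    app_id = ent["application-identifier"]
    groups = list(ent.get("keychain-access-groups", [app_id]))
    return app_id, groups


def private_group_overlaps(apps: dict[str, bytes]) -> list[tuple[str, str]]:
    """List (app name, foreign app ID) pairs where an app's access groups
    include another app's app ID, i.e. another app's private group."""
    parsed = {name: access_groups(ent) for name, ent in apps.items()}
    app_ids = {app_id: name for name, (app_id, _) in parsed.items()}
    overlaps: list[tuple[str, str]] = []
    for name, (own_id, groups) in parsed.items():
        for group in groups:
            if group in app_ids and group != own_id:
                overlaps.append((name, group))
    return overlaps


if __name__ == "__main__":
    apps = {"App1": APP1_ENTITLEMENTS, "App2": APP2_ENTITLEMENTS}
    for app, foreign in private_group_overlaps(apps):
        print(f"{app} lists {foreign}, another app's private access group")
```

The check reports only what the entitlements declare; whether a declared group is actually granted at install time depends on the provisioning profile the app is signed with, so an audit of this kind belongs alongside a review of the profiles, not in place of it.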
I just upgraded my local iPhone 15 to iOS 18 Beta 3, and enrolled the device in the MDM server.
Then I ran the EraseDevice command with ReturnToService enabled. https://developer.apple.com/documentation/devicemanagement/erasedevicecommand/command/returntoservice
MDM command request body:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Command</key>
  <dict>
    <key>DisallowProximitySetup</key>
    <false/>
    <key>PreserveDataPlan</key>
    <true/>
    <key>RequestType</key>
    <string>EraseDevice</string>
    <key>ReturnToService</key>
    <dict>
      <key>Enabled</key>
      <true/>
      <key>WiFiProfileData</key>
      <data>WiFi Profile Base64</data>
      <key>MDMProfileData</key>
      <data>MDM Profile Base64</data>
    </dict>
  </dict>
  <key>CommandUUID</key>
  <string>0001_EraseDevice</string>
</dict>
</plist>
MDM executed the command successfully.
The device erased itself and showed the Hello screen after a few seconds, but the device did not go to the Home Screen; however, the same works fine on iOS 17.
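One thing worth ruling out before blaming the OS is the shape of the command body itself, in particular that the two profile fields are real `<data>` elements carrying complete profile plists rather than placeholders. The following is an added example, not code from the post or from Apple: it builds the same EraseDevice command shown above with Python's plistlib (which writes bytes values as base64 `<data>` elements) and checks a received body for the fields ReturnToService needs. The two profiles are constructed placeholders, not real Wi-Fi or MDM enrollment profiles.

```python
from __future__ import annotations

import plistlib

# Constructed placeholder profiles (not real Wi-Fi or MDM enrollment profiles).
# Real ReturnToService payloads carry the full profile bytes; plistlib writes
# bytes values as base64-encoded <data> elements.
WIFI_PROFILE = plistlib.dumps({"PayloadType": "Configuration",
                               "PayloadIdentifier": "com.example.wifi.placeholder"})
MDM_PROFILE = plistlib.dumps({"PayloadType": "Configuration",
                              "PayloadIdentifier": "com.example.mdm.placeholder"})


def build_erase_device_command(command_uuid: str, wifi_profile: bytes, mdm_profile: bytes,
                               preserve_data_plan: bool = True,
                               disallow_proximity_setup: bool = False) -> bytes:
    """Serialize an EraseDevice command with ReturnToService enabled as an XML plist."""
    command = {
        "Command": {
            "RequestType": "EraseDevice",
            "DisallowProximitySetup": disallow_proximity_setup,
            "PreserveDataPlan": preserve_data_plan,
            "ReturnToService": {
                "Enabled": True,
                "WiFiProfileData": wifi_profile,  # bytes -> <data> element
                "MDMProfileData": mdm_profile,    # bytes -> <data> element
            },
        },
        "CommandUUID": command_uuid,
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def check_return_to_service(body: bytes) -> list[str]:
    """Return the problems found in an EraseDevice command body (empty list if none)."""
    problems: list[str] = []
    try:
        cmd = plistlib.loads(body)
    except Exception as exc:  # plistlib raises several exception types for bad input
        return [f"body is not a valid plist: {exc}"]
    if not isinstance(cmd, dict):
        return ["plist root is not a dictionary"]
    command = cmd.get("Command", {})
    if command.get("RequestType") != "EraseDevice":
        problems.append("RequestType is not EraseDevice")
    uuid = cmd.get("CommandUUID")
    if not isinstance(uuid, str) or not uuid:
        problems.append("CommandUUID missing or empty")
    rts = command.get("ReturnToService")
    if not isinstance(rts, dict):
        return problems + ["ReturnToService dictionary missing"]
    if rts.get("Enabled") is not True:
        problems.append("ReturnToService.Enabled is not true")
    for key in ("WiFiProfileData", "MDMProfileData"):
        value = rts.get(key)
        if not isinstance(value, bytes) or not value:
            problems.append(f"{key} missing or not a non-empty <data> element")
            continue
        try:
            profile = plistlib.loads(value)
        except Exception:
            problems.append(f"{key} does not decode to a plist")
            continue
        if not isinstance(profile, dict) or "PayloadType" not in profile:
            problems.append(f"{key} is not a profile dictionary with a PayloadType")
    return problems


if __name__ == "__main__":
    body = build_erase_device_command("0001_EraseDevice", WIFI_PROFILE, MDM_PROFILE)
    print(body.decode())
    print("problems:", check_return_to_service(body))
```

The checker only validates the structure of the request; it cannot tell whether the device will continue past the Hello screen, which is the runtime behaviour the post is asking about.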