Fortify issues in KeychainItemWrapper

Hi Below are the fortify issues that are raise on the KeychainItemWrapper class.


1.Insecure Storage: Unspecified Keychain Access Policy

On line 282 of KeychainItemWrapper.m, the method writeToKeychain() stores data in the Keychain without specifying an accessibility level.


result = SecItemAdd((__bridge CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL);



2.Insecure Storage: Externally Available Keychain

On line 282 of KeychainItemWrapper.m, the method writeToKeychain() stores data in the Keychain with an accessibility level that allows the item to be backed up to iCloud and unencrypted iTunes backups.

result = SecItemAdd((__bridge CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL);



3.Insecure Storage: Passcode Policy Unenforced

On line 282 of KeychainItemWrapper.m, the method writeToKeychain() stores data in the Keychain without enforcing the user to set a passcode for his device.

result = SecItemAdd((__bridge CFDictionaryRef)[self dictionaryToSecItemFormat:keychainItemData], NULL);


Dead Code



4.Line 97 in KeychainItemWrapper.m will never be executed. It is dead code.

[genericPasswordQuery setObject:accessGroup forKey:(id)kSecAttrAccessGroup];


5.Dead Code Line 130 in KeychainItemWrapper.m will never be executed. It is dead code.

[keychainItemData setObject:accessGroup forKey:(id)kSecAttrAccessGroup];



Thanks and Regards,

Usman Ansari

Hi


Any update on above concerns? We are waiting for some security closures urgently.


Thanks and Regards,

Usman Ansari

Fortify issues in KeychainItemWrapper
 
 
Q