How to bypass Keychain Access "username and password" modal window to access the password?

Question

Created Apr ’20

Replies 3

Boosts 0

Views 1.2k

Participants 3

I am trying to get the connected wifi password from keychain access in one of the macOS application and am able to get the password using the following code:

There are two ways to get the wifi password:

1. Via Security Framework Api SecItemCopyMatching(_:_:)

let query = [
            kSecClass as String: kSecClassGenericPassword as String,
            kSecAttrAccount as String: accountName,
            kSecReturnData as String: kCFBooleanTrue as Any,
            kSecMatchLimit as String: kSecMatchLimitOne
            ] as [String : Any]
       
        var dataTypeRef: AnyObject?
       
        let status: OSStatus = SecItemCopyMatching(query as CFDictionary, &dataTypeRef)
        var data: Data?
        if status == noErr{
            data = dataTypeRef as? Data
            print(data!)
            print(String(decoding: data!, as: UTF8.self))
        }
        return data != nil ? NSString(data: data!, encoding: String.Encoding.utf8.rawValue)! as String : ""

2. Via CoreWLAN Framework Api CWKeychainFindWiFiPassword(_:_:_:), By passing the SSID data, we can get the wifi password.

func getPassword(data:Data) -> String {
        var responseData:NSString? = nil
        var thePassword:String = ""
        var status:OSStatus?
        if data.count > 0
        {
            status = CWKeychainFindWiFiPassword(CWKeychainDomain.system, data, &responseData)
            if status == noErr {
                thePassword = responseData! as String
            }
        }
        return thePassword
    }

Query:

Everytime while executing the either way keychain access is poping the modal window to provide admin credentials to acess the password.

Let me know if there is any way to bypass the above modal window by supplying the username and passoword in the code (background).

Boost

Answer 1

DTS Engineer OP

Apple

Apr ’20

Everytime while executing the either way keychain access is poping the modal window to provide admin credentials to acess the password.

Right. In recent releases of macOS (10.12 perhaps?) we added partitioning to the traditional file-based keychain. This means there’s no way to create a keychain item that can be silently accessed by other apps, or the system, or vice versa. You may be able to modifying the ACL for the item to prevent future access, but the act of modifying the ACL will itself require user approval.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

MohmadVasim OP

Apr ’20

I am facing same behavior however I can see Apple allows to unlock the keychain login without modal window by using below API from Security framework:

let theResult1 = SecKeychainSetUserInteractionAllowed(false)
let theResult2 = SecKeychainUnlock(theChain, 10, "password", true)

so can we do something like above API to silently supply the admin username and password to by pass the modal window(without requiring same user approval everytime) to fetch the WiFi Password?

...

Thanks & Regards,

Mohmad Vasim

0

Answer 3

DTS Engineer OP

Apple

Apr ’20

so can we do something like above API to silently supply the admin username and password

No. These are two very different security prompts. There is no equivalent to

SecKeychainUnlock

for this case because the entire goal of this keychain partitioning features is for the user to confirm the cross-security-context access.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0