SecItemDelete requires kSecUseAuthenticationContext?

Hello,


We are developing an iOS app that stores password protected data in the keychain. Recently we integrated the SDK for an MDM (Citrix) into the app. After integrating the SDK our calls to `SecItemDelete` have started failing - they are now returning `errSecInteractionNotAllowed` where previously they succeeded.


We have followed up with the SDK developers, but I am stumped as to how this can be happening.


Here is how we delete keychain entries (where `service` and `account` are strings we generate in our app):


NSDictionary *query = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService: service,
    (__bridge id)kSecAttrAccount: account
};

OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);


After investigation we have found that if we pass in `kSecUseAuthenticationContext` (along with the password protecting the keychain entry) then the call succeeds:


LAContext *context = [[LAContext alloc] init];
NSData *password = [@"foobar" dataUsingEncoding:NSUTF8StringEncoding];
[context setCredential:password type:LACredentialTypeApplicationPassword];

NSDictionary *query = @{
    (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService: service,
    (__bridge id)kSecAttrAccount: account,
    (__bridge id)kSecUseAuthenticationContext: context
};

OSStatus status = SecItemDelete((__bridge CFDictionaryRef)query);


My questions are:


  1. I thought `kSecUseAuthenticationContext` was only necessary when retrieving data from the keychain? In this case we just want to clear the keychain, not retrieve any data from it. Should this work the way we expect, or is needing to provide the password to delete password protected items from the keychain expected?
  2. Do you have any idea how the SDK could possibly be causing this to happen?


My only lead at the moment is that the SDK requires the use of Keychain Access Groups. However, we have already successfully integrated a separate SDK (Microsoft Auth) that also used access groups, and I have confirmed that our private access group (of the form $(AppIdentifierPrefix)<BUNDLE ID HERE>) is at the top of our entitlements access groups list. I have tested explicitly specifying our private access group when creating/deleting keychain items, but it didn't seem to help.


Any help would be greatly appreciated!


Thanks,

Joel

Hmmm, that’s a bit of a mystery. If you dump all the attributes of the keychain item (using

kSecReturnAttributes
), what do you see?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
SecItemDelete requires kSecUseAuthenticationContext?
 
 
Q