iOS autodelete Keychain items after uninstall?

It will survive an app delete.

Access to the keychain is tied to the provisioning profile used to sign the app. Consequently no other apps would be able to access that app's keychain info.

It will be deleted if the device is wiped.

Out of curiousity, does anyone have insight into the observed behavior?

Questions about this are usually asked from one of two perspectives:

• The developer wants the keychain item to persist and is seeking reassurance that things will continue to work that way.

• The developer wants the keychain item to be deleted and is grumpy that it doesn’t work that way.

If you fall into the first category, I can’t give you any reassurances. IMO it’s fine to use this feature for the moment but I strongly encourage you to write your app so that it acts reasonably if this behaviour changes.

If you fall into the second category, you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk. If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Are you sure about this, as I don't see the KeyChain being deleted, although I am using a shared keychain between apps. Is this a documented change?

"If you fall into the second category, you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk. If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item."

My query is, are you suggesting to encrypt data which are stored in keychain ? In that case data will persist in the keychain but as the key is lost with disk data, data is considered also lost. Is this the idea ?

If you meant something else, please elaborate some more about it.

Thanks in advance.

In that case data will persist in the keychain but as the key is lost with disk data, data is considered also lost. Is this the idea ?

Right.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I have over 200 keychain simulations from iOS 10.3, 10.3..1, and the last 3 BETAS across all devices 5C onwards. I have complete logs from boot to system crash's etc. With and without accounts and third party apps. The security sysdiagnose is brilliant as well and gives you all the information you'll need.. If this will be any use too you I'll pop then into text files and Into a tempory iCloud Drive using a tempory none personal iCloud.. Cheers

Absolutely hit the nail on the head !

Hi eskimo,

I am doing some research on what happens to keychain items on iOS when an app is deleted today and came across this response. I understand what you're saying, but what I would like is a certain answer on what is expected to happen in this case. I'd be happy to modify my implementation to handle either case, but attempting to handle both due to uncertainty isn't ideal.

It looks like with the iOS 10.3 beta, keychain objects were intentionally being deleted on app delete. See: https://forums.developer.apple.com/message/210531#210531

(I would have replied to this thread instead of here, but it seems replies are disabled for it)

However, with iOS 11, I am seeing that this is no longer the case. It looks like others were seeing that this funcitonality was removed from 10.3 before it was finalized. That reply from gc is the closest thing I can find to documentation indicating how this should behave; everything else is ambiguous. Can you or anyone else provide clarity on this issue?

First, a timeline:

• All versions of iOS prior to 10.3 beta preserve keychain items when an app is deleted.

IMPORTANT This was most definitely an implementation detail of the original iOS keychain. Our keychain documentation has never specified what would happen in this case.

• 10.3 beta included a change that deleted such items.

• That caused compatibility problems (apps were relying on the existing behaviour, even though it wasn’t documented), so it was rolled back before 10.3 GM.

• iOS 11 introduced the DeviceCheck framework, which provides a forward path for one of the most common legitimate use cases of this behaviour. For more info on this, see WWDC 2017 Session 702 Privacy and Your Apps.

Second, preserving keychain items on delete is an obvious privacy concern. As far as I know Apple has not made any specific announcements as to how we intend to resolve this issue (1). However, I don’t think it would surprise anyone if the 10.3 behaviour returned at some point in the future. I would hope that we’d be more proactive about announcing such a change — for example, talking about it at WWDC — but, as always, I can’t make any promises about The Future™.

Third, my specific advice:

• If you want a keychain item to be deleted when your app is deleted, entangle it with a random key you store on disk, as described in my earlier post (11 Feb 2016). This is guaranteed to work regardless of how the OS behaves.

• If you want the item to be preserved, start by looking at the DeviceCheck framework. If that allows you to achieve your high-level goal, you can adopt it on iOS 11 and later and then stop worrying about this issue.

Note You can continue to use your existing techniques on earlier systems because they’re not going to change.

• If the DeviceCheck framework doesn’t meet your needs, please file an enhancement request explaining your situation and why DeviceCheck doesn’t work for you. I’d appreciate you posting your bug number here, just for the record.

• If you continue to rely on the current behaviour, I strongly encourage you to write your app so that it acts reasonably if that behaviour changes.

I realise that the above is still “ambiguous”. Alas, I can’t answer with 100% clarity until Apple formally announces our future plans here.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

(1) Although there was a slide in WWDC 2017 Session 702 Privacy and Your Apps with bullet points like:

• Will continue to remove entropy

• Will continue to provide user control of entropy sources

• Will continue to remove functionality that is being abused to uniquely identify users

which is a good overall summary of Apple’s position here.

Thanks for the answer, that's helpful.

This is good workaround. Any advice / example on how to perform the entanglement? PKI/random number generation is tricky and would like to do it the right way. thx.

I would just store bool flag to UserDefaults whenever you store data into Keychain. Then you can check it and when it is false, the app was reinstalled, because UserDefaults get deleted with application.

I am developing an iOS app, and I have to store a key to encrypt and decrypt data in the keychain. I am not sure if data that is stored in the keychain will be erased after a new release of the app. I need to keep data in the keychain each time that I submit a new version in the app store. Is it possible?

Did you open a DTS incident about this? An very similar question landed in my DTS queue yesterday (I’ll respond to it later today).

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

Dear eskimo,

Greetings from the Evergreen State. Has something changed as of iOS 14? It seems that the keychain is no longer deleted when an app is deleted. When the user reinstalls the app after the deletion (despite saying ok to the "everything will be deleted" prompt), it seems that everything is restored.

Respectfully,
Tim