Just to add some more color:
I'm storing oauth2 creds in the keychain. From a fresh start, the following work:
* Accessing an existing credential
* Deleting a credential and storing a new one.
Where I run into problems is in resuming app after being previously logged in, stepping out to settings, and returning. One feature of the internal build is that the identifier for the service to be used is stored in NSUserDefaults, so the user can go to iOS Settings and toggle their service endpoint. When the app resumes after this happends, I check to see if the service changed, and if it did, I force a logout and ask the user to sign in again.
It is at this point I run into problems. After having previously been able to read/write the keychain, I get a -34018 for every keychain access. While the deletes happen almost immediately after the app resumes, the adds typically happen quite a while afterwards, since the user has to enter a name and password.
I'm using accessibility specifier kSecAttrAccessibleAfterFirstUnlock. I have app groups enabled, and an entitlements file in place. Codesign output is as expected.
This is happening on iOS9b5 / 13A4325c on an iPhone6+. It does not happen on my iPhone5 running iOS 8.4./12H143.