App Clips and Keychain

Do App Clips have access to the Keychain? My clip would need to create and use cryptographic keys I would like to store in the Keychain for proper security.

According to the session, all frameworks can be used in a Clip. However, if the App Clip is able to write its data to the Keychain, can the full app later on read that data (like from any other extension)? What happens to the data written when an App Clip is deleted?
App Clips have access to the local Keychain and are a great way to store secure information. These Keychain items cannot be read by the full app later. The Keychain items are deleted when the App Clip is deleted. App Clips separately can have a Secure App Group that they share with the full app upon migration. For more info, please see Making Data Available to the App Clip’s Corresponding App and watch Streamline your app clip
Note that Making Data Available to the App Clip’s Corresponding App currently says:

Important Never store sensitive user information, such as passwords, in a shared app container or user defaults.

If we need to transfer a private key generated by the App Clip to the Full App, would it be considered best practice to write it into the shared container, and let the Full App move it to its Keychain when (if) it starts up?
I'm not sure I understand your question right because I don't know what you exactly mean by "private key". If you're thinking of a non-revocable private key, that may not be a good idea. However, if you're talking about an authentication token, for example, like the auth token mentioned in the last paragraph of Making Data Available to the App Clip's Corresponding App, you could store that auth token in shared user defaults.
In Making Data Available to the App Clip’s Corresponding App, there is a caveat saying:

In addition, you can’t make information the app clip stores in the keychain accessible to its corresponding full app.

Does that mean, even if we add the app clip to same app group with its full app, the app clip's keychain items can't be shared to the full app via Keychain Access Groups?

Yes, this isn't possible.
A couple follow up questions:
  1. Is there any way to securely share sensitive data between the App Clip and full app? There isn't shared Keychain access, and though there can be a shared container, Making Data Available to the App Clip’s Corresponding App says, "Never store sensitive user information, such as passwords, in a shared app container or user defaults." So it would seem this isn't a secure option.

  2. Related: Can an App Clip create keys in the Secure Enclave? Can the full app access them?

  3. My understanding is that an App Clip is deleted after 30 days. Is all data deleted, including what's in Keychain/Secure Enclave? For example, if an App Clip writes to Keychain, is deleted after 30 days, and is reinstalled, can it still access what it originally wrote to Keychain?

Thanks!


It is now possible to share keychain data from App Clip with the full app:

Starting with iOS 15.4, information that the App Clip stores in the keychain is accessible to its corresponding full app. To make sure only the corresponding full app receives access to keychain items stored by the App Clip, the system uses the com.apple.developer.associated-appclip-app-identifiers and Parent Application Identifiers Entitlement entitlements. When you create an App Clip with Xcode, it adds the Parent Application Identifiers Entitlement. It automatically adds the com.apple.developer.associated-appclip-app-identifiers entitlement when you archive the app that contains the App Clip.

https://developer.apple.com/documentation/app_clips/sharing_data_between_your_app_clip_and_your_full_app
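
As an added example (not part of any post in this thread, and not Apple's sample code), here is a sketch of the key hand-off asked about above on iOS 15.4 or later: the App Clip stores a CryptoKit private key in its keychain and the full app reads it back. The `service` and `account` strings are constructed placeholders. The sketch assumes the two entitlements named above are in place and that no explicit `kSecAttrAccessGroup` is needed, which the thread does not state.

```swift
import CryptoKit
import Foundation
import Security

// Constructed identifiers for this example; not from the thread.
let service = "com.example.clip.signing-key"
let account = "device-key"

enum KeychainError: Error { case status(OSStatus), badData }

// App Clip side: create a P-256 signing key and store it as a generic password item.
func storeClipKey() throws -> P256.Signing.PrivateKey {
    let key = P256.Signing.PrivateKey()
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        // Readable only while unlocked, and never restored onto another device.
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        kSecValueData as String: key.rawRepresentation
    ]
    // errSecDuplicateItem surfaces here if a key was already stored.
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    return key
}

// Full app side: look the item up with the same service and account.
// Returns nil when the clip never stored a key or the item has been deleted.
func loadClipKey() throws -> P256.Signing.PrivateKey? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
    guard let data = item as? Data else { throw KeychainError.badData }
    return try P256.Signing.PrivateKey(rawRepresentation: data)
}
```

Treating a missing item as `nil` rather than an error lets the full app fall back to generating its own key when the clip was never used or has already been removed.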
