I have an app that creates a private key in the Secure Enclave with a unique alias. It is created with the kSecAttrTokenIDSecureEnclave flag.
According to the docs, such private keys should never leave the enclave under any circumstances, and definitely should not be restored on new devices.
After migrating to a new iPhone 15, the app does not offer to create a new private key in the enclave, but rather is able to find the unique alias of the private key on the new phone, i.e. as if it had found the private key in the new phone's Secure Enclave.
I believe (/hope) that in practice the object I get on the new iPhone from SecItemCopyMatching is not usable.
- I assume this is a bug that should be fixed by Apple?
- How can I detect that this SecItemCopyMatching result is stale, so I can ignore it and prompt the user to create a new keypair in the Secure Enclave?
Thanks
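One way to handle the second question, as an added example that is not part of the original post: instead of trusting the lookup result, make the Secure Enclave actually do work with the returned SecKey (sign a throwaway message and verify it with the public key). If the signing call fails, treat the keychain item as stale, delete it, and create a fresh enclave key. The key tag `com.example.app.enclave-key`, the helper names, and the use of `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` are assumptions; the post does not say which accessibility attribute its key uses.

```swift
import Foundation
import Security

// Assumption: the post's "unique alias" is stored in kSecAttrApplicationTag.
let keyTag = "com.example.app.enclave-key".data(using: .utf8)!
let signingAlgorithm: SecKeyAlgorithm = .ecdsaSignatureMessageX962SHA256

enum EnclaveKeyError: Error {
    case notFound
    case creationFailed(String)
}

// Look up the key reference the keychain hands back for our tag.
func lookupEnclaveKey() throws -> SecKey {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecReturnRef as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw EnclaveKeyError.notFound
    }
    return found as! SecKey
}

// A SecKey that exists in the keychain database is not proof that the
// enclave holds the key material. Force a real operation and check it
// round-trips; a stale reference fails at SecKeyCreateSignature.
func isUsable(_ key: SecKey) -> Bool {
    let probe = "enclave-probe".data(using: .utf8)! as CFData
    var error: Unmanaged<CFError>?
    guard let signature = SecKeyCreateSignature(key, signingAlgorithm, probe, &error) else {
        return false
    }
    guard let publicKey = SecKeyCopyPublicKey(key) else {
        return false
    }
    return SecKeyVerifySignature(publicKey, signingAlgorithm, probe, signature, &error)
}

// Remove the stale item so the next launch does not find it again.
func deleteEnclaveKeyItem() {
    let query: [String: Any] = [
        kSecClass as String: kSecClassKey,
        kSecAttrApplicationTag as String: keyTag,
    ]
    SecItemDelete(query as CFDictionary)
}

// Create a new P-256 private key inside the Secure Enclave.
func createEnclaveKey() throws -> SecKey {
    var error: Unmanaged<CFError>?
    // Assumption: a ThisDeviceOnly accessibility class, so the keychain item
    // itself is not carried over to another device.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &error
    ) else {
        throw EnclaveKeyError.creationFailed("access control: \(String(describing: error))")
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: keyTag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &error) else {
        throw EnclaveKeyError.creationFailed("key generation: \(String(describing: error))")
    }
    return key
}

// Entry point for the app: returns a key that has just proven it can sign,
// replacing any keychain entry that survived a migration but cannot be used.
func usableEnclaveKey() throws -> SecKey {
    if let existing = try? lookupEnclaveKey() {
        if isUsable(existing) {
            return existing
        }
        deleteEnclaveKeyItem()
    }
    return try createEnclaveKey()
}
```

The probe signature is the check that matters: `SecItemCopyMatching` only reports that the keychain database has an entry, whereas `SecKeyCreateSignature` requires the enclave to hold the corresponding key material. Call `usableEnclaveKey()` at launch (and before any operation that depends on the key); when the existing item fails the probe, the user is prompted for a new keypair exactly as if no item had been found.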