Can I delete keychain content when User uninstall App?

Question

sho@jp OP

Created Mar ’18

Replies 3

Boosts 0

Views 5.9k

Participants 3

I store certificate (as SecIdentity ) in keychain because my application needs clientCertficate.

I know when a User uninstall application, keychian content still exist.

But in My application, I manage userInformation client certificate and CoreData.

So, I want to delete keychain content when user uninstall application for not occering mismatch between Keychain and CoreData.

Is it possible to do above ?

Or should I delete keychain content when the app re-installed ?

Answered by DTS Engineer in 299604022

Can I delete keychain content when User uninstall App?

Not directly.

I know when a User uninstall application, keychian content still exist.

FYI, that’s an implementation detail that could change in the future. There’s a long backstory to this issue; see this post for details.

So, I want to delete keychain content when user uninstall application for not occering mismatch between Keychain and CoreData.

What’s the specific concern here?

Are you worried about the security aspects of this, that is, you’re ‘leaking’ credentials into the keychain?
Or are you worried about the correct aspect of this, that is, your code might fail if Core Data says there’s a keychain item and there isn’t, or vice versa?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’18

Accepted Answer

Can I delete keychain content when User uninstall App?

Not directly.

I know when a User uninstall application, keychian content still exist.

FYI, that’s an implementation detail that could change in the future. There’s a long backstory to this issue; see this post for details.

So, I want to delete keychain content when user uninstall application for not occering mismatch between Keychain and CoreData.

What’s the specific concern here?

Are you worried about the security aspects of this, that is, you’re ‘leaking’ credentials into the keychain?
Or are you worried about the correct aspect of this, that is, your code might fail if Core Data says there’s a keychain item and there isn’t, or vice versa?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

kGuptaJi OP

Aug ’23

Hi, I am worried about the security aspects of this, that is, you’re ‘leaking’ credentials into the keychain?

So can you guide me how would I remove my keychain content after delete the app

0

Answer 3

DTS Engineer OP

Apple

Aug ’23

I am worried about the security aspects of this

In that case the trick is to entangle your credential with a value that’s deleted when the app is deleted. I mentioned that in the post I referenced above but let’s explore a concrete example:

Let’s say the user’s password is opendoor, or 6F70656E646F6F72 as UTF-8 encoded bytes. Generate a random sequence of bytes of the same length, like 1B6067C70711D099 and store that in a file in your app’s container. Now XOR the password with the random bytes and store that in the keychain. There are now four interesting cases:

In the normal case, when you go to read the password, read the value from the keychain and the random bytes from the file, XOR them, and you have the original password.
If the user deletes your app, the file is removed and the item in the keychain becomes useless.
If the user deletes your app and re-installs it, the keychain item will be there but the file won’t be. In that case the password is lost.
It’s also possible that the user might have managed to migrate your app such that the file is present but the keychain item isn’t. In the case the password is lost as well.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1