11 Replies
      Latest reply: Dec 12, 2017 7:54 AM by rdselle
      eddiekim Level 1 (10 points)

        Will iOS clear an application's Keychain after the app is uninstalled? I seem to recall that an app's keychain items would be deleted by iOS some X days/hours/minutes after an app is deleted, however I can't find any reference to this behavior.


        Edit:


        So based on the thread below, it seems that the keychain survives an app uninstallation as a side effect of implementation. If so, it would seem that auto-deleting keychain items after app removal wouldn't be documented.


        Re: iOS Keychain values survive to app uninstall


        Out of curiosity, does anyone have insight into the observed behavior?

        • Re: iOS autodelete Keychain items after uninstall?
          KMT Level 9 (10,425 points)

          It will survive an app delete.


          Access to the keychain is tied to the provisioning profile used to sign the app. Consequently no other apps would be able to access that app's keychain info.


          It will be deleted if the device is wiped.

          • Re: iOS autodelete Keychain items after uninstall?
            eskimo Apple Staff (8,150 points)

            Out of curiosity, does anyone have insight into the observed behavior?

            Questions about this are usually asked from one of two perspectives:

            • The developer wants the keychain item to persist and is seeking reassurance that things will continue to work that way.

            • The developer wants the keychain item to be deleted and is grumpy that it doesn’t work that way.

            If you fall into the first category, I can’t give you any reassurances.  IMO it’s fine to use this feature for the moment but I strongly encourage you to write your app so that it acts reasonably if this behaviour changes.

            If you fall into the second category, you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk.  If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item.

            Share and Enjoy

            Quinn “The Eskimo!”
            Apple Developer Relations, Developer Technical Support, Core OS/Hardware
            let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: iOS autodelete Keychain items after uninstall?
                sharker_ratul Level 1 (0 points)

                "If you fall into the second category, you can effectively implement an auto delete feature by entangling the secret you store in the keychain with a key that you store on disk.  If the app gets deleted that on-disk key goes away and you effectively lose access to the keychain item."


                My query is, are you suggesting to encrypt data which are stored in the keychain? In that case the data will persist in the keychain, but as the key is lost with the disk data, the data is considered lost as well. Is this the idea?


                If you meant something else, please elaborate some more about it.


                Thanks in advance.

                • Re: iOS autodelete Keychain items after uninstall?
                  Ash_Day Level 1 (0 points)

                  I have over 200 keychain simulations from iOS 10.3, 10.3.1, and the last 3 betas across all devices 5C onwards. I have complete logs from boot to system crashes etc. With and without accounts and third party apps. The security sysdiagnose is brilliant as well and gives you all the information you'll need. If this will be any use to you I'll pop them into text files and into a temporary iCloud Drive using a temporary non-personal iCloud. Cheers

                  • Re: iOS autodelete Keychain items after uninstall?
                    rdselle Level 1 (0 points)

                    Hi eskimo,


                    I am doing some research on what happens to keychain items on iOS when an app is deleted today and came across this response.  I understand what you're saying, but what I would like is a certain answer on what is expected to happen in this case.  I'd be happy to modify my implementation to handle either case, but attempting to handle both due to uncertainty isn't ideal.


                    It looks like with the iOS 10.3 beta, keychain objects were intentionally being deleted on app delete.  See: https://forums.developer.apple.com/message/210531#210531

                    (I would have replied to this thread instead of here, but it seems replies are disabled for it)


                    However, with iOS 11, I am seeing that this is no longer the case.  It looks like others were seeing that this functionality was removed from 10.3 before it was finalized.  That reply from gc is the closest thing I can find to documentation indicating how this should behave; everything else is ambiguous.  Can you or anyone else provide clarity on this issue?

                      • Re: iOS autodelete Keychain items after uninstall?
                        eskimo Apple Staff (8,150 points)

                        First, a timeline:

                        • All versions of iOS prior to 10.3 beta preserve keychain items when an app is deleted.

                          IMPORTANT This was most definitely an implementation detail of the original iOS keychain.  Our keychain documentation has never specified what would happen in this case.

                        • 10.3 beta included a change that deleted such items.

                        • That caused compatibility problems (apps were relying on the existing behaviour, even though it wasn’t documented), so it was rolled back before 10.3 GM.

                        • iOS 11 introduced the DeviceCheck framework, which provides a forward path for one of the most common legitimate use cases of this behaviour.  For more info on this, see WWDC 2017 Session 702 Privacy and Your Apps.

                        Second, preserving keychain items on delete is an obvious privacy concern.  As far as I know Apple has not made any specific announcements as to how we intend to resolve this issue [1].  However, I don’t think it would surprise anyone if the 10.3 behaviour returned at some point in the future.  I would hope that we’d be more proactive about announcing such a change — for example, talking about it at WWDC — but, as always, I can’t make any promises about The Future™.

                        Third, my specific advice:

                        • If you want a keychain item to be deleted when your app is deleted, entangle it with a random key you store on disk, as described in my earlier post (11 Feb 2016).  This is guaranteed to work regardless of how the OS behaves.

                        • If you want the item to be preserved, start by looking at the DeviceCheck framework.  If that allows you to achieve your high-level goal, you can adopt it on iOS 11 and later and then stop worrying about this issue.

                          Note You can continue to use your existing techniques on earlier systems because they’re not going to change.

                        • If the DeviceCheck framework doesn’t meet your needs, please file an enhancement request explaining your situation and why DeviceCheck doesn’t work for you.  I’d appreciate you posting your bug number here, just for the record.

                        • If you continue to rely on the current behaviour, I strongly encourage you to write your app so that it acts reasonably if that behaviour changes.

                        I realise that the above is still “ambiguous”.  Alas, I can’t answer with 100% clarity until Apple formally announces our future plans here.

                        Share and Enjoy

                        Quinn “The Eskimo!”
                        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                        let myEmail = "eskimo" + "1" + "@apple.com"

                        [1] Although there was a slide in WWDC 2017 Session 702 Privacy and Your Apps with bullet points like:

                        • Will continue to remove entropy

                        • Will continue to provide user control of entropy sources

                        • Will continue to remove functionality that is being abused to uniquely identify users

                        which is a good overall summary of Apple’s position here.
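The entanglement technique Quinn recommends in both of his posts (the 11 Feb 2016 reply and the "specific advice" list above) modelled in Go, as an added example that is not from the thread or from Apple: a constructed `Device` type stands in for the keychain (which outlives the app) and the app's on-disk container (which does not), and AES-GCM is the assumed choice of "entangling", with the random key on disk and only the authenticated ciphertext in the keychain. Once the container is gone, the surviving keychain item no longer decrypts, so the app sees "no secret" whether or not the OS ever deletes the item itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Device is a constructed stand-in for iOS storage, not the real APIs: the
// keychain outlives the app, the app's on-disk container does not.
type Device struct {
	Keychain  map[string][]byte // survives app deletion
	Container map[string][]byte // wiped on app deletion
}
var ErrUnavailable = errors.New("secret unavailable")

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}
// StoreEntangled keeps a fresh random key in the container and only the
// AES-GCM ciphertext in the keychain, so neither half is useful on its own.
func (d *Device) StoreEntangled(name string, secret []byte) error {
	buf := make([]byte, 32+12) // 256-bit key || 96-bit nonce, both fresh per write
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	g, _ := aead(buf[:32]) // cannot fail for a 32-byte AES key
	d.Container[name+".key"] = buf[:32]
	d.Keychain[name] = g.Seal(buf[32:], buf[32:], secret, []byte(name)) // nonce||ct||tag
	return nil
}

// LoadEntangled yields ErrUnavailable when either half is gone or the item does
// not authenticate: the "acts reasonably" path whatever the OS does on delete.
func (d *Device) LoadEntangled(name string) ([]byte, error) {
	key, blob := d.Container[name+".key"], d.Keychain[name]
	if g, err := aead(key); err == nil && len(blob) >= 12 {
		if pt, err := g.Open(nil, blob[:12], blob[12:], []byte(name)); err == nil {
			return pt, nil
		}
	}
	return nil, ErrUnavailable
}

// Uninstall models app deletion as the thread describes: container gone, keychain kept.
func (d *Device) Uninstall() { d.Container = map[string][]byte{} }
```

A reinstall simply writes a new key and overwrites the stale item, so the old ciphertext left in the keychain is never readable again.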