3 Replies
      Latest reply: Dec 15, 2016 1:54 AM by eskimo
      heath Level 1 (0 points)

        I have an ordinary iOS app that uses keychain SecItemCopyMatching and SecItemUpdate with kSecClassInternetPassword to fetch/store its OAuth access tokens. This works fine in the ordinary iOS app. In iOS 10.1, I added an iMessage App that reads OAuth tokens using the same code as the ordinary app with a shared keychain group. Starting in iOS 10.2, my keychain group started returning old data. My iMessage App receives an expired OAuth access token, even after my main app updates the keychain and I kill and restart iMessage. I've verified in the debugger that I'm getting the wrong value.

        I plan to file a DTS, but I'm filing this publicly so others are aware of the problem.

        • Re: iOS 10.2 Keychain SecItemCopyMatching returns old data in iMessage App
          eskimo Apple Staff (7,960 points)

          Can you reproduce this in the simulator?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: iOS 10.2 Keychain SecItemCopyMatching returns old data in iMessage App
              heath Level 1 (0 points)

              I was able to reproduce this in the simulator.

              However, I'm pretty sure I found the root cause. We maintain two targets (one for internal beta testing, and one we submit to the App Store). Someone changed the App Store target's keychain group to the beta group. The app was released right before 10.2 was released, so 10.2 was a red herring.

              I apologize for the misinformation. Should I delete this thread?

                • Re: iOS 10.2 Keychain SecItemCopyMatching returns old data in iMessage App
                  eskimo Apple Staff (7,960 points)

                  > However, I'm pretty sure I found the root cause.

                  Excellent news.

                  Just FYI, the SecItem APIs all involve an IPC to the security daemon, which then does the work via a database transaction.  AFAIK there’s no caching in the higher layers (that is, there’s a cache at the database layer but no caching above that), so the results should always be consistent.

                  > Should I delete this thread?

                  Only if you’re embarrassed by it (-:

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"
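
The root cause reported in this thread was a build target whose keychain group had been changed. As an added example (not code from the thread or from Apple), this Python check compares the `keychain-access-groups` entitlement of an app target and its extension for each build flavor and flags pairs that cannot see the same items. The group names, the flavor layout and the helper names are constructed assumptions.

```python
import plistlib

KEY = "keychain-access-groups"  # entitlement holding the app's keychain groups


def access_groups(entitlements: bytes) -> list:
    """Return the keychain-access-groups array from an entitlements plist."""
    return list(plistlib.loads(entitlements).get(KEY, []))


def check_pair(app_ent: bytes, ext_ent: bytes) -> list:
    """Compare an app target with its extension and return the findings."""
    app, ext = access_groups(app_ent), access_groups(ext_ent)
    if not set(app) & set(ext):
        return ["no shared keychain access group"]
    # An item added without kSecAttrAccessGroup lands in the first group the
    # target is entitled to, so a differing first entry is flagged as well.
    if app[0] != ext[0]:
        return [f"default group differs: app={app[0]} ext={ext[0]}"]
    return []


def audit(flavors: dict) -> dict:
    """Map each build flavor to the findings for its (app, extension) pair."""
    return {name: check_pair(app, ext) for name, (app, ext) in flavors.items()}


def _ent(*groups: str) -> bytes:
    """Build a constructed entitlements plist holding the given groups."""
    return plistlib.dumps({KEY: list(groups)})


# Constructed sample data: hypothetical team prefix and bundle identifiers.
BETA = "ABCDE12345.com.example.beta.shared"
STORE = "ABCDE12345.com.example.shared"
TARGETS = {
    "beta": (_ent(BETA), _ent(BETA)),
    # The App Store app target was switched to the beta group, while its
    # extension still uses the store group.
    "appstore": (_ent(BETA), _ent(STORE)),
}

if __name__ == "__main__":
    for flavor, findings in audit(TARGETS).items():
        print(flavor, "OK" if not findings else "; ".join(findings))
```

In a real project the inputs would be the `.entitlements` files of each target, read as bytes, with any build-setting variables already expanded.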