Is a keychain password backed up by iTunes/iCloud?

I have been unable to find an explicit answer to this in the official documentation.


Does the kSecAttrAccessible affect the behavior of how a keychain item of class kSecClassGenericPassword is backed up or not?


Only kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly explicitly states that the item is not backed up.

AFAICS, the only reason why kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly makes it explicit is because it's by design.


Does this mean that whether a kSecClassGenericPassword is backed up or not is an implementation detail and as such subject to change?


References


iPhone Keychain Backups

In iOS, an application always has access to its own keychain items and does not have access to any other application’s items. The system generates its own password for the keychain, and stores the key on the device in such a way that it is not accessible to any application. When a user backs up iPhone data, the keychain data is backed up but the secrets in the keychain remain encrypted in the backup. The keychain password is not included in the backup. Therefore, passwords and other secrets stored in the keychain on the iPhone cannot be used by someone who gains access to an iPhone backup. For this reason, it is important to use the keychain on iPhone to store passwords and other data (such as cookies) that can be used to log into secure web sites.

https://developer.apple.com/library/ios/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html

About encrypted backups in iTunes

To protect backups of your iPhone, iPad, or iPod touch in iTunes, you can use password protection and encryption.

The Encrypt Backup feature in iTunes locks and encodes your data. An encrypted iTunes backup includes certain information that other backups don't:

  • Your saved passwords
  • Wi-Fi settings
  • Website history
  • Health data

https://support.apple.com/en-gb/HT205220


Edit

How to back up your devices using iCloud or iTunes

Make a backup using iTunes

If you want to save Health and Activity data from your iOS device or Apple Watch, you’ll need to encrypt your backup: Select the box called Encrypt [device] backup and make a memorable password.

https://support.apple.com/en-us/HT203977


About backups in iCloud and iTunes

iTunes backups

An iTunes backup includes nearly all of your device's data and settings. An iTunes backup doesn't include:

Activity, Health, and Keychain data (To back up this content, you'll need to use Encrypted Backup in iTunes.)

https://support.apple.com/en-gb/HT204136


iOS Security

iOS 9.0 or later

September 2015

iCloud Backup

While the user’s keychain database is backed up to iCloud, it remains protected by a UID-tangled key. This allows the keychain to be restored only to the same device from which it originated, and it means no one else, including Apple, can read the user’s keychain items.

PDF iOS Security - Apple


Keychain Data Protection

Other keychain classes have a “This device only” counterpart, which is always protected with the UID when being copied from the device during a backup, rendering it useless if restored to a different device.


Accepted Reply

> Does the kSecAttrAccessible affect the behavior of how a keychain item of class kSecClassGenericPassword is backed up or not?

Yes.

I don’t see any significant contradictions in the various quotes you posted. Regardless, in situations like this I recommend you base your decisions on the statements in the iOS Security document.

> Does this mean that whether a kSecClassGenericPassword is backed up or not is an implementation detail and as such subject to change?

I think it’s safe to say that the exact mechanics of backup are subject to change. However, I expect that any such changes would continue to honour the xxxThisDeviceOnly flag.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
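As an added example (not code from this thread or from Apple), the Swift snippet below stores two kSecClassGenericPassword items, one under a ThisDeviceOnly accessibility class and one under its ordinary counterpart, and reads the kSecAttrAccessible attribute back; the service and account names are constructed for the example.

```swift
import Foundation
import Security

// Constructed service name for this example only.
let service = "com.example.backup-demo"

/// Store a generic password. `deviceOnly` selects the ThisDeviceOnly
/// accessibility class, whose backup copy is wrapped with the device UID
/// and so becomes unusable when the backup is restored to another device.
func storeSecret(_ secret: Data, account: String, deviceOnly: Bool) -> OSStatus {
    let accessible: CFString = deviceOnly
        ? kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        : kSecAttrAccessibleAfterFirstUnlock
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    SecItemDelete(query as CFDictionary)   // replace any existing item
    var attrs = query
    attrs[kSecValueData] = secret
    attrs[kSecAttrAccessible] = accessible
    return SecItemAdd(attrs as CFDictionary, nil)
}

/// Return the item's accessibility class, or nil when the item is absent.
/// Absence is the expected state for a ThisDeviceOnly item after a backup
/// has been restored onto a different device, so callers must handle it.
func accessibilityClass(account: String) -> String? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnAttributes: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let attrs = result as? [CFString: Any] else { return nil }
    return attrs[kSecAttrAccessible] as? String
}

// Constructed sample data: a device-bound token that must not follow the
// backup to another device, beside an ordinary login password that may.
_ = storeSecret(Data("constructed-device-token".utf8), account: "device-token", deviceOnly: true)
_ = storeSecret(Data("constructed-password".utf8), account: "login", deviceOnly: false)
print(accessibilityClass(account: "device-token") ?? "missing (restored to another device?)")
```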

Replies

Thank you for the official answer eskimo!

It does help and is greatly appreciated.


No outright contradictions, merely not explicit. Eventually, I was able to infer some from the iOS Security document.

e.g. from the iOS Security document, the sentence "when being copied from the device during a backup" suggests that items can "potentially" be backed up.


Have learned by now to treat any observations that aren't documented as implementation details and thus subject to change. 🙂

> Have learned by now to treat any observations that aren't documented as implementation details and thus subject to change.

Well, that’s definitely a good approach (-:

> No outright contradictions, merely not explicit.

If you do find anything that’s either wrong or overly confusing, feel free to file a bug against the offending doc (or docs).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

For clarity - isn't it true that all entries in the keychain are backed up and restored to the original device?


The OP stated:

>Only kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly explicitly states that the item is not backed up.


I don't think that is correct. It is backed up and is restored but only to the original device - not to a new device.

FYI, I used the iOS Security Guide, iOS 9.0 or later, September 2015 as a reference.


"This class exists only in the system keybag they do not sync to iCloud Keychain, are not backed up, and are not included in escrow keybags. If the passcode is removed or reset, the items are rendered useless by discarding the class keys."

Sorry, the website is refusing to allow me to send this message because of invalid characters so I am going to send it and edit it line by line to find the "invalid character"


edit - {the illegal item was the explicit k sec item: k Sec ..... This Device Only}


I believe that documentation is overstating the term "not backed up" - it only means that it is not backed up to a different device.

Note that the specific documentation on that k sec item is:

"After a backup is restored to a new device, these items are missing."

The inclusion of the phrase "to a new device" would not be necessary if it were "not backed up".


I would love to hear back from someone who actually knew!!


This is actually quite important. If I were wrong this would be an excellent anti-hack tool to prevent a user from purchasing a consumable IAP, backing up, using or transferring the consumable IAP to another device, restoring from backup (and repeat).

Answering for completeness.


> For clarity - isn't it true that all entries in the keychain are backed up and restored to the original device?


It is true. Every keychain item is backed up in iTunes/iCloud, regardless of what the value of kSecAttrAccessible is.


"iCloud Backup acts like an iTunes backup without a password: the keychain items are included in the backup but they are wrapped with a device-specific key. Thus, they can only be restored to the device that originally backed them up, which means that they get lost when you restore the backup to a different device", https://forums.developer.apple.com/message/282490#282490


In the same thread, there is also another post by eskimo that confirms that with some tests.