Keychain item shared when access group is not set

Hello,


My issue:

I have two applications using the same schema to store a kSecClassGenericPassword item protected by biometric authentication.

After initializing the applications, I am not able to retrieve the content of the keychain item from one application (errSecInteractionNotAllowed = -25308), while everything works for the other.

The behaviour is as if the keychain item were shared between the two applications, even though no keychain access group is set.

I put a sample app and a video on this folder: https://www.dropbox.com/sh/lk5p1war4c4tids/AACbE-E-z7Pqjx9XHD92RJ6Sa?dl=0


Steps to Reproduce:

See the attached video.

- Use the Keychain-Access project provided

- Set the bundle identifier: App1 -> ch.sysmosoft.debug.Keychain-Access.1

- Launch App1

- Close App1

- Launch App1

- Authenticate

- Protected element is presented

- Change the bundle identifier: App2 -> ch.sysmosoft.debug.Keychain-Access.2

- Launch App2

- Close App2

- Launch App2

- Protected element is presented

- Launch App1

- Protected element is not accessible (errSecInteractionNotAllowed)


Version/Build:

- Xcode -> Version 10.1 (10B61)

- iOS -> 12.1 (16B92)

- iPhone 6s (model MKQN2ZD/A)

- iPad mini (model ME276GP/A)


Other information:

This bug occurs even if the TeamId is different.

I use the keychain item unique identifier from this page https://stackoverflow.com/questions/11614047/what-makes-a-keychain-item-unique-in-ios


Thanks for your help

Replies

I’m confused. In your code you have this:

SecAccessControlRef sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                                kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
                                                                kSecAccessControlUserPresence,
                                                                &cfError);
…
(id)kSecAttrAccessControl:(__bridge_transfer id)sacObject,

This means that you can’t access the item without authenticating. You also have this:

(id)kSecUseAuthenticationUI:(__bridge_transfer id)kSecUseAuthenticationUIFail};

This prevents the subsequent SecItemCopyMatching from presenting any UI. So you’ve set up an item that requires authentication to access and are then trying to access it without user authentication, at which point you get the expected errSecInteractionNotAllowed.

What am I missing here?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hello,


I use kSecUseAuthenticationUIFail in the - (BOOL)hasItem: method to know whether there is an item; in this case I don't want to present the authentication UI, I just need to know if the item is present.

With the - (NSData *)item: method, I want to get the protected item and, by convention, present the authentication UI to the user.

I get the errSecInteractionNotAllowed error when I call the - (NSData *)item: method.
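The split between a silent existence check and a UI-allowed read that the thread is discussing, written out as an added example (not the Keychain-Access project's code). The service, account and access-group strings are constructed placeholders; the explicit kSecAttrAccessGroup is an assumption and needs the matching keychain-access-groups entitlement. The existence check follows the reply above: with kSecUseAuthenticationUIFail, errSecInteractionNotAllowed on a user-presence item means "present but protected", not "missing".

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed identifiers for this example; the original project's values are not on the page.
static NSString * const kDemoService     = @"ch.example.demo.service";
static NSString * const kDemoAccount     = @"protected-secret";
static NSString * const kDemoAccessGroup = @"TEAMID.ch.example.demo.shared"; // placeholder; requires the keychain-access-groups entitlement

typedef NS_ENUM(NSInteger, DemoItemState) { DemoItemAbsent, DemoItemPresent, DemoItemProtected, DemoItemError };

// Attributes that identify the item (class + service + account), plus an explicit
// access group so the item is scoped deliberately instead of by the default group.
static NSMutableDictionary *DemoBaseQuery(void) {
    return [@{ (__bridge id)kSecClass:           (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService:     kDemoService,
               (__bridge id)kSecAttrAccount:     kDemoAccount,
               (__bridge id)kSecAttrAccessGroup: kDemoAccessGroup } mutableCopy];
}

// Existence check that must never prompt. kSecUseAuthenticationUIFail turns the
// prompt into errSecInteractionNotAllowed, so that status means "present but
// protected by its access control", not "missing".
DemoItemState DemoHasItem(void) {
    NSMutableDictionary *query = DemoBaseQuery();
    query[(__bridge id)kSecUseAuthenticationUI] = (__bridge id)kSecUseAuthenticationUIFail;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, NULL);
    switch (status) {
        case errSecSuccess:               return DemoItemPresent;   // item with no auth requirement
        case errSecInteractionNotAllowed: return DemoItemProtected; // item exists, user presence required
        case errSecItemNotFound:          return DemoItemAbsent;
        default:                          return DemoItemError;
    }
}

// Read path: the same item, but now the authentication UI is allowed, so the
// user-presence requirement set via SecAccessControlCreateWithFlags can be satisfied.
NSData *DemoItem(NSString *prompt, OSStatus *outStatus) {
    NSMutableDictionary *query = DemoBaseQuery();
    query[(__bridge id)kSecReturnData]          = @YES;
    query[(__bridge id)kSecMatchLimit]          = (__bridge id)kSecMatchLimitOne;
    query[(__bridge id)kSecUseAuthenticationUI] = (__bridge id)kSecUseAuthenticationUIAllow;
    query[(__bridge id)kSecUseOperationPrompt]  = prompt; // text shown in the authentication dialog
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    return (status == errSecSuccess) ? (NSData *)CFBridgingRelease(result) : nil;
}
```

Calling DemoItem from the app that did not create the item, with the access group set explicitly, is the quickest way to confirm whether the two bundles really resolve to the same item or merely to the same default group.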