Touch ID and Keychain for sensitive/financial data and related WatchKit app

Hi,


let's say I am working on an application for a highly secure environment, for example a banking/insurance/investment app dealing with financial and sensitive data.


Then I have two main questions:

  • To enable Touch ID login for viewing accounts and transactions data, is it safe to implement it simply by adding the credentials combo to the keychain and retrieving it via the iOS Keychain API available in iOS 8? What are other secured data apps with this feature doing? Do I need to encrypt something (Keychain already does that, to my knowledge)?
  • If I develop a WatchKit app, how could I authenticate the Apple Watch app to view secured data? Could I simply retrieve said keychain item from the paired iPhone app or via a shared group? What about the ACL for this keychain item? I watched session 706 "Security and your apps" of WWDC 2015: they said it is better to let the server send a cookie or token to enable the particular features you need. But this implies that I need to write new service APIs for those calls.


Any ideas or suggestions folks?


Thanks.

Replies

Anyone? Apple staff? 😉

You would not want to store transaction data on the device in general. The keychain is not for storing large data sets, it is intended to store things like passwords and encryption keys or certificates.


If you are trying to have the user view secure data you should probably just do it through a web service unless you are wanting the user to view it offline. This allows you to avoid storing the data on the client. If you are going to store the data you should encrypt it in code, which you could do using the keychain and creating a key through that. Using encryption here would cause overhead when accessing the stored data, which is why I would recommend just using a web service.


Sharing keychains between your app and WatchKit app can be done using keychain sharing, which is enabled through the developer portal and keychain groups. You can also use app groups to share data such as a Core Data store between apps if you are wanting to store data.

I understand the keychain is made to store credentials, so I asked if it is safe to store user credentials only. I don't want to store other data, I only need to remember the login information to implement Touch ID access securely. All the other data would be retrieved via web services.

If that is all you are wanting from the keychain then that will work perfectly. The keychain is secured by a special chip on the device so you will not need to add any encryption to it.
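The Touch ID-gated credential item discussed in point 1 of the question and agreed on in this reply, as an added example that is not code from the thread. The service and account names are constructed, and the secret is whatever the app re-authenticates with (password or a server-issued token).

```swift
import Foundation
import Security

// Constructed identifiers for this example (not from the thread).
let service = "com.example.bankapp.login"
let account = "user@example.com"

enum KeychainError: Error { case accessControl, osStatus(OSStatus), badData }

/// Stores the login secret so it can only be read after the user passes
/// Touch ID or the passcode fallback (.userPresence). ThisDeviceOnly keeps
/// it out of backups and iCloud Keychain, and the WhenPasscodeSet class
/// makes the system delete it if the device passcode is removed.
func storeLoginSecret(_ secret: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            .userPresence,
            &cfError) else { throw KeychainError.accessControl }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    _ = SecItemDelete(base as CFDictionary)      // replace any previous item
    var add = base
    add[kSecAttrAccessControl as String] = acl
    add[kSecValueData as String] = secret
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
}

/// Reading the item is what brings up the Touch ID sheet; the data is only
/// handed back once the user has authenticated. errSecUserCanceled and
/// errSecAuthFailed are the statuses the login screen has to handle.
func readLoginSecret(reason: String) throws -> Data {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseOperationPrompt as String: reason,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw KeychainError.osStatus(status) }
    guard let data = item as? Data else { throw KeychainError.badData }
    return data
}
```

kSecUseOperationPrompt is the iOS 8-era API the thread is about; on current SDKs it is deprecated in favour of passing an LAContext through kSecUseAuthenticationContext, with the same access-control item.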

Keychain sharing is no longer available with watchOS 2.0 (accessGroup). Have you come up with another way to share a login securely? We are trying to determine the best practice for this with our phone and companion watch app. Any suggestions?

It's true that watchOS 2.0 does not allow keychain sharing via an app group, but that's simply because your app and extension are running on separate devices now. [comment about syncing deleted; see my 22 Sep post for the reason why]

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks Eskimo for the clarification. However I need to know if my suggested workflow is the best for maximum security purpose. Could you please answer my two points in the first post? Thanks again.

Can you elaborate on your comment "However, watchOS 2.0 will sync the keychain between those two devices, so you can still use a shared credential in the keychain." Are you referring to iCloud Keychain, SharedWebCredential or something else?

Can you elaborate on your comment "However, watchOS 2.0 will sync the keychain between those two devices, so you can still use a shared credential in the keychain." Are you referring to iCloud Keychain, SharedWebCredential or something else?

I don't know what underlying mechanism is used.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sorry, I'm confused by your reply.😕 I was asking if you could elaborate on your comment about shared credentials in the keychain. This would be regarding the syncing of a user name and password between an iPhone app and its companion watch app. You stated: "However, watchOS 2.0 will sync the keychain between those two devices, so you can still use a shared credential in the keychain." So I want to know if you are referring to using iCloud Keychain, SharedWebCredential or something else to do the sync? I hope this makes sense. Thanks!

Sorry, I'm confused by your reply.

You're asking how the sync is done, and I don't know how it's done. All I know is that it is done.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I'm just trying to understand what you are referring to when you stated "...so you can still use a shared credential in the keychain." What are you referring to?

Do you need to do anything specific to get the keychain items to sync? I am using both the iOS 9 and watchOS 2 GM versions and the keychain item on my iPhone is not synced to my watch.

Do you need to do anything specific to get the keychain items to sync?

OK, I’m going to retract all the statements I made above about phone/watch keychain syncing. I tried to track down the reference I had to that feature and I was unable to. I may have just imagined it, or it may be real and I can’t find a reference to it, but either way it’s clear that I don’t have enough concrete info to answer questions about it.

Sorry for the confusion.

Share and Enjoy

Quinn "The Eskimo!"
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Perhaps you are thinking about the kSecAttrSynchronizable attribute for the keychain?


My only concern about it was that it would require iCloud Keychain to be turned on, which you cannot guarantee. It feels like in the end you need to rely on your WatchKit app using WCSession and requesting the keychain item from the iPhone app.
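The WCSession workflow proposed in this post, as an added example that is not code from the thread: the watch asks the iPhone app on demand, and the phone reads its own keychain item (prompting the user there) and replies with the session token only. The service name and the message keys are constructed, and it assumes the iPhone app already holds the token as a keychain item under that service and that both sides activate their WCSession at launch.

```swift
import Foundation
import Security
import WatchConnectivity

// Constructed identifier for this example (not from the thread).
let service = "com.example.bankapp.login"

#if os(iOS)
/// iPhone side: answers the watch's request by reading the keychain item
/// (user presence is enforced on the phone) and replies with the token
/// only; nothing is written to the watch's storage. Session activation
/// is assumed to happen elsewhere in the app.
final class PhoneSessionHandler: NSObject, WCSessionDelegate {
    func session(_ session: WCSession, didReceiveMessage message: [String: Any],
                 replyHandler: @escaping ([String: Any]) -> Void) {
        guard message["request"] as? String == "loginToken" else {
            replyHandler(["error": "unknown request"]); return
        }
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecReturnData as String: true,
            kSecUseOperationPrompt as String: "Sign in on your Apple Watch",
        ]
        var item: CFTypeRef?
        if SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess,
           let data = item as? Data, let token = String(data: data, encoding: .utf8) {
            replyHandler(["token": token])
        } else {
            replyHandler(["error": "unavailable"])   // missing, denied or cancelled
        }
    }
    func session(_ session: WCSession, activationDidCompleteWith state: WCSessionActivationState, error: Error?) {}
    func sessionDidBecomeInactive(_ session: WCSession) {}
    func sessionDidDeactivate(_ session: WCSession) {}
}
#endif

#if os(watchOS)
/// Watch side: asks the phone on demand and keeps the token in memory only,
/// so nothing secret persists on the watch.
func requestTokenFromPhone(completion: @escaping (String?) -> Void) {
    let session = WCSession.default
    guard session.activationState == .activated, session.isReachable else {
        completion(nil); return   // phone out of reach: ask the user to open the iPhone app
    }
    session.sendMessage(["request": "loginToken"],
                        replyHandler: { completion($0["token"] as? String) },
                        errorHandler: { _ in completion(nil) })
}
#endif
```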
