Undocumented behavior with keychain sharing
| Originator: | SJ.Randazzo | | |
|---|---|---|---|
| Number: | rdar://20744541 | Date Originated: | 04/29/2015 |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | 8.0 |
| Classification: | Security Documentation | Reproducible: | Always |
Salvatore Randazzo, 29-Apr-2015 09:46 AM

Summary: re: Apple Developer Technical Support incident/case/Follow-up: 621992615.

"Starting with iOS 8, an app’s effective keychain access group list is formed by concatenating the values from the keychain-access-groups, application-identifier, and com.apple.security.application-groups entitlements, in that order. There's no documentation on this yet. Please file a bug report..."

Keychain group sharing may fail when keychain access groups between apps and extensions are not identical. In our particular case, details from Apple Developer Support:

<---Begin Quote--->

"In the main iOS app:

"keychain-access-groups" = ( "$(TeamIdentifier).com.paperless.paperlesspost" );

In your WatchKit extension:

"keychain-access-groups" = ( "$(TeamIdentifier).com.paperless.paperlesspost.watchkitextension", "$(TeamIdentifier).com.paperless.paperlesspost" );

Normally one creates keychain items without setting the access group attribute kSecAttrAccessGroup. In that case, Keychain Services will automatically set that attribute to the default value. The default value is the value of the first array element in the effective keychain access groups list. That means your iOS app's default keychain access group is "$(TeamIdentifier).com.paperless.paperlesspost", but your WatchKit extension's default keychain access group is "$(TeamIdentifier).com.paperless.paperlesspost.watchkitextension". So if you create any keychain items in your WatchKit extension, you must set the kSecAttrAccessGroup attribute to "$(TeamIdentifier).com.paperless.paperlesspost" if you want your main iOS app to be able to access them too.
<--- End Quote --->

Steps to Reproduce:
- Create an iOS app and extension
- Enable keychain sharing
- For the extension, add a second keychain point to its own bundle identifier
- Sharing data between the two does not always work, which is OK so long as it's documented

Expected Results: Keychain sharing should work OR this should be documented

Actual Results: Keychain sharing does not work and this is not documented

Version: iOS 8+

Notes: As per Apple Developer Support, I would like to request documentation on this issue

Configuration: iPhone + Apple Watch

Attachments:
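The rule quoted from Apple DTS above, shown as an added example that is not part of the original report: the effective access group list is built by concatenating the three entitlements in order, the first element becomes the implicit kSecAttrAccessGroup, and an extension whose first element differs from the app's must therefore pass the shared group explicitly when it adds or reads items. `TEAMID`, the service and account names are placeholders chosen for the example.

```swift
import Foundation
import Security

// Effective keychain access group list, per the DTS description in the report:
// keychain-access-groups, then application-identifier, then
// com.apple.security.application-groups, concatenated in that order.
func effectiveAccessGroups(keychainAccessGroups: [String],
                           applicationIdentifier: String,
                           applicationGroups: [String]) -> [String] {
    return keychainAccessGroups + [applicationIdentifier] + applicationGroups
}

// Items added without kSecAttrAccessGroup land in the first element of that list.
// For the WatchKit extension entitlements quoted above this is the
// ".watchkitextension" group, which the main app cannot read.
func defaultAccessGroup(keychainAccessGroups: [String],
                        applicationIdentifier: String,
                        applicationGroups: [String]) -> String? {
    return effectiveAccessGroups(keychainAccessGroups: keychainAccessGroups,
                                 applicationIdentifier: applicationIdentifier,
                                 applicationGroups: applicationGroups).first
}

// Placeholder for the real shared group "$(TeamIdentifier).com.paperless.paperlesspost".
let sharedAccessGroup = "TEAMID.com.paperless.paperlesspost"

// Query attributes common to add, delete and lookup; accessGroup is always explicit
// so both the app and the extension address the same keychain partition.
func sharedItemQuery(account: String, accessGroup: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.shared-session",  // placeholder service
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: accessGroup
    ]
}

// Called from the extension: store a secret where the main app can find it.
func saveSharedSecret(_ secret: Data, account: String, accessGroup: String) -> OSStatus {
    let base = sharedItemQuery(account: account, accessGroup: accessGroup)
    SecItemDelete(base as CFDictionary)  // replace any previous value for this account
    var add = base
    add[kSecValueData as String] = secret
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    return SecItemAdd(add as CFDictionary, nil)
}

// Called from the main app: read it back from the same explicit access group.
func loadSharedSecret(account: String, accessGroup: String) -> Data? {
    var query = sharedItemQuery(account: account, accessGroup: accessGroup)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    return status == errSecSuccess ? result as? Data : nil
}
```

Both targets must list the shared group in their keychain-access-groups entitlement for this to succeed; passing a group that is absent from the caller's effective list yields errSecMissingEntitlement.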