iOS Keychain -25300 errSecItemNotFound sporadically for items that exist

Originator: rob
Number: rdar://24956853
Date Originated: 03-Mar-2016
Status: Open
Resolved:
Product: iOS
Product Version: iOS 9.1.0, iOS 9.2, iOS 9.2.1
Classification:
Reproducible: Sometimes
 
Summary:
Related to the Apple Dev Forums thread: https://forums.developer.apple.com/thread/26168

Retrieving items from the iOS Keychain sometimes results in a -25300 errSecItemNotFound result despite the keychain items existing.

I'm fairly confident that the keychain items are configured properly since they can be read back without issue the vast majority of the time and they are only set once on the first run of the app (and are never deleted by the application).

The problem does seem to resolve itself after a period of time (on the order of hours, according to affected users) which also seems to suggest the keychain item configuration is not the problem. Dumping the keychain when experiencing this issue shows none of the expected keychain entries.
 
We have only experienced this issue with iOS 9 devices, and approximately 3% of our users have experienced it at least once. It seems like some users are much more likely to experience it than others but we haven't identified any unique characteristics that might point to a reason.

The attached device log captures some information just prior to an app launch where keychain access failed with an unexpected -25300.

There are a bunch of securityd errors in there that might shed a little light. These each were logged before the application launched (launch is on line 496):
 
securityd[83] <Error>:  SecDbRecordChange db <SecDbConnection rw open> changed outside txn
securityd[83] <Error>: __SOSUpdateKeyInterest_block_invoke_2 Error getting ring interests (null)
securityd[83] <Error>: SecOCSPSingleResponseCalculateValidity OCSPSingleResponse: nextUpdate 0.73 days ago
securityd[83] <Error>:  securityd_xpc_dictionary_handler cloudd[166] copy_matching Error Domain=NSOSStatusErrorDomain Code=-50 "query missing class name" UserInfo={NSDescription=query missing class name}
securityd[83] <Error>: secTaskDiagnoseEntitlements MISSING keychain entitlements: no stored taskRef found

Notes:
- The keychain items are accessed in application:didFinishLaunchingWithOptions:
- We use a library to do the actual keychain access: https://github.com/kishikawakatsumi/KeychainAccess 
- The issue has occurred on App Store distributed builds, enterprise distributed builds, and debug builds – but I don't know of any reliable reproduction steps
- Keychain sharing is not enabled
- The app makes frequent use of silent push notifications (content-available flag).
- Failures have been observed while the app is in UIApplicationStateInactive and UIApplicationStateBackground
- All keychain items use the kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly accessibility setting
- Having the user force close & re-open the app doesn't seem to resolve the problem.
- Known iOS versions with this issue: 9.2.1, 9.2.0, 9.1.0

Steps to Reproduce:
Unfortunately I don't know of a reliable way to reproduce this error. The setup we have is basically:

- Set keychain items on first launch & never remove them
- Retrieve keychain items on future app launches

We make use of silent push notifications (content-available flag) to wake the app up at regular intervals which does increase the frequency of experiencing this issue (since the app is launched much more frequently than it otherwise would be) so that may be one approach to take when attempting to reproduce.

Expected Results:
Keychain items that are set & never deleted should never fail with -25300 errSecItemNotFound when fetched.

Actual Results:
Keychain item fetch occasionally fails with -25300 errSecItemNotFound even though the item exists and becomes available on future launches.

Version:
iOS 9.1.0, iOS 9.2, iOS 9.2.1

Notes:
Not reliably reproducible.

Our app also makes use of a background NSURLSession.

Configuration:
iPhone 5, 6, 6 Plus
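
A defensive read wrapper for the setup described in this report, as an added example (not code from the report or from KeychainAccess): it records the launch context next to a -25300 and does not take that status alone as a reason to write fresh items, since the report observes the items becoming readable again later. The `service` and `account` parameters and the `didProvision` flag are assumptions made for illustration.

```swift
import Foundation
import Security
import UIKit

/// Outcome of a keychain read, keeping "missing" apart from "could not be read".
enum KeychainRead {
    case value(Data)
    case notFound(context: String)            // errSecItemNotFound (-25300)
    case failed(OSStatus, context: String)    // any other OSStatus
}

/// Launch context the report's notes call out (app state, data protection).
/// Call on the main thread, e.g. from application:didFinishLaunchingWithOptions:.
func launchContext() -> String {
    let app = UIApplication.shared
    return "state=\(app.applicationState.rawValue) protectedData=\(app.isProtectedDataAvailable)"
}

/// Read one generic-password item. `service` and `account` are placeholder names.
func readItem(service: String, account: String) -> KeychainRead {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { return .failed(status, context: launchContext()) }
        return .value(data)
    case errSecItemNotFound:
        return .notFound(context: launchContext())
    default:
        return .failed(status, context: launchContext())
    }
}

/// Decide whether to write fresh items. `didProvision` is a hypothetical flag
/// the app persists outside the keychain after its first-run write; once it is
/// set, a not-found result is logged and retried later, never overwritten.
func shouldProvision(_ read: KeychainRead, didProvision: Bool) -> Bool {
    if case .notFound = read { return !didProvision }
    return false
}
```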

Comments

Did you ever find a solution to this or get an update from Apple? We are seeing similar issues.

