Got "Passwords not saved" after using SecRequestSharedWebCredential

Originator:karol
Number:rdar://25439039 Date Originated:30-Mar-2016 03:10 PM
Status:Open Resolved:
Product:iOS Product Version:iOS9
Classification:Security/Usability Reproducible:Failed to reproduce
 
Summary:
I have an iOS app that implements filling in a login form with Safari Saved Password using the `SecRequestSharedWebCredential` API.

SecRequestSharedWebCredential works most of the time, but I got a report from a user that got the Safari Saved Password pop-up with a "Passwords not saved" output. I've attached a screenshot of how this looks.

The documentation does not mention the possible "Passwords not saved" output of the Safari Saved Password dialog. It should.

Steps to Reproduce:
I've tried reproducing this issue by saving a login without a password to my iCloud keychain, but failed. The result I got is that the password was /empty/.

Expected Results:
If the user has their "passwords not saved", then the Safari Saved Password dialog should never pop-up. Instead the SecRequestSharedWebCredential API should return a relevant error that indicates this exact problem.

The documentation should be expanded to talk about why the "Passwords not saved" error can surface, and steps to take to remedy it.

Actual Results:
I saw "passwords not saved" in the Safari Saved Password pop-up on iOS. I've attached a screenshot of it.

Version:
iOS 9

Configuration:
iPhone 6

Comments

Noticed this as a result of telling a browser to "never save passwords" for a given site. After that, it returns "Passwords not saved" for the account and " " for the password. Still happening in 10.3.2, will probably dupe this.

Filed: http://www.openradar.me/32472903

By aaron at May 30, 2017, 9:32 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!