Security Framework hangs for AppReview (including SecItemCopyMatching and SecItemDelete)

Number:rdar://49801952 Date Originated:04/10/2019
Status: Resolved:
Product:Security Framework Product Version:12.2
Classification:Bug Reproducible:Unable
Security Framework

App Review has rejected my app, Sweet Pea, because of a hang on launch.  I symbolicated the crashlogs by downloading the DSYMs and using atos as described in this technote:

$ atos -arch arm64 -o d183863e-1907-3788-995b-74b727353969.dSYM/Contents/Resources/DWARF/FBSDKCoreKit -l 0x101614000 0x0000000101650bd8
-[FBSDKKeychainStore setData:forKey:accessibility:] (in FBSDKCoreKit) (FBSDKKeychainStore.m:112)

That line reads:
        status = fbsdkdfl_SecItemDelete((__bridge CFDictionaryRef)query);
Facebook SDK does some stuff with macros, but I looked and it is indeed calling the system call SecItemDelete

There are also discussions of other products seeing the same issue, e.g.

They "fixed" this problem for firebase by moving all access to Security FWK onto a background thread

Another crashlog shows the hang-on-launch happens in a different place in my code, but also leading to Security FWK:

Thread 0 Crashed:
0   libsystem_kernel.dylib        	0x000000019d7720f4 0x19d75a000 + 98548
1   libsystem_kernel.dylib        	0x000000019d7715a0 0x19d75a000 + 95648
2   libdispatch.dylib             	0x000000019d5d7880 0x19d5c0000 + 96384
3   libdispatch.dylib             	0x000000019d5d7d10 0x19d5c0000 + 97552
4   libxpc.dylib                  	0x000000019d836a04 0x19d82c000 + 43524
5   Security                      	0x000000019e847edc 0x19e81c000 + 179932
6   Security                      	0x000000019e84845c 0x19e81c000 + 181340
7   Security                      	0x000000019e89db90 0x19e81c000 + 531344
8   Security                      	0x000000019e89d2f4 0x19e81c000 + 529140
9   Security                      	0x000000019e89bc60 0x19e81c000 + 523360
10  Security                      	0x000000019e89c5f4 0x19e81c000 + 525812
11  Security                      	0x000000019e89a284 0x19e81c000 + 516740
12  Security                      	0x000000019e89cbe0 0x19e81c000 + 527328
13  FBSDKCoreKit                  	0x0000000101058bd8 0x10101c000 + 248792
14  FBSDKCoreKit                  	0x0000000101058888 0x10101c000 + 247944

$ atos -arch arm64 -o 69d0c92d-588a-302c-8f96-bd41d0c78a48.dSYM/Contents/Resources/DWARF/AWSCore -l 0x101758000 0x00000001017c16f0
-[AWSUICKeyChainStore dataForKey:error:] (in AWSCore) (AWSUICKeyChainStore.m:457)
That line reads:
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &data);

Steps to Reproduce:
Build an app that uses Security framework on the main thread on launch
Extensively test it on multiple devices
Submit to app review

Expected Results:
App is approved

Actual Results:
App is rejected because something about app review test hardware causes security framework to deadlock.

iPhone OS 12.2 (16E227)


Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!