Adding keychain sharing to production app that already has users
We have an iOS app that has been released. The IDE is Xcode 6. I want to add keychain sharing to access the sessionID that exists in the app from an iOS 8 share extension.

Problem is whenever keychain sharing is turned on, the sessionID that already exists can no longer be accessed.

It can be accessed whenever keychain sharing is turned off.

This dictionary is passed into SecItemCopyMatching, which always returns -25300 (not found) whenever keychain sharing is enabled, no matter what the "Keychain Groups:" is.

        [0] (null)  @"svce" : @"SESSION_ID_KEY"
        [1] (null)  @"r_Data" : @"1"
        [2] (null)  @"m_Limit" : @"m_LimitOne"
        [3] (null)  @"class" : @"genp"
        [4] (null)  @"acct" : @"SESSION_ID_KEY"
        [5] (null)  @"pdmn" : @"ck"

Any idea why access to the key might not work? I tried setting kSecAttrAccessGroup with the bundle prefix and name and it still did not work on the simulator.

Trifle answered 15/10, 2014 at 20:12 Comment(0)
Hopefully I got your answer and the bounty :)

I had the same issue originally and came across this post, and I know you mentioned you tried with the bundle prefix and name. But let's run through a sanity check.

In the MyApp.entitlements and in MyApp Extension.entitlements I have the Keychain Access Groups set to $(AppIdentifierPrefix)com.company.MyApp (this is the default).

I accessed the value for ABCD1234 (aka the AppIdentifierPrefix value) using this SO answer https://stackoverflow.com/a/20340883; however, hardcoding may not be best practice here, so consider looking at a solution like this: https://mcmap.net/q/206562/-access-app-identifier-prefix-programmatically

Then note that in my app all I added to make my current code work is the following: [keychainItem setObject:@"ABCD1234.com.company.MyApp" forKey:(__bridge id)kSecAttrAccessGroup]; before updating the item, and I can now access the keychain item in my share extension.

Siouan answered 23/10, 2014 at 20:49 Comment(4)
This works for sharing new data in the keychain between the app and the extension, but the old data that used to exist in the app before adding the keychain sharing can no longer be accessed. When keychain sharing is disabled the old data can be accessed again. – Trifle
@Trifle I just verified that using the same default Keychain Access Group works to retrieve data from the non-shared Keychain after Keychain sharing is enabled. Also, make sure you are setting the same value for kSecAttrService in all the apps that will share Keychain access. To verify the entitlements of your app you can use this command from terminal: $ codesign -d --entitlements :- /path/to/MyProject.app. It will help to make sure your Keychain Access Groups are correct. – Effie
Did you do anything special to retrieve the non-shared data? Which keys in the keychainItem dictionary did you set? Are the svce and acct a unique id for you? – Trifle
This is actually working on the device; the simulator is what was giving me the issue. Thanks guys! – Trifle
I had a similar issue when implementing inter-app communication in iOS 7 a couple of months ago. I found this remark on Apple's GenericKeyChain sample project:

        // Apps that are built for the simulator aren't signed, so there's no keychain access group
        // for the simulator to check. This means that all apps can see all keychain items when run
        // on the simulator.
        //
        // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
        // simulator will return -25243 (errSecNoAccessForItem).

So if you're testing on a Simulator you need to remove the "kSecAttrAccessGroup".

On a device it should work with this key.

Cristacristabel answered 22/10, 2014 at 12:35 Comment(1)
The issue happens even when running on a device. – Effie
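The following is an added example that ties the two answers together; it is not code from the question, from Siouan's or Cristacristabel's posts, or from Apple's GenericKeychain sample. It builds the same generic-password query the question's dump shows (class genp, svce and acct both SESSION_ID_KEY, pdmn "ck", which is the kSecAttrAccessibleAfterFirstUnlock constant), adds the access group string from Siouan's answer, and guards that attribute with TARGET_OS_SIMULATOR so the unsigned simulator build does not hit errSecNoAccessForItem. The team prefix ABCD1234 and the bundle identifier com.company.MyApp are the placeholders used on this page; substitute your own, ideally read at runtime as Siouan suggests rather than hardcoded. The same helper works unchanged in the app and in the share extension as long as both targets list the same Keychain Access Group in their entitlements.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <TargetConditionals.h>

// Placeholder values taken from the page; replace with your real prefix and bundle id.
static NSString * const kSessionKey  = @"SESSION_ID_KEY";
static NSString * const kAccessGroup = @"ABCD1234.com.company.MyApp";

// Base query shared by read and write. kSecClass, kSecAttrService and kSecAttrAccount
// must match exactly what the released app used when it first stored the item, or the
// lookup returns errSecItemNotFound (-25300) regardless of the access group.
static NSMutableDictionary *SessionQuery(void) {
    NSMutableDictionary *q = [NSMutableDictionary dictionary];
    q[(__bridge id)kSecClass]       = (__bridge id)kSecClassGenericPassword;
    q[(__bridge id)kSecAttrService] = kSessionKey;
    q[(__bridge id)kSecAttrAccount] = kSessionKey;
#if !TARGET_OS_SIMULATOR
    // Simulator apps are unsigned, so there is no access group to check; setting one there
    // makes SecItemAdd/SecItemUpdate fail with errSecNoAccessForItem (-25243).
    q[(__bridge id)kSecAttrAccessGroup] = kAccessGroup;
#endif
    return q;
}

// Returns the stored session id, or nil. The OSStatus is reported through outStatus so a
// caller can distinguish "not found" from an entitlement problem.
static NSString *ReadSessionID(OSStatus *outStatus) {
    NSMutableDictionary *q = SessionQuery();
    q[(__bridge id)kSecReturnData] = @YES;
    q[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)q, &result);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess || result == NULL) return nil;

    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Updates the item if it exists, otherwise adds it. The accessibility class matches the
// pdmn = "ck" attribute seen in the question's dump.
static OSStatus WriteSessionID(NSString *sessionID) {
    NSData *data = [sessionID dataUsingEncoding:NSUTF8StringEncoding];
    NSMutableDictionary *q = SessionQuery();

    NSDictionary *update = @{ (__bridge id)kSecValueData : data };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)q,
                                    (__bridge CFDictionaryRef)update);
    if (status == errSecItemNotFound) {
        q[(__bridge id)kSecValueData]      = data;
        q[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleAfterFirstUnlock;
        status = SecItemAdd((__bridge CFDictionaryRef)q, NULL);
    }
    return status;
}

// Example flow for either the app or the extension: read, write if missing, read again.
static void SessionKeychainDemo(void) {
    OSStatus status = errSecSuccess;
    NSString *existing = ReadSessionID(&status);
    if (existing) {
        NSLog(@"found existing session id");
    } else if (status == errSecItemNotFound) {
        NSLog(@"no session id yet (errSecItemNotFound); storing a constructed value");
        status = WriteSessionID(@"constructed-session-id");
        NSLog(@"SecItemAdd/Update status: %d", (int)status);
        NSLog(@"re-read: %@", ReadSessionID(&status) ? @"ok" : @"still missing");
    } else {
        // Any other status (for example -25243 or -34018) points at signing/entitlements,
        // not at the query itself: check with `codesign -d --entitlements :- MyApp.app`.
        NSLog(@"keychain error %d: check Keychain Access Groups entitlement", (int)status);
    }
}
```

When diagnosing the original symptom, run SessionKeychainDemo on a real device first; the comment thread above shows that the simulator was the only place the lookup failed. If the device still reports a non-zero status other than -25300, compare the output of the codesign command from Effie's comment for the app and the extension: both binaries must carry the identical keychain-access-groups value.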