Is the iOS keychain encrypted without device passcode?

1

6

Up till now I believed the iOS keychain was the best way to store usernames and passwords. However, I came across this site that states that:

"without a passcode, all data on the device — including sensitive data stored in the Keychain — can be read by anyone with momentary access to the device"

I have gone through the relevant sections in Apple's documentation on iOS security and nothing explicitly states such.

Is this claim true or have I misunderstood something here?

Shrew answered 21/1, 2016 at 1:58 Comment(1)
App data can be encrypted and this also depends on whether the device has a passcode/pin-code. However, the keychain, I believe, is not affected by this. I have been confident until I came across the resource in my question. - Shrew
0

The keychain is implemented as a SQLite database stored on the file system. There is only one database; the securityd daemon determines which keychain items each process or app can access. Keychain access APIs result in calls to the daemon, which queries the app’s “keychain-access-groups,” “application-identifier,” and “application-group” entitlements. Rather than limiting access to a single process, access groups allow keychain items to be shared between apps.

It means that the hacker can't access your keychain data even if there is no passcode. It's under the control of Apple's securityd daemon. You can't access the data of the keychain without the securityd daemon.

Update:

Maybe that's what you want to know: Hacker vs Keychain

Asante answered 21/1, 2016 at 4:12 Comment(8)
Keychain items can only be shared between apps from the same developer with the securityd daemon. - Asante

If the device is jailbroken, nothing can be hidden. Then the best solution for your problem would be to manually implement encryption for app data, such as AES. - Asante

In such a case, how would you secure the encryption key? - Trophoblast

@Trophoblast maybe a static var in memory is OK. - Asante

@Asante this security daemon only applies if you are using the official way of accessing the keychain. A hacker does not have to use the official way. It's like saying you can't open a lock without its key. Of course you can't if you try to use another key. A bolt cutter, on the other hand, will break that lock open. Or simply a skilled thief with a pin. - Shrew

A hacker will hack the system, that's why they are called hackers. They will not do things the official/legal way if they have to. Either way, the question is not whether a hacker can access the keychain or not. The question instead is: are the keychain contents encrypted depending on whether there is a passcode or not. Whether the hacker can't hack it in either case is irrelevant. - Shrew

@Shrew Maybe that's what you want to know: https://mcmap.net/q/1019023/-ios-keychain-security - Asante

-1 as the answer does not answer the original question "Is the iOS keychain encrypted without device passcode?". Instead, the answer says how iOS manages accessing the keychain (without first-hand knowledge of how it is actually implemented), and also states that "hacker can't access ur keychain data even there is no Passcode," which is not true. - Genital
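
On the passcode dependency the question asks about: the Keychain API lets an app choose a protection class per item through `kSecAttrAccessible`. The Swift below is an added example, not code from any post in this thread; it stores a secret in the class that exists only while a device passcode is set and reads back the class of an existing item for auditing. The service and account strings are placeholders supplied by the caller.

```swift
import Foundation
import Security

// Added example. The service and account strings are caller-supplied placeholders.
struct KeychainError: Error { let status: OSStatus }

private func baseQuery(service: String, account: String) -> [String: Any] {
    [kSecClass as String: kSecClassGenericPassword,
     kSecAttrService as String: service,
     kSecAttrAccount as String: account]
}

/// Stores `secret` in the protection class that requires a device passcode.
func storePasscodeBoundSecret(_ secret: Data, service: String, account: String) throws {
    let query = baseQuery(service: service, account: account)
    // Delete any older copy, which may have been saved with a weaker class.
    let deleted = SecItemDelete(query as CFDictionary)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        throw KeychainError(status: deleted)
    }
    var attributes = query
    attributes[kSecValueData as String] = secret
    // This class can only be created while a passcode is set, is readable only
    // while the device is unlocked, is never migrated to another device, and
    // is deleted by the system if the passcode is removed.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
    let added = SecItemAdd(attributes as CFDictionary, nil)
    // On a device without a passcode the add fails: surface the error and do
    // not fall back to a weaker class.
    guard added == errSecSuccess else { throw KeychainError(status: added) }
}

/// Returns the kSecAttrAccessible value recorded for an item, for auditing
/// which protection class existing items use. Returns nil if there is no item.
func accessibilityClass(service: String, account: String) throws -> String? {
    var query = baseQuery(service: service, account: account)
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess, let item = result as? [String: Any] else {
        throw KeychainError(status: status == errSecSuccess ? errSecDecode : status)
    }
    return item[kSecAttrAccessible as String] as? String
}
```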
