Can the user access the keychain on iOS?

2

16

We're looking at storing some information (think the equivalent of usernames, passwords, etc.) in our app that we don't want the user to be able to meddle with. One (bad) way to do this would be to put them in an encrypted file somewhere in the app's folder, but if we did that the user would be able to take any iOS filesystem exploration tool and edit or replace that file, which we don't want.

If we stored the details in the keychain, is there any way the user could read or write those details, for example by running the keychain equivalent of a filesystem exploration tool? Or is there no way to get at the app's information in the keychain without running that app?

Obviously if the user hacks our app, or has a jailbroken device, or somehow man-in-the-middles the connection that sends the information to the device, etc., they could access the keychain items. I'm not worried about that - just about whether a user with a regular, unhacked device and no weird apps on it could access the data in the keychain.

Thanks for your help.

Catinacation answered 30/12, 2013 at 21:39 Comment(0)
12

According to Apple docs:

Whereas in OS X any application can access any keychain item provided the user gives permission, in iOS an application can access only its own keychain items.

Note: On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.

So, if you assume that your device is not jailbroken and the keychain subsystem is working properly, only your app (identified through its provisioning profile) can access its own keychain items. If you have different apps sharing the same provisioning profile, then they can all access the same keychain items.

Helminth answered 30/12, 2013 at 21:46 Comment(5)
Your other apps can access it as well, so keep that in mind if you have more than one. - Faris
@jeffamaphone: thanks. That is right as long as those apps share the same provisioning profile, AFAIK. - Helminth
It is not different apps sharing the same provisioning profile that can access the same keychain items. It has to do with the entitlements in the provisioning profiles of the apps. The apps need to have entitlements to the same keychain access groups in their provisioning profiles but the profiles do not have to be the same. - Borderer
@Helminth Can a user access the contents of the keychain? I want to store API keys in keychain but I don't want a user to be able to see it. - Unmake
Please be advised that with M1 Macs this assumption no longer holds, as the app can be installed on a Mac, allowing normal Keychain manipulation. - Grilled
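
The access-group scoping discussed in the comments above, as an added Swift example that is not from any poster or from Apple's documentation: an item is written to and read from an explicit keychain access group, which only apps entitled to that group can do. The service name, the group `ABCDE12345.com.example.shared` and the helper names are hypothetical.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; none of them come from the page.
let service = "com.example.api-credentials"
// Must appear in the keychain-access-groups entitlement of every app that shares the item.
let sharedGroup = "ABCDE12345.com.example.shared"

struct KeychainError: Error { let status: OSStatus }

// Builds the attributes that identify one generic-password item.
func baseQuery(account: String, accessGroup: String?) -> [String: Any] {
    var query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
    // Without an explicit group, an added item lands in the app's default access group.
    if let group = accessGroup { query[kSecAttrAccessGroup as String] = group }
    return query
}

func storeSecret(_ secret: Data, account: String, accessGroup: String? = nil) throws {
    var query = baseQuery(account: account, accessGroup: accessGroup)
    // Remove any earlier copy so repeated calls do not fail with errSecDuplicateItem.
    let deleted = SecItemDelete(query as CFDictionary)
    guard deleted == errSecSuccess || deleted == errSecItemNotFound else {
        throw KeychainError(status: deleted)
    }
    query[kSecValueData as String] = secret
    // Readable only while the device is unlocked, and never migrated to another device.
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    // An app whose entitlements do not list accessGroup gets errSecMissingEntitlement here.
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
}

func loadSecret(account: String, accessGroup: String? = nil) throws -> Data? {
    var query = baseQuery(account: account, accessGroup: accessGroup)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    guard status == errSecSuccess else { throw KeychainError(status: status) }
    return result as? Data
}
```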
4

It is not possible to access outside the App on iOS devices, as noted in https://mcmap.net/q/734554/-can-the-user-access-the-keychain-on-ios.

However, the user can now install the App on macOS, which will provide regular macOS access to view and manipulate the keychain data.

Grilled answered 31/12, 2020 at 12:32 Comment(2)
So, if I have an iOS app that stores confidential data (some API key for example) in the keychain, the user will not be able to read it from an iPhone, but if he installs the app on an M1 Mac he will? - Stypsis
@Stypsis Yes, the user can view it in the Keychain Access app on an M1 Mac. - Grilled
