Error: 25308 errSecInteractionNotAllowed When dumping with locked device #9

Closed
dmayer opened this issue Dec 26, 2015 · 4 comments

@dmayer
Contributor

dmayer commented Dec 26, 2015

When trying to dump the keychain when the device is locked, I receive:

Unhandled Error: Please contact developer to report this error. Error code: -25308

It would be nice to be able to dump whatever is accessible when the device is locked.

@NitinJami
Owner

This is now fixed in 36f32e7. Closing the issue!

@senryxie

senryxie commented Jul 26, 2016

Hi @NitinJami,
Can you shed some light on which part of the commit 36f32e7 fixes the -25308 error?

Thanks in advance.

@NitinJami
Owner

Hi @senryxie,
How good is your understanding of iOS Data Protection classes and accessibility constants? If you are familiar with them, ignore the next two paragraphs. If not, read on.

Essentially, each accessibility constant defines in which state of the phone a particular item is available. For example, an item with the "WhenUnlocked" constant is only available when the device is unlocked, whereas an item with the "AccessibleAlways" constant is available irrespective of whether the phone is locked or not. To track the state of the phone and to enforce these constants, a special service runs inside your phone, which monitors the state of the device and provides authority over a requested item. It is called either a "Security Server" or a "Security Daemon".

When the phone is locked or rebooted for the first time, the OS does not allow the applications to talk to this daemon. Since the application cannot get a response from the daemon, the application does not have the authority over the corresponding item. Hence, the error message -25308.

There is a crypto explanation of this, but I assume you are not going after this.

If I already knew this, why did the bug occur in the first place in my code?

Well, it has to do with SecItemCopyMatching(). The function returns errSecSuccess if all the query criteria are satisfied, or fails with the appropriate error even if only one of the query criteria is not satisfied.

In my original code #380, "query" was not limited by an accessibility constant, which means all the items are to be dumped with a single call to SecItemCopyMatching(). If the phone is in the unlocked state, all the items were dumped. But if the phone is locked and then you try to dump it, SecItemCopyMatching() fails because a few constants (WhenUnlocked) are not accessible, in which case even the accessible items (AccessibleAlways) are not returned.

The workaround for this is, obviously, to dump items by passing the accessibility constants individually to SecItemCopyMatching() #390 and #409. Items that are available are appended to a finalResult array, and items that are not available fail silently #424.

Hope that clarifies. Lemme know if you have any other questions.

Thanks,
Nitin Jami
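
The per-constant query described in the comment above, written out as an added example; it is not the project's code and not the contents of commit 36f32e7. The function name `readableGenericPasswords` and the restriction to generic-password items are assumptions made for illustration.

```swift
import Foundation
import Security

// Accessibility constants, queried one at a time. The two "Always"
// constants are deprecated since iOS 12 but still compile with a warning.
let accessibilityClasses: [CFString] = [
    kSecAttrAccessibleWhenUnlocked,
    kSecAttrAccessibleAfterFirstUnlock,
    kSecAttrAccessibleAlways,
    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
    kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly,
    kSecAttrAccessibleAlwaysThisDeviceOnly,
]

/// Hypothetical helper (the name is an assumption): returns every
/// generic-password item readable in the current lock state, together
/// with the OSStatus observed for each accessibility constant.
func readableGenericPasswords() -> (items: [[String: Any]], statuses: [String: OSStatus]) {
    var items: [[String: Any]] = []
    var statuses: [String: OSStatus] = [:]

    for accessibility in accessibilityClasses {
        // One query per constant, so a locked class cannot fail the whole read.
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrAccessible as String: accessibility,
            kSecMatchLimit as String: kSecMatchLimitAll,
            kSecReturnAttributes as String: true,
            kSecReturnData as String: true,
        ]
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        statuses[accessibility as String] = status

        switch status {
        case errSecSuccess:
            items.append(contentsOf: result as? [[String: Any]] ?? [])
        case errSecInteractionNotAllowed, errSecItemNotFound:
            // -25308: class not readable in this lock state; -25300: no items.
            continue
        default:
            // Anything else is unexpected and worth surfacing to the caller.
            print("SecItemCopyMatching failed for \(accessibility): \(status)")
        }
    }
    return (items, statuses)
}
```

The returned `statuses` map keeps the skipped classes visible to the caller, so an incomplete read on a locked device can be reported instead of being mistaken for an empty keychain.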

@senryxie

Hi Nitin,
Thanks for your detailed answer.
I learned some things from your code and applied them in my project. Hope my changes will fix it in my next release :).

Senry
