-
Notifications
You must be signed in to change notification settings - Fork 348
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential solution to the background access problem #78
Comments
Thanks, @RamblinWreck77. I can see that the the accepted answer suggests using
However, another answer recommends
I think |
Thanks for the quick reply @evgenyneu ! I am indeed using .accessibleAlways to store these values (they aren't "secrets" so i'm not worried). digging into the code, I noticed:
I'm just spitballing here, but is it possible kSecClassGenericPassword is a culprit here? Maybe password-types get treated differently no matter the accessibility settings? Again this only occurs in the background (after a significant location wakeup event) and for 5-10% of sessions. |
@RamblinWreck77, no idea to be honest. I could not find anything specific about the password item type rather than this from the docs:
If you are adventurous you can try forking the library and using other class types instead to see if it makes any difference. :) |
@evgenyneu this is interesting, this guy: kishikawakatsumi/KeychainAccess#342 claims his problem was a naming issue, where iOS was using the preferences of a previous keychain. That would certainly effect me, since most of my users first interaction with keychain would have had the default (while unlocked) setting... and might explain why chaining it has had no effect. |
@evgenyneu do you think the query generated by keychain.clear() would be enough to nuke the keychain and any preferences/settings, or should I explore an alternative approach? I'm thinking: |
Sorry, I don't understand what you mean. What is "previous keychain"? Is the the item you saved to keychain previously that for the same key?
I don't understand what you mean, sorry.
I think
Again, sorry, I don't understand what you are doing here. What do you want to achieve? |
I’m having the same issue where in background sometimes fails to get access to the keychain. Was there a solution? |
@dmavromatis, no there is no reliable solution unfortunately. It is a mess. |
@yoavziv, thanks for the workaround. TLDR:
Please feel free to report here if this workaround works for you. |
@evgenyneu We're going to push a fix to an app we have on the AppStore with this workaround soon. Will reply back with our findings. |
@grEvenX what did it do in the end? |
@evgenyneu @enoelboostmi We have had the fix out for roughly three weeks now and we have not seen any issues after implementing the workaround 👍 |
@grEvenX thanks for letting us know, this is good news! |
@grEvenX Just to be sure to understand, you are verifying that if
What about the |
I recently ran into this myself. I store information that must be accessed promptly upon the loading of the application from background during a VOIP pushkit event, so i cannot wait until the isProtectedDataAvailable method returns (new rules on iOS 13). Whenever the application launched while the screen was locked, it would not get the value from the SecItemCopyMatching and would return with a -25308. We are storing a public/private keypair generated for ECDH encryption into the keychain. As we were investigating this issue i came across this tidbit of info:
if you tail the console logs for the device you see
We also discovered that when querying the keychain item, if you do not specify in the query the accessibility level, it defaults to "whenUnlocked" behind the scenes. So i had created my record with a weaker level then my query was allowing for, since it defaulted, and was not available. the when when unlocked is the most secure, and apple is defaulting to the most secure. You need a good reason to use it outside of that. In my case it's a public key, and it's in the public domain, so i do not need it when unlocked. my private key is in the secure enclave and i cannot even read the bytes. So what we did to fix this in our custom keychain implementation was to (since we are specifying I'm needing a quick library to do some keychain stuff and do not want to rewrite yet another keychain wrapper in this other project, and you guys seem to have this bug with the background/locked, this might fix your problems. While beginning implementing this pod in a project, i noticed the methods for setting a value had accessibility levels, but the ones for getting values do not, so i can only assume then that it is defaulting to the |
Thank you for your detailed explanation, @robertbarclay. Can you confirm one thing based on your findings? If using |
Hello! So I'm seeing anywhere from 5-10% of background wakeup sessions fail to recover a user's information stored in their keychain.
This SO post appears to have solved the issue, could this be implemented in keychain-swift?
https://stackoverflow.com/questions/10536859/ios-keychain-not-retrieving-values-from-background
Thanks for a great library!
The text was updated successfully, but these errors were encountered: