
Security issue: Keychain Item Accessibility Constants missing

Open KaiOelfke opened this issue 13 years ago • 3 comments

Hi,

you should add the kSecAttrAccessibleWhenUnlocked value for the kSecAttrAccessible key. If you don't do that the keychain information can be hacked easily.

More information: http://stackoverflow.com/questions/3558252/ios-keychain-security

https://developer.apple.com/library/ios/#documentation/Security/Reference/keychainservices/Reference/reference.html#//apple_ref/doc/constant_group/Keychain_Item_Accessibility_Constants

Thank you =)

KaiOelfke avatar Aug 07 '12 09:08 KaiOelfke

+1 to this.

mattgreen avatar Feb 14 '13 19:02 mattgreen

Yes, I'd like to be able to set kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly

Anyone care to show where the easiest place to put this would be?

d0n13 avatar Apr 29 '15 17:04 d0n13

From line 90 in ACSimpleKeychain.m

- (BOOL)storeUsername:(NSString *)username password:(NSString *)password identifier:(NSString *)identifier info:(NSDictionary *)info forService:(NSString *)service
{
    // Remove any existing item for this username/identifier first, otherwise SecItemAdd fails with errSecDuplicateItem.
    if ([self deleteCredentialsForUsername:username service:service] &&
        [self deleteCredentialsForIdentifier:identifier service:service])
    {
        // dictionaryWithObjectsAndKeys: takes value, key pairs. The accessibility class must be set here,
        // at SecItemAdd time; AfterFirstUnlockThisDeviceOnly means the item is readable once the device
        // has been unlocked since boot and is never migrated to another device through a backup.
        NSMutableDictionary *dictionary = [NSMutableDictionary dictionaryWithObjectsAndKeys:
                                           (__bridge id)(kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly), (__bridge id)kSecAttrAccessible,
                                           (__bridge id)kSecClassGenericPassword, (__bridge id)kSecClass,
                                           [username dataUsingEncoding:NSUTF8StringEncoding], (__bridge id)kSecAttrAccount,
                                           [identifier dataUsingEncoding:NSUTF8StringEncoding], (__bridge id)kSecAttrGeneric,
                                           [service dataUsingEncoding:NSUTF8StringEncoding], (__bridge id)kSecAttrService, nil];
        // The secret itself goes into kSecValueData (encrypted by the keychain); everything above is a searchable attribute.
        [dictionary setValue:[password dataUsingEncoding:NSUTF8StringEncoding] forKey:(__bridge id)kSecValueData];
        // Extra per-item info is archived and stored in the comment attribute.
        NSMutableData *miscData = [NSMutableData data];
        NSKeyedArchiver *archiver = [[NSKeyedArchiver alloc] initForWritingWithMutableData:miscData];
        [archiver encodeObject:info forKey:ACKeychainInfo];
        [archiver finishEncoding];
        [dictionary setValue:miscData forKey:(__bridge id)kSecAttrComment];
        OSStatus status = SecItemAdd((__bridge CFDictionaryRef)dictionary, NULL);
        return (status == errSecSuccess);
    }
    return NO;
}

Hope that helps. Donie

d0n13 avatar May 01 '15 11:05 d0n13
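Setting kSecAttrAccessible at SecItemAdd time, as in the patch above, only covers items written from then on. Items that ACSimpleKeychain stored earlier carry no explicit value and therefore sit in the iOS default class, kSecAttrAccessibleWhenUnlocked. The following is an added example, not code from ACSimpleKeychain or from anyone in this thread: it reads back the accessibility class an existing item was stored with and tightens it with SecItemUpdate when it is not the one you want. The function names are made up for this example, and the query encodes service and account as UTF-8 NSData because that is how the library's storeUsername:... writes them.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Return the kSecAttrAccessible value stored on a generic-password item,
// or nil if no item matches. Hypothetical helper, not part of ACSimpleKeychain.
static NSString *ACExampleAccessibilityForItem(NSString *service, NSString *account)
{
    // Mirror the library's encoding of service/account as UTF-8 data (assumption: items were written by storeUsername:...).
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:      [service dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecAttrAccount:      [account dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecReturnAttributes: @YES,   // we want the attributes, not the secret
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSDictionary *attributes = CFBridgingRelease(result);
    return attributes[(__bridge id)kSecAttrAccessible];
}

// Make sure the item uses the wanted accessibility class. Returns YES when it
// already did or was updated successfully, NO when it is missing or the update failed.
static BOOL ACExampleEnsureAccessibility(NSString *service, NSString *account, CFStringRef wanted)
{
    NSString *current = ACExampleAccessibilityForItem(service, account);
    if (current == nil) {
        return NO;  // nothing stored under this service/account
    }
    if ([current isEqualToString:(__bridge NSString *)wanted]) {
        return YES; // already stored with the requested class
    }
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: [service dataUsingEncoding:NSUTF8StringEncoding],
        (__bridge id)kSecAttrAccount: [account dataUsingEncoding:NSUTF8StringEncoding],
    };
    // Only the accessibility attribute changes; the secret and other attributes stay as they are.
    NSDictionary *update = @{ (__bridge id)kSecAttrAccessible: (__bridge id)wanted };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query, (__bridge CFDictionaryRef)update);
    return status == errSecSuccess;
}

int main(int argc, char *argv[])
{
    @autoreleasepool {
        // Constructed sample identifiers; on a real device these are whatever the app stored.
        NSString *service = @"com.example.app";
        NSString *account = @"alice";
        NSString *before = ACExampleAccessibilityForItem(service, account);
        NSLog(@"stored accessibility before: %@", before ?: @"(no item)");
        BOOL ok = ACExampleEnsureAccessibility(service, account, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly);
        NSLog(@"ensure accessibility: %@", ok ? @"ok" : @"failed");
    }
    return 0;
}
```

If SecItemUpdate refuses the change, deleting the item and re-adding it with the attribute set is the fallback; storeUsername:... already does exactly that, since it deletes before calling SecItemAdd. Two trade-offs worth keeping in mind when picking the constant: the AfterFirstUnlock classes are what you need if the item must be readable while the app runs in the background with the device locked, and the ThisDeviceOnly variants keep the item out of device-to-device migration through backups, so a user restoring onto a new phone will have to sign in again.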