react-native-keychain
Username/Password isn't encrypted. Saved as plaintext
We had a security audit of our app done and they were able to retrieve the username/password in the keychain
"The application stores sensitive information i.e. username and password in clear text in the keychain file. Secret stored in Keychain file is encrypted using hardware encryption. An attacker can use this technique to get access to user authentication details." Location: Keychain.xml
Does anyone understand how this would be possible and how to prevent this? I thought it would be encrypted https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web
As far as I understand, the keychain 'as a whole' is encrypted, so it needs to be opened (decrypted) for the app to have access to the data within it. In theory, only the app would have access to said data, but a security auditor told me that you can 'inspect data from outside' while the app had it opened (no idea how, if it needs to be jailbroken, etc.). So, as far as I understand, you would need/want to encrypt your data first, and then save it in the keychain.
Mind: I'm not a security expert, but that's what I know. 🤓
> We had a security audit of our app done and they were able to retrieve the username/password in the keychain
We are facing the same issue after a security audit.
An attacker can read these locations if he has physical access to the phone and after a jailbreak:
- Android: /data/data/BUNDLE_ID/shared_prefs/shared_preferences.xml
- Android: /data/user/0/BUNDLE_ID/shared_prefs/shared_preferences.xml
- iOS: Library/Caches/BUNDLE_ID/fsCachedData/CACHE_KEY
Hi guys, I'm facing the same issue. Any update on this topic? Thanks a lot.
Has anyone else come across this issue, or does anyone here have an update on their situation? Thanks.