How to delete all keychain items accessible to an app?

Question

I have stray keychain items on iOS (probably written by old version of app) that I need to delete. Is there an easy way to achieve this?

Answer 1

Do it for all classes

Objective-C:

NSArray *secItemClasses = @[(__bridge id)kSecClassGenericPassword,
                       (__bridge id)kSecClassInternetPassword,
                       (__bridge id)kSecClassCertificate,
                       (__bridge id)kSecClassKey,
                       (__bridge id)kSecClassIdentity];
for (id secItemClass in secItemClasses) {
    NSDictionary *spec = @{(__bridge id)kSecClass: secItemClass};
    SecItemDelete((__bridge CFDictionaryRef)spec);
}

Swift:

      [kSecClassGenericPassword, kSecClassInternetPassword, kSecClassCertificate, kSecClassKey, kSecClassIdentity].forEach {
        let status = SecItemDelete([
          kSecClass: $0,
          kSecAttrSynchronizable: kSecAttrSynchronizableAny
        ] as CFDictionary)
        if status != errSecSuccess && status != errSecItemNotFound {
            //Error while removing class $0
        }
      }

Answer 2

Unfortunately all answers of this question seem to be outdated (since iOS 7.0+) as they do not delete keychain entries that have the kSecAttrSynchronizable flag set (allow synchronization to other devices through iCloud).

To delete such entries it is crucible to add an entry to the delete query specifying kSecAttrSynchronizable: kSecAttrSynchronizableAny:

Swift version:

let secItemClasses = [kSecClassGenericPassword,
    kSecClassInternetPassword,
    kSecClassCertificate,
    kSecClassKey,
    kSecClassIdentity]
for secItemClass in secItemClasses {
    let query: NSDictionary = [
        kSecClass as String: secItemClass,
        kSecAttrSynchronizable as String: kSecAttrSynchronizableAny
    ]
    SecItemDelete(query)
}

Answer 3

Be cautious on using kSecClassCertificate to clear out all when you're unit testing using a Mac as a target as this will clear your development certificate. You can simply revoke the existing but in a CI/CD pipeline this won't work.

Answer 4

Swift version

import Foundation
import Security


public class Keychain: NSObject {
  public class func logout()  {
    let secItemClasses =  [
      kSecClassGenericPassword,
      kSecClassInternetPassword,
      kSecClassCertificate,
      kSecClassKey,
      kSecClassIdentity,
    ]
    for itemClass in secItemClasses {
      let spec: NSDictionary = [kSecClass: itemClass]
      SecItemDelete(spec)
    }
  }
}

usage:

Keychain.logout()

Answer 5

I rewrote Daij-Djan's answer in Swift:

let secItemClasses = [kSecClassGenericPassword,
    kSecClassInternetPassword,
    kSecClassCertificate,
    kSecClassKey,
    kSecClassIdentity]
for secItemClass in secItemClasses {
    let dictionary = [kSecClass as String:secItemClass]
    SecItemDelete(dictionary as CFDictionary)
}

Answer 6

Xamarin iOS version (MonoTouch) of accepted answer on How to delete all keychain items accessible to an app is below:

foreach (var recordKind in new []{
                SecKind.GenericPassword,
                SecKind.Certificate,
                SecKind.Identity,
                SecKind.InternetPassword,
                SecKind.Key,
            })
    {
          SecRecord query = new SecRecord(recordKind);
          SecKeyChain.Remove(query);
    }

If you want to make sure you indeed delete the records, you may during development check number of items in KeyChain of specific kind before and after with this code:

SecStatusCode scc;
var records = SecKeyChain.QueryAsRecord(new SecRecord(SecKind.GenericPassword), 1000, out scc);

Answer 7

Thanks to Daij-Djan I got to this solution:

for (id secclass in @[
     (__bridge id)kSecClassGenericPassword,
     (__bridge id)kSecClassInternetPassword,
     (__bridge id)kSecClassCertificate,
     (__bridge id)kSecClassKey,
     (__bridge id)kSecClassIdentity]) {
    NSMutableDictionary *query = [NSMutableDictionary dictionaryWithObjectsAndKeys:
                                  secclass, (__bridge id)kSecClass,
                                  nil];

    SecItemDelete((__bridge CFDictionaryRef)query);        
}

Answer 8

You could take a look at the KeyChain Access application found in the Utilities folder. If you launch the application and click on "All Items," it should display all the items you have created with this specific computer. The developer ones usually start with com.