makerofthings7

Reputation: 61473

Which keychain attributes are inaccessible when the keychain is locked?

There are 5 types of keys that can be stored in the iOS keychain.

Each of those key types supports a different attribute set. It's unclear which attributes are "public" and exposed to a locked keychain, and which are not.

Should I assume that a locked keychain can expose all of the following?

Can applications without my app-group entitlement view the attributes of my keychain items?


Upvotes: 2

Views: 175

Answers (1)

Rob Napier

Reputation: 299565

All attributes are considered public. The only secret in the keychain is the data (i.e. the thing you retrieve using attributes). See Keychain Services Programming Guide: Structure of a Keychain:

Note: Unlike data, an item’s attributes are not considered secret, and thus never encrypted. They can be read at any time, even when the keychain is locked.

As a practical matter, I believe there are times in iOS (as opposed to macOS) when even the attributes (all the attributes) wind up being encrypted (such as before first unlock), but you should not rely on this. If the data is a secret, it should be keychain data, not an attribute. But remember, you cannot search on data... since it's encrypted... you can only search on attributes.

iOS does not decrypt the entire keychain all at once. It generally just decrypts the portions it needs. For all the gory details on this, see the iOS Security Guide.

Upvotes: 1
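The split the answer describes, as an added Swift example that is not part of the original question or answer: the secret goes in `kSecValueData`, and only non-sensitive lookup keys go in attributes. The service name and account label are hypothetical placeholders, and the helper function names are illustrative.

```swift
import Foundation
import Security

// Hypothetical identifiers (assumptions). Both are attributes, so treat them as public.
let service = "com.example.demo.tokens"
let account = "api-token-1"   // opaque label, deliberately not a username or e-mail

// Attributes used to find the item. Nothing secret belongs in here.
func lookupKeys() -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

/// Store the secret as item data, replacing any earlier copy.
func storeToken(_ token: Data) -> OSStatus {
    _ = SecItemDelete(lookupKeys() as CFDictionary)
    var item = lookupKeys()
    item[kSecValueData as String] = token   // the only protected field
    // Accessibility class controls when the data may be decrypted.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(item as CFDictionary, nil)
}

/// Attribute-only query: returns the item's metadata and never asks for the data.
func readAttributes() -> [String: Any]? {
    var query = lookupKeys()
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else {
        return nil
    }
    return result as? [String: Any]
}

/// Data query: the search is still by attributes, but the result is the secret.
func readToken() -> Data? {
    var query = lookupKeys()
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess else {
        return nil
    }
    return result as? Data
}
```

Everything `readAttributes()` returns (service, account, dates, and so on) should be reviewed as if it were readable without unlocking; only the value returned by `readToken()` is protected data.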
