Reputation: 741
I am migrating our organisation's app to a new developer account, for internal reasons. I've learned that upon transferring the app to the new account, and after we release an update for the app from the new developer account, we will incur a one-time loss of keychain data. My concern is that we cannot afford this loss of data, due to security reasons and the nature of the type of clients using the app.
So my question has 2 parts:
1) Is there any way that I can prevent this keychain data loss?
2) If not, what are the alternate strategies I can use to prevent the users from getting logged out during this transition?
Upvotes: 0
Views: 1565
Reputation: 1949
1) There is no way you can prevent data loss, since the App ID Prefix has changed during the app transfer. From TN2311:
> A one-time loss in keychain data will occur if you switch your App ID prefix

2) If your application utilizes Push Notifications, you can use the APNs device tokens to remap the user account.
Once the new app is launched:
For those who don't allow notifications, just force them to log in again.
Upvotes: 0
Reputation: 4434
Assuming you're talking about a real, full App Transfer, I don't think this is possible. Keychains are not just differentiated via the app ID, but also the organization's ID (or more precisely, the organization's ID is part of an app ID). Since the app's ID de facto changes with a transfer, iOS will prevent it from looking up its old keychain. Not even app groups get around this, as a group cannot consist of apps by different organizations AFAIK. Apple would need to implement a kind of exception to this for at least a certain "migration period", but I doubt that will ever happen (for security considerations).
The only way to circumvent a re-login so that the transferred app can save the credentials in its "new" keychain would be to first have an update for the old, not-yet transferred app and have it save the credentials elsewhere, then have the transferred app look them up from there. I'd strongly recommend against this for security reasons, but if you absolutely must do that, you could upload the credentials somewhere secure (via an encrypted connection, obviously, i.e. SSL). You might even be able to use shared web credentials for this, but I haven't looked into that too deeply, so I am not sure whether both apps can be configured to be associated with that website (they're coming from two different teams, after all, but it might be allowed).
Even then, some users might "miss" the update of the older app before the transfer (and update to the "new" one), then they would have to re-login anyways.
If you follow this idea, be aware that you're "moving around" users' private data in a new way! Considering the recent GDPR fuss this might even have strong legal implications, so check with your company's legal advisors about this, too!
Upvotes: 1
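The following Swift sketch is an added example, not code from any poster in this thread. It shows how an app can read its own default keychain access group (which begins with the App ID prefix both answers refer to) and how the transferred build can fall back to a fresh login when the old item is no longer reachable. The service, account and probe names are hypothetical.

```swift
import Foundation
import Security

/// Default keychain access group of the running app, "<App ID prefix>.<suffix>".
func defaultAccessGroup() -> String? {
    // Hypothetical probe item; it holds no secret and exists only to be read back.
    let probe: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "access-group-probe",
        kSecAttrAccount as String: "access-group-probe",
        kSecReturnAttributes as String: true
    ]
    var result: CFTypeRef?
    var status = SecItemCopyMatching(probe as CFDictionary, &result)
    if status == errSecItemNotFound {
        // First launch under this prefix: create the probe and read its attributes.
        status = SecItemAdd(probe as CFDictionary, &result)
    }
    guard status == errSecSuccess, let attrs = result as? [String: Any] else { return nil }
    return attrs[kSecAttrAccessGroup as String] as? String
}

enum SessionState { case restored(Data), needsLogin(OSStatus) }

/// Look up the stored session token; service and account names are hypothetical.
func restoreSession(service: String = "com.example.session",
                    account: String = "current-user") -> SessionState {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    if status == errSecSuccess, let token = item as? Data {
        return .restored(token)
    }
    // After a prefix change the old items are unreachable and the lookup
    // reports errSecItemNotFound: route the user to the login screen.
    return .needsLogin(status)
}
```

Logging the value of `defaultAccessGroup()` in the last build from the old account and the first build from the new one confirms whether the prefix actually changed before any re-login flow is shipped.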