Reputation: 669
Relevance of kSecAttrIsInvisible in iOS
The Keychain item attribute key kSecAttrIsInvisible is described as:
A key whose value is a Boolean indicating the item's visibility.
This has been available in the iOS SDK since iOS 2.0+.
I assume that this may hide the Keychain item from appearing on a macOS system where the user can view the Keychain items via the Keychain Access app.
My question is, what does enabling this attribute key do on an iOS device, if anything?
Upvotes: 2
Views: 358
Answers (2)
Reputation: 1027
I just posted this followup on the Apple dev forum thread:
BEWARE anyway :
I recently added this attribute to hide some items from my iOS application when the iCloud keychain is active and can be seen on a Mac, also because the MacOS version of our app is now almost ready.
And we faced critical situation where iOS users where unable to store their purchases in the Keychain because of this obscure and undocumented behaviour :
- If you setup a dictionary to delete and rewrite an item in the KC, adding the kSecAttrIsInvisible attribute, then the delete will FAIL if the previous write was done without the invisible attribute. The error is errSecItemNotFound. Because the item is not deleted, it can't be stored again.
- On the contrary, an item stored with the invisible attribute can be deleted with a query dictionary including or not including the attribute.
So to correctly migrate to using this attribute one should :
- Delete an item with a query without the kSecAttrIsInvisible attribute.
- If the delete fails, redo the delete with the attribute. We did not see that situation but it should be planned in the code.
- Then write the item with the attribute.
Future delete can succeed with the attribute, but the previous steps work with only one attempt to delete in any case we tested.
Upvotes: 1
Reputation: 669
I received a response to this on the Apple Developer forums:
I assume that this may hide the Keychain item from appearing on a macOS system where the user can view the Keychain items via the Keychain Access app.
Correct.
My question is, what does enabling this attribute key do on an iOS device, if anything?
Not much. Given that iOS does not have a general-purpose way to view keychain items, the only specific effect I can think of relates to iCloud Keychain. If the item gets sync’d over to a Mac via iCloud Keychain, you might want to make it invisible there.
Upvotes: 1
Related Questions
- iOS Keychain - what is the difference between kSecClassGenericPassword and kSecClassInternetPassword?
- kSecAttrAccount and kSecAttrGeneric
- Default kSecAttrAccessible value for keychain items?
- SecItemCopyMatching and kSecAttrAccessible in Keychain
- kSecAttrAccessibleAlways deprecated in ios 9
- understanding kSecAttrAccessGroup
- Why is the Keychain accessible when the device is locked when using kSecAttrAccessibleWhenUnlocked?
- What would happen if kSecAttrIsPermanent is set to NO?
- What is the Purpose of Adding a Keychain Wrapper to my iOS app?
- What does kSecReturnPersistentRef do?