Reputation: 20590
I am trying to use an "applicationPassword" to protect the data that a user stores in the Keychain.
Everything works perfectly on a real device but unfortunately things don't work at all on the simulator.
In order to get started I have this very basic code to set the applicationPassword.
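```swift
import LocalAuthentication

// Attach the application password to an authentication context.
let authenticationContext = LAContext()
let applicationPassword = "123".data(using: .utf8)
let result = authenticationContext.setCredential(applicationPassword, type: .applicationPassword)
print(result)
```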
The call to setCredential returns true on a real device but false on the simulator.
Please help :-)
If this isn't supported on the Simulator then it isn't really a feasible solution.
Here is Apple's documentation, for reference:
https://developer.apple.com/documentation/localauthentication/lacontext/1514168-setcredential
Upvotes: 0
Views: 1762
Reputation: 20590
It would seem that applicationPassword works in conjunction with the device's system passcode.
And therefore an applicationPassword will NOT work on:
I have ascertained this information from the below sources:
WWDC 2015 - Session 706 - Security & Your Apps (see around 43:23 of video)
Transcript: https://asciiwwdc.com/2015/sessions/706?q=applicationpassword
Now, let's look at an item protected with ApplicationPassword.
Just the device passcode is no longer sufficient.
Your application has also got to provide its own password.
Again, we derive a cryptographic key from it, and it's only when the device passcode and the app password are both present that access is granted to the Keychain item.
https://nabla-c0d3.github.io/blog/2015/06/16/ios9-security-privacy/
Keychain items can now be encrypted using both the device’s passcode and an “Application password”; both values are then needed to decrypt and retrieve the item. This allows Apps to control when the data is accessible/decrypted, instead of having the data decrypted as soon as the device is unlocked.
https://macbirdie.net/2016/03/app-pwd
The other interesting new feature is securing the keychain items using an application-provided password, which is an additional factor to device unlock PIN or passcode.
The password can either come from the user or, as the session 706’s presenter suggested, either can be an additional token sent by the server or a secret kept on a device connected to the phone.
This security scheme requires at least a device passcode to exist, since it works with it in tandem. As a result of that it’s not possible to test it on the iOS Simulator, which makes developing the support for it a little harder, because when you add a keychain item protected that way, no actual password is even required to retrieve it.
It's a shame that none of Apple's own documentation seems to make a mention of this:
Upvotes: 4
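The scheme described in the answer above, as an added example that is not part of the original posts: a Keychain item is written and read with an applicationPassword access-control flag, and the code refuses to continue when setCredential returns false, so the item is never stored without the app password in effect. The service name, the error enum, the function names and the choice of kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly are assumptions made for this example.

```swift
import LocalAuthentication
import Security

enum AppPasswordError: Error {
    case credentialNotSet        // setCredential returned false (reported above for the Simulator)
    case accessControl           // the access-control object could not be created
    case keychain(OSStatus)      // SecItemAdd / SecItemCopyMatching failed
}

let service = "com.example.demo" // hypothetical service name

/// Returns an LAContext carrying the app password, or throws rather than proceeding without it.
func makeContext(appPassword: Data) throws -> LAContext {
    let ctx = LAContext()
    guard ctx.setCredential(appPassword, type: .applicationPassword) else {
        throw AppPasswordError.credentialNotSet
    }
    return ctx
}

func store(_ secret: Data, account: String, appPassword: Data) throws {
    let ctx = try makeContext(appPassword: appPassword)
    // Accessibility class chosen for this example: the item exists only while a device passcode is set.
    guard let access = SecAccessControlCreateWithFlags(
        nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, .applicationPassword, nil)
    else { throw AppPasswordError.accessControl }
    let attrs: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecValueData as String: secret,
        kSecAttrAccessControl as String: access,
        kSecUseAuthenticationContext as String: ctx,
    ]
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess else { throw AppPasswordError.keychain(status) }
}

func load(account: String, appPassword: Data) throws -> Data? {
    let ctx = try makeContext(appPassword: appPassword)
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecUseAuthenticationContext as String: ctx,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw AppPasswordError.keychain(status) }
    return item as? Data
}
```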