Keychain data seems to be disappearing

[abc2mit]

SSKeychain has been working well for almost a year while I'm developing my app. I've run into a problem recently though that I haven't seem to be able to trace. Once in a while (and it seems random at times), the data I store in the keychain will now disappear. I'm not doing anything differently than before, so I'm not sure why the data isn't persisting.

I'm currently on iOS 7.1.1 on an iPhone 5S. Using Xcode6-beta6 and AppCode 3.0.4.

When I check [SSKeychain allAccounts] in debug, the array is empty.

Here's my code to create a new device ID, for example:

+ (NSUUID *)getDeviceID:(BOOL)refresh {
    NSError *error;
    NSString *deviceKey = [self getAppConfiguration:refresh][DEVICE_KEY];
    NSString *deviceUUID = [SSKeychain passwordForService:KEYCHAIN_SERVICE_IDENTIFIER account:deviceKey error:&error];
    if (deviceUUID) {
        return [[NSUUID UUID] initWithUUIDString:deviceUUID];
    }

    if (error) {
        NSLog(@"Unable to retrieve the device ID because of an error: %@", [error localizedDescription]);
    }

    // one does not exist, so create one
    NSUUID *newUUID = [NSUUID UUID];
    deviceUUID = [newUUID UUIDString];
    [SSKeychain setPassword:deviceUUID forService:KEYCHAIN_SERVICE_IDENTIFIER account:deviceKey];
    return newUUID;
}

Anyone else see this happening or have some ideas on what might be causing the issue?

[abc2mit]

Also, not sure if this is related to the issue: http://www.coderexception.com/C6bmuz36PXiQixJi/ios-keychain-data-lost-upon-iphone-memory-pressure

@soffes: do you store the password in memory?

[ay8s]

I've been having similar issues with SSKeychain under iOS 7 and now 8. I log out the keychain item and it returns null causing the login screen to be revealed again. Wonder if anyone else has seen a similar issue?

[calebd]

I have never had this problem. Have you tried logging errors on save to see if the save is unsuccessful? SSKeychain does not persist any data in memory. It goes directly to and from the keychain and the caller.

[ay8s]

The keychain item seems to be saving correctly as within my app the keychain is used straight away to call our API. It seems to happen after a few uses of the app which is entirely intermittent.

[abc2mit]

I sent an email, but it didn't seem to attach to this chain.

I'm still having the problem and the behavior is the same as Andrew's. It saves and can be recalled, but intermittently, I will get an errSecItemNotFound and then have to regenerate the NSUUID.

[calebd]

I don't think this is an issue with SSKeychain.

[abc2mit]

I'm currently working on something else, but I'll try to test by reverting to the last version of SSKeychain and also trying out a different keychain library.

[abc2mit]

I'm still having the problem and the behavior is the same as Andrew's. It saves and can be recalled, but every once in a while I get the errSecItemNotFound, even though the last attempt was just fine. 

Thanks!
Mike

Sent from my iPhone 5s
(Please excuse any typos or seemingly curt replies!)

mikeho // eecs bme 2004
650 815 5688 // proverbs 3:5-6

On Fri, Sep 5, 2014 at 12:34 PM, Andrew Yates [email protected]
wrote:

The keychain item seems to be saving correctly as within my app the keychain is used straight away to call our API. It seems to happen after a few uses of the app which is entirely intermittent.

Reply to this email directly or view it on GitHub:
#75 (comment)

[ay8s]

Digging into this more I am wondering if @abc2mit is doing background fetch anywhere? Wondering if the issue is anyway related to... https://blog.loom.com/how-we-fixed-the-ios7-forced-logout-bug-thats-been-plaguing-so-many-apps/

[abc2mit]

@ay8s Hmm... that's an interesting find! Thank you! Yes, I do use background fetch and location updates. But I never would've thought that would be the issue.

From what I can tell in the SSKeychain code, all I need to do is do this on launch:

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    [SSKeychain setAccessibilityType:kSecAttrAccessibleAlways];
...
}

Now for some reason, I'm always getting an OSStatus of -34018 when I try to save. Not sure if it's related to #52. Oddly enough, I am using iCloud sync, but iCloud is returning the correct information for me.

[abc2mit]

Okay, then, I decided to clean my build, delete the app from the phone and re-install. Seems to be ok so far. I will let this thread know if that solved the problem.

@ay8s thanks for the find!

[abc2mit]

I'll still keep this open for a little while longer, but I haven't hit any of my breakpoints that indicate that the data is now lost. It seems like it is now persistent between app reinstalls as well as restarts. Thanks again to @ay8s for finding that bug. It's so odd that it's not really well-documented. I hope that others find this discovery useful.

[Mallox51]

Hi,
Same problem for me here : i use SSKeyChain to store authentication info and sometimes (every 100-150 calls) data is lost, auth_token and auth_id are nil, so the user is sent back to the login screen.
I also use background refresh since it was introduced in iOS7

[TomLiu]

Hi,

we also put our deviceID in keychain and find our user fetch a nil sometimes. The error code is always errSecInteractionNotAllowed. I think a screen locker may cause the problem. As a data mentioned in this answer http://stackoverflow.com/questions/5392988/default-ksecattraccessible-value-for-keychain-items, the default value of kSecAttrAccessible is kSecAttrAccessibleWhenUnlocked after iOS5.1, I think @abc2mit 's answer is the right way to fix this.

[TomLiu]

@hewigovens

[abc2mit]

The change seems to be working. One note is that the documentation (https://developer.apple.com/library/ios/documentation/security/reference/keychainservices/index.html#//apple_ref/doc/constant_group/Keychain_Item_Accessibility_Constants) recommends using kSecAttrAccessibleAfterFirstUnlock instead of kSecAttrAccessibleAlways. It makes sense that you would want the user to unlock the device on restart first. Even with a restart, your app won't be running again until they open it, right?

[abc2mit]

After a while of testing the app, the fix in this thread fixed the issue. I'm closing this.

[dismory]

@abc2mit is right, kSecAttrAccessibleAlways is a better and more secure choice for most scenario.

Even apps with background mode enabled will not be launched after a restart. http://stackoverflow.com/questions/20682909/does-ios-start-app-in-background-after-reboot-if-remote-notification-defined-in

And as the doc says:

kSecAttrAccessibleAfterFirstUnlock: After the first unlock, the data remains accessible until the next restart. This is recommended for items that need to be accessed by background applications. Items with this attribute migrate to a new device when using encrypted backups.

[diegopizzocaro]

So even after having introduced the kSecAttrAccebleAlways in appDidFinishLaunching I am still experience the issue with iOS 8.1.2
I've now tried to include the same instruction into the methods appDidEnterBackground and also in appDidBecomeActive
Going a little blind here due to the intermittency of the issue...

[melochale]

I have the same issue here with ios 8.4.x and ios 9, I use SSkeychain to store the cipher key of AES, the code almost likes @abc2mit ’s. it's normal at the first beginning, but after a while (maybe ten minutes or longer，could be random time) it's lost and I can not decrypt the data any more. This situation occurred recently and App didn't change anything, how strange it is!

[rashidasgari]

Hi everyone, i am using UICKeychainStore (another key chain wrapper) and guess what, i am having the same problem on ios9. I think this problem is related to the way keychain is working on iphone. Sometimes keychain returns nil and i cannot seem to simulate it at all. sometimes it works fine for a few runs and then starts returning nil.

[soffes]

As @rashidasgari points out, this is not an issue with SSKeychain, but an issue with the system Keychain.