Comments on: Is There Any Point To Using The Keychain API On iPhone?

By: Jens Alfke

Jens Alfke — Thu, 09 Jul 2009 20:27:54 +0000

Scott — I filed a Radar last month requesting that Apple post the source code to the iPhone security stack, just as they’ve long posted the Mac security code. That would help a lot in figuring out how the keychain actually works!

By: Scott Thompson

Scott Thompson — Thu, 09 Jul 2009 19:42:51 +0000

I agree that documentation is a major hurdle for the keychain API on the phone. It’s nice that you can query the keychain by putting together a fairly arbitrary set of properties, but it appears that only some of the properties are actually used when running the query. Figuring out which might be used and which are not is… a challenge.

Now that 3.0 has been released, it is the case that two applications can be set up to share their keychains, however, there is a bug that if you do that the two applications will not be able to participate in the notifications API.

By: Jens Alfke

Jens Alfke — Tue, 30 Jun 2009 16:07:28 +0000

Craig — Thanks for the link. I had not seen any explicit confirmation that the keychain file is in fact encrypted on the iPhone. That’s good to know — thanks!

By: Craig L. Ching

Craig L. Ching — Mon, 29 Jun 2009 18:23:21 +0000

Would you care to comment about why you think the keychain isn’t safe? According to this doc:

http://developer.apple.com/DOCUMENTATION/Security/Conceptual/keychainServConcepts/02concepts/concepts.html#//apple_ref/doc/uid/TP30000897-CH204-DontLinkElementID_3

it would appear that it is safe, even during app backup.

By: Jens Alfke

Jens Alfke — Thu, 18 Jun 2009 03:57:04 +0000

Yup — except that for some reason SQLCipher uses OpenSSL instead of the built-in crypto APIs, which makes your build process more complicated and your app bigger. Not sure why they did that (except maybe because it’s cross-platform.)

By: Dave Anderson

Dave Anderson — Thu, 18 Jun 2009 03:38:00 +0000

Such as this?

http://www.mobileorchard.com/tutorial-iphone-sqlite-encryption-with-sqlcipher/

By: Jens Alfke

Jens Alfke — Mon, 15 Jun 2009 14:36:39 +0000

Just occurred to me — A DIY key/password store could be made secure by using that recently-released sqlite encryption extension (I can’t remember what it’s called). The key for that file could be stored in the keychain; that way you only need two or three Keychain API calls to store and look up that key.

By: Michael Tsai

Michael Tsai — Mon, 15 Jun 2009 13:11:00 +0000

Peter: The backup should actually be more secure than the data on the phone (which only has the 4-digit unlock) because it's also encrypted with a (presumably longer) key that stays on the phone, according to Greg Parker.

By: Peter Hosey

Peter Hosey — Mon, 15 Jun 2009 04:27:21 +0000

If the keychain is unencrypted on the device, I’d assume it’s probably also unencrypted in the back-up on the user’s PC. That’s worse than unencrypted on the device, because the PC doesn’t have the iPhone’s security restrictions (Mac OS X’s sandboxing is voluntary, and I don’t know about Windows). Even in the possession of a thief, the back-up file is more exposed than the iPhone’s file-system.

Therefore, if Keychain does store data unencrypted on the device (assuming it doesn’t get encrypted on the way to the back-up), I say that that’s a bug worth filing.

Also, you should continue using and filing bugs against Keychain regardless of whether it’s encrypted. If it’s not, it’s no worse than anything else, but even then, Apple could start encrypting it in a future release—whereupon you should pick up that change for free.

By: Buzz Andersen

Buzz Andersen — Mon, 15 Jun 2009 02:57:03 +0000

I had someone who was using a jailbroken phone to get the keychain DB off the phone submit a bug for my iPhone keychain wrapper because he had noticed that the passwords were being stored in clear text. I made a fix assuming that the problem was that I was storing the passwords as “general” keychain objects, not as the special password type, but admittedly I’ve never been able to confirm that the fix was doing the right thing since I don’t want to jailbreak my phone.

I definitely agree with your criticisms of the keychain framework—it’s a complicated, poorly documented, confusing black box whose benefits are not at all well understood. I guess I started using it as a matter of course because I assumed it was the right, secure thing to do, but I would be curious to know the answers to your questions as well.