Adding keychain sharing to production app that already has users

We have an iOS app that has been released. The IDE is Xcode 6. I want to add keychain sharing to access the sessionID that exists in the app from an iOS 8 share extension.

Problem is whenever keychain sharing is turned on, the sessionID that already exists can no longer be accessed.

It can be accessed whenever keychain sharing is turned off.

This dictionary is passed into SecItemCopyMatching, which always returns -25300 (not found) whenever keychain sharing is enabled, no matter what the "Keychain Groups:" is.

[0] (null)  @"svce" : @"SESSION_ID_KEY"   
[1] (null)  @"r_Data" : @"1"    
[2] (null)  @"m_Limit" : @"m_LimitOne"  
[3] (null)  @"class" : @"genp"  
[4] (null)  @"acct" : @"SESSION_ID_KEY"   
[5] (null)  @"pdmn" : @"ck" 

Any idea why access to the key might not work? I tried setting kSecAttrAccessGroup with the bundle prefix and name and it still did not work on the simulator.

hellolight asked Oct 15 '14 20:10


2 Answers

Hopefully I got your answer and the bounty :)

I had the same issue originally and came across this post, and I know you mentioned you tried with the bundle prefix and name. But let's run through a sanity check.

In the MyApp.entitlements and in MyApp Extension.entitlements I have the Keychain Access Groups set to $(AppIdentifierPrefix)com.company.MyApp (this is the default).

I accessed the value for ABCD1234 (aka AppIdentifierPrefix value) using this SO answer https://stackoverflow.com/a/20340883; however, hardcoding may not be best practice here, so consider looking at a solution like this: https://stackoverflow.com/a/11841898/2588957

Then note that in my app, all I added to make my current code work is the following: [keychainItem setObject:@"ABCD1234.com.company.MyApp" forKey:(__bridge id)kSecAttrAccessGroup]; before updating the item, and I can now access the keychain item in my share extension.

Drmorgan answered Sep 30 '22 13:09


I had a similar issue when implementing inter-app communication in iOS 7 a couple of months ago. I found this remark on Apple's GenericKeyChain sample project:

        // Apps that are built for the simulator aren't signed, so there's no keychain access group
        // for the simulator to check. This means that all apps can see all keychain items when run
        // on the simulator.
        //
        // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
        // simulator will return -25243 (errSecNoAccessForItem).

So if you're testing on a Simulator you need to remove the "kSecAttrAccessGroup".

On a device it should work with this key.

Yoshkebab answered Sep 30 '22 11:09
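The two answers combined, as an added example that is not code from either answer or from Apple's sample: a one-time migration that moves the existing session item into the shared access group on a device and skips the access group on the simulator. The helper name `MigrateSessionItemToSharedGroup` is hypothetical, `ABCD1234.com.company.MyApp` is the placeholder group from the first answer, and the code assumes the updated app can still match the old item when no access group is given in the query.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <TargetConditionals.h>

// Placeholder from the answer above: use the "<AppIdentifierPrefix>.<group>"
// value listed under Keychain Access Groups in both entitlements files.
static NSString * const kSharedAccessGroup = @"ABCD1234.com.company.MyApp";
static NSString * const kSessionKey = @"SESSION_ID_KEY";

// Hypothetical helper: call once at launch of the updated containing app.
// Returns errSecSuccess when the session item is readable from the shared group.
OSStatus MigrateSessionItemToSharedGroup(void) {
    // Identify the item by class, service and account only (as in the question).
    NSDictionary *identity = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kSessionKey,
        (__bridge id)kSecAttrAccount: kSessionKey,
    };

#if TARGET_OS_SIMULATOR
    // Simulator builds are unsigned, so no access group is set or checked;
    // just report whether the item exists.
    return SecItemCopyMatching((__bridge CFDictionaryRef)identity, NULL);
#else
    // 1. Already migrated? Look only inside the shared group.
    NSMutableDictionary *shared = [identity mutableCopy];
    shared[(__bridge id)kSecAttrAccessGroup] = kSharedAccessGroup;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)shared, NULL);
    if (status != errSecItemNotFound) {
        return status; // found, or a real error the caller should see
    }

    // 2. Not there yet: match the item in whichever group it was created in
    //    and change only its access group attribute.
    NSDictionary *change = @{ (__bridge id)kSecAttrAccessGroup: kSharedAccessGroup };
    status = SecItemUpdate((__bridge CFDictionaryRef)identity,
                           (__bridge CFDictionaryRef)change);
    if (status != errSecSuccess) {
        // Log the status code only, never the session value itself.
        NSLog(@"Keychain migration failed: %d", (int)status);
    }
    return status;
#endif
}
```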