How can I detect changes to iCloud keychain

Is there a way to get notified when the iCloud (or any) keychain is changed (items get added/deleted/changed)?

Something similar to the NSUbiquitousKeyValueStoreDidChangeExternallyNotification in KVS.

I suppose I could just file-watch the $HOME/Library/Keychains folder on OSX, but is there a better option? (would that even work on iOS?)

hnh asked Sep 01 '25 11:09

1 Answer

AFAIK the keychain service, no matter whether the keychain is only local or an iCloud keychain, never announces changes. The way you should be using the keychain also makes it quite questionable to do so.

Password data stored in the keychain is protected because it is encrypted at all times. Only when you request that data is it temporarily decrypted, just for you, and a decrypted copy is passed to your app and then discarded. You should use that decrypted copy for whatever task you needed it for and then discard it as well.

Why should you discard it? Because it is not secure to keep it around in your application. A root process can dump all memory of your application, and this dump will then also contain all cached passwords in plain text. And using a security flaw in iOS, maybe one we don't even know of yet, an attacker may be able to run code with root privileges (after all, all jailbreaks are based on such a flaw, so you see, they do exist).

And when you need it again? Then you fetch it again from the keychain. You should fetch the password from the keychain every time you need it. So why do you need to detect changes? When you fetch it, you either get a result, in which case you always have the latest password that was stored in the keychain, no matter how often it was updated in the last couple of minutes, or you get no result and thus know there is no such password in the keychain, as either there never was one or it has been deleted. You need to handle the "there never was a password" case anyway in your app, and usually you can handle the "the password was deleted" case identically.

Mecki answered Sep 04 '25 02:09
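The fetch-on-every-use pattern the answer describes, as an added example that is not part of the original question or answer. It assumes a generic-password item identified by a service and account name of the caller's choosing, uses Security.framework's SecItemCopyMatching with kSecAttrSynchronizable to address the iCloud keychain, and maps errSecItemNotFound to nil so that "never stored" and "deleted since the last fetch" share one code path; the helper names are hypothetical.

```swift
import Foundation
import Security

/// Error for any keychain status other than "found" or "not found".
/// Hypothetical type added for this example.
enum KeychainFetchError: Error {
    case unexpectedStatus(OSStatus)
}

/// Fetch the password for `account` under `service` from the keychain.
/// The decrypted bytes are produced by Security.framework for this one query;
/// nothing is cached here, so each call sees whatever is currently stored,
/// including updates synced from another device.
///
/// Returns nil both when the item never existed and when it has been deleted.
/// `synchronizable: true` queries the iCloud keychain (kSecAttrSynchronizable);
/// `false` queries the local keychain only. (Assumptions for this example.)
func fetchPassword(service: String, account: String, synchronizable: Bool) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrSynchronizable as String: synchronizable ? kCFBooleanTrue! : kCFBooleanFalse!,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecReturnData as String: true,
    ]

    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)

    switch status {
    case errSecSuccess:
        return result as? Data
    case errSecItemNotFound:
        // "Never stored" and "deleted since last time" are handled identically.
        return nil
    default:
        throw KeychainFetchError.unexpectedStatus(status)
    }
}

/// Example caller: fetch, use, overwrite, and let the value go out of scope.
/// `buildAuthorizationHeader` stands in for whatever the secret is needed for
/// (hypothetical; it returns the header value and is the only consumer of the secret).
func authorizationHeader(service: String, account: String) throws -> String? {
    guard var secret = try fetchPassword(service: service, account: account, synchronizable: true) else {
        // No credential right now: prompt the user or treat them as signed out.
        // Do not fall back to a copy retained from an earlier call.
        return nil
    }

    let header = buildAuthorizationHeader(from: secret)

    // Best-effort scrubbing before the buffer is released. Swift's Data has value
    // semantics, so this cannot guarantee every copy is zeroed, but it avoids
    // leaving the plaintext in this buffer for the rest of the process lifetime.
    secret.resetBytes(in: 0..<secret.count)
    return header
}

/// Hypothetical consumer: base64-encodes the secret into a bearer-style header.
func buildAuthorizationHeader(from secret: Data) -> String {
    return "Bearer " + secret.base64EncodedString()
}
```

The point of the structure is that no stored property ever holds the password: `authorizationHeader` asks the keychain each time, so a password changed by another device or deleted by the user is reflected on the next call without any change notification, which is exactly the argument the answer makes.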