iOS 8 notification action: "Access to item attempted while keychain is locked" error when accessing keychain in "didFinishLaunchingWithOptions"

Question

I am observing a keychain error in the device console thrown by SecItemCopyMatching when acting on an iOS 8 push notification on a locked phone. The detailed repro steps are as follows:

1. Uninstall all previous versions of the app. Build an Appstore version of the app onto device. Force quit the app.
2. Increment build number, and build a newer version onto device. This simulates an app update flow. Force quit the app (In real life, the app might get killed by the OS due to memory pressure. Force quitting simulates this behavior).
3. Send a push notification to the app when the phone is locked.
4. With the phone locked, swipe left to see the action buttons and press one of the action buttons.
5. App gets woken up, didFinishLaunchingWithOptions gets called, which tries to access a keychain item. While running SecItemCopyMatching, an error Access to item attempted while keychain is locked shows up in the device console.

The complete error log is shown below. The last line gives the app specific error message.

ReportCrash[32481] <Error>: task_set_exception_ports(B07, 400, D03, 0, 0) failed with error (4: (os/kern) invalid argument)
ReportCrash[32481] <Notice>: ReportCrash acting against PID 31423
diagnosticd[32258] <Error>: error evaluating process info - pid: 31423, punique: 131317
ReportCrash[32481] <Notice>: Formulating crash report for process cfprefsd[31423]
com.apple.xpc.launchd[1] (com.apple.cfprefsd.xpc.daemon[31423]) <Notice>: Service exited due to signal: Bus error: 10
My App[32480] <Error>: assertion failed: 12F70: libxpc.dylib + 71768 [B870B51D-AA85-3686-A7D9-ACD48C5FE153]: 0x7d
Unknown[32480] <Error>: 
ReportCrash[32481] <Notice>: Saved report to /Library/Logs/CrashReporter/cfprefsd_2015-07-02-150139_Xianjing-Hus-iPhone.ips
securityd[32279] <Error>:  s3dl_query_row decode genp,rowid=8099 failed (-25308): The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to     unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.)
securityd[32279] <Error>:  securityd_xpc_dictionary_handler Okta Verify[32480] copy_matching The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt:     e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.)
My App[32480] <Error>:  SecOSStatusWith error:[-25308] The operation couldn’t be completed. (OSStatus error -25308 - Remote error : The operation couldn't be completed. (OSStatus error -25308 - ks_crypt: e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.))

A few things:

• The keychain item's accessibility is set to kSecAttrAccessibleAlways.
• As can be seen in the device log above, there is always a cfprefsd process crash prior to the issue.
• This issue only occurs on Appstore builds, not on debug builds.
• This issue only occurs when trying to act on notification on a locked phone.
• This issue only occurs when the app is newly updated, as described in the repro steps above.
• Because I force quit the app, when the push notification arrives and I pressed on the action button, my app will be launched in background. didFinishLaunchingWithOptions gets called, and inside this delegate method, I am doing my keychain access which throws the error.

Has anyone seen a similar error and if so, how did you resolve the issue? Any help is appreciated.

Update: Attaching cfprefsd crash log

Exception Type:  EXC_BAD_ACCESS (SIGBUS)
Exception Subtype: unknown at 0x00000001007d4000
Triggered by Thread:  2

Thread 0 name:  Dispatch queue: com.apple.libdispatch-manager
Thread 0:
0   libsystem_kernel.dylib          0x0000000197d88c24 kevent64 + 8
1   libdispatch.dylib               0x0000000197c6de6c _dispatch_mgr_invoke + 272
2   libdispatch.dylib               0x0000000197c5f998 _dispatch_mgr_thread + 48

Thread 1 name:  Dispatch queue: com.apple.root.default-qos.overcommit
Thread 1:
0   libsystem_kernel.dylib          0x0000000197da3984 __sigsuspend_nocancel + 8
1   libdispatch.dylib               0x0000000197c6921c _dispatch_sigsuspend + 24
2   libdispatch.dylib               0x0000000197c69200 _dispatch_sig_thread + 44

Thread 2 name:  Dispatch queue: src
Thread 2 Crashed:
0   libsystem_platform.dylib        0x0000000197e35300 _platform_memmove + 176
1   libxpc.dylib                    0x0000000197e6567c xpc_data_create + 84
2   CoreFoundation                  0x0000000185d5a9b8 -[CFPDSource acceptMessage:] + 1956
3   CoreFoundation                  0x0000000185dc0da8 __handle_synchronize_message_block_invoke103 + 172
4   CoreFoundation                  0x0000000185d57c58 __88+[CFPDSource withSourceForDomain:inContainer:user:byHost:managed:synchronously:perform:]_block_invoke_2 + 24
5   CoreFoundation                  0x0000000185d5955c __25-[CFPDSource lockedSync:]_block_invoke + 44
6   libdispatch.dylib               0x0000000197c5d950 _dispatch_client_callout + 12
7   libdispatch.dylib               0x0000000197c671e0 _dispatch_barrier_sync_f_invoke + 72
8   CoreFoundation                  0x0000000185d59520 -[CFPDSource lockedSync:] + 80
9   CoreFoundation                  0x0000000185d57c0c __88+[CFPDSource withSourceForDomain:inContainer:user:byHost:managed:synchronously:perform:]_block_invoke + 504
10  libdispatch.dylib               0x0000000197c5d950 _dispatch_client_callout + 12
11  libdispatch.dylib               0x0000000197c671e0 _dispatch_barrier_sync_f_invoke + 72
12  CoreFoundation                  0x0000000185d576fc +[CFPDSource withSourceForDomain:inContainer:user:byHost:managed:synchronously:perform:] + 364
13  CoreFoundation                  0x0000000185dc0508 handle_message + 1312
14  CoreFoundation                  0x0000000185dc081c __handle_multi_message_block_invoke_2 + 124
15  libxpc.dylib                    0x0000000197e657c0 xpc_array_apply + 76
16  CoreFoundation                  0x0000000185dc05f8 handle_message + 1552
17  CoreFoundation                  0x0000000185dbffd4 ____CFXPreferencesDaemon_main_block_invoke_5 + 132
18  libxpc.dylib                    0x0000000197e64cc8 _xpc_connection_call_event_handler + 64
19  libxpc.dylib                    0x0000000197e62bcc _xpc_connection_mach_event + 2156
20  libdispatch.dylib               0x0000000197c5da24 _dispatch_client_callout4 + 12
21  libdispatch.dylib               0x0000000197c6113c _dispatch_mach_msg_invoke + 488
22  libdispatch.dylib               0x0000000197c682d0 _dispatch_queue_drain + 2004
23  libdispatch.dylib               0x0000000197c60664 _dispatch_mach_invoke + 132
24  libdispatch.dylib               0x0000000197c6a314 _dispatch_root_queue_drain + 716
25  libdispatch.dylib               0x0000000197c6bc48 _dispatch_worker_thread3 + 104
26  libsystem_pthread.dylib         0x0000000197e3d228 _pthread_wqthread + 812
27  libsystem_pthread.dylib         0x0000000197e3ceec start_wqthread + 0

Answer 1

This error is definitely caused by trying to access an item that is kSecAttrAccessibleWhenUnlocked while device is still locked. You can tell this just by looking at the following line of the log you've provided:

securityd[32279] <Error>:  securityd_xpc_dictionary_handler Okta Verify[32480] copy_matching The operation couldn’t be completed. (OSStatus error -25308 - ks_crypt:     e00002e2 failed to unwrap item (class 6, bag: 0) Access to item attempted while keychain is locked.)

Class 6 is kSecAttrAccessibleWhenUnlocked (and kSecAttrAccessibleAlways is class 8) – see slide 15 of this deck for more details – so the behaviour you're seeing is expected.

The real question now is why the item ends up as kSecAttrAccessibleWhenUnlocked while you think it's kSecAttrAccessibleAlways. It is hard to tell without seeing more code and/or having more information, but here are few things to consider:

• Keychain items are not removed when app is uninstalled – they do survive app reinstallation/upgrade. So if an earlier version of the app created an item as kSecAttrAccessibleWhenUnlocked it could have just carried on. Try removing the item and creating it again (and check return values of SecItemDelete() and SecItemAdd() to be sure it's done).
• Double check that kSecAttrAccessibleAlways is passed to SecItemAdd() so that iOS doesn't apply any defaults on its own.
• Note that accessibility class must be passed when creating item (i.e. to SecItemAdd()) and not when retrieving it (i.e. not to SecItemCopyMatching()). This is kind of obvious but it never hurts to reiterate.

If none of the above helps please post relevant code showing how the item is created and then how it's read.