Is it possible to use Touch-ID Authentication AND Keychain sharing in an iOS app?

I’ve been successfully able to implement TouchID with keychain as well as Keychain Sharing (syncing keychain items between multiple devices) separately. When I try to do them both, I get an error “-50“ which is invalid parameters. From the below code, removing either kSecAttrAccessControl or kSecAttrSynchronizable works as expected.

Based on my experience (read - a few days of frustration) so far, and based on the capabilities of some keychain API simplification tools like UICKeychainStore, it seems like if I use Touch ID Authentication, Keychain Sharing wouldn’t work and vice versa. I’m looking for Apple documentation that would state that, but I'm unable to find it.

I’ve gone through Apple’s SecItem.h page, and a useful piece of info I found states the following about kSecAttrAccessible and kSecAttrSynchronizable: "If both attributes are specified on either OS X or iOS, the value for the kSecAttrAccessible key may only be one whose name does not end with "ThisDeviceOnly", as those cannot sync to another device." However, I'm not using "ThisDeviceOnly" (I'm currently using kSecAttrAccessibleAlways for testing purposes).

Can you help in pointing out if and where Apple has documented this limitation? That would help me document it for the records, and move on. Thanks.

- (void)addKeychainItemWithIdentifier:(NSString *)identifier andData:(NSData *)data {

    CFErrorRef error = NULL;
    SecAccessControlRef sacObject;
    // Access control object that requires user presence (Touch ID or passcode).
    sacObject = SecAccessControlCreateWithFlags(kCFAllocatorDefault,
                                                kSecAttrAccessibleAlways,
                                                kSecAccessControlUserPresence, &error);
    if (sacObject == NULL || error != NULL)
    {
        NSString *msg0 = [NSString stringWithFormat:NSLocalizedString(@"SEC_ITEM_ADD_CAN_CREATE_OBJECT", nil), error];
        [self printResultWithMessage:msg0];
        return;
    }

    // kSecAttrSynchronizable and kSecAttrAccessControl are both set here;
    // this is the combination that returns -50 (invalid parameters).
    NSDictionary *attributes = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecValueData: data,
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAlways,
        (__bridge id)kSecAttrService: identifier,
        (__bridge id)kSecAttrSynchronizable: (__bridge id)kCFBooleanTrue,
        (__bridge id)kSecAttrAccessControl: (__bridge_transfer id)sacObject
    };

    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attributes, nil);
        NSError *statuserror = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        [self printResultWithMessage:[self keychainErrorToString:status]];
    });
}
SuPotter asked Apr 21 '15 22:04


2 Answers

I think I may have found the answer to this.

In WWDC 2014 video 711, the following is mentioned at 31:48:

ACL Protected Items - No Synchronization, No Back up

Thus Touch ID authentication cannot be used for Keychain Sharing between devices, as those items are Device-Only.

SuPotter answered Oct 17 '22 19:10
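
An added example, not code from the original posts or from Apple: one way to keep the two modes apart, following the answer's point that ACL-protected items are neither synchronized nor backed up. The names KSStorageMode and KSAddSecret are hypothetical, and the protection classes used are choices made for this example.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical names for this example. The two modes are kept mutually
// exclusive so an ACL and kSecAttrSynchronizable never reach SecItemAdd together.
typedef NS_ENUM(NSInteger, KSStorageMode) {
    KSStorageModeUserPresenceDeviceOnly, // Touch ID / passcode gate, stays on this device
    KSStorageModeSynchronizable          // syncs between devices, no ACL
};

static OSStatus KSAddSecret(NSString *service, NSData *secret, KSStorageMode mode) {
    if (service.length == 0 || secret == nil) {
        return errSecParam; // -50, the status reported in the question
    }
    NSMutableDictionary *attrs = [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecValueData:   secret
    } mutableCopy];

    if (mode == KSStorageModeUserPresenceDeviceOnly) {
        CFErrorRef cfError = NULL;
        // The protection class is passed to the ACL itself, so
        // kSecAttrAccessible is not set separately on this path.
        SecAccessControlRef acl = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
            kSecAccessControlUserPresence,
            &cfError);
        if (acl == NULL) {
            OSStatus code = cfError ? (OSStatus)CFErrorGetCode(cfError) : errSecAllocate;
            if (cfError) { CFRelease(cfError); }
            return code;
        }
        // Ownership of the ACL moves to ARC; no kSecAttrSynchronizable here.
        attrs[(__bridge id)kSecAttrAccessControl] = (__bridge_transfer id)acl;
    } else {
        // Sync path: no kSecAttrAccessControl, and an accessibility class
        // whose name does not end in "ThisDeviceOnly".
        attrs[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kCFBooleanTrue;
        attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)kSecAttrAccessibleWhenUnlocked;
    }
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}
```

A caller picks the mode per secret: values that must follow the user across devices go through the synchronizable path, and values that need a Touch ID gate stay device-only.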


This example project might help, the title is KeychainTouchID: Using Touch ID with Keychain and LocalAuthentication:

https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html

This might be limited to local though, no sharing.

LunaCodeGirl answered Oct 17 '22 21:10