Objective-C : Insufficient access control to the keychain
Classification
Overview
The application uses potentially unsafe settings to control access to the keychain.
The kSecAttrAccessible attribute indicates when your app needs access to the data in a keychain item. You should choose the most restrictive option that meets your app’s needs.
The possible values of kSecAttrAccessible:
kSecAttrAccessibleAfterFirstUnlock - The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user. This is recommended for items that need to be accessed by background applications. Items with this attribute migrate to a new device when using encrypted backups.
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly - The data in the keychain item cannot be accessed after a restart until the device has been unlocked once by the user. This is recommended for items that need to be accessed by background applications. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleAlways - The data in the keychain item can always be accessed regardless of whether the device is locked. This is not recommended for application use. Items with this attribute migrate to a new device when using encrypted backups.
kSecAttrAccessibleAlwaysThisDeviceOnly - The data in the keychain item can always be accessed regardless of whether the device is locked. This is not recommended for application use. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleWhenUnlocked - The data in the keychain item can be accessed only while the device is unlocked by the user. This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute migrate to a new device when using encrypted backups. This is the default value for keychain items.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly - The data in the keychain item can be accessed only while the device is unlocked by the user. This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly - The data in the keychain can only be accessed when the device is unlocked. Only available if a passcode is set on the device. Items with this attribute never migrate to a new device. After a backup is restored to a new device, these items are missing.
The application uses the kSecAttrAccessibleAfterFirstUnlock[ThisDeviceOnly] or kSecAttrAccessibleAlways[ThisDeviceOnly] value. Make sure that such access settings are necessary for the application to function.
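The flagged setting beside a more restrictive one, as an added example that is not code from this page or from any analyzed application. The service name and function names are hypothetical, and the hardened variant assumes the token is needed only while the app is in the foreground.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical service name, used only for this example.
static NSString * const kExampleService = @"com.example.app.session";

// Flagged pattern: the item stays readable while the device is locked.
static OSStatus StoreTokenWeak(NSData *token, NSString *account) {
    NSDictionary *attrs = @{
        (__bridge id)kSecClass:          (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:    kExampleService,
        (__bridge id)kSecAttrAccount:    account,
        (__bridge id)kSecValueData:      token,
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAlways
    };
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Hardened: readable only while unlocked, and never migrates to another device.
static OSStatus StoreTokenRestricted(NSData *token, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kExampleService,
        (__bridge id)kSecAttrAccount: account
    };
    NSDictionary *values = @{
        (__bridge id)kSecValueData:      token,
        (__bridge id)kSecAttrAccessible:
            (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    };
    NSMutableDictionary *attrs = [query mutableCopy];
    [attrs addEntriesFromDictionary:values];

    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
    if (status == errSecDuplicateItem) {
        // An item saved earlier keeps its old accessibility value until it is
        // updated, so rewrite both the data and the attribute on the existing item.
        status = SecItemUpdate((__bridge CFDictionaryRef)query,
                               (__bridge CFDictionaryRef)values);
    }
    return status;
}
```

Items written by an earlier build with a weaker value are not tightened automatically; the SecItemUpdate branch is what migrates them.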
