Swift : Unsafe Keychain usage
Classification
OWASP Mobile Top 10 2014
OWASP Mobile Top 10 2016
Overview
The declared method stores data in the Keychain even though the user has not set a passcode on the device.
There are several levels of access to the Keychain:
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly:
When using this attribute, the data in the Keychain is not accessible after the device restarts until the user unlocks the device once. After that, the data remains available until the next restart. It is recommended for items that a background application needs to access. Items with this attribute do not migrate to a new device.
kSecAttrAccessibleAlways:
Access to the data in the Keychain is always possible, regardless of whether the device is locked or not. Items with this attribute migrate to a new device when using encrypted backups.
kSecAttrAccessibleAlwaysThisDeviceOnly:
Access to the data in the Keychain is always possible, regardless of whether the device is locked or not. Items with this attribute do not migrate to a new device. Thus, after restoring from a backup, these items will not be available.
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly:
When using this attribute, access to the data in the Keychain is possible only when the device is unlocked. Available if a passcode is set on the device. It is recommended for items that should be available only when the screen is unlocked and the application is in the foreground. Items with this attribute never migrate to new devices. No items can be stored in this class on devices without a passcode. Disabling the device passcode causes all items in this class to be deleted.
kSecAttrAccessibleWhenUnlocked:
The data in the Keychain item can be accessed only while the device is unlocked by the user. This is recommended for items that need to be accessible only while the application is in the foreground. Items with this attribute migrate to new devices when restoring from a backup. This is the default value for Keychain items.
kSecAttrAccessibleWhenUnlockedThisDeviceOnly:
Access to the data in the Keychain is possible only when the device is unlocked by the user. It is recommended for use only when the application is in the foreground. These items do not migrate to new devices.
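One way to address this finding, shown as an added example that is not part of the original page: store the item under kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly and handle the two cases that class implies (the add fails on a device without a passcode, and the item disappears if the passcode is later disabled). Choosing this class assumes the secret should exist only on passcode-protected devices; the function names, the error type and the `service`/`account` parameters are hypothetical.

```swift
import Foundation
import Security

enum KeychainStoreError: Error { case unexpectedStatus(OSStatus) }

// `service` and `account` are hypothetical identifiers chosen by the caller.
func storeSecret(_ secret: Data, service: String, account: String) throws {
    let identity: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    // Drop any earlier copy so an item saved under a weaker class does not linger.
    SecItemDelete(identity as CFDictionary)

    var attributes = identity
    attributes[kSecValueData as String] = secret
    // A class that does not require a passcode (for example kSecAttrAccessibleAlways)
    // would store the item even on an unprotected device.
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly

    // On a device without a passcode the add fails; surface that to the caller
    // instead of silently falling back to a weaker class.
    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainStoreError.unexpectedStatus(status) }
}

// Returns nil when the item is absent, which is also the state after the user
// disables the passcode and the system deletes every item in this class.
func loadSecret(service: String, account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainStoreError.unexpectedStatus(status)
    }
}
```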
DerScanner Severity Score: MEDIUM