7

We have an iOS app that has been released. The IDE is Xcode 6. I want to add keychain sharing to access the sessionID that exists in the app from an iOS 8 share extension.

The problem is that whenever keychain sharing is turned on, the sessionID that already exists can no longer be accessed.

It can be accessed whenever keychain sharing is turned off.

This dictionary is passed into SecItemCopyMatching, which always returns -25300 (not found) whenever keychain sharing is enabled, no matter what the "Keychain Groups:" is.

    [0] (null)  @"svce" : @"SESSION_ID_KEY"
    [1] (null)  @"r_Data" : @"1"
    [2] (null)  @"m_Limit" : @"m_LimitOne"
    [3] (null)  @"class" : @"genp"
    [4] (null)  @"acct" : @"SESSION_ID_KEY"
    [5] (null)  @"pdmn" : @"ck"

Any idea why access to the key might not work? I tried setting kSecAttrAccessGroup with the bundle prefix and name and it still did not work on the simulator.

hellolight

2 Answers

7

Hopefully I got your answer and the bounty :)

I had the same issue originally and came across this post, and I know you mentioned you tried with the bundle prefix and name. But let's run through a sanity check.

In the MyApp.entitlements and in MyApp Extension.entitlements I have the Keychain Access Groups set to $(AppIdentifierPrefix)com.company.MyApp (this is the default).

I accessed the value for ABCD1234 (aka the AppIdentifierPrefix value) using this SO answer: https://stackoverflow.com/a/20340883 However, hardcoding may not be best practice here, so consider looking at a solution like this: https://stackoverflow.com/a/11841898/2588957

Then note that in my app, all I added to make my current code work is the following: `[keychainItem setObject:@"ABCD1234.com.company.MyApp" forKey:(__bridge id)kSecAttrAccessGroup];` before updating the item, and I can now access the keychain item in my share extension.

Drmorgan
  • 3
    This works for sharing new data in the keychain between the app and the extension, but the old data that used to exist in the app before adding the keychain sharing can no longer be accessed. When keychain sharing is disabled the old data can be accessed again. – hellolight Oct 24 '14 at 15:47
  • 2
    @hellolight I just verified that using the same default Keychain Access Group works to retrieve data from the non-shared Keychain after Keychain sharing is enabled. Also, make sure you are setting the same value for kSecAttrService in all the apps that will share Keychain access. To verify the entitlements of your app you can use this command from terminal `$ codesign -d --entitlements :- /path/to/MyProject.app`. It will help to make sure your Keychain Access Groups are correct. – FernandoEscher Oct 24 '14 at 19:01
  • Did you do anything special to retrieve the non-shared data? Which keys in the keychainItem dictionary did you set? Is the svce and acct a unique id for you? – hellolight Oct 24 '14 at 19:15
  • This is actually working on the device, the simulator is what was giving me the issue. Thanks guys! – hellolight Oct 24 '14 at 19:24
1

I had a similar issue when implementing inter-app communication in iOS 7 a couple of months ago. I found this remark on Apple's GenericKeyChain sample project:

        // Apps that are built for the simulator aren't signed, so there's no keychain access group
        // for the simulator to check. This means that all apps can see all keychain items when run
        // on the simulator.
        //
        // If a SecItem contains an access group attribute, SecItemAdd and SecItemUpdate on the
        // simulator will return -25243 (errSecNoAccessForItem).

So if you're testing on a Simulator you need to remove the "kSecAttrAccessGroup".

On a device it should work with this key.

Yoshkebab
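The two answers combined, as an added example that is not code from either poster or from Apple's sample: it reads the session item from the question without an access-group filter, and moves the pre-existing item into the shared group only on device builds. The function names are hypothetical, `ABCD1234.com.company.MyApp` is the placeholder group from the first answer, and moving an item with `SecItemUpdate` assumes the app is entitled to both the old and the new group.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <TargetConditionals.h>

// Placeholder values: the group from the first answer, the key from the question.
static NSString * const kSharedGroup = @"ABCD1234.com.company.MyApp";
static NSString * const kSessionKey  = @"SESSION_ID_KEY";

// Base query identifying the generic-password item ("genp") from the question.
static NSMutableDictionary *SessionQuery(void) {
    return [@{ (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
               (__bridge id)kSecAttrService: kSessionKey,
               (__bridge id)kSecAttrAccount: kSessionKey } mutableCopy];
}

// Reads the session ID. No kSecAttrAccessGroup is set, so the search covers
// every access group the calling binary is entitled to (old and shared).
NSData *ReadSessionID(OSStatus *outStatus) {
    NSMutableDictionary *query = SessionQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) { *outStatus = status; }   // errSecItemNotFound is -25300
    return (status == errSecSuccess) ? (__bridge_transfer NSData *)result : nil;
}

// Moves the item that existed before keychain sharing into the shared group,
// so the share extension (which holds only that group) can read it.
OSStatus MoveSessionIDToSharedGroup(void) {
#if TARGET_OS_SIMULATOR
    // Per the remark quoted above: simulator builds are unsigned, and an
    // access-group attribute makes SecItemUpdate fail with -25243 there.
    return errSecSuccess;
#else
    NSDictionary *update = @{ (__bridge id)kSecAttrAccessGroup: kSharedGroup };
    return SecItemUpdate((__bridge CFDictionaryRef)SessionQuery(),
                         (__bridge CFDictionaryRef)update);
#endif
}
```

Once the item is in the shared group, every binary signed with that keychain access group entitlement can read the session ID, so keep the group list in both `.entitlements` files as short as the extension needs.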