55

I am describing a problem for which it took me quite some time to learn the answer.

The "GenericKeychain" example is a good start at providing a wrapper for sharing keychain data between applications when using the accessGroup in the init.

However, implementing this in my app yielded an obscure error code (which took forever to locate) -25243, which means: No access control.

I ran Apple's example app (GenericKeychain) on my iPad only to get the same error. Huh?

Does Apple's documentation fail to deliver on what is necessary to accomplish this?

Ondrej Skalicka
GtotheB
  • @GtotheB, nice answer! If you want, separate your answer from the question and post it as an "answer" to this question. – Jesse Beder Nov 10 '10 at 02:54
  • @GtotheB: What happened when you tried to post an answer? There might be a minimum reputation required, but if so, I wasn't aware of it. If that's the case, it'd be worth it to come back to this question and post an answer once you've earned more rep. – outis Nov 10 '10 at 09:09
  • @GtotheB: Could you answer your own question now? – kennytm Nov 14 '10 at 09:30
  • Clicking "Answer" resulted in nothing. However, it does seem it was reputation-related. I had cleared all of my cookies and lost all of my previous rep, so I started from scratch it seems. Now the answer is separated. Cheers. – GtotheB Nov 15 '10 at 21:50
  • Is it necessary for the apps to be uploaded to the App Store for sharing data through keychain between the apps? How can we check this for our development purposes? – Imran Jan 09 '15 at 09:32
  • See http://shaune.com.au/ios-keychain-sharing-data-between-apps/ – onmyway133 Aug 14 '15 at 05:00

2 Answers

53

After some (a lot of) digging throughout the web, I found the answer. The access Group that you use when constructing your KeychainItemWrapper class must ALSO be specified in each of your application's Entitlements.plist file in the "keychain-access-groups" section.

It seems almost obvious now that I see "keychain-access-groups". However, I had no idea to even look there. Hope this helps others.

GtotheB
  • 3
    I found the following link quite useful for giving more details. http://useyourloaf.com/blog/2010/04/03/keychain-group-access.html – DBD Aug 16 '12 at 19:35
  • 4
    Be careful, in new Xcode (4.5.2), there is a setting for keychain groups in app summary tab in settings. You can set the group name there, but smart Xcode prepends $(AppIdentifierPrefix) but does not show it in the summary. You can see it in actual plist file and edit there. In short, if you are setting keychain group from summary page, do NOT write bundle seed ID, Xcode adds it automatically. And hides it in the summary page, because it is, well, apple software. – mentat Jan 22 '13 at 15:26
  • I have a follow up question: Do your apps have the same bundle/developer seed ID? Or you just used the Entitlements.plist to share the data between keychain groups? – radj Apr 16 '13 at 10:44
  • 2
    Is it possible to share keychain-access-groups with another company? Let's say I create an app with an access group, but I want an app from another company to be able to share information as well? – Redwarp May 06 '13 at 13:01
  • 1
    If anyone still has a problem with error -25243 and trying to share same keychain between several apps, what worked for me is to set the keychain seed id hardcoded in the entitlements plist file instead of $(AppIdentifierPrefix) being automatically appended by Xcode: http://postimg.org/image/52m2p4aor/ – Gal Blank Nov 14 '13 at 17:14
  • Also, be sure to use the `AppIdentifierPrefix` in the `accessGroup`, if you just use the bundle identifier it won't work. – Edgar Oct 26 '14 at 15:18
  • Is it necessary for the apps to be uploaded to the App Store for sharing data through keychain between the apps? How can we check this for our development purposes? – Imran Jan 09 '15 at 09:32
  • @Imran Keychain is at the device level, so the app store is irrelevant. However, Apple has added the "Keychain Sharing" capability to projects since this topic was created, so you can review that on Apple's website. – GtotheB Sep 29 '15 at 17:50
  • Just a note for those looking for keychain sharing between iOS and watchOS 2+. Keychain sharing is NOT available between the WatchKit extension (on watchOS 2+) and its companion iOS app, so you will need to use another way to transfer data between those devices, like the new [WatchConnectivity](https://developer.apple.com/library/watchos/documentation/WatchConnectivity/Reference/WatchConnectivity_framework/index.html) framework. https://forums.developer.apple.com/thread/5938 – Alexandre OS Oct 22 '15 at 14:44
14

Actually it's not hard to do. Please follow the steps.

App1:

  1. Open your App's target Capabilities and enable Keychain Sharing.
  2. Add an identifier (e.g. com.example.sharedaccess).
  3. Add "UICKeyChainStore" to your project.
  4. Be sure you have a team ID added to your App1 project.
  5. Add Security.framework to your App1 project.
  6. Add this code wherever you need it:

    [UICKeyChainStore setString:@"someValue" forKey:@"someKey" service:@"someService"];
    

App2:

  • Open your App's target Capabilities and enable Keychain Sharing.
  • Add an identifier (e.g. com.example.sharedaccess).
  • Add "UICKeyChainStore" to your project.
  • Be sure you have a team ID added to your App2 project.
  • Add Security.framework to your App2 project.
  • Add this code wherever you need it:

    NSString *string = [UICKeyChainStore stringForKey:@"someKey" service:@"someService"];
    
  • Your Team IDs should be the same for both projects.

  • I tried these steps on a real iPhone device.
  • I also tried these steps with Automatic and iOS Development provisioning profiles.
  • My apps' bundle identifiers were like this: com.example.app1, com.example.app2.
alicanbatur
  • 2
    Note that "As you can see we are not specifying the accessGroup. By default it will pick the first access-group specified in your Entitlements.plist when writing and will search across all access-groups when none is specified." – onmyway133 Aug 14 '15 at 05:00
  • @alicanbatur, great ! One thing to notice, above process didn't work if "service" was not specified. – sabiland Oct 07 '15 at 07:07
  • You saved me a lot, @alicabatur. Thanks. – Sanju Jun 24 '16 at 11:51
  • Did not work for me. I did the same steps but [UICKeyChainStore stringForKey:@"someKey" service:@"someService"] returns nil – Fadi Abuzant Mar 30 '18 at 13:27
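
The setup both answers describe (a `keychain-access-groups` entitlement in each app, then a write in App1 and a read in App2), written against Security.framework directly with an explicit access group. This is an added example, not code from the thread or from UICKeyChainStore; the team prefix `ABCDE12345` is a constructed placeholder, the function names are hypothetical, and ARC is assumed.

```objc
// Added example. Assumes BOTH apps' entitlements files contain:
//   <key>keychain-access-groups</key>
//   <array><string>$(AppIdentifierPrefix)com.example.sharedaccess</string></array>
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder prefix (constructed); the real value is your own App ID prefix / Team ID.
// The group passed to the keychain API must include the prefix, not just the identifier.
static NSString * const kSharedGroup = @"ABCDE12345.com.example.sharedaccess";

// Attributes that identify the shared item; identical in both apps.
static NSMutableDictionary *BaseQuery(NSString *key) {
    return [@{
        (__bridge id)kSecClass:           (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:     @"someService",
        (__bridge id)kSecAttrAccount:     key,
        (__bridge id)kSecAttrAccessGroup: kSharedGroup,
    } mutableCopy];
}

// App1: store the value, replacing any existing item. Returns the raw OSStatus.
OSStatus SharedKeychainSet(NSString *key, NSString *value) {
    NSMutableDictionary *query = BaseQuery(key);
    SecItemDelete((__bridge CFDictionaryRef)query);   // ignore "not found"
    query[(__bridge id)kSecValueData] = [value dataUsingEncoding:NSUTF8StringEncoding];
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
    if (status == errSecNoAccessForItem) {            // -25243, the status from the question
        NSLog(@"Keychain refused group %@: check keychain-access-groups in the entitlements",
              kSharedGroup);
    }
    return status;
}

// App2: read the value back. Returns nil and sets *outStatus on failure.
NSString *SharedKeychainGet(NSString *key, OSStatus *outStatus) {
    NSMutableDictionary *query = BaseQuery(key);
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess) return nil;          // e.g. errSecItemNotFound
    NSData *data = (__bridge_transfer NSData *)result;
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}
```

Returning the `OSStatus` instead of a bare `nil` makes it possible to tell a missing item apart from a rejected access group when the read in App2 comes back empty.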