We have an enterprise iOS SDK that uses the Keychain to store highly sensitive information. This information is not available to the client's app.

I've always thought that you need a key to fetch the associated value from the Keychain. But recently, I found out you can ask the Keychain to return all the stored keys (IMHO, this is a bad design).

Since the client's app can easily fetch all the Keychain elements, I'd really like to create a separate Keychain store for the SDK only. I've looked over SO questions but never found an answer.

TL;DR: How to create a separate Keychain store in iOS?


1 Answer


You can't.

The security boundary for the Keychain is the app (or the Keychain identifier across multiple apps from the same developer if you enable Keychain sharing).

Once your framework is embedded in the client app, it is part of the client app. It doesn't have its own context or process space or anything to distinguish its code from the client code.

If code in your framework puts something in the Keychain then, to iOS, it is the client app that has put something in the Keychain, and there is no reason to keep a secret from itself.

Even if you could create a Keychain just for your framework, presumably the code that puts the information in the Keychain is in your framework, so an attacker could just decompile your framework to obtain the information.
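To make the answer's point concrete, here is an added Swift example (not code from the question or the answer) showing the two sides of the boundary: a hypothetical SDK function that stores a secret under a service/account name of its own choosing, and a host-app function that enumerates every generic-password item the app can see without knowing those names. The service name, account name and token value are constructed for the example. Because both pieces of code run inside the same app, the Keychain treats them identically and the host-app query returns the SDK's item along with everything else.

```swift
import Foundation
import Security

// Hypothetical SDK-side storage. The service/account names are assumptions for this example;
// in a real SDK they would be compiled into the framework binary.
enum VendorSDKStorage {
    static let service = "com.example.vendorsdk.secrets"   // constructed name

    // Stores `secret` as a generic-password item, replacing any previous copy.
    @discardableResult
    static func store(secret: Data, account: String) -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: service,
            kSecAttrAccount as String: account,
            kSecValueData as String: secret,
            // Limits the item to this device and to unlocked state; it does not hide it from the host app.
            kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        ]
        SecItemDelete(query as CFDictionary)
        return SecItemAdd(query as CFDictionary, nil)
    }
}

// Host-app-side code. Nothing here references the SDK's service or account names:
// kSecMatchLimitAll returns every generic-password item in the app's Keychain context.
func dumpAllGenericPasswords() -> [(service: String, account: String, value: String)] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,
        kSecReturnData as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []
    }
    return items.compactMap { item in
        guard let service = item[kSecAttrService as String] as? String,
              let account = item[kSecAttrAccount as String] as? String,
              let data = item[kSecValueData as String] as? Data else {
            return nil
        }
        return (service: service, account: account, value: String(decoding: data, as: UTF8.self))
    }
}

// Usage: the "SDK" stores a constructed token, then the "host app" lists everything it can read.
VendorSDKStorage.store(secret: Data("constructed-example-token".utf8), account: "session")
for entry in dumpAllGenericPasswords() {
    print("\(entry.service) / \(entry.account): \(entry.value)")
}
```

Running this inside a single iOS app prints the SDK's item alongside any other generic-password entries the app has stored. The only Keychain-level partitioning available is the access group (`kSecAttrAccessGroup`), which the answer refers to as Keychain sharing; it separates items between apps or app groups with different entitlements, not between a framework and the app that embeds it.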