AzureAD/microsoft-authentication-library-common-for-objc

Security review issue (Weak Keychain Protection class - AccessibleAlways)

Closed this issue · 2 comments

Hi!
Thanks a lot for the help with the previous issue (AzureAD/microsoft-authentication-library-for-objc#1834), but there is another one from the security review. It is about the Keychain protection class (kSecAttrAccessibleAlways) used here:

[Screenshot 2023-09-12 at 16:03:55]

It is marked as a security issue (the following is a quote from the security report):

When adding these items to the Keychain, the App sets the items' Keychain protection class to kSecAttrAccessibleAlways, which is not only the weakest accessibility class but also results in the items being always decrypted and accessible, regardless of whether the device is locked.
Consequently, an attacker with physical access to the device may be able to extract this data from the device while it is locked and without access to the user's passcode. The attacker would have to compromise the device by exploiting a vulnerability to gain code execution (such as a buffer overflow in a driver) or within the App. After code execution, Keychain items protected with kSecAttrAccessibleAlways could be recovered even if the device is locked.
Additionally, the Apple documentation for the kSecAttrAccessibleAlways protection class specifies that it is "not recommended for App use."

I could not find a similar issue description here, sorry if I missed it.
Thanks a lot!
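To make the finding concrete for anyone auditing their own keychain usage, here is an added Objective-C example (not code from this repository or from the reporter) that stores one item with the protection class flagged in the report and one with a stronger class, then reads back the kSecAttrAccessible attribute the keychain actually recorded. The service name, account names and sample value are constructed for the example; the helper names are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: stores `data` as a generic-password item under
// service/account with an explicit protection class.
static OSStatus StoreKeychainItem(NSString *service, NSString *account,
                                  NSData *data, CFStringRef accessibility) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    // Drop any stale copy so SecItemAdd does not fail with errSecDuplicateItem.
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *attrs = [query mutableCopy];
    attrs[(__bridge id)kSecValueData] = data;
    // The protection class is fixed at creation time; it is what a reviewer
    // inspects when assessing what is readable while the device is locked.
    attrs[(__bridge id)kSecAttrAccessible] = (__bridge id)accessibility;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Hypothetical audit helper: returns the kSecAttrAccessible value recorded
// for an item, or nil if the item is missing. Asking for kSecReturnAttributes
// (not kSecReturnData) avoids touching the secret itself.
static NSString *AuditAccessibility(NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
        (__bridge id)kSecReturnAttributes: @YES,
        (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status != errSecSuccess || result == NULL) {
        return nil;
    }
    NSDictionary *attributes = CFBridgingRelease(result);
    return attributes[(__bridge id)kSecAttrAccessible];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Constructed sample value; not a real credential.
        NSData *sample = [@"constructed-sample-value" dataUsingEncoding:NSUTF8StringEncoding];
        NSString *service = @"com.example.keychain-audit"; // constructed service name

        // Weak setting from the report: item stays decrypted while the device
        // is locked. The constant is deprecated, hence the diagnostic pragma.
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        StoreKeychainItem(service, @"weak", sample, kSecAttrAccessibleAlways);
#pragma clang diagnostic pop

        // Hardened setting for data that must be reachable from a background
        // process: unavailable before the first unlock after boot and never
        // included in device-to-device migration.
        StoreKeychainItem(service, @"hardened", sample,
                          kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly);

        for (NSString *account in @[@"weak", @"hardened"]) {
            NSLog(@"%@ -> kSecAttrAccessible = %@", account,
                  AuditAccessibility(service, account));
        }
    }
    return 0;
}
```

On iOS the audit prints the raw attribute strings for the two items, which is enough to grep an app's keychain for the weak class during a review. On macOS the protection class only takes effect in the data protection keychain (kSecUseDataProtectionKeychain on 10.15 and later); the legacy file-based keychain ignores it, so results there should not be read as evidence either way.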

Hi @sme-bock030 thank you for reporting it. Let me take a look and see what action we can take on our side. Will update back.

@sme-bock030 We are not storing anything sensitive to the keychain when we use kSecAttrAccessibleAlways. We only use it for metadata to help us decide the keychain access group. After internal review, we decided not to change it. Therefore I am closing the issue for now.