iOS – Can the macOS keychain generalize across all iOS apps


Why can't I access my keychain in iOS apps other than Safari (or OS X apps, for that matter)? How can I access my passwords across the entire platform?

Best Answer

It's a design feature of the keychain system in macOS and iOS. Each keychain item is stored with a unique identifier that tells the system which application created it, and only that application is allowed to access it. There is also a concept of access groups, where a developer can allow access to a group of applications, for example so that Google only needs to store your credentials once to be used by all their apps.

In addition to globally locking and unlocking the entire keychain at appropriate times, the system also restricts which apps can access specific keychain items. By default, an app that creates an item, and only that app, can read it back or modify it. However, sometimes you want to share a secret among apps. How you do this depends on the situation.

...

From a high level perspective, Keychain Services uses an app’s code signature with its embedded entitlements to ensure that only an authorized app can access a particular keychain item. By default, only the app that created an item can access it in the future. But Keychain Services does more than simply check the identity of an app. Instead, it compares a keychain item’s access group, recorded as the kSecAttrAccessGroup attribute, with the list of access groups to which an app belongs. If one of the app’s access groups matches the keychain item’s group, access is granted. Similarly, Keychain Services allows an app to create keychain items with the kSecAttrAccessGroup attribute set to any of the app’s own access groups.

https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/02concepts/concepts.html
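To make the access-group behaviour concrete, here is an added Swift example (not from the answer or from Apple's documentation) that stores a generic-password item tagged with kSecAttrAccessGroup and reads it back. The group string "TEAMID.com.example.shared", the service name and the account are placeholders; a real group must be "<TeamID>.<name>" and must also appear in the app's keychain-access-groups entitlement.

```swift
import Foundation
import Security

// Added example, not from the original post. The access group is a placeholder:
// real values are "<TeamID>.<name>" and must also be listed in the app's
// keychain-access-groups entitlement, otherwise SecItemAdd fails with
// errSecMissingEntitlement (-34018).
let sharedGroup = "TEAMID.com.example.shared"   // placeholder

/// Base query identifying one generic-password item. With `accessGroup` set,
/// the item carries kSecAttrAccessGroup and is visible to every app entitled
/// to that group; with nil it keeps the default "creating app only" scope.
func itemQuery(account: String, accessGroup: String?) -> [String: Any] {
    var q: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: "com.example.login",   // placeholder service
        kSecAttrAccount as String: account,
    ]
    if let group = accessGroup { q[kSecAttrAccessGroup as String] = group }
    return q
}

func storePassword(_ password: String, account: String,
                   accessGroup: String? = nil) -> OSStatus {
    let query = itemQuery(account: account, accessGroup: accessGroup)
    _ = SecItemDelete(query as CFDictionary)   // replace any earlier copy
    var item = query
    item[kSecValueData as String] = Data(password.utf8)
    // Usable only while unlocked and never migrates to another device.
    item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    return SecItemAdd(item as CFDictionary, nil)
}

/// An app outside the item's access group gets errSecItemNotFound here:
/// the item is simply invisible to it, not merely denied.
func readPassword(account: String, accessGroup: String? = nil) -> String? {
    var query = itemQuery(account: account, accessGroup: accessGroup)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: AnyObject?
    guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
          let data = result as? Data else { return nil }
    return String(data: data, encoding: .utf8)
}

let status = storePassword("hunter2", account: "alice", accessGroup: sharedGroup)
if status == errSecMissingEntitlement {
    print("not entitled to \(sharedGroup): add it to keychain-access-groups")
} else {
    print(readPassword(account: "alice", accessGroup: sharedGroup) ?? "not found")
}
```

Run inside a signed app (the entitlement check is enforced by the code signature, so a bare script will hit errSecMissingEntitlement); a second app signed by the same team with the same group entry can call readPassword with the same group and get the item, while any app without that group cannot see it at all.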