iOS autodelete Keychain items after uninstall?

Will iOS clear an application's Keychain after the app is uninstalled? I seem to recall that an app's keychain items would be deleted by iOS some X days/hours/minutes after an app is deleted, however I can't find any reference to this behavior.

Edit:

So based on the thread below, it seems that the keychain survives an app uninstallation as a side effect of implementation. If so, it would seem that auto-deleting keychain items after app removal wouldn't be documented.

Re: iOS Keychain values survive to app uninstall

Out of curiosity, does anyone have insight into the observed behavior?
Answered by DTS Engineer in 281900022
First, a timeline:
  • All versions of iOS prior to 10.3 beta preserve keychain items when an app is deleted.

IMPORTANT This was most definitely an implementation detail of the original iOS keychain. Our keychain documentation has never specified what would happen in this case.
  • 10.3 beta included a change that deleted such items.

  • That caused compatibility problems (apps were relying on the existing behaviour, even though it wasn’t documented), so it was rolled back before 10.3 GM.

  • iOS 11 introduced the DeviceCheck framework, which provides a forward path for one of the most common legitimate use cases of this behaviour. For more info on this, see WWDC 2017 Session 702 Privacy and Your Apps.

Second, preserving keychain items on delete is an obvious privacy concern. As far as I know Apple has not made any specific announcements as to how we intend to resolve this issue (1). However, I don’t think it would surprise anyone if the 10.3 behaviour returned at some point in the future. I would hope that we’d be more proactive about announcing such a change — for example, talking about it at WWDC — but, as always, I can’t make any promises about The Future™.

Third, my specific advice:
  • If you want a keychain item to be deleted when your app is deleted, entangle it with a random key you store on disk, as described in my earlier post (11 Feb 2016). This is guaranteed to work regardless of how the OS behaves.

  • If you want the item to be preserved, start by looking at the DeviceCheck framework. If that allows you to achieve your high-level goal, you can adopt it on iOS 11 and later and then stop worrying about this issue.

Note You can continue to use your existing techniques on earlier systems because they’re not going to change.
  • If the DeviceCheck framework doesn’t meet your needs, please file an enhancement request explaining your situation and why DeviceCheck doesn’t work for you. I’d appreciate you posting your bug number here, just for the record.

  • If you continue to rely on the current behaviour, I strongly encourage you to write your app so that it acts reasonably if that behaviour changes.

I realise that the above is still “ambiguous”. Alas, I can’t answer with 100% clarity until Apple formally announces our future plans here.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

(1) Although there was a slide in WWDC 2017 Session 702 Privacy and Your Apps with bullet points like:
  • Will continue to remove entropy

  • Will continue to provide user control of entropy sources

  • Will continue to remove functionality that is being abused to uniquely identify users

which is a good overall summary of Apple’s position here.

It seems that the keychain is [not] deleted when an app is deleted.

That’s expected behaviour (except in some beta releases of 10.3). See my post upthread for the gory details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Still the case with iOS 17.5 as of June 2024. The keychain is definitely preserved even after app uninstall/reinstall. Quinn's suggestion about implementing some kind of entanglement (or even stembermichal's suggestion of a Bool flag in UserDefaults) appears necessary. Basically you have to implement your own test to determine if the keychain item is a holdover from a previous install.
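As an added illustration of the two approaches mentioned in this thread (Quinn's "entangle the item with a random key stored on disk" advice and the UserDefaults first-launch flag), here is example code that is not from the thread, from Apple, or from any poster. It seals the keychain payload with an AES-GCM key kept in the app's Application Support directory, which iOS removes together with the app; after a reinstall the keychain item may still exist, but without the key it cannot be decrypted, so it is detected as a holdover and deleted. The service/account names, the file name and the UserDefaults key are illustrative assumptions. It targets iOS 13+ for CryptoKit.

```swift
import Foundation
import Security
import CryptoKit

/// Added example (not from the thread): a keychain secret that becomes unusable
/// once the app has been deleted, even though iOS leaves the keychain item in place.
enum EntangledSecret {
    // Illustrative identifiers (assumptions, not from the thread).
    static let service = "com.example.entangled"
    static let account = "session-token"
    static let launchedBeforeKey = "com.example.hasLaunchedBefore"   // UserDefaults flag

    enum Failure: Error { case noWrappingKey, sealFailed, keychain(OSStatus) }

    // The wrapping key lives inside the app container, which iOS deletes with the app.
    private static var keyFileURL: URL {
        let dir = FileManager.default.urls(for: .applicationSupportDirectory, in: .userDomainMask)[0]
        try? FileManager.default.createDirectory(at: dir, withIntermediateDirectories: true)
        return dir.appendingPathComponent("entangle.key")
    }

    /// Loads the per-install wrapping key, creating it on first use if asked to.
    private static func wrappingKey(createIfMissing: Bool) -> SymmetricKey? {
        if let data = try? Data(contentsOf: keyFileURL), data.count == 32 {
            return SymmetricKey(data: data)
        }
        guard createIfMissing else { return nil }
        let key = SymmetricKey(size: .bits256)
        let raw = key.withUnsafeBytes { Data($0) }
        do {
            try raw.write(to: keyFileURL, options: [.atomic, .completeFileProtection])
        } catch {
            return nil
        }
        return key
    }

    private static var baseQuery: [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: account]
    }

    /// Stores `secret` in the keychain, sealed with the on-disk key.
    static func store(_ secret: Data) throws {
        guard let key = wrappingKey(createIfMissing: true) else { throw Failure.noWrappingKey }
        // combined = nonce || ciphertext || tag
        guard let sealed = try AES.GCM.seal(secret, using: key).combined else { throw Failure.sealFailed }
        SecItemDelete(baseQuery as CFDictionary)   // replace any previous item for this service/account
        var attrs = baseQuery
        attrs[kSecValueData as String] = sealed
        // ThisDeviceOnly keeps the item out of iCloud Keychain sync.
        attrs[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        let status = SecItemAdd(attrs as CFDictionary, nil)
        guard status == errSecSuccess else { throw Failure.keychain(status) }
    }

    /// Returns the secret, or nil if nothing is stored or the item is a holdover from a
    /// previous install (no wrapping key on disk, so it cannot be opened). A holdover is
    /// deleted rather than left behind.
    static func load() -> Data? {
        var query = baseQuery
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let sealed = result as? Data else { return nil }
        guard let key = wrappingKey(createIfMissing: false),
              let box = try? AES.GCM.SealedBox(combined: sealed),
              let plain = try? AES.GCM.open(box, using: key) else {
            SecItemDelete(baseQuery as CFDictionary)   // orphaned item from an earlier install: wipe it
            return nil
        }
        return plain
    }

    /// The simpler UserDefaults variant: on the first launch after a (re)install the flag
    /// is absent, so any keychain item found under this service/account is a leftover.
    /// Call this early in app launch, before `load()`.
    static func wipeLeftoversOnFirstLaunch() {
        let defaults = UserDefaults.standard
        guard !defaults.bool(forKey: launchedBeforeKey) else { return }
        SecItemDelete(baseQuery as CFDictionary)
        try? FileManager.default.removeItem(at: keyFileURL)
        defaults.set(true, forKey: launchedBeforeKey)
    }
}
```

The entanglement path is the robust one: it does not depend on whether iOS ever starts deleting keychain items on uninstall, and a reinstalled copy of the app (or another app sharing a keychain access group) finds only ciphertext it cannot open. The UserDefaults flag is cheaper but only cleans up items the app itself knows to look for.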

I have a bigger concern that an app can store confidential data in the keychain that will never ever get deleted. Ever. There isn't any way to completely delete a keychain tied to an account.
If you reset your iPhone and set it up with the same Apple account, Apple downloads the stored iCloud Keychain to the phone before you get a chance to tell it not to. If you disable keychain sync at that point, the phone does NOT prompt you to delete the existing keychain data despite documentation online saying that it does. If you log out of iCloud on the phone, you get the option of removing the local copy. But the moment you sign in again, it comes back.

Deleting all the passwords in Safari or the Passwords app does not delete all keychain data.

If an app is designed to use a keychain access group, deleting that app will not delete the keychain data, yet that data or app is not listed anywhere in the Passwords app or anything else purporting to show keychain data.

That leaves trying to delete the keychain for an account on another device. macOS provides only the Passwords app to view keychain data and the ability to enable or disable syncing. Disabling it does nothing to the copy stored on iCloud.

account.apple.com provides no access to keychain management other than indirectly e.g. changing your password, app-specific passwords, etc.

So if there's no way to view and/or delete/wipe the keychain data stored on iCloud, and there's no way to prevent that data from being downloaded automatically to any device you sign in to using that account, and removing the keychain data on any given device does not modify the copy stored in the cloud, how do I ensure that any rogue apps that maliciously stored data in the keychain cannot access that same data in the future, either once the app is re-installed or via a different app configured with the same keychain access group?

How can there be any real security of confidential data if someone can write an app that does this, and then provides another party with the keychain access group keys?

It makes no difference if Apple claims that their phone is secure with such an obvious and gaping back door available. Enabling Advanced Data Protection doesn't list keychain data or the keychain in the list of types of data that are securely encrypted. And while the keychain data is encrypted, all it takes is for the user to install App A at some point, which stores unknown data in the keychain, then the user deletes App A and later on installs App B. And App B immediately gains access to that confidential data.

I don't want to get into some debate about why an app would do this, or caveat emptor; the point is that it's possible and would be an obvious method for malicious actors to use.

All because Apple doesn't provide a method for a user (NOT an app dev) to clear out their keychain.
