Can an app password saved with Keychain SecItemAdd() be viewed on iPhone/iPad?

We are using Keychain Services and saving a password using SecItemAdd() with kSecClassGenericPassword in our app.

We know that, using Keychain Access on a Mac, the admin of the Mac PC can see keychain items for macOS apps.

Is there a way to view keychain items on iOS (iPhone/iPad)?

My use case is: an iPad (company device, not MDM) is shared between two or more persons. Each time, an app user logs in to the same app using their own respective password (stored in the keychain).

The security concern is: will such keychain items (passwords) be visible to others (including the owner of the iPad/iPhone)? E.g., by connecting to another Mac PC, or if some tool exists like the Keychain Access present in macOS, or in the case when the current local keychain is synced to iCloud Keychain.

We don't want users of the iPad/iPhone to see other users' passwords.

Is there any solution other than Keychain?

  • Apple Security, hello, anyone on the developer forums?

Accepted Reply

Thanks Quinn for your response.

Summarising my understanding: the keychain service is at the per-user level, and even with Keychain Access, a keychain password can only be viewed by the user who set that kv pair. An admin user can only see the admin-set keychain passwords via Keychain Access (I have not verified whether any other programmatic access exists by which the root user could see all users' keychain passwords, which is at a different API scope level).

I waited for comments from the community, and I couldn't find any alternative solution that does this job myself. Hence, shamefully, I'm marking this answer myself and closing, though I welcome any further comments in case anyone finds any better updates than this.

Thank you.

Replies

I’m pretty sure that no one from “Apple Security” participates on DevForums. That’s in line with the main goal of DevForums, which is to help folks with code-level questions, not security reviews.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
