Clarification requested on Secure Enclave key usage across apps with shared keychain access group

During internal testing, we observed the following behavior and would appreciate clarification on whether it is expected and supported in production environments.

When generating an elliptic-curve cryptographic key pair using "kSecAttrTokenIDSecureEnclave", and explicitly specifying a "kSecAttrAccessGroup", we found that cryptographic operations (specifically encryption and decryption) could be successfully performed using this key pair from two distinct applications. Both applications had the Keychain Sharing capability enabled and were signed with the same provisioning profile identity.

Given the documented security properties of Secure Enclave-backed keys, namely that private key material is protected by hardware and access is strictly constrained by design, we would like to confirm whether the ability for multiple applications (sharing the same keychain access group and signing identity) to perform cryptographic operations with the same Secure Enclave–backed key is expected behavior on iOS.

Specifically, we are seeking confirmation on:

  • Whether this behavior is intentional and supported in production.

  • Whether the Secure Enclave enforces access control primarily at the application-identifier (App ID) level rather than the individual app bundle level in this scenario.

  • Whether there are any documented limitations or guarantees regarding cross-application usage of Secure Enclave keys when keychain sharing is configured.

Any guidance or references to official documentation clarifying this behavior would be greatly appreciated.

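As an added example (not code from the original post, and not Apple sample code), here is a Swift sketch of the setup described in the question: app A generates a Secure Enclave-backed P-256 key whose keychain item lives in a shared access group, and app B (or an app extension of the same team) looks that item up by tag and uses it for ECIES encryption and decryption. The access group "TEAMID.com.example.shared", the tag "com.example.shared.sekey" and the `roundTrip()` helper are assumed names. The point to keep in view while reading it: the private key never leaves the Secure Enclave in either process; what is shared is the keychain item that references it, and that sharing is gated by the keychain-access-groups entitlement, which only admits groups prefixed with the signing team's App ID prefix.

```swift
import Foundation
import Security

// Added example, not from the original post. Assumed names:
//   access group: "TEAMID.com.example.shared" (runtime form; in each app's
//   .entitlements it is written as "$(AppIdentifierPrefix)com.example.shared"
//   under keychain-access-groups, and both apps must carry it)
//   tag:          "com.example.shared.sekey"
enum SharedSEKey {
    static let accessGroup = "TEAMID.com.example.shared"        // assumption
    static let tag = Data("com.example.shared.sekey".utf8)      // assumption
    static let algorithm: SecKeyAlgorithm = .eciesEncryptionCofactorVariableIVX963SHA256AESGCM

    enum KeychainError: Error {
        case status(OSStatus)
        case cf(Error)
        case notFound
    }

    /// App A: create a P-256 key whose private half is held by the Secure Enclave,
    /// and file the keychain item that references it in the shared access group.
    static func generate() throws -> SecKey {
        var cfError: Unmanaged<CFError>?
        // SE keys require a ThisDeviceOnly protection class; .privateKeyUsage is
        // what allows the private key to be used for decryption/signing at all.
        guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault,
            kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
            [.privateKeyUsage],
            &cfError) else {
            throw KeychainError.cf(cfError!.takeRetainedValue())
        }
        let attributes: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access,
                kSecAttrAccessGroup as String: accessGroup,
            ],
        ]
        guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
            throw KeychainError.cf(cfError!.takeRetainedValue())
        }
        return key
    }

    /// App B (or an app extension): find the same item inside the shared group.
    /// No key bytes are returned; the SecKey is a handle the SE resolves per operation.
    static func lookup() throws -> SecKey {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessGroup as String: accessGroup,
            kSecReturnRef as String: true,
        ]
        var item: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &item)
        guard status != errSecItemNotFound else { throw KeychainError.notFound }
        guard status == errSecSuccess, let found = item else { throw KeychainError.status(status) }
        return found as! SecKey
    }

    /// ECIES: the public half can encrypt from any process that can read the item...
    static func encrypt(_ plaintext: Data, with privateKey: SecKey) throws -> Data {
        guard let publicKey = SecKeyCopyPublicKey(privateKey),
              SecKeyIsAlgorithmSupported(publicKey, .encrypt, algorithm) else {
            throw KeychainError.status(errSecParam)
        }
        var cfError: Unmanaged<CFError>?
        guard let ct = SecKeyCreateEncryptedData(publicKey, algorithm, plaintext as CFData, &cfError) else {
            throw KeychainError.cf(cfError!.takeRetainedValue())
        }
        return ct as Data
    }

    /// ...while decryption executes inside the Secure Enclave, gated by the access
    /// control above plus the calling process's keychain-access-groups entitlement.
    static func decrypt(_ ciphertext: Data, with privateKey: SecKey) throws -> Data {
        var cfError: Unmanaged<CFError>?
        guard let pt = SecKeyCreateDecryptedData(privateKey, algorithm, ciphertext as CFData, &cfError) else {
            throw KeychainError.cf(cfError!.takeRetainedValue())
        }
        return pt as Data
    }

    /// Either app can remove the shared item, since both hold the entitlement.
    static func delete() -> OSStatus {
        let query: [String: Any] = [
            kSecClass as String: kSecClassKey,
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessGroup as String: accessGroup,
        ]
        return SecItemDelete(query as CFDictionary)
    }
}

// Run this once in app A (which generates) and again in app B (which only finds);
// the round trip succeeds in both only when both carry the same access group.
func roundTrip() throws -> Bool {
    let key = (try? SharedSEKey.lookup()) ?? (try SharedSEKey.generate())
    let message = Data("constructed sample plaintext".utf8)   // constructed input
    let sealed = try SharedSEKey.encrypt(message, with: key)
    return try SharedSEKey.decrypt(sealed, with: key) == message
}
```

When testing this, exercise the negative case as well: a build without the group in its keychain-access-groups entitlement, or one signed by a different team (which cannot obtain the entitlement for that prefix), must fail in `lookup()` rather than receive the key. That entitlement check, not the bundle identifier, is the boundary the shared item relies on; the Secure Enclave itself only ever sees the operation request for a key it holds.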
Answered by DTS Engineer in 871120022
we would like to confirm whether [this] is expected behavior on iOS

It seems pretty reasonable to me. If this didn’t work I can imagine that many developers would be grumpy, because folks commonly want to share credentials between, say, their app and its embedded app extensions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Just for the record, hid-mpowell ended up filing a bug about this as well (FB21364427).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
