Keychain on iOS: Howto?

I’m using MBS plugins and try to implement keychain access according to the MBS example “Keychain test iOS”.

But when I try to access the keychain on my iPhone, from my own app, then I see this error:

I think I would have to set a key for an AccessGroup in my Apple developer account? Is this right?
Which are the steps to do so?

I tried to go to Certificates, Identifiers & Profiles → Keys and then chose “Create a key”.

And I guess that I would have to choose the option “Sign in with Apple”? But in my case this option is disabled (see screenshot).

Can I even use the keychain, for an app which is not distributed on the AppStore?

The MBS example code:

What are the correct entitlements to allow saving and retrieving login and password to keychain, on iOS?

I can see KeychainServices in iOSKit, but same thing: it does not work, something is restricted and I don’t know exactly on how to proceed. Any ideas?

I would like to change the title of this thread from “Keychain on iOS: AccessGroup howto?” to “Keychain on iOS: Howto?”

It looks like I cannot edit my own post now.

[Moderator edit: title updated as requested]

KeychainServices in iOSKit works – I’ve been using it in my app for years – but not on the iOS Simulator - you need to test it on a real device.

Are there any entitlements required for Keychain Services?

I replaced the MBS implementation of Keychain with the one from iOSKit. When I debug on my iPhone 12 Pro, then the code executes without throwing any error, but it is not saving anything to the keychain either.

Obviously I am missing something here?

Can we assume that in the MBS code that you replaced the bundle ID (kSecAttrService) with your app’s bundle ID?

If so, are you testing in a simulator or on a device (since that is so much easier in 2022r1)?

On that device/simulator, are you logged into an Apple account?

NOTE: Just for clarity, I had an experience recently which reminded me why Apple suggests that you have a separate Apple ID just for testing where I accidentally but permanently deleted some personal data. Keychain is one of those areas that should cause you to do this.

  • yes, I did replace it with my app id
  • yes, I am testing on my device, using 2022r1
  • am I logged into the Apple account on my device: I am not sure what you mean with this?

For a different Apple ID, wouldn’t that mean to have a different Apple account on developer.apple.com as well?

Why would that be necessary?

No, just another AppleID for testing. They do not have to match your developer account. You would never be able to do large scale testing of an app if you couldn’t give it to beta testers if they all had to have your ID.


It’s necessary because sometimes during testing you need to disconnect from the account, wipe the account, reset the account or try different configurations that would otherwise corrupt your personal acct. Trust me, losing your entire keychain password list is very inconvenient.


Please check the “KeyChain test iOS” example project coming with our MBS Plugins.

You need to run it on a device (not the simulator). Your provision profile should include a keychain entry.
And if you use kSecAttrAccessGroup, you need to specify the right security group as you do in the entitlement file for code signing.


And for the errors, please watch Console.app to see the detailed log messages for your application.
When you get an error reported in keychain, you usually find an error message in console.


The iOSKit KeychainServices does not require any entitlements. The MBS implementation is different and requires a provisioning profile change as Christian has noted.

Actually both should do the same/similar.
The question is whether you like to have the stuff in an access group, which can be shared by several applications.
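
Added example (not part of the thread, and not MBS or iOSKit code): a small Python check that the access group an app passes as kSecAttrAccessGroup is actually granted by the entitlements it was signed with, which is the match described in the replies above. The entitlements XML is a constructed sample with placeholder team and bundle IDs; in practice it would be the XML extracted from the signed app (for example with `codesign -d --entitlements`). The sketch assumes exact string matching and ignores app groups.

```python
import plistlib

# Constructed sample of a signed app's entitlements.
# TEAMID1234 and com.example.* are placeholders, not values from the thread.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID1234.com.example.myapp</string>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAMID1234.com.example.myapp</string>
        <string>TEAMID1234.com.example.shared</string>
    </array>
</dict>
</plist>
"""


def allowed_access_groups(entitlements_xml):
    """Return the access groups the signature grants, in priority order."""
    ent = plistlib.loads(entitlements_xml)
    groups = list(ent.get("keychain-access-groups", []))
    # The app's own identifier is also a valid access group.
    app_id = ent.get("application-identifier")
    if app_id and app_id not in groups:
        groups.append(app_id)
    return groups


def check_access_group(entitlements_xml, requested=None):
    """Return (ok, explanation) for the kSecAttrAccessGroup value in use."""
    groups = allowed_access_groups(entitlements_xml)
    if not groups:
        return False, "entitlements grant no keychain access group"
    if requested is None:
        # Omitting the attribute makes the keychain use the first group.
        return True, "attribute omitted; default group is " + groups[0]
    if requested in groups:
        return True, requested + " is granted by the entitlements"
    # Typical mistake: group name written without the team ID prefix.
    return False, requested + " is not one of " + ", ".join(groups)


if __name__ == "__main__":
    for group in (None, "TEAMID1234.com.example.shared", "com.example.shared"):
        print(group, "->", check_access_group(SAMPLE_ENTITLEMENTS, group))
```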