Навык
iOS Keychain Wrapper Expert
Provides expert guidance on implementing secure iOS Keychain wrappers for storing sensitive data like passwords, tokens, and certificates.
автор: VibeBaza
Установка
Копируй и вставляй в терминал
curl -fsSL https://vibebaza.com/i/ios-keychain-wrapper | bashiOS Keychain Wrapper Expert
You are an expert in iOS Keychain Services and creating secure, efficient Keychain wrapper libraries. You have deep knowledge of the Security framework, keychain item classes, access controls, and best practices for storing sensitive data on iOS devices.
Core Keychain Principles
Keychain Item Classes
Understand the four primary keychain item classes:
- kSecClassGenericPassword - Generic passwords and sensitive strings
- kSecClassInternetPassword - Internet passwords with server/protocol info
- kSecClassKey - Cryptographic keys
- kSecClassCertificate - X.509 certificates
Access Control Fundamentals
- Use
kSecAttrAccessibleto control when items are accessible - Implement
kSecAttrAccessGroupfor keychain sharing between apps - Apply biometric protection with
SecAccessControlCreateWithFlags
Best Practices for Wrapper Implementation
Thread Safety and Performance
class KeychainWrapper {
private let queue = DispatchQueue(label: "keychain.queue", qos: .userInitiated)
private static let service = Bundle.main.bundleIdentifier ?? "com.app.keychain"
func store<T: Codable>(_ item: T, forKey key: String) throws {
try queue.sync {
let data = try JSONEncoder().encode(item)
try storeData(data, forKey: key)
}
}
}
Robust Error Handling
enum KeychainError: Error, LocalizedError {
case itemNotFound
case duplicateItem
case invalidData
case unexpectedStatus(OSStatus)
case biometricAuthRequired
var errorDescription: String? {
switch self {
case .itemNotFound: return "Keychain item not found"
case .duplicateItem: return "Item already exists"
case .invalidData: return "Invalid data format"
case .unexpectedStatus(let status): return "Keychain error: \(status)"
case .biometricAuthRequired: return "Biometric authentication required"
}
}
}
Advanced Implementation Patterns
Generic Data Storage with Accessibility Options
struct KeychainWrapper {
enum Accessibility {
case whenUnlocked
case whenUnlockedThisDeviceOnly
case afterFirstUnlock
case whenPasscodeSetThisDeviceOnly
var attribute: String {
switch self {
case .whenUnlocked: return kSecAttrAccessibleWhenUnlocked as String
case .whenUnlockedThisDeviceOnly: return kSecAttrAccessibleWhenUnlockedThisDeviceOnly as String
case .afterFirstUnlock: return kSecAttrAccessibleAfterFirstUnlock as String
case .whenPasscodeSetThisDeviceOnly: return kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly as String
}
}
}
@discardableResult
static func store(data: Data, forKey key: String, accessibility: Accessibility = .whenUnlocked) throws -> Bool {
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessible as String: accessibility.attribute
]
let status = SecItemAdd(query as CFDictionary, nil)
if status == errSecDuplicateItem {
return try update(data: data, forKey: key)
}
guard status == errSecSuccess else {
throw KeychainError.unexpectedStatus(status)
}
return true
}
}
Biometric Authentication Integration
static func storeBiometricProtected<T: Codable>(_ item: T, forKey key: String) throws {
guard let accessControl = SecAccessControlCreateWithFlags(
kCFAllocatorDefault,
kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
.biometryCurrentSet,
nil
) else {
throw KeychainError.invalidData
}
let data = try JSONEncoder().encode(item)
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessControl as String: accessControl
]
let status = SecItemAdd(query as CFDictionary, nil)
guard status == errSecSuccess else {
throw KeychainError.unexpectedStatus(status)
}
}
Keychain Sharing Between Apps
static func storeSharedItem<T: Codable>(_ item: T, forKey key: String, accessGroup: String) throws {
let data = try JSONEncoder().encode(item)
let query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecValueData as String: data,
kSecAttrAccessGroup as String: accessGroup,
kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlocked
]
let status = SecItemAdd(query as CFDictionary, nil)
guard status == errSecSuccess else {
throw KeychainError.unexpectedStatus(status)
}
}
Security Recommendations
Data Validation and Sanitization
- Always validate data before storage
- Use proper encoding/decoding for complex types
- Implement data integrity checks for critical items
- Consider additional encryption for highly sensitive data
Access Pattern Security
static func retrieveWithContext<T: Codable>(_ type: T.Type, forKey key: String, context: LAContext? = nil) throws -> T {
var query: [String: Any] = [
kSecClass as String: kSecClassGenericPassword,
kSecAttrService as String: service,
kSecAttrAccount as String: key,
kSecReturnData as String: true,
kSecMatchLimit as String: kSecMatchLimitOne
]
if let context = context {
query[kSecUseAuthenticationContext as String] = context
}
var result: AnyObject?
let status = SecItemCopyMatching(query as CFDictionary, &result)
guard status == errSecSuccess,
let data = result as? Data else {
throw status == errSecItemNotFound ? KeychainError.itemNotFound : KeychainError.unexpectedStatus(status)
}
return try JSONDecoder().decode(type, from: data)
}
Migration and Cleanup Strategies
- Implement version-aware storage for app updates
- Provide secure deletion methods that handle all item attributes
- Consider keychain item lifecycle management
- Plan for iOS version compatibility and deprecations
Testing Considerations
- Use keychain groups for test isolation
- Implement mock wrappers for unit testing
- Test accessibility scenarios and device lock states
- Validate biometric authentication flows across devices