iOS Keychain revisited: sharing app data through keychain access groups (building a "family bucket" of apps on iOS)

Source: Internet
Author: User
Tags: keychain, sqlite, database

I know that reading a blog post without a demo is painful, so the demo comes first: https://github.com/rayshen/GIKeychainGroupDemo

The demo contains 2 projects. Run either one and it stores a value; then run the other and it reads the value the first app stored, and modifies it.

Apple's official sample: https://developer.apple.com/library/ios/samplecode/GenericKeychain/Introduction/Intro.html

In an earlier post I used the keychain to keep data that survives deletion of the app, but did not implement sharing between apps.

Sharing data between apps relies mainly on both apps using the same keychain access group (the same "entry") when the data is written to the keychain.

This is divided into two parts:

1. Give the app permission to access a keychain access group.

2. When writing, configure the keychain item so that the value of kSecAttrAccessGroup names that group.

One, the app's access to the keychain:

(1) When the app's entitlements file (its license) is not configured, anything the app stores in the keychain goes by default under the app's own bundle-ID entry.

(2) After the app's entitlements (authorization) are configured, the app is declared to have access to the listed entries.

The keychain can be inspected visually with the Keychain Access app on a Mac.

How to configure the app's keychain access permissions:

1. Create a new plist file (for example, KeychainAccessGroups.plist) and list the names of the access groups the app may use in the array. Its structure is as follows (the xxxxx prefix stands for your App ID prefix, i.e. your Team ID):

Plist code:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>keychain-access-groups</key>
        <array>
            <string>xxxxx.GrassInfoAppFamily</string>
        </array>
    </dict>
    </plist>

2. In Build Settings, search for "entitlements" (Code Signing Entitlements) and point it at this plist; a wrong path here is a common mistake, so check it carefully.

Second, the app's operations on the keychain:

The keychain API lives in Security.framework. Underneath it is a SQLite database located at /private/var/Keychains/keychain-2.db, in which all stored data is encrypted.

The process can be summarized as:

1. Build the query dictionary (an NSMutableDictionary). Its contents are analysed in the next section; its role is equivalent to writing one SQL statement.

2. Call add (SecItemAdd), delete (SecItemDelete), update (SecItemUpdate) or query (SecItemCopyMatching).

Taking "add" as the example from the demo, there are 2 write paths: one adds the item to the app's own bundle-ID entry, the other adds it to the shared entry.

    #import <Foundation/Foundation.h>
    #import <Security/Security.h>

    // Shared access group; must match an entry under keychain-access-groups in the
    // entitlements plist. The demo defines this constant elsewhere; the value is taken
    // from the plist above.
    static NSString * const accessGroupItem = @"xxxxx.GrassInfoAppFamily";

    // Create a basic query dictionary
    + (NSMutableDictionary *)getKeychainQuery:(NSString *)service {
        return [NSMutableDictionary dictionaryWithObjectsAndKeys:
                (__bridge id)kSecClassGenericPassword,           (__bridge id)kSecClass,
                service,                                         (__bridge id)kSecAttrService,
                service,                                         (__bridge id)kSecAttrAccount,
                (__bridge id)kSecAttrAccessibleAfterFirstUnlock, (__bridge id)kSecAttrAccessible,
                nil];
    }

    // Write to the app's own default (bundle-ID) access group
    + (void)addKeychainData:(id)data forKey:(NSString *)key {
        // Get search dictionary
        NSMutableDictionary *keychainQuery = [self getKeychainQuery:key];
        // Delete old item before adding the new one
        SecItemDelete((__bridge CFDictionaryRef)keychainQuery);
        // Add the new object to the search dictionary (attention: the data format must be NSData)
        [keychainQuery setObject:[NSKeyedArchiver archivedDataWithRootObject:data]
                          forKey:(__bridge id)kSecValueData];
        // Add item to keychain with the search dictionary
        SecItemAdd((__bridge CFDictionaryRef)keychainQuery, NULL);
    }

    // Write to the shared access group
    + (void)addShareKeychainData:(id)data forKey:(NSString *)key {
        // Get search dictionary
        NSMutableDictionary *keychainQuery = [self getKeychainQuery:key];
        // Target the shared access group instead of the app's own default group
        [keychainQuery setObject:accessGroupItem forKey:(__bridge id)kSecAttrAccessGroup];
        // Delete old item before adding the new one
        SecItemDelete((__bridge CFDictionaryRef)keychainQuery);
        // Add the new object to the search dictionary (attention: the data format must be NSData)
        [keychainQuery setObject:[NSKeyedArchiver archivedDataWithRootObject:data]
                          forKey:(__bridge id)kSecValueData];
        // Add item to keychain with the search dictionary
        SecItemAdd((__bridge CFDictionaryRef)keychainQuery, NULL);
    }

The call [keychainQuery setObject:accessGroupItem forKey:(__bridge id)kSecAttrAccessGroup] specifies which keychain access group this write goes to; without it, the item is written to the app's own bundle-ID entry by default.

When querying, you can likewise restrict the search to one access group; by default the search covers every access group the app is entitled to.
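The demo above only shows the "add" path. The following is an added example, not code from the original post or the GIKeychainGroupDemo project, showing the read, update and delete paths for the shared group, and how a query that does not name a group can still tell you which group the returned item came from (kSecReturnAttributes makes SecItemCopyMatching hand back kSecAttrAccessGroup). The class name GIKeychainReader and the constant kSharedAccessGroup are assumptions; the group value must match the entitlements plist.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed to match the keychain-access-groups entry in the entitlements plist;
// xxxxx stands for the App ID prefix (Team ID).
static NSString * const kSharedAccessGroup = @"xxxxx.GrassInfoAppFamily";

@interface GIKeychainReader : NSObject   // hypothetical helper class, not from the demo
@end

@implementation GIKeychainReader

// Base query: same class/service/account as the write side, otherwise nothing matches.
+ (NSMutableDictionary *)baseQueryForKey:(NSString *)key accessGroup:(NSString *)group {
    NSMutableDictionary *q = [NSMutableDictionary dictionary];
    q[(__bridge id)kSecClass]       = (__bridge id)kSecClassGenericPassword;
    q[(__bridge id)kSecAttrService] = key;
    q[(__bridge id)kSecAttrAccount] = key;
    if (group) {
        // Restrict the search to one access group. Without this the search spans
        // every group the app is entitled to, so a same-named item in the app's
        // own default group could be returned instead of the shared one.
        q[(__bridge id)kSecAttrAccessGroup] = group;
    }
    return q;
}

// Read one item; on success *outGroup receives the access group it was found in.
+ (id)readKey:(NSString *)key accessGroup:(NSString *)group foundInGroup:(NSString **)outGroup {
    NSMutableDictionary *q = [self baseQueryForKey:key accessGroup:group];
    q[(__bridge id)kSecMatchLimit]       = (__bridge id)kSecMatchLimitOne;
    q[(__bridge id)kSecReturnData]       = @YES;
    q[(__bridge id)kSecReturnAttributes] = @YES;   // needed to get kSecAttrAccessGroup back

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)q, &result);
    if (status == errSecItemNotFound) return nil;
    if (status != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);
        return nil;
    }
    // With both return flags set, the result is a dictionary of attributes plus kSecValueData.
    NSDictionary *item = CFBridgingRelease(result);
    if (outGroup) *outGroup = item[(__bridge id)kSecAttrAccessGroup];
    NSData *data = item[(__bridge id)kSecValueData];
    return data ? [NSKeyedUnarchiver unarchiveObjectWithData:data] : nil;
}

// Update the stored value in place instead of delete-then-add.
+ (BOOL)updateKey:(NSString *)key value:(id)value accessGroup:(NSString *)group {
    NSMutableDictionary *q = [self baseQueryForKey:key accessGroup:group];
    NSDictionary *changes = @{ (__bridge id)kSecValueData :
                                   [NSKeyedArchiver archivedDataWithRootObject:value] };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)q,
                                    (__bridge CFDictionaryRef)changes);
    return status == errSecSuccess;   // errSecItemNotFound means nothing to update
}

+ (BOOL)deleteKey:(NSString *)key accessGroup:(NSString *)group {
    NSMutableDictionary *q = [self baseQueryForKey:key accessGroup:group];
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)q);
    return status == errSecSuccess || status == errSecItemNotFound;
}

@end

// Usage (inside an app that has the group in its entitlements):
//   NSString *group = nil;
//   id value = [GIKeychainReader readKey:@"token" accessGroup:nil foundInGroup:&group];
//   if (![group isEqualToString:kSharedAccessGroup]) { /* read a non-shared copy */ }
```

Reading with accessGroup:nil and then comparing the returned group against kSharedAccessGroup is a cheap check that the value really came from the shared entry and not from a stale copy in the app's own default group.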

Third, the composition of a keychain item:

Reference blog: http://my.oschina.net/w11h22j33/blog/206713

Each keychain item is, as a whole, a dictionary:
1. The kSecClass key defines which type (class) of keychain item it is.
2. Different classes carry different attributes; these attributes define the specific information of the item.
3. Each item can carry a password entry that stores the corresponding secret.

For the most common type, a generic password, we should configure the following:

    [wrapper setObject:(__bridge id)kSecClassGenericPassword forKey:(__bridge id)kSecClass];   // class
    [wrapper setObject:@"username" forKey:(__bridge id)kSecAttrAccount];                       // key
    // value: kSecValueData must be NSData, not an NSString
    [wrapper setObject:[@"Password" dataUsingEncoding:NSUTF8StringEncoding]
                forKey:(__bridge id)kSecValueData];
    // least restrictive accessibility (and deprecated since iOS 12); see the note below
    [wrapper setObject:(__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly
                forKey:(__bridge id)kSecAttrAccessible];

The kSecAttrAccessible attribute specifies when the application is allowed to read this item. Pay special attention to this option and use the most restrictive value that still works for your app. Six values can be set for this key (see Apple's keychain documentation).
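As an added example (not code from the original post), the snippet below puts the weak accessibility setting from the snippet above next to a hardened one, and reads the stored attribute back so you can verify what the keychain actually recorded. The six values the text refers to are listed in the comments from Apple's documentation; the service name com.example.demo is an assumption.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// The six kSecAttrAccessible values (iOS 7), from least to most restrictive:
//   kSecAttrAccessibleAlways / kSecAttrAccessibleAlwaysThisDeviceOnly   (deprecated since iOS 12)
//   kSecAttrAccessibleAfterFirstUnlock / kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
//   kSecAttrAccessibleWhenUnlocked / kSecAttrAccessibleWhenUnlockedThisDeviceOnly
// The ...ThisDeviceOnly variants are never migrated to another device through a backup.
// iOS 8 later added kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, the strictest of all.

// Weak: readable even while the device is locked, and included in migrating backups.
static NSDictionary *WeakPasswordItem(NSString *account, NSData *secret) {
    return @{ (__bridge id)kSecClass          : (__bridge id)kSecClassGenericPassword,
              (__bridge id)kSecAttrService    : @"com.example.demo",   // assumed service name
              (__bridge id)kSecAttrAccount    : account,
              (__bridge id)kSecValueData      : secret,
              (__bridge id)kSecAttrAccessible : (__bridge id)kSecAttrAccessibleAlways };
}

// Hardened: only readable while the device is unlocked, and never leaves this device.
static NSDictionary *HardenedPasswordItem(NSString *account, NSData *secret) {
    NSMutableDictionary *item = [WeakPasswordItem(account, secret) mutableCopy];
    item[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly;
    return item;
}

// Search dictionary derived from an item: identity attributes only, no secret, no accessibility.
static NSMutableDictionary *SearchQuery(NSDictionary *item) {
    NSMutableDictionary *q = [item mutableCopy];
    [q removeObjectForKey:(__bridge id)kSecValueData];
    [q removeObjectForKey:(__bridge id)kSecAttrAccessible];
    return q;
}

// Store the item (replacing any previous copy) and return the accessibility value
// the keychain recorded for it, or nil on failure.
static NSString *StoreAndCheckAccessibility(NSDictionary *item) {
    SecItemDelete((__bridge CFDictionaryRef)SearchQuery(item));   // not-found is fine here
    OSStatus status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    if (status != errSecSuccess) {
        NSLog(@"SecItemAdd failed: %d", (int)status);
        return nil;
    }
    NSMutableDictionary *query = SearchQuery(item);
    query[(__bridge id)kSecReturnAttributes] = @YES;
    query[(__bridge id)kSecMatchLimit]       = (__bridge id)kSecMatchLimitOne;
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSDictionary *attrs = CFBridgingRelease(result);
    return attrs[(__bridge id)kSecAttrAccessible];
}

// Usage:
//   NSData *secret = [@"Password" dataUsingEncoding:NSUTF8StringEncoding];
//   NSString *stored = StoreAndCheckAccessibility(HardenedPasswordItem(@"username", secret));
//   BOOL ok = [stored isEqualToString:(__bridge NSString *)kSecAttrAccessibleWhenUnlockedThisDeviceOnly];
```

Reading the attribute back matters because kSecAttrAccessible is fixed when the item is created: a later SecItemAdd with a stricter value does not change an existing item, which is why the helper deletes the old copy first.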

Iv. Security

Finally, the big one...

As mentioned earlier, the keychain data an app can access is specified by its entitlements file.

But!!! If you use an entitlements file with a * wildcard, the app is able to access all the entries in the keychain...

Or, if you use an entitlements file that lists every access group, you can also reach all the keychain data. For example, if you declare someone else's bundle ID in your plist file, then that app's default keychain entry becomes accessible to you. (I was frightened.)

Whether an application whose entitlements use the * wildcard can actually be published on the App Store is unclear...

Because of this, the keychain on its own is not safe: when you save to the keychain, also encrypt the data, students.
