iOS Keychain - iTunes backup vs iCloud sync

A helper guide to understanding when keychain data gets backed up or synced.

My use case: switching from [UIDevice uniqueIdentifier] to a UUID + Keychain approach.

  • Apple has deprecated [UIDevice uniqueIdentifier] and rejects App Store submissions that use it. My requirements are: 1) the UUID persists on the device ONLY; 2) the UUID is not synced or backed up across devices; 3) it works on iOS 6 and up.

UDID alternative availability

| Availability           | iOS 2 | iOS 3 | iOS 4 | iOS 5 | iOS 6 | iOS 7 | iOS 8 |
|------------------------|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|
| CFUUID                 |       |       |       |       |       |       |       |
| NSUUID                 |   x   |   x   |   x   |   x   |       |       |       |
| OpenUDID               |       |       |       |   ?   |  x*   |  x*   |  x*   |
| IDFV                   |   x   |   x   |   x   |   x   |       |       |       |
| Ad ID                  |   x   |   x   |   x   |   x   |       |       |       |
| UDID                   |       |       |       |  x**  |  x**  |  x**  |  x**  |
| Keychain+CFUUID/NSUUID |       |       |       |       |       |       |       |
x - not available
blank - available

* OpenUDID deprecated itself in favor of the identifierForVendor (IDFV) and the Advertising Identifier.
** UDID is deprecated starting in iOS 5.

UDID replacement persistence

| Persists               | App launch | Return from background | Reset Advertising Identifier * | App re-install ** | System reboot | System reset | Useful for my use case |
|------------------------|:----------:|:----------------------:|:------------------------------:|:-----------------:|:-------------:|:------------:|:----------------------:|
| CFUUID                 |     x      |           x            |               x                |         x         |       x       |      x       |           x            |
| NSUUID                 |     x      |           x            |               x                |         x         |       x       |      x       |           x            |
| OpenUDID               |            |                        |                                |                   |               |      x       |           x            |
| IDFV                   |            |                        |                                |         x         |               |      x       |           x            |
| Ad ID                  |            |                        |               x                |                   |               |      x       |           x            |
| UDID                   |            |                        |                                |       √***        |               |     √***     |          √***          |
| Keychain+CFUUID/NSUUID |            |                        |                                |                   |               |      x       |                        |
x - does not persist (last column: not useful for my use case)
√ - persists
blank - persists (nothing notable)

* The app must be restarted in order to see the change.

** All apps from that vendor must be deleted in order for the value to change.

*** Unfortunately, it is also deprecated by Apple in favor of the identifierForVendor (IDFV) and the Advertising Identifier.

iTunes device/keychain

When the device (and with it the keychain) is backed up using iTunes, are the keychain items backed up in a form that can be restored to a different device, or only to the same device?

| iTunes keychain backup method             | iOS 3 | iOS 4 | iOS 5 | iOS 6 | iOS 7 | iOS 8 |
|-------------------------------------------|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|
| encrypted backup *                        |   x   |       |       |       |       |       |
| unencrypted backup *                      |   x   |   x   |   x   |   x   |   x   |   x   |
| encrypted backup + ...ThisDeviceOnly **   |   x   |   x   |   x   |   x   |   x   | x***  |
| unencrypted backup + ...ThisDeviceOnly ** |   x   |   x   |   x   |   x   |   x   | x***  |
x - item is not restorable to a different device (an unencrypted backup still contains the item, but encrypted with a device-bound key)
√ - item is restored to a different device
blank - same as √: migratable items in an encrypted backup restore to any device

* Migratable keychain items use one of: kSecAttrAccessibleWhenUnlocked | kSecAttrAccessibleAfterFirstUnlock | kSecAttrAccessibleAlways

** Non-migratable keychain items use one of: kSecAttrAccessibleWhenUnlockedThisDeviceOnly | kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly | kSecAttrAccessibleAlwaysThisDeviceOnly
	https://devforums.apple.com/message/1089429#1089429
	http://useyourloaf.com/blog/2011/05/27/ios-keychain-migration-and-data-protection-part-1.html
	http://adcdownload.apple.com//videos/wwdc_2010__hd/session_209__securing_application_data.mov

*** kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (iOS 8 and up) - requires that a device passcode be set before an item can be stored in this class (the AgileBits guide below discusses it in the context of Touch ID / PIN Code unlock) and prevents the data from being copied to iCloud backups, even encrypted with a device-dependent key.
	The device needs to be unlocked for the data to be accessible.
	The device must have a passcode set (if the device passcode is turned off, the data is deleted).
	The data cannot be restored to a different device.
	The data is not included in iCloud backups.
	Because turning off the passcode deletes the item, this class suits secrets rather than an identifier that must persist; for the use case above, one of the other ThisDeviceOnly classes is the better fit.
	https://guides.agilebits.com/kb/security/en/topic/touch-id-pin-code-and-ios-keychain

iCloud vs iTunes backup

| Backup method         | iOS 6 | iOS 7  | iOS 8           |
|-----------------------|:-----:|:------:|:---------------:|
| iCloud Keychain sync  | x *** | √ **** | √ (** and ****) |
| iTunes backup/restore | √ *   | √ *    | √ (* and **)    |
x - not available
√ - keychain data leaves the device unless prevented as noted

* Preventable by using the 'ThisDeviceOnly' classes (e.g. kSecAttrAccessibleWhenUnlockedThisDeviceOnly).

** kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly (iOS 8 and up): see footnote *** in the "iTunes device/keychain" section above.

*** iOS 6 does not provide iCloud Keychain sync.

**** iCloud Keychain sync was introduced in iOS 7.
		kSecAttrSynchronizable = kCFBooleanTrue must be set on an item for it to sync via iCloud Keychain; it is false by default, so nothing syncs unless the app opts in.
		Limited to password items only (kSecClassGenericPassword and ).
		For shared, synchronized items, use the same kSecAttrAccessGroup name.
		Avoid persistent references to synchronizable items.
		src: https://developer.apple.com/videos/ios/ -> 2013 -> Security and Privacy in iOS7
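The following is an added example (not code from the original gist) of the Keychain+NSUUID approach the tables above point to: an identifier that survives app launch, backgrounding, re-install and reboot, but is stored in a ThisDeviceOnly class so it is never restored onto another device from an iTunes backup (encrypted or not), and is explicitly marked non-synchronizable so iCloud Keychain (iOS 7 and up) never picks it up. The service and account strings are hypothetical placeholders; the code assumes ARC, the Security framework, and a deployment target of iOS 6 or later.

```objc
// Added example: a device-only installation identifier in the keychain.
// Assumes ARC and -framework Security. Service/account names are placeholders.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kDevIDService = @"com.example.device-identifier"; // hypothetical
static NSString *const kDevIDAccount = @"installation-uuid";             // hypothetical

// Base query shared by lookup and add. kSecAttrSynchronizable is set to NO
// explicitly so the item is never a candidate for iCloud Keychain sync; the
// attribute only exists on iOS 7+, hence the weak-link check for iOS 6.
static NSMutableDictionary *DevIDBaseQuery(void) {
    NSMutableDictionary *q = [@{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kDevIDService,
        (__bridge id)kSecAttrAccount: kDevIDAccount,
    } mutableCopy];
    if (&kSecAttrSynchronizable != NULL) {
        q[(__bridge id)kSecAttrSynchronizable] = @NO;
    }
    return q;
}

// Returns the stored identifier, or nil if none exists yet (or on error).
static NSString *DevIDRead(OSStatus *outStatus) {
    NSMutableDictionary *query = DevIDBaseQuery();
    query[(__bridge id)kSecReturnData] = @YES;
    query[(__bridge id)kSecMatchLimit] = (__bridge id)kSecMatchLimitOne;

    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (outStatus) *outStatus = status;
    if (status != errSecSuccess) return nil;   // errSecItemNotFound on first run
    NSData *data = CFBridgingRelease(result);
    return [[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding];
}

// Stores a new identifier in a non-migratable class. ThisDeviceOnly keeps it
// out of any restore onto a different device; AfterFirstUnlock lets background
// code read it. WhenPasscodeSetThisDeviceOnly is deliberately NOT used: turning
// off the passcode would delete the identifier.
static OSStatus DevIDWrite(NSString *identifier) {
    NSMutableDictionary *attrs = DevIDBaseQuery();
    attrs[(__bridge id)kSecValueData] = [identifier dataUsingEncoding:NSUTF8StringEncoding];
    attrs[(__bridge id)kSecAttrAccessible] =
        (__bridge id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly;
    return SecItemAdd((__bridge CFDictionaryRef)attrs, NULL);
}

// Read-or-create entry point. The keychain outlives the app sandbox, so the
// value survives re-install and reboot, but not a system reset or a restore
// onto another device (both come back as errSecItemNotFound -> new UUID).
NSString *DevIDCurrent(void) {
    OSStatus status = errSecSuccess;
    NSString *existing = DevIDRead(&status);
    if (existing) return existing;
    if (status != errSecItemNotFound) {
        // Transient failure (e.g. keychain locked): do not mint a new ID,
        // or the identifier stops being stable.
        NSLog(@"keychain read failed: %d", (int)status);
        return nil;
    }
    NSString *fresh = [[NSUUID UUID] UUIDString];   // iOS 6+; CFUUIDCreate on iOS 5
    status = DevIDWrite(fresh);
    if (status == errSecDuplicateItem) {
        // Lost a race with another thread that created it first: use theirs.
        return DevIDRead(NULL);
    }
    if (status != errSecSuccess) {
        NSLog(@"keychain write failed: %d", (int)status);
        return nil;
    }
    return fresh;
}
```

Calling DevIDCurrent() on every launch returns the same string until the device is erased or the item is deleted; after a restore onto a different device the lookup returns errSecItemNotFound and a fresh UUID is minted, which is the behaviour requirements 1 and 2 ask for. The opposite behaviour (an identifier that follows the user across devices) would need a migratable class and kSecAttrSynchronizable set to YES, exactly the combination this use case must avoid.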
