My application uses expo `SecureStore` to store secrets such as user `access_token` and `refresh_token`. `SecureStore` uses the iOS keychain under the hood:

> On iOS, values are stored using the keychain services as `kSecClassGenericPassword`. iOS has the additional option of being able to set the value’s `kSecAttrAccessible` attribute, which controls when the value is available to be fetched.

I’m interested to know if an attacker (a thief) could read the secrets. For that, I am considering the following assertions to hold true:

- Application can only be installed on iPhones
- Attacker knows victim PIN code
- Attacker has access to victim iCloud
- iPhone is on the latest iOS version and no jailbreak exists for this version
- secrets are stored in keychain with `kSecAttrAccessible` set to `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` (but also interested to know answers for `kSecAttrAccessibleWhenUnlocked`)

Is it possible for an attacker to recover `access_token` and `refresh_token`?