AndreasGassmann
commented
2 years ago This applies only to iOS:
The secret is encrypted with a public key that was generated inside the SecureEnclave of the device. The private key is held by the SecureEnclave and can never be extracted. So to decrypt your secret, we pass the encrypted data to the SecureEnclave, which will give us back the secret. If a passphrase is set, it is also needed to decrypt. Although I'm not sure how Apple does that internally, if they just use the passphrase as access control or if it's actually part of the encryption. Most likely it's just access control.
When you delete the app, the local storage is removed, but the encrypted data stays in the keychain. When you re-install the app, you will not be able to see your secret but it's still in the keychain, just not accessible. The problem here is that we cannot control what happens after the user uninstalls the app. So it's best to use the "reset" feature in the settings to be sure everything is wiped.
Originalimoc
And is keychain data encrypted by the passphrase when creating/importing secret. Or is it just a app level protection. Please write these properties into a FAQ or something?