flutter-institute / webauthn

A plugin to handle webauthn login
BSD 3-Clause "New" or "Revised" License

Passkeys Lost After App Uninstallation Despite Secure Storage Usage #20

Closed LDiaks01 closed 1 month ago

LDiaks01 commented 2 months ago

I am encountering an issue where, after uninstalling the app created with passkeys, the passkeys themselves are lost. However, the passkeys are also stored on the server.

Issue: Upon uninstalling the app, the passkeys stored in secure storage are deleted. Despite being stored in the phone's secure part (Keychain/Keystore), they are not retained.

I got the error "GetAssertionException Error: No credentials exist for rpId AAAAA" after reinstalling the app and trying to log in.

killermonk commented 2 months ago

This is the expected behavior for how I built the library. The metadata for the passkey is stored in an sqlite database that is deleted when the app is uninstalled. The private key for the passkey is stored in secure storage, but the key for referencing that value in secure storage is stored in the sqlite database, so the library would have no way of looking up the key once the sqlite database was deleted.

I'd have to do some digging into the secure storage handling, because my assumption was that any items associated with an app are also deleted from secure storage when the app is uninstalled, but I'll need to validate that to ensure that this library isn't leaving behind potential dangling keys.

If you delete the app, you will need to re-create the passkeys for a given account on the server.

LDiaks01 commented 2 months ago

Hello! Thanks. In the context of secure storage, is the credential_id used as the key to reference the stored value in the SQLite database? If not, I'm interested in knowing whether it's possible to retrieve the contents of that SQLite database (e.g., are there existing functions for this?). My plan is to save the keys, uninstall the app, and then check whether the secure storage system properly deletes the keys after uninstallation. Currently, there's no way to view the actual passkeys created on Android.

killermonk commented 2 months ago

The alias used as the key in secure storage is "webauthn-prefix-" followed by 32 random bytes and is generated here: https://github.com/flutter-institute/webauthn/blob/master/lib/src/db/credential.dart#L87

The keypairAlias is currently only used internally and is not exposed through the APIs at any point, so you'd need to clone the source code directly and possibly add in some debug statements to log the alias for your use case.
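The two-store layout described in the maintainer's replies above (credential metadata in an app-private SQLite database, the private key in secure storage under a "webauthn-prefix-" plus 32 random bytes alias that only the SQLite row knows) is modelled below as an added example. It is a Python model written for this page, not the library's Dart code: the table layout, the class and function names, the hex encoding of the random bytes and the use of an in-memory dict for Keychain/Keystore are all assumptions. The model takes the pessimistic case the maintainer said he still had to validate, namely that secure-storage items outlive the app's data, so that it can show both the "No credentials exist for rpId" failure after the database is gone and a reconciliation check that finds the resulting dangling keys.

```python
"""Model of the passkey storage split discussed in the issue.

Constructed example, not flutter-institute/webauthn code. Two stores:
an app-private SQLite database (removed on uninstall) holding credential
metadata including the keypair alias, and a secure store (assumed here
to survive uninstall) holding the private key under that alias.
"""
import os
import sqlite3

ALIAS_PREFIX = "webauthn-prefix-"  # prefix named in the thread


def new_keypair_alias(rng=os.urandom) -> str:
    """Prefix plus 32 random bytes; hex encoding is an assumption."""
    return ALIAS_PREFIX + rng(32).hex()


class SecureStorage:
    """Stand-in for Keychain/Keystore: a dict that uninstall() leaves alone."""

    def __init__(self):
        self._items = {}

    def put(self, alias, private_key):
        self._items[alias] = private_key

    def get(self, alias):
        return self._items[alias]

    def delete(self, alias):
        self._items.pop(alias, None)

    def aliases(self):
        return set(self._items)


class CredentialDb:
    """Stand-in for the app-private SQLite file (hypothetical schema)."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE credential ("
            " credential_id BLOB PRIMARY KEY,"
            " rp_id TEXT NOT NULL,"
            " keypair_alias TEXT NOT NULL UNIQUE)"
        )

    def insert(self, credential_id, rp_id, alias):
        self.conn.execute("INSERT INTO credential VALUES (?, ?, ?)",
                          (credential_id, rp_id, alias))

    def aliases_for_rp(self, rp_id):
        rows = self.conn.execute(
            "SELECT keypair_alias FROM credential WHERE rp_id = ?", (rp_id,))
        return [r[0] for r in rows]

    def all_aliases(self):
        return {r[0] for r in self.conn.execute(
            "SELECT keypair_alias FROM credential")}


def register(db, secure, rp_id, private_key, rng=os.urandom):
    """Create a credential: key goes to secure storage, alias to the DB."""
    credential_id = rng(16)
    alias = new_keypair_alias(rng)
    secure.put(alias, private_key)
    db.insert(credential_id, rp_id, alias)
    return credential_id


def private_keys_for_assertion(db, secure, rp_id):
    """The lookup path: DB row -> alias -> secure storage."""
    aliases = db.aliases_for_rp(rp_id)
    if not aliases:
        raise LookupError(f"No credentials exist for rpId {rp_id}")
    return [secure.get(a) for a in aliases]


def uninstall(db):
    """Uninstall removes app-private data; the model returns an empty DB."""
    return CredentialDb()


def dangling_aliases(db, secure):
    """Keys in secure storage that no credential row references any more."""
    ours = {a for a in secure.aliases() if a.startswith(ALIAS_PREFIX)}
    return ours - db.all_aliases()


def scenario():
    """Register, uninstall, observe the failure, then reconcile."""
    secure, db = SecureStorage(), CredentialDb()
    register(db, secure, "example.com", b"constructed-private-key")
    before = len(private_keys_for_assertion(db, secure, "example.com"))
    db = uninstall(db)
    try:
        private_keys_for_assertion(db, secure, "example.com")
        lookup_failed = False
    except LookupError:
        lookup_failed = True
    orphans = dangling_aliases(db, secure)
    for alias in orphans:          # cleanup a library could run at startup
        secure.delete(alias)
    return {"keys_before": before,
            "lookup_fails_after_uninstall": lookup_failed,
            "dangling_after_uninstall": len(orphans),
            "dangling_after_cleanup": len(dangling_aliases(db, secure))}


if __name__ == "__main__":
    print(scenario())
```

The reconciliation in `dangling_aliases` only works because every alias shares a known prefix, which is the one property of the alias scheme the thread does confirm; whether a real Keystore or Keychain actually keeps such items across an uninstall is platform behaviour that has to be checked on device, as the maintainer says.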