forcedotcom / SalesforceMobileSDK-CordovaPlugin

Cordova plugin for the Salesforce Mobile SDK

OAuth issue when using multiple apps on the same device #190

Closed lingjunjiang closed 8 years ago

lingjunjiang commented 8 years ago

Hi,

We have one OAuth issue when using multiple mobile sdk apps on the same device.

Test apps & environment:

Reproduce steps:

  1. Install and login App1 successfully.
  2. Install and login App2 successfully.
  3. Quit App1 completely and re-open it. Then the oauth login is requested again with the following error. However, the access token is not revoked because the user is still listed in Connected App User's Usage page.

2016-05-11 16:18:33:588 App1[13854:2338042] ERROR|SFUserAccountManager|Error deserializing the user account data: Error Domain=SFUserAccountManager Code=10002 "User account data could not be decrypted. Can't load account." UserInfo={NSLocalizedDescription=User account data could not be decrypted. Can't load account.}
2016-05-11 16:18:33:659 App1[13854:2338042] INFO|SalesforceSDKManagerWithSmartStore|Launching the Salesforce SDK.
2016-05-11 16:18:33:662 App1[13854:2338042] INFO|SFSecurityLockout|Skipping 'lock' since not authenticated
2016-05-11 16:18:33:662 App1[13854:2338042] INFO|SalesforceSDKManagerWithSmartStore|Passcode verified, or not configured. Proceeding with authentication validation.
2016-05-11 16:18:33:663 App1[13854:2338042] INFO|SalesforceSDKManagerWithSmartStore|No valid credentials found. Proceeding with authentication.
2016-05-11 16:18:33:663 App1[13854:2338042] INFO|SFAuthenticationManager|No current user account, so creating a new one.

  4. App1 does not start properly if I log in again. It seems there are SmartStore errors as well.

2016-05-11 16:19:17:385 App1[13854:2338042] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:457 App1[13854:2338042] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:458 App1[13854:2338042] ERROR|SFSmartStore|Error opening store 'defaultStore': out of memory
2016-05-11 16:19:17:463 App1[13854:2338042] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:529 App1[13854:2338042] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:529 App1[13854:2338042] ERROR|SFSmartStore|Error opening store 'defaultStore': out of memory
2016-05-11 16:19:17:536 App1[13854:2338583] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:603 App1[13854:2338583] ERROR|SF_FMDatabase|DB Error: 26 "file is encrypted or is not a database"
2016-05-11 16:19:17:603 App1[13854:2338583] ERROR|SFSmartStore|Error opening store 'defaultStore': out of memory

Thanks.

sevem commented 8 years ago

same problem with version 4.1.2

wmathurin commented 8 years ago

Can you check the value for account_type in res/values/strings.xml? Are your two apps using different values for the account_type?

lingjunjiang commented 8 years ago

@wmathurin The error occurs in iOS; I didn't test it in Android. But I also checked the Android build (I just built it and have not had enough time to run it on Android yet): the account_type values in res/values/strings.xml are different in the 2 apps.

sevem commented 8 years ago

@wmathurin I've tested this problem with two native iOS apps. No problem here. But the same problem exists with a combination of hybrid and native iOS apps. It seems that the UserAccount.plist can't be encrypted and is removed.

niou-ns commented 8 years ago

I have a similar issue - users have a custom hybrid app and SF1 (iOS devices). The user is logged in to the custom app, goes to SF1, clicks one action which passes a parameter and opens the custom app - the app asks to log in again. It wasn't happening on SDK 3.

sevem commented 8 years ago

Yes, same problem with SF1 and the current Mobile SDK. So this problem is getting bigger

sevem commented 8 years ago

@huminzhi any updates here? Can you estimate when a solution will be available? We currently have a lot of customer projects which depend on this issue.

bhariharan commented 8 years ago

@sevem Unfortunately, we don't have an ETA at this time.

niou-ns commented 8 years ago

@bhariharan any ETA ?

sevem commented 8 years ago

@bhariharan go live for our app is getting closer. This is really a huge problem. I don't think that we can argue to uninstall Salesforce 1 to avoid problems with the app. If there still is no ETA, how can be addressed to push this issue? @kchitalia

huminzhi commented 8 years ago

@lingjunjiang @sevem @niou-ns All, I am able to reproduce this on the simulator exactly as @lingjunjiang mentioned; however, doing the same steps on a real iPhone device, I cannot reproduce this issue. Thus it seems to me to be an Apple bug with the simulator...

@niou-ns Are you seeing this on a real device? It could be something different..

niou-ns commented 8 years ago

@huminzhi our app is already in production. I know that the steps to reproduce were:

  1. logout from sf1 and custom app
  2. log in to custom app first
  3. log in to sf1
  4. make some actions on sf1 which will redirect user to custom app
  5. custom app was asking for login again.

It wasn't happening on ver 3 of SDK. And yeah - it happened on real devices for real users ;-)

huminzhi commented 8 years ago

@niou-ns I am not able to reproduce this if I just bring up the customer app by the root url... It really depends on what's in step 4 and what the implementation of handleURL is. Not sure if you have more debug info to see why the app logs out the current user? Also, is the custom app native or hybrid?

niou-ns commented 8 years ago

@huminzhi I'm sorry but I can't help you - I'm not on this project anymore and I can't log in. Everything was set up correctly (urls, handleurl functions etc) - it was working fine on previous SDK. I'm talking about the hybrid app - which currently is released for iOS only.

Edit: maybe try to log in into SF1 first, then to custom app, back to SF1 and try to redirect from SF1 to custom app?

huminzhi commented 8 years ago

The issue is fixed or solved in latest build.

sevem commented 8 years ago

@huminzhi Still have the same problem with the latest unstable branch of version 4.2

I have two iOS apps with the same SalesforceMobileSDK-CordovaPlugin (latest unstable branch of 4.2). I install the first app and log in to Salesforce. I install the second app, open it and also log in to Salesforce.

If I now start the first app again, the Salesforce login appears again. And if I log in again, the app is not running properly because there is a problem with the smartstore.

Attached is the stacktrace of the first app during the second start. As you can see, there seems to be a problem with the database.

stacktrace.txt

wmathurin commented 8 years ago

To try Mobile SDK 4.2 plugin, you can't simply point to the unstable repo. We don't update the binaries in there until the day we ship the release (to prevent the repo from becoming too large). You need to clone that repo, checkout the right branch, run the tools/update.sh script. Then cordova plugin add path_to_clone. Let us know how that goes.

sevem commented 8 years ago

@wmathurin ah, good to know. I didn't know that. So I have to check out the unstable branch of the SalesforceMobileSDK-CordovaPlugin and then run

./update.sh -b unstable

correct? Can I also use a locally cloned and modified SalesforceMobileSDK-iOS in this way?

wmathurin commented 8 years ago

You could fork the plugin repo and when you update it will get the iOS repo from your fork as well. Or even easier you could locally edit update.sh to get the iOS repo of your choice. The part of the script to change is after https://github.com/forcedotcom/SalesforceMobileSDK-CordovaPlugin/blob/master/tools/update.sh#L107

sevem commented 8 years ago

@wmathurin cool. Thank you. I will test again and give you an update here.

sevem commented 8 years ago

@wmathurin @huminzhi Unfortunately this problem still exists, even when I use what is now (really) the latest unstable branch.

"User account data could not be decrypted. Can't load account." UserInfo={NSLocalizedDescription=User account data could not be decrypted. Can't load account."

Here is the corresponding stacktrace of the first app. Same procedure as described above.

stacktrace_4_2.txt

sevem commented 8 years ago

@wmathurin @huminzhi still have the same issue. Were you able to take a look at that once again?

sevem commented 8 years ago

@bhariharan this is a really serious problem. I'm still able to reproduce it in an easy way. Perhaps someone on your side could verify that once again?

@lingjunjiang fyi

kchitalia commented 8 years ago

@sevem Let me try and reproduce this on my side.

sevem commented 8 years ago

@kchitalia were you able to test that again already?

sevem commented 8 years ago

@kchitalia @bhariharan sorry guys. This problem also exists in the brand new 4.3 SalesforceMobileSDK Plugin. Again. This is a serious problem. And to be honest, I don't think that our customers or Salesforce are happy about the fact that only one MobileSDK-based app can be installed on the same device (iOS) at the same time.

I've checked that once again with the new 4.3.0 version and I have the same problems as I mentioned in my comment from 8 July (https://github.com/forcedotcom/SalesforceMobileSDK-CordovaPlugin/issues/190#issuecomment-231378866). Please take a look at the attached stacktrace.

Please, if I am doing something wrong, tell me what. If not, please fix this problem. I can't imagine that I'm the only person who has these problems. And the problem is pretty simple to reproduce. Two apps, two logins, that's it.

@lingjunjiang

niou-ns commented 8 years ago

@sevem don't worry, you're not the only one who was facing that problem. Like I've mentioned before - I'm not on the project anymore so I can't do anything about it, but I had the same issue.

Jeremywhiteley commented 8 years ago

This is a huge issue! So if we have a customer that installs our app and they install another app that uses the MobileSDK from another company, they can't have both apps installed?

sevem commented 8 years ago

@Jeremywhiteley yes. But the question is which features of the Mobile SDK you are using. The problem is that you can't open the smartstore anymore in the first app. So if you do not use smartstore, it does not have to be an issue for you. And I've not tested this issue on Android.

If you are using smartstore, you will have the same problem. My problem is that our customer uses Salesforce 1 and we have several apps for the same customer. And we can't tell him to install just one app or to reinstall the corrupt apps.

We reported this issue at the start of some projects in May. Since then nothing has happened, but the issue is closed. Go-live is in a few weeks. And to be honest, with this issue we can't go live.

sevem commented 8 years ago

The most critical point is: how is it possible that one app can have an influence on another app? Are all Mobile SDK apps using the same keychain on iOS with the same key? So that the second app overwrites the key for the first app's smartstore?

Jeremywhiteley commented 8 years ago

@sevem Eeks, this is going to be a major problem for us too. Have you talked to anyone at salesforce about this? Can you email me, jeremy @ medtexter dot com?

sevem commented 8 years ago

@Jeremywhiteley yes, we were in contact with Salesforce e.g. with @bhariharan and @kchitalia

urthakkar commented 8 years ago

@sevem @Jeremywhiteley - we are looking into this internally and will get back to you

sevem commented 8 years ago

@urthakkar I really appreciate it. And believe me, so does my customer. And the whole Salesforce Mobile Community.

huminzhi commented 8 years ago

@Jeremywhiteley We can install both S1 and Wave (both of these Salesforce apps use the Mobile SDK) on the same device. There must be some special setting causing this. I am wondering if your appA somehow revokes/logs out the user while in the background?

sevem commented 8 years ago

@huminzhi no. No revoke, no logout. Perhaps you should use custom-built apps. Just create two hybrid apps with two different app IDs and try to reproduce the issue with them. I have no special setting or customization. Just a hybrid app and the Mobile SDK.

urthakkar commented 8 years ago

We have not been able to reproduce this internally with our apps (signed with same signature and differently) in combination with Salesforce1. And given there is more than one app that ran into this, we need more details.

@sevem : can you please confirm

@Jeremywhiteley : can you please share if

@niou-ns :

sevem commented 8 years ago

@urthakkar

  1. yes, the problem is in both versions 4.2 and 4.3
  2. yes, I have more hybrid apps. Salesforce 1 is just an example to show you that there is also a problem here. The main problem is my own customer apps. So I have two hybrid mobile apps with the same MobileSDK version and different App IDs, using different Salesforce orgs
  3. yes, stand-alone, no problems
  4. iOS Simulator and on the device
  5. I built a template some months ago based on a forceios version. This template is updated with the latest SalesforceMobileSDK-Cordova Plugin version

If I remember correctly, the first time I had this issue was with version 4.1.1.

sevem commented 8 years ago

@urthakkar did you see my comment on May 8th https://github.com/forcedotcom/SalesforceMobileSDK-CordovaPlugin/issues/190#issuecomment-231378866 and the attached stacktrace?

huminzhi commented 8 years ago

@sevem will you please send me the logs for both apps (app A and app B) (you can send them to mhu@salesforce.com)? Also, just curious whether passcode is enabled in these 2 orgs. Thanks! Also @sevem, I am wondering if those 2 hybrid apps are hybrid_local or hybrid_remote?

sevem commented 8 years ago

@huminzhi unfortunately I don't have both logfiles at the moment. I will send them to you tomorrow. But the most important logfile is this one: https://github.com/forcedotcom/SalesforceMobileSDK-CordovaPlugin/files/354470/stacktrace_4_2.txt

For some reason it seems that the smartstore can't be opened. The database file can't be decrypted. Is it possible that you store the password information for the sqlite in the iOS keychain? And that you are using the same keychain key for each app? There must be a reason that the database can't be decrypted. And the only thing I can imagine is the password for the database decryption.

... and no, no passcode. Just normal OAuth Salesforce login.

huminzhi commented 8 years ago

@sevem, just to be clear, this issue is known to be happening on the simulator (it's Apple's bug), so we will need the logs from a real device to troubleshoot. Somehow I think the logs you sent me are from the simulator?

lingjunjiang commented 8 years ago

@huminzhi The 2 hybrid apps are hybrid_local and use Smartstore to save data on the device. I have the same issue as Jens and I have the same feeling: might the Mobile SDK use the same keychain in different apps?

niou-ns commented 8 years ago

@urthakkar 4.1.1

sevem commented 8 years ago

@huminzhi I will send you the log files from iOS Simulator and from real device.

My environment:

sevem commented 8 years ago

@huminzhi ok. With the new 4.3 version it seems that this problem only exists on the iOS Simulator. But it was reproducible with 4.2.

You mentioned an Apple bug here. Do you have more information about this bug? Links, a more detailed description of where the problem is, ... For a problem with this massive impact I don't want to release an app with just "this is an Apple bug". In this case I have to understand where the problem is, to ensure that this does not appear in a released production app. Also, my customer wants to ensure that there are no problems.

huminzhi commented 8 years ago

Thank you @sevem for confirming it's only on the simulator! @lingjunjiang We are NOT using the same keychain in different apps (it depends on bundleID, and different apps must have different bundleIDs); the only possibility is on the simulator, because Apple shares the same keychain partition across the entire device in the simulator... I am sorry, I don't think there is a bug/radar filed against Apple for this yet, as we are pretty sure Apple usually doesn't fix simulator-only issues... But we can definitely file one and pray for it.

huminzhi commented 8 years ago

Thanks to @khawkins , we found some info about this: Apps that are built for the simulator aren't signed, so there's no keychain access group for the simulator to check. This means that all keychain items are in the same default access group and all apps can see all keychain items when run on the simulator. FYI @sevem

khawkins commented 8 years ago

Yes, the simulator adds some limitations on our keychain storage and how it works in practice, unfortunately. We can take a look at our underlying keychain access and see if there's a way around it in the long term, but it doesn't surprise me to see this behavior on the simulator.

Conversely, I can say with near certainty that, whatever issue is being seen on device, it's not the result of "inadvertent" keychain sharing between apps. Keychain sharing between apps is not something you stumble into—it takes a fair amount of developer configuration, both in bundle ID groups/teams in the Apple Dev Portal, associated configuration in entitlements files, and keychain access code changes. Keychain sharing between apps is actually (intentionally) fairly difficult to set up and get working correctly.

As I said, we'll see if we can alleviate the keychain issues on the simulator, perhaps introducing some artificial partitioning of the data...as long as we can determine that it won't jeopardize the integrity of the keychain data in our customers' apps, since—as the commentary on this bug demonstrates—it's a vital component to the data integrity of Mobile SDK apps.
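
One form the "artificial partitioning" mentioned above could take, shown as an added example that is not part of the thread and is not Mobile SDK code: the keychain service name is prefixed with the app's bundle identifier, so two apps never address the same item even when the simulator puts everything in one default access group. `PartitionedKeyStore` and the `baseService` value are hypothetical names, and how the SDK actually names its keychain items is not stated on this page.

```swift
import Foundation
import Security

/// Hypothetical helper (not Mobile SDK code): keeps a per-app store encryption key
/// in the keychain under a service name scoped to the app's bundle identifier.
enum PartitionedKeyStore {
    // Assumed base name, for illustration only.
    static let baseService = "com.example.store.encryptionKey"

    /// Service name unique to this app, e.g. "com.acme.App1|com.example.store.encryptionKey".
    static func service(bundleID: String? = Bundle.main.bundleIdentifier) -> String {
        "\(bundleID ?? "unknown-bundle")|\(baseService)"
    }

    private static func baseQuery(account: String) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service(),
         kSecAttrAccount as String: account]
    }

    /// Returns the existing key for `account`, or creates and stores a new random one.
    /// An existing item is never overwritten, so a second app cannot replace the first app's key.
    static func loadOrCreateKey(account: String, length: Int = 32) throws -> Data {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne

        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        if status == errSecSuccess, let data = result as? Data { return data }
        guard status == errSecItemNotFound else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
        }

        // No key yet for this app: generate one from the system CSPRNG.
        var bytes = [UInt8](repeating: 0, count: length)
        let rng = SecRandomCopyBytes(kSecRandomDefault, length, &bytes)
        guard rng == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(rng))
        }
        let key = Data(bytes)

        var add = baseQuery(account: account)
        add[kSecValueData as String] = key
        add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        let addStatus = SecItemAdd(add as CFDictionary, nil)
        guard addStatus == errSecSuccess else {
            throw NSError(domain: NSOSStatusErrorDomain, code: Int(addStatus))
        }
        return key
    }
}
```

On a device, the signed app's keychain access group already provides this separation; the prefix only matters where that group is absent, as described for the simulator.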

sevem commented 8 years ago

@urthakkar @huminzhi Thank you for your support here. @khawkins Thank you for the good description