microsoftconnect / ms-intune-app-sdk-ios

Intune App SDK for iOS enables data protection and mobile app management features in iOS mobile apps with Microsoft Intune

Error accessing keychain items in background task #478

Open paul-turner opened 2 weeks ago

paul-turner commented 2 weeks ago

Describe the bug: We're seeing errors when accessing a keychain item from within a background task, which carries over to the next foreground launch. The error code given is OSStatus -25308 which we've mapped to https://developer.apple.com/documentation/security/errsecinteractionnotallowed

To Reproduce: We haven't been able to reproduce it internally, but have had multiple customer reports of the issue.

Smartphone (please complete the following information):

Intune App SDK for iOS: On the latest Intune SDK version 20.1.2, native app. We don't see the error happen on our app builds that don't have the Intune SDK integrated. No other trends identified yet.

One additional question I have is if you could expand a bit more on what the FinishLaunchingAtStartup setting changes for the app?

kanishkaBagga commented 1 week ago

@paul-turner I am looking into this

paul-turner commented 1 week ago

Thanks @kanishkaBagga some additional information on the issues we are seeing:

CMARKeychainUtils: Keychain utils was accessed before app was fully initialized

Let me know if there's additional information that would help.

kanishkaBagga commented 1 week ago

@paul-turner - I need a few details to further investigate:

1) Can you share the API that you are using to access the keychain?
2) Can you share the MAM logs as mentioned here - https://learn.microsoft.com/en-us/mem/intune/developer/app-sdk-ios-appendix#how-can-i-troubleshoot-my-app
3) Based on your email - how did you establish that this app prompting users to sign in (closing/re-opening the app resolves the issue without requiring the user to actually sign in) is related to OSStatus -25308?

paul-turner commented 1 week ago

@kanishkaBagga Is there an email we can share the MAM logs to instead of sharing here? RE: 3 -- We've determined these are related because the inability to access our stored data in the keychain prevents us from resuming properly in a signed in state (note this is separate from intune registration etc, our own app state). And once the app is reopened we no longer see the errors in both the mam logs and our own logs. And that the issue does not occur in non-intune sdk integrated builds.

paul-turner commented 4 days ago

@kanishkaBagga I've emailed the logs to wangxiao@microsoft.com @wangxiaoms since I saw their email in previous issues, let me know what email to send it to you. As for our usage, we are calling SecItemCopyMatching.

Also worth noting that we recently switched from the default value of MaxFileProtectionLevel (which was NSFileProtectionComplete since we had no value set) to NSFileProtectionCompleteUntilFirstUserAuthentication in case that affects any keychain items.

kanishkaBagga commented 3 days ago

@paul-turner - I have received the logs. I am looking into it.

kanishkaBagga commented 2 days ago

@paul-turner could you please check whether the issue is triggered by either of the following scenarios:

1) When the device is locked
2) When the device is booted up for the first time and NOT yet unlocked

I think this may be caused by an incorrect value being set for the kSecAttrAccessible attribute key on the keychain item your app is attempting to access: https://developer.apple.com/documentation/security/item-attribute-keys-and-values#Accessibility-Values
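
The two scenarios above map directly onto the keychain accessibility classes. The following is an added example and is not code from the reporter's app or from the Intune SDK; the service and account names are placeholders, and the session-state handling stands in for whatever the app does on foreground launch. It writes an item with an accessibility class that a background task can read while the device is locked, and it separates "item exists but cannot be read right now" (OSStatus -25308) from "item is missing", so that a locked-device read failure does not get treated as a signed-out state on the next launch:

```swift
import Foundation
import Security

// Added example, not the reporter's code or the Intune SDK's.
// Placeholders: the service/account strings and the SessionState enum.

enum KeychainError: Error {
    case interactionNotAllowed   // errSecInteractionNotAllowed, OSStatus -25308
    case itemNotFound            // errSecItemNotFound, OSStatus -25300
    case unexpected(OSStatus)
}

let service = "com.example.app.session"   // placeholder
let account = "session-token"             // placeholder

// If kSecAttrAccessible is omitted, SecItemAdd uses kSecAttrAccessibleWhenUnlocked:
// the item is readable only while the device is unlocked, so a background task that
// runs on a locked device gets -25308. kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
// is readable any time after the first unlock following boot, which covers scenario 1
// (device locked) but not scenario 2 (rebooted and never unlocked).
func store(token: Data, readableWhileLocked: Bool) throws {
    let accessible: CFString = readableWhileLocked
        ? kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        : kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
    ]
    // An existing item keeps the accessibility class it was written with, so
    // delete and re-add to make sure the new class actually applies.
    SecItemDelete(query as CFDictionary)

    var add = query
    add[kSecValueData] = token
    add[kSecAttrAccessible] = accessible
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpected(status) }
}

// The same SecItemCopyMatching call the reporter mentions, with the two
// statuses that matter here mapped to distinct errors.
func loadToken() throws -> Data {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: service,
        kSecAttrAccount: account,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        guard let data = result as? Data else { throw KeychainError.unexpected(errSecDecode) }
        return data
    case errSecInteractionNotAllowed:
        throw KeychainError.interactionNotAllowed
    case errSecItemNotFound:
        throw KeychainError.itemNotFound
    default:
        throw KeychainError.unexpected(status)
    }
}

enum SessionState {
    case signedIn(Data)
    case signedOut
    case unavailableWhileLocked
}

// Only a genuinely missing item should send the user back to sign-in;
// -25308 means "retry after the device is unlocked", not "no session".
func resumeSession() -> SessionState {
    do {
        let token = try loadToken()
        return .signedIn(token)
    } catch KeychainError.interactionNotAllowed {
        return .unavailableWhileLocked
    } catch {
        return .signedOut
    }
}
```

Two caveats worth keeping in mind when choosing the class: AfterFirstUnlock deliberately weakens protection, because the item's key stays available while the device is locked after the first unlock, so it should only be applied to the items a background task genuinely needs, not to everything the app stores. And the Intune SDK's MaxFileProtectionLevel setting governs NSFileProtection classes on files; whether it also affects the app's own keychain items is exactly what this thread is still trying to establish, so the example above does not assume either way.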

elmoeleven commented 1 day ago

Hey @kanishkaBagga! I work with @paul-turner!

We think the issue is triggered when the device is locked.

This may be related. A few months ago we were navigating many EXC_BAD_ACCESS errors that we traced back to MaxFileProtectionLevel. Our value being unset meant it defaulted to NSFileProtectionComplete, which in our testing was the cause of the crashes. We changed that to NSFileProtectionCompleteUntilFirstUserAuthentication, as the documentation suggested, since we present lock screen UI elements (widgets).

In working with our partners, we heard apparently we need to set MaxFileProtectionLevel to NSFileProtectionComplete to access keychain items in the background task. Is there any documentation around this?