mogol / flutter_secure_storage

A Flutter plugin to store data in secure storage
https://pub.dartlang.org/packages/flutter_secure_storage
BSD 3-Clause "New" or "Revised" License

iOS: stored values are persisted even after app was removed #660

Open rexmihaela opened 6 months ago

rexmihaela commented 6 months ago

Repro steps:

1) Make sure you have only one bundle/flavor of the app on the device.
2) Store some key-value pair, like authToken
3) Remove the app
4) Install a fresh copy of the app
5) The stored value is somehow accessible

vicenterusso commented 6 months ago

Check here: https://github.com/mogol/flutter_secure_storage/issues/125

kevtechi commented 6 months ago

It's the expected behavior of iCloud Keychain. It's kind of like a password manager where each app has its own private space.

If you want to delete, you can run a delete function from the app which deletes everything.

lyio commented 1 week ago

Going by this StackOverflow answer https://stackoverflow.com/questions/42903633/store-item-in-ios-keychain-without-icloud-sync/42903918#42903918 and this block of code in the iOS plugin code:

let update: [CFString: Any?] = [
  kSecValueData: value.data(using: String.Encoding.utf8),
  kSecAttrAccessible: attrAccessible,
  kSecAttrSynchronizable: synchronizable
]

anything stored via FlutterSecureStorage should not be synchronized with iCloud (by default), as the flag defaults to false.

Maybe I'm reading this wrong or maybe it's not working as intended. The "solution" to manually remove all keys depending on some arbitrary flag seems rather hacky.
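The flag-based cleanup mentioned in the thread, written out as an added example (it is not code from the plugin or from any commenter). It assumes the shared_preferences package is available and that its data is removed together with the app while Keychain items are not; the marker key name and the helper name `purgeStaleSecrets` are hypothetical.

```dart
import 'package:flutter/foundation.dart';
import 'package:flutter/widgets.dart';
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:shared_preferences/shared_preferences.dart';

// Hypothetical marker key. It must live in SharedPreferences
// (NSUserDefaults on iOS), which is deleted when the app is removed.
const String kInstallMarker = 'secure_storage_initialized';

/// Wipes secure-storage items left over from a previous install.
/// Returns true when a wipe was performed.
Future<bool> purgeStaleSecrets(
  FlutterSecureStorage storage,
  SharedPreferences prefs,
) async {
  if (prefs.getBool(kInstallMarker) ?? false) {
    return false; // Marker survived, so this is not a fresh install.
  }
  // Delete first, then set the marker: if the app dies in between,
  // the next launch repeats the wipe instead of skipping it.
  await storage.deleteAll();
  await prefs.setBool(kInstallMarker, true);
  return true;
}

Future<void> main() async {
  WidgetsFlutterBinding.ensureInitialized();
  const storage = FlutterSecureStorage();
  final prefs = await SharedPreferences.getInstance();

  // Must run before anything reads from secure storage.
  final wiped = await purgeStaleSecrets(storage, prefs);
  debugPrint('stale secure-storage items wiped: $wiped');

  // 'authToken' is the key from the repro steps above.
  final token = await storage.read(key: 'authToken');
  debugPrint(token == null ? 'no session, show login' : 'session restored');
}
```

The first launch after shipping this check also wipes the secrets of existing users who upgrade, because their installs have no marker yet.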