Keychain Accessibility Hardening
| Plan | Platforms | MASVS |
|---|---|---|
| Team | iOS | MASVS-STORAGE-1, MASVS-STORAGE-2, MASVS-CRYPTO-2 |
Overview
Keychain Accessibility Hardening automatically strengthens the security posture of all keychain items stored by your application. It enforces device-only storage policies and removes cloud synchronization flags, reducing the attack surface for credential theft across multiple vectors.
When enabled, all keychain operations (adding or updating items) are transparently hardened to prevent:
- Cross-device synchronization of sensitive credentials via iCloud Keychain
- Backup restoration of keychain items to unauthorized devices
- Lock-state vulnerabilities where items are accessible when the device is locked
This is a prevention control that operates transparently at runtime without requiring code changes in your application.
How It Works
When your app writes to the keychain (using SecItemAdd or SecItemUpdate), the control automatically:
- Rewrites accessibility class — Converts accessibility attributes to their device-only equivalents:
- Items that would be accessible when unlocked → restricted to unlocked state, device-only
- Items that would be accessible after first unlock → restricted to after first unlock, device-only
- Background-accessible items → preserved for background compatibility but still device-only
- Strips iCloud synchronization — Removes
kSecAttrSynchronizable=trueflags to prevent credentials from being synced to iCloud Keychain
- Preserves secure storage — Items using Secure Enclave or biometric-protected access controls pass through unchanged (already maximally secure)
The hardening happens automatically for all keychain operations. Your application code requires no changes.
Threats Mitigated
| Threat | Mitigation |
|---|---|
| Cross-device credential theft | Prevents attacker from accessing credentials on Device B after compromising Device A's iCloud account |
| Backup restoration attacks | Prevents keychain items from being restored to an attacker's device via iTunes/Finder backup |
| Lock-state exposure | Reduces window when credentials are accessible while device is locked or powered off |
| iCloud Keychain exfiltration | Eliminates cloud-synced copies of credentials that could be targeted in iCloud account compromise |
How to Enable the Control
Navigate to Preventative Controls from the AppTego portal, and expand the Data at Rest Protection section. Under this section you will find the Keychain Accessibility Hardening control. Click Enable to enable it for the next build or for it to be applied with a live push (if enabled).
API Configuration Example
{
"KeychainAccessibilityPrevention": {
"protection": true
}
}| Field | Purpose |
|---|---|
protection | Enables keychain accessibility hardening for protected apps. |
Configuration
{
"protection": true,
"migrate_existing": false
}Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
protection | boolean | true | Enable keychain hardening |
migrate_existing | boolean | false | Opt-in only: Migrate pre-existing keychain items to hardened accessibility classes. See Existing Items Migration below. |
Existing Items Migration
By default, only new keychain items written after enabling the control are hardened. Pre-existing items remain unchanged.
Set "migrate_existing": true to trigger a one-time background migration that:
- Scans all keychain items in the app's default access group
- Updates accessibility classes to device-only variants
- Removes synchronization flags
- Skips Secure Enclave items and items with biometric access controls
Important: Migration is a one-time operation (tracked by NSUserDefaults flag). Subsequent launches skip migration even if you toggle the control off and back on. Migration runs asynchronously and does not block app launch.
Caution: If your app uses shared keychain access groups or stores keychain items that are intentionally meant to sync across devices, carefully test migration behavior in a staging environment first.
Defaults
When your application does not specify an accessibility class for a keychain item, this control uses:
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnlyas the default
This preserves compatibility with background URL sessions, background app refresh, and other background tasks that may need to read keychain items before the user unlocks the device.
If your application explicitly requests foreground-only access, the control preserves that intent while applying device-bound storage behavior where supported.
Caveats and Limitations
Secure Enclave and Biometric Items
Items that use:
- Secure Enclave protections
- Biometric access controls
are already maximally secure and pass through unchanged. The control does not attempt to rewrite these items.
Shared Keychain Access Groups
If your app shares keychain items with other apps or extensions via access groups, all members of the access group must have the control enabled for consistent behavior. Otherwise, one app may write items with default accessibility while another hardens them.
Background Compatibility
The control defaults to AfterFirstUnlockThisDeviceOnly (not WhenUnlockedThisDeviceOnly) to preserve compatibility with:
- Background URL sessions
- Background app refresh
- Silent push notification handlers
- VoIP push handlers
These background contexts may need to read keychain items before the user unlocks the device. If you are certain your app does not require background keychain access, you can manually specify kSecAttrAccessibleWhenUnlockedThisDeviceOnly in your code and the control will preserve that stricter policy.
Support Matrix
| Platform | Minimum Version | Availability |
|---|---|---|
| iOS | iOS 12.0+ | ✅ Team, Enterprise |
| Android | — | ❌ Not applicable |
Plan Requirement
| Plan | Available |
|---|---|
| Free | ❌ |
| Team | ✅ |
| Enterprise | ✅ |
Related Controls
- Backup Protection — Prevents device backups from containing sensitive app data (iOS/Android)
- Clipboard Protection — Blocks protected content from being copied to the clipboard (iOS/Android)