Weak Keychain Accessibility Value
Description
A key stored in the Keychain is using a weak accessibility value. The kSecAttrAccessible attribute controls which Data Protection class the item's encryption key belongs to, and therefore when the item can be decrypted. kSecAttrAccessibleAlways (deprecated since iOS 12 / macOS 10.14, but still accepted) makes the item decryptable at all times, even while the device is locked, so its protection collapses to the device's storage encryption alone: an attacker with physical access and a way to read the keychain database (a jailbroken device, a forensic extraction, or a compromised backup) can recover it without the passcode. kSecAttrAccessibleAfterFirstUnlock makes the item decryptable once the device has been unlocked a single time after a reboot; from that point until the next reboot the item stays accessible even while the device is locked, which is the normal state of a stolen phone. Neither class, and neither of their ThisDeviceOnly variants, ties access to the device being unlocked at the moment of the request.
Examples
Insecure Code
kSecAttrAccessibleAlways or kSecAttrAccessibleAfterFirstUnlock
Secure Code
kSecAttrAccessibleWhenUnlocked or kSecAttrAccessibleWhenUnlockedThisDeviceOnly
Remediation
Use the least permissive accessibility option that still lets the app do its job. For sensitive data (credentials, tokens, private keys) that the app only needs while the user is interacting with it, use kSecAttrAccessibleWhenUnlocked or, preferably, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, which additionally prevents the item from migrating to a new device through backups. For the most sensitive items, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly refuses to store the item at all unless a passcode is set and deletes it if the passcode is removed. kSecAttrAccessibleAfterFirstUnlock is only justified for items a background process genuinely needs while the device is locked (for example a token used to handle a silent push); document that reason next to the call so the finding can be triaged. Also audit items that already exist on users' devices: the accessibility class is fixed when the item is written, so changing the constant in code does not upgrade items stored by earlier versions of the app unless they are rewritten.
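The following Swift code is an added example, not the rule's own sample. It shows the weak and the hardened SecItemAdd call side by side, and a helper that reads back kSecAttrAccessible from an existing item so an app (or a test) can detect items written with a weak class by an earlier version. The service and account names are assumptions.

```swift
import Foundation
import Security

enum KeychainError: Error {
    case status(OSStatus)
}

// Assumed identifiers for the example.
let exampleService = "com.example.app"

private func baseQuery(account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: exampleService,
        kSecAttrAccount as String: account,
    ]
}

// INSECURE: the item's key is released after the first unlock following a
// reboot and stays available while the device is locked thereafter. This is
// the pattern the rule flags (kSecAttrAccessibleAlways is the same mistake
// with even weaker protection).
func storeSecretInsecure(_ secret: Data, account: String) throws {
    var query = baseQuery(account: account)
    query[kSecValueData as String] = secret
    query[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// SECURE: the item is decryptable only while the device is unlocked and is
// never migrated to another device via backup. Any existing copy is deleted
// first; that both avoids errSecDuplicateItem and replaces an item that an
// older build may have written with a weak class.
func storeSecret(_ secret: Data, account: String) throws {
    let base = baseQuery(account: account)
    SecItemDelete(base as CFDictionary)  // ignore errSecItemNotFound
    var query = base
    query[kSecValueData as String] = secret
    query[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Audit helper: returns the accessibility class stored with an existing item.
// The keychain reports it as a CFString, so it can be compared directly with
// the kSecAttrAccessible* constants.
func accessibilityClass(account: String) throws -> String {
    var query = baseQuery(account: account)
    query[kSecReturnAttributes as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess,
          let attrs = result as? [String: Any],
          let accessible = attrs[kSecAttrAccessible as String] as? String else {
        throw KeychainError.status(status)
    }
    return accessible
}

// Returns true when the stored class is one the rule considers weak.
func hasWeakAccessibility(account: String) throws -> Bool {
    let weak: Set<String> = [
        kSecAttrAccessibleAlways as String,                 // deprecated
        kSecAttrAccessibleAlwaysThisDeviceOnly as String,   // deprecated
        kSecAttrAccessibleAfterFirstUnlock as String,
        kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly as String,
    ]
    return weak.contains(try accessibilityClass(account: account))
}

// Usage on a device or simulator (constructed secret, assumed account name):
// try storeSecret(Data("s3cr3t".utf8), account: "api-token")
// print(try hasWeakAccessibility(account: "api-token"))  // false
```

On app launch, running hasWeakAccessibility over the accounts the app owns and rewriting any that return true with storeSecret is the practical way to fix items that were stored by a version of the app shipped before the accessibility class was corrected.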
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0633 |
| Category | Secrets |
| Severity | MEDIUM |
| CWE | CWE-305 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | EASY |
| Tags | authentication, authorization |
| OWASP | A2:2017-Broken Authentication, A07:2021-Identification and Authentication Failures |