1 Introduction
In iOS development, almost every app uses the Keychain service to some degree to store the user's account password, certificates, or other sensitive information. According to Apple's documentation, the Keychain on an iOS device is a secure storage container (an encrypted database) that different apps can use to save account passwords, certificates, authentication tokens, and so on.
The Keychain is a system-level service: even if an app is uninstalled, the items it saved in the Keychain are not cleared unless the device is wiped. This property is what the identifierForVendor + Keychain approach relies on as a substitute for a device ID. The Keychain also supports sharing saved items between apps, but only between apps that belong to the same developer account. This article shares my experience with Keychain sharing.
2 Basic use of Keychain
I will not introduce the basic use of the Keychain here, since there are plenty of tutorials online; it is best studied together with Apple's official GenericKeychain sample project.
Because the native Keychain API is fairly cumbersome to use, I recommend combining it with a third-party framework to simplify the Keychain workflow.
Recommended Keychain frameworks:
In addition, here are some official Keychain demos that are useful for learning:
3 Keychain sharing
3.1 Understanding how Keychain data is organized
First you need to understand that Keychain items are grouped by Keychain Access Group, and different access groups are isolated from each other. Figure 3-1 shows two apps, AppOne and AppTwo: AppOne has only one access group, $(teamID).com.example.AppOne, and AppTwo has only one access group, $(teamID).com.example.AppTwo. Because they belong to different access groups, their items are isolated from each other.
3.2 Keychain Access Group naming
An access group has the format: $(teamID).$(group name)
The group name should preferably be written in reverse-DNS form.
Example:
Suppose the team ID is S5VDKE9N8V and the group name is com.example.AppOne; the access group is then written as: S5VDKE9N8V.com.example.AppOne
Question: where can you find the team ID?
- Open https://developer.apple.com
- Select Account and log in to your account
- Select the Membership tab to view your account information; as shown in Figure 3-2, the Team ID field is the team ID
3.3 An app's default access group
Each app can have multiple access groups, and each has its own default access group.
Before code signing the app for distribution, Xcode automatically combines your team ID prefix with the app's Bundle Identifier (for example com.example.AppOne) into a string called the app ID. The system uses this app ID as the app's private access group and includes it in the app's access-group array, which then looks like this:
[$(teamID).com.example.AppOne]
Because the app ID is unique across all apps, and because it is stored in the code-signing entitlements where it is protected, no other app can use it, and so no other app is a member of this group. Any keychain items stored in this access group are therefore specific to AppOne. Likewise, if you have a second app whose Bundle Identifier is com.example.AppTwo, it automatically gets its own private group:
[$(teamID).com.example.AppTwo]
Therefore, by default, each app's keychain items are isolated from those of every other app, as described above in Figure 3-1.
3.4 Enabling Keychain sharing
Since each app's keychain items are isolated from other apps by default, if you want two apps to share keychain items you add both of them to the same Keychain access group. You do this by enabling Keychain Sharing in Xcode for each app, and in each case adding a common group name to the app's list of keychain access groups; for example, a shared access group named com.example.SharedItems, as shown in Figure 3-3.
After enabling this in AppOne, its access-group array becomes:
[$(teamID).com.example.SharedItems,
$(teamID).com.example.AppOne]
If you add the same access group to AppTwo as well, its access-group array becomes:
[$(teamID).com.example.SharedItems,
$(teamID).com.example.AppTwo]
AppOne and AppTwo now have an overlapping region of shared items, as shown in Figure 3-4.
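The write-then-read exchange between AppOne and AppTwo described above, as an added example that is not code from the original post or its demo project. It assumes the team ID used in this article and the shared group name com.example.SharedItems; both apps must list that group under Keychain Sharing, or the Security calls fail with errSecMissingEntitlement.

```swift
import Foundation
import Security

// Assumed values (from the article): team ID and the shared group name. Every app
// that uses the group must list it under Keychain Sharing, or calls fail with -34018.
let teamID = "S5VDKE9N8V"
let sharedGroup = "\(teamID).com.example.SharedItems"

enum KeychainError: Error { case missingEntitlement, status(OSStatus) }

/// Query for a generic-password item. A nil `group` omits kSecAttrAccessGroup,
/// so the item lands in the app's default private group ($(teamID).<bundle id>).
func query(service: String, account: String, group: String?) -> [String: Any] {
    var q: [String: Any] = [kSecClass as String: kSecClassGenericPassword,
                            kSecAttrService as String: service,
                            kSecAttrAccount as String: account]
    if let group = group { q[kSecAttrAccessGroup as String] = group }
    return q
}

func check(_ status: OSStatus) throws {
    if status == errSecMissingEntitlement { throw KeychainError.missingEntitlement }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Save or overwrite a secret so every app that shares `group` can read it.
func save(_ secret: Data, service: String, account: String, group: String?) throws {
    var attrs = query(service: service, account: account, group: group)
    SecItemDelete(attrs as CFDictionary)   // avoid errSecDuplicateItem on re-save
    attrs[kSecValueData as String] = secret
    // Readable after first unlock; ThisDeviceOnly keeps it out of backups.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    try check(SecItemAdd(attrs as CFDictionary, nil))
}

/// Read a secret back; nil means no item exists in that group.
func load(service: String, account: String, group: String?) throws -> Data? {
    var q = query(service: service, account: account, group: group)
    q[kSecReturnData as String] = true
    var result: CFTypeRef?
    let status = SecItemCopyMatching(q as CFDictionary, &result)
    if status == errSecItemNotFound { return nil }
    try check(status)
    return result as? Data
}

// AppOne writes into the shared group; AppTwo (same team, same group in its
// Keychain Sharing list) reads it back with the identical query. Run on a device.
try save(Data("session-token".utf8), service: "com.example.sso", account: "user", group: sharedGroup)
let shared = try load(service: "com.example.sso", account: "user", group: sharedGroup)
```

Passing group: nil in either call instead targets the app's own default private group, which is the isolation behaviour Figure 3-1 describes.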
Notes:
- AppOne and AppTwo must belong to the same developer, otherwise they cannot share.
- AppOne does not need to explicitly add com.example.AppOne to its Keychain Sharing access-group list, because even without enabling Keychain Sharing, Xcode adds it automatically at signing time before packaging; the same applies to AppTwo. (Each app has its own default private access group.)
- If AppTwo adds com.example.AppOne to its Keychain Sharing access-group list, then even if AppOne has not enabled Keychain Sharing in Xcode, AppTwo can still read the keychain items that AppOne stored in its default private group (com.example.AppOne), and vice versa. So within the same team there is no such thing as an absolutely private group in Keychain Sharing.
- Do not manually replace $(AppIdentifierPrefix) in the entitlements file's access groups with your own team ID, because Xcode handles it automatically when signing before packaging.
- In addition, you must test the Keychain on a real device; in the simulator environment odd problems appear.
Incidentally, I attach my KeychainSharing Demo for learning reference only.
Q: What is $(AppIdentifierPrefix)?
A: $(AppIdentifierPrefix) is actually the team ID. For example, when you register an App ID you will see that the App ID Prefix is the team ID, as shown below.