iOS 钥匙串(keychain) - LAContext.setCredential(data, .applicationPassword) 在模拟器上返回 false

Question

我正在尝试使用“applicationPassword”来保护用户存储在钥匙串(keychain)中的数据。

一切在真实设备上都能完美运行，但不幸的是，在模拟器上根本无法运行。

为了开始，我有这个非常基本的代码来设置 applicationPassword。

let authenticationContext = LAContext()
let applicationPassword = "123".data(using: .utf8)
let result = authenticationContext.setCredential(applicationPassword, type: .applicationPassword)
print(result)

对 setCredential 的调用在真实设备上返回 true，但在模拟器上返回 false。

请帮忙:-)

如果模拟器不支持此功能，那么它实际上并不是一个可行的解决方案。

这里是Apple的文档，供引用:

https://developer.apple.com/documentation/localauthentication/lacontext/1514168-setcredential

Answer 1

applicationPassword 似乎与设备的系统密码 结合使用。

因此 applicationPassword 不起作用:

• 模拟器(无法设置系统密码)
• 未设置系统密码的真实设备

我从以下来源确定了此信息:

<小时/>

WWDC 2015 - Session 706 - Security & Your Apps (参见视频 43:23 左右)

文字记录:https://asciiwwdc.com/2015/sessions/706?q=applicationpassword

Now, let's look at an item protected with ApplicationPassword.

Just the device passcode is no longer sufficient.

Your application has also got to provide its own password.

Again, we derive a cryptographic key from it, and it's only when the device passcode and the app password are both present that access is granted to the Keychain item.

<小时/>

https://nabla-c0d3.github.io/blog/2015/06/16/ios9-security-privacy/

Keychain items can now be encrypted using both the device’s passcode and an “Application password”; both values are then needed to decrypt and retrieve the item. This allows Apps to control when the data is accessible/decrypted, instead of having the data decrypted as soon as the device is unlocked.

<小时/>

https://macbirdie.net/2016/03/app-pwd

The other interesting new feature is securing the keychain items using an application-provided password, which is an additional factor to device unlock PIN or passcode.

The password can either come from the user or, as the session 706’s presenter suggested, either can be an additional token sent by the server or a secret kept on a device connected to the phone.

This security scheme requires at least a device passcode to exist, since it works with it in tandem. As a result of that it’s not possible to test it on the iOS Simulator, which makes developing the support for it a little harder, because when you add a keychain item protected that way, no actual password is even required to retrieve it.

<小时/>

遗憾的是，Apple 自己的文档似乎都没有提到这一点:

• Apple - setCredential(_:type:)
• Apple - LACredentialType.applicationPassword
• Apple - applicationPassword
• Apple - Restricting Keychain Item Accessibility