My software makes use of expo SecureStore to retailer secrets and techniques akin to person access_token and refresh_token. SecureStore makes use of ios keychain underneath the hood:
On iOS, values are saved utilizing the keychain companies as
kSecClassGenericPassword. iOS has the extra choice of having the ability
to set the worth’s kSecAttrAccessible attribute, which controls when
the worth is obtainable to be fetched.
I am to know if an attacker (a thief) may learn the secrets and techniques.
For that, I’m contemplating the next assertions to carry true:
- Utility can solely be put in on iPhones
- Attacker is aware of sufferer PIN code
- Attacker has entry to sufferer iCloud
- iPhone is on the final IOS model and no jailbreak exists for this model
- secrets and techniques are saved in keychain with
kSecAttrAccessibleset tokSecAttrAccessibleWhenUnlockedThisDeviceOnly(but in addition to know solutions forkSecAttrAccessibleWhenUnlocked)
Is it doable for an attacker to get well access_token and refresh_token ?
