
App Keychain will sync secitem from old device to new device

In my app, I use SecItem to store some data in the Keychain. I’d like to know — when a user sets up a new iPhone and transfers data from the old device, will those Keychain items be migrated or synced to the new device?

Answered by DTS Engineer in 844160022
When using or …

That’s not right, or at least it’s not the full story. For more on this topic, see the table in my post here.

Can I understand that my app has enabled Keychain sharing in "signing and capabilities" and my code does not set kSecAttrSynchronizable.

You are mixing up two things:

  • The Keychain Sharing capability is about sharing keychain items between apps on one device.

  • iCloud Keychain is about synching keychain items between the user’s various different devices.

If you don’t set kSecAttrSynchronizable then it defaults to false, meaning that the item won’t be synched to other devices. However, it can still end up moving to a different device by:

  • Encrypted backup and restore

  • Quick Start

If you don’t want that, set kSecAttrAccessible to one of the ThisDeviceOnly values.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Keychain items stored using SecItem in your app will generally be migrated or synced to a new iPhone when a user transfers data from their old device, but the specifics depend on how the transfer is performed and the Keychain item attributes you’ve set. Here’s a concise explanation:

  1. iCloud Keychain Syncing:

    • If iCloud Keychain is enabled on both devices, Keychain items with the kSecAttrSynchronizable attribute set to true are automatically synced to the new device via iCloud. This includes passwords, certificates, and other secure data stored in the Keychain.
    • Items without this attribute (i.e., non-syncable items) are not synced via iCloud and require a different transfer method.
  2. Device-to-Device Transfer (Encrypted Backup or Direct Transfer):

    • When using iCloud Backup or iTunes/Finder encrypted backup, Keychain items (both syncable and non-syncable) are included in the encrypted backup. Restoring this backup to a new iPhone will transfer all Keychain items.
    • During a direct device-to-device transfer (e.g., using Quick Start), Keychain items are typically transferred securely as part of the process, provided the transfer is encrypted.
  3. Non-Syncable Items:

    • If your app’s Keychain items are not marked as synchronizable (kSecAttrSynchronizable is false or not set), they will only transfer via encrypted backups or direct device transfers. Without an encrypted backup or direct transfer, these items will not migrate.
  4. Edge Cases and Considerations:

    • Access Groups: If your app uses Keychain access groups (e.g., for sharing between apps), ensure the new device has the same app installed with the correct entitlements to access those items.
    • User Settings: If the user disables iCloud Keychain or does not use an encrypted backup, non-syncable items may not transfer.
    • iOS Version: Ensure both devices are running compatible iOS versions, as Keychain behavior may vary slightly with older systems.

Best Practices for Your App:

  • If you want Keychain items to sync across devices, explicitly set kSecAttrSynchronizable to true when adding items with SecItemAdd.
  • Inform users that enabling iCloud Keychain or using encrypted backups ensures their Keychain data is transferred.
  • Test the migration process to confirm your app’s Keychain items behave as expected during device setup.
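The two answers above turn on the same pair of attributes, kSecAttrAccessible and kSecAttrSynchronizable. The following Swift snippet is an added example, not code from the original thread, from Quinn, or from kxdev: it maps the three outcomes described (stays on this device; moves with encrypted backup/restore and Quick Start; synced by iCloud Keychain) onto explicit SecItemAdd attributes so the choice is visible in code rather than left to defaults. The service name `com.example.myapp.tokens` and the `KeychainMigrationPolicy` type are hypothetical names chosen for the example.

```swift
import Foundation
import Security

/// Hypothetical policy type for this example: which attributes to set so the
/// item either stays on this device, migrates with the device, or syncs via iCloud Keychain.
enum KeychainMigrationPolicy {
    /// Never leaves this device: excluded from encrypted backups and Quick Start,
    /// and never synced by iCloud Keychain.
    case thisDeviceOnly
    /// Moves with encrypted backup/restore and Quick Start, but is not synced
    /// by iCloud Keychain (this is the default when kSecAttrSynchronizable is unset).
    case migratesWithDevice
    /// Synced between the user's devices by iCloud Keychain.
    case synced

    var attributes: [CFString: Any] {
        switch self {
        case .thisDeviceOnly:
            return [kSecAttrAccessible: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
                    kSecAttrSynchronizable: false]
        case .migratesWithDevice:
            return [kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
                    kSecAttrSynchronizable: false]
        case .synced:
            return [kSecAttrAccessible: kSecAttrAccessibleWhenUnlocked,
                    kSecAttrSynchronizable: true]
        }
    }
}

// Hypothetical service identifier; use your own.
let serviceName = "com.example.myapp.tokens"

/// Stores `secret` under `account` with the migration policy made explicit.
/// Any existing item with the same identity (synced or not) is replaced so that
/// a changed policy actually takes effect instead of failing with errSecDuplicateItem.
func storeSecret(_ secret: Data, account: String, policy: KeychainMigrationPolicy) throws {
    let identity: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: serviceName,
        kSecAttrAccount: account,
    ]

    // kSecAttrSynchronizableAny matches both the synced and the non-synced copy.
    var deleteQuery = identity
    deleteQuery[kSecAttrSynchronizable] = kSecAttrSynchronizableAny
    SecItemDelete(deleteQuery as CFDictionary)

    var addQuery = identity
    addQuery[kSecValueData] = secret
    addQuery.merge(policy.attributes) { _, new in new }

    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else {
        throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

/// Reads the item back regardless of whether it was stored as synchronizable.
func loadSecret(account: String) throws -> Data? {
    let query: [CFString: Any] = [
        kSecClass: kSecClassGenericPassword,
        kSecAttrService: serviceName,
        kSecAttrAccount: account,
        kSecAttrSynchronizable: kSecAttrSynchronizableAny,
        kSecReturnData: true,
        kSecMatchLimit: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw NSError(domain: NSOSStatusErrorDomain, code: Int(status))
    }
}

// Usage: a device-bound credential that must not travel to a new iPhone.
try storeSecret(Data("constructed-sample-token".utf8),
                account: "session", policy: .thisDeviceOnly)
```

Reading the item back with kSecAttrSynchronizableAny matters in practice: a query that omits kSecAttrSynchronizable only matches non-synced items, so an app that later switches to `.synced` would otherwise stop finding its own data.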

@kxdev Thanks for your reply; it is very helpful for me.

Can I understand that my app has enabled Keychain sharing in "signing and capabilities" and my code does not set kSecAttrSynchronizable. So the data I added using SecItemAdd will not be migrated or synced during device to device transfer (e.g. using Quick Start)?

