Skip to content

Keychain entries made by Firebase #13159

Closed Answered by tay-j-kohn
tay-j-kohn asked this question in Q&A
Discussion options

You must be logged in to vote

I've been doing some more research into this and I think our pentesting company misunderstood the ACL property from the tool they used (https://github.com/sensepost/objection) Looking at the source for this tool it seems the ACL is derived from the kSecAttrAccessControl attribute of the keychain entry. As far as I can tell this has nothing to do with sharing the keychain across different apps and only has to do with adding passcode/password/biometric prompts before the owning application can read the keychain entry. The way to share across apps is a totally separate functionality which requires very deliberate configuration and only allows you to share across apps from the same developmen…

Replies: 1 comment

Comment options

You must be logged in to vote
0 replies
Answer selected by tay-j-kohn
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Category
Q&A
Labels
None yet
1 participant