Ios Security

1---2name: ios-security3description: "Secure iOS apps with Keychain Services, CryptoKit encryption, biometric authentication (Face ID, Touch ID), Secure Enclave key storage, LAContext, App Transport Security (ATS), certificate pinning, data protection classes, and secure coding patterns. Use when implementing app security features, auditing privacy manifests, configuring App Transport Security, securing keychain access, adding biometric authentication, or encrypting sensitive data with CryptoKit."4---5 6# iOS Security7 8Guidance for handling sensitive data, authenticating users, encrypting9correctly, and following Apple's security best practices on iOS.10 11## Contents12 13- [Keychain Services](#keychain-services)14- [Data Protection](#data-protection)15- [CryptoKit](#cryptokit)16- [Secure Enclave](#secure-enclave)17- [Biometric Authentication](#biometric-authentication)18- [App Transport Security (ATS)](#app-transport-security-ats)19- [Certificate Pinning](#certificate-pinning)20- [Secure Coding Patterns](#secure-coding-patterns)21- [Privacy Manifests](#privacy-manifests)22- [Common Mistakes](#common-mistakes)23- [Review Checklist](#review-checklist)24- [References](#references)25 26## Keychain Services27 28The Keychain is the ONLY correct place to store sensitive data. Never store29passwords, tokens, API keys, or secrets in UserDefaults, files, or Core Data.30 31### Storing Credentials32 33```swift34func saveToKeychain(account: String, data: Data, service: String) throws {35    let query: [String: Any] = [36        kSecClass as String: kSecClassGenericPassword,37        kSecAttrAccount as String: account,38        kSecAttrService as String: service,39        kSecValueData as String: data,40        kSecAttrAccessible as String: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly41    ]42 43    let status = SecItemAdd(query as CFDictionary, nil)44 45    if status == errSecDuplicateItem {46        let updateQuery: [String: Any] = [47            kSecClass as String: kSecClassGenericPassword,48            kSecAttrAccount as String: account,49            kSecAttrService as String: service50        ]51        let updates: [String: Any] = [kSecValueData as String: data]52        let updateStatus = SecItemUpdate(updateQuery as CFDictionary, updates as CFDictionary)53        guard updateStatus == errSecSuccess else {54            throw KeychainError.updateFailed(updateStatus)55        }56    } else if status != errSecSuccess {57        throw KeychainError.saveFailed(status)58    }59}60```61 62### Reading Credentials63 64```swift65func readFromKeychain(account: String, service: String) throws -> Data {66    let query: [String: Any] = [67        kSecClass as String: kSecClassGenericPassword,68        kSecAttrAccount as String: account,69        kSecAttrService as String: service,70        kSecReturnData as String: true,71        kSecMatchLimit as String: kSecMatchLimitOne72    ]73 74    var result: AnyObject?75    let status = SecItemCopyMatching(query as CFDictionary, &result)76 77    guard status == errSecSuccess, let data = result as? Data else {78        throw KeychainError.readFailed(status)79    }80    return data81}82```83 84### Deleting Credentials85 86```swift87func deleteFromKeychain(account: String, service: String) throws {88    let query: [String: Any] = [89        kSecClass as String: kSecClassGenericPassword,90        kSecAttrAccount as String: account,91        kSecAttrService as String: service92    ]93 94    let status = SecItemDelete(query as CFDictionary)95    guard status == errSecSuccess || status == errSecItemNotFound else {96        throw KeychainError.deleteFailed(status)97    }98}99```100 101### kSecAttrAccessible Values102 103| Value | When Available | Device-Only | Use For |104|---|---|---|---|105| `kSecAttrAccessibleWhenUnlocked` | Device unlocked | No | General credentials |106| `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` | Device unlocked | Yes | Sensitive credentials |107| `kSecAttrAccessibleAfterFirstUnlock` | After first unlock | No | Background-accessible tokens |108| `kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly` | After first unlock | Yes | Background tokens, no backup |109| `kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly` | Passcode set + unlocked | Yes | Highest security |110 111Rules:112- Use `ThisDeviceOnly` variants for sensitive data. Prevents backup/restore to other devices.113- Use `AfterFirstUnlock` for tokens needed by background operations.114- Use `WhenPasscodeSetThisDeviceOnly` for most sensitive data. Item is deleted if passcode is removed.115- NEVER use `kSecAttrAccessibleAlways` (deprecated and insecure).116 117### Keychain Access Groups118 119Share keychain items across apps from the same team:120 121```swift122let query: [String: Any] = [123    kSecClass as String: kSecClassGenericPassword,124    kSecAttrAccount as String: "shared-token",125    kSecAttrAccessGroup as String: "TEAMID.com.company.shared"126]127```128 129### @AppStorage vs Keychain130 131| Storage | Use For | Security |132|---------|---------|----------|133| `@AppStorage` / `UserDefaults` | Non-sensitive preferences (theme, onboarding state, feature flags) | Not encrypted at rest |134| Keychain | Passwords, tokens, API keys, secrets | Hardware-encrypted, access-controlled |135 136**Rule:** If the data would be embarrassing or dangerous if exposed, it goes in Keychain. Everything else can use `@AppStorage`.137 138```swift139// Non-sensitive preference -- @AppStorage is fine140@AppStorage("hasCompletedOnboarding") private var hasOnboarded = false141 142// Sensitive credential -- MUST use Keychain143// WRONG: @AppStorage("authToken") private var token = ""144// CORRECT: Use saveToKeychain(account:data:service:)145```146 147## Data Protection148 149iOS encrypts files based on their protection class:150 151| Class | When Available | Use For |152|---|---|---|153| `.complete` | Only when unlocked | Sensitive user data |154| `.completeUnlessOpen` | Open handles survive lock | Active downloads, recordings |155| `.completeUntilFirstUserAuthentication` | After first unlock (default) | Most app data |156| `.none` | Always | Non-sensitive, system-needed data |157 158```swift159// Set file protection160try data.write(to: url, options: .completeFileProtection)161 162// Check protection level163let attributes = try FileManager.default.attributesOfItem(atPath: path)164let protection = attributes[.protectionKey] as? FileProtectionType165```166 167Use `.complete` for any file containing user-sensitive data. The default168`.completeUntilFirstUserAuthentication` is acceptable for general app data.169 170## CryptoKit171 172Use CryptoKit for all cryptographic operations. Do not use CommonCrypto or the173raw Security framework for new code.174 175### Symmetric Encryption (AES-GCM)176 177```swift178import CryptoKit179 180let key = SymmetricKey(size: .bits256)181 182func encrypt(_ data: Data, using key: SymmetricKey) throws -> Data {183    let sealed = try AES.GCM.seal(data, using: key)184    guard let combined = sealed.combined else {185        throw CryptoError.sealFailed186    }187    return combined188}189 190func decrypt(_ data: Data, using key: SymmetricKey) throws -> Data {191    let box = try AES.GCM.SealedBox(combined: data)192    return try AES.GCM.open(box, using: key)193}194```195 196### Hashing197 198```swift199let hash = SHA256.hash(data: data)200let hashString = hash.compactMap { String(format: "%02x", $0) }.joined()201 202// Also available: SHA384, SHA512203```204 205### HMAC (Message Authentication)206 207```swift208let key = SymmetricKey(size: .bits256)209 210// Sign211let signature = HMAC<SHA256>.authenticationCode(for: data, using: key)212 213// Verify214let isValid = HMAC<SHA256>.isValidAuthenticationCode(signature, authenticating: data, using: key)215```216 217For digital signatures (P256/ECDSA), key agreement (Curve25519), ChaChaPoly,218and HKDF key derivation, see [references/cryptokit-advanced.md](references/cryptokit-advanced.md).219 220## Secure Enclave221 222For the highest security, store keys in the Secure Enclave. Keys never leave223the hardware. Only P256 is supported.224 225```swift226guard SecureEnclave.isAvailable else { return }227 228let accessControl = SecAccessControlCreateWithFlags(229    nil, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,230    [.privateKeyUsage, .biometryCurrentSet], nil231)!232let privateKey = try SecureEnclave.P256.Signing.PrivateKey(accessControl: accessControl)233 234let signature = try privateKey.signature(for: data)  // May trigger biometric prompt235let isValid = privateKey.publicKey.isValidSignature(signature, for: data)236 237// Persist: store dataRepresentation in Keychain, restore with:238let restored = try SecureEnclave.P256.Signing.PrivateKey(239    dataRepresentation: privateKey.dataRepresentation240)241```242 243## Biometric Authentication244 245This section covers biometric protection for Keychain items and data246access. For user-facing biometric sign-in flows (`LAContext.evaluatePolicy`247as a login mechanism), see the `authentication` skill.248 249### LocalAuthentication (Face ID / Touch ID)250 251```swift252import LocalAuthentication253 254func authenticateWithBiometrics() async throws -> Bool {255    let context = LAContext()256    var error: NSError?257 258    guard context.canEvaluatePolicy(259        .deviceOwnerAuthenticationWithBiometrics, error: &error260    ) else {261        // Biometrics not available -- fall back to passcode262        if context.canEvaluatePolicy(.deviceOwnerAuthentication, error: &error) {263            return try await context.evaluatePolicy(264                .deviceOwnerAuthentication,265                localizedReason: "Authenticate to access your account"266            )267        }268        throw AuthError.biometricsUnavailable269    }270 271    return try await context.evaluatePolicy(272        .deviceOwnerAuthenticationWithBiometrics,273        localizedReason: "Authenticate to access your account"274    )275}276```277 278### Info.plist Requirement279 280You MUST include `NSFaceIDUsageDescription` in Info.plist:281 282```xml283<key>NSFaceIDUsageDescription</key>284<string>Authenticate to access your secure data</string>285```286 287Missing this key causes a crash on Face ID devices.288 289### LAContext Configuration290 291```swift292let context = LAContext()293context.localizedFallbackTitle = "Use Passcode"294context.touchIDAuthenticationAllowableReuseDuration = 30295let currentState = context.evaluatedPolicyDomainState // Compare to detect enrollment changes296```297 298### Biometric + Keychain299 300Protect keychain items with biometric access:301 302```swift303let access = SecAccessControlCreateWithFlags(304    nil,305    kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,306    .biometryCurrentSet,307    nil308)!309 310let query: [String: Any] = [311    kSecClass as String: kSecClassGenericPassword,312    kSecAttrAccount as String: "auth-token",313    kSecValueData as String: tokenData,314    kSecAttrAccessControl as String: access,315    kSecUseAuthenticationContext as String: LAContext()316]317```318 319SecAccessControl flags:320- `.biometryCurrentSet` -- Requires biometry, invalidated if enrollment changes. Most secure.321- `.biometryAny` -- Requires biometry, survives enrollment changes.322- `.userPresence` -- Biometry or passcode. Most flexible.323 324## App Transport Security (ATS)325 326ATS enforces HTTPS by default. Do NOT disable it.327 328### What ATS Requires329 330- TLS 1.2 or later331- Forward secrecy cipher suites332- SHA-256 or better certificates333- 2048-bit or greater RSA keys (or 256-bit ECC)334 335### Exception Domains (Last Resort)336 337```xml338<!-- Only for legacy servers you cannot upgrade -->339<key>NSAppTransportSecurity</key>340<dict>341    <key>NSExceptionDomains</key>342    <dict>343        <key>legacy-api.example.com</key>344        <dict>345            <key>NSExceptionAllowsInsecureHTTPLoads</key>346            <true/>347            <key>NSExceptionMinimumTLSVersion</key>348            <string>TLSv1.2</string>349        </dict>350    </dict>351</dict>352```353 354Rules:355- NEVER set `NSAllowsArbitraryLoads` to true. Apple will reject the app.356- Exception domains require justification in App Review notes.357- Use exception domains only for third-party servers you cannot control.358 359## Certificate Pinning360 361Pin certificates for sensitive API connections to prevent MITM attacks.362 363### URLSession Delegate Pinning364 365```swift366import CryptoKit367 368class PinnedSessionDelegate: NSObject, URLSessionDelegate {369    // SHA-256 hash of the certificate's Subject Public Key Info370    private let pinnedHashes: Set<String> = [371        "base64EncodedSHA256HashOfSPKI=="372    ]373 374    func urlSession(375        _ session: URLSession,376        didReceive challenge: URLAuthenticationChallenge377    ) async -> (URLSession.AuthChallengeDisposition, URLCredential?) {378        guard let trust = challenge.protectionSpace.serverTrust,379              let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],380              let certificate = chain.first else {381            return (.cancelAuthenticationChallenge, nil)382        }383 384        guard let publicKey = SecCertificateCopyKey(certificate),385              let publicKeyData = SecKeyCopyExternalRepresentation(386                  publicKey, nil387              ) as Data? else {388            return (.cancelAuthenticationChallenge, nil)389        }390 391        let hash = SHA256.hash(data: publicKeyData)392        let hashString = Data(hash).base64EncodedString()393 394        if pinnedHashes.contains(hashString) {395            return (.useCredential, URLCredential(trust: trust))396        }397 398        return (.cancelAuthenticationChallenge, nil)399    }400}401```402 403Rules:404- Pin the public key hash, not the certificate. Certificates rotate; public keys are more stable.405- Always include at least one backup pin.406- Have a rotation plan. If all pinned keys expire, the app cannot connect.407- Consider a kill switch (remote config to disable pinning in emergency).408 409## Secure Coding Patterns410 411### Never Log Sensitive Data412 413```swift414// WRONG415logger.debug("User logged in with token: \(token)")416 417// CORRECT418logger.debug("User logged in successfully")419```420 421### Clear Sensitive Data From Memory422 423```swift424var sensitiveData = Data(/* ... */)425defer {426    sensitiveData.resetBytes(in: 0..<sensitiveData.count)427}428```429 430### Validate All Input431 432```swift433guard let url = URL(string: input),434      ["https"].contains(url.scheme?.lowercased()) else {435    throw SecurityError.invalidURL436}437let resolved = url.standardized.path438guard resolved.hasPrefix(allowedDirectory.path) else {439    throw SecurityError.pathTraversal440}441```442 443### API Key Placeholder Pattern444 445Use `#error` to prevent accidental commits of placeholder API keys:446 447```swift448// Forces a build error until the real key is configured449#error("Add your API key to Secrets.plist -- see README for setup")450private let apiKey = Secrets.value(for: "API_KEY")451```452 453### Jailbreak Detection454 455Check for known jailbreak file paths (`/Applications/Cydia.app`, `/usr/sbin/sshd`, etc.) and sandbox escape. Jailbreak detection is not foolproof -- use it as one layer, not the only layer. See [references/cryptokit-advanced.md](references/cryptokit-advanced.md) for full implementation.456 457## Privacy Manifests458 459Apps and SDKs must declare data access in `PrivacyInfo.xcprivacy`. See460[references/privacy-manifest.md](references/privacy-manifest.md) for required-reason API declarations and461security-related data collection details. For submission requirements and462compliance checklists, see [references/app-review-guidelines.md](references/app-review-guidelines.md).463 464## Common Mistakes465 4661. **Storing secrets in UserDefaults.** Tokens, passwords, API keys must go in Keychain.4672. **Hardcoded secrets in source.** No API keys or credentials in Swift files.4683. **Disabling ATS globally.** `NSAllowsArbitraryLoads = true` is a rejection risk.4694. **Logging sensitive data.** Never log tokens, passwords, or API keys.4705. **Missing PrivacyInfo.xcprivacy.** Required for all apps using required-reason APIs.4716. **Using CommonCrypto instead of CryptoKit.** CryptoKit is safer and modern.4727. **Missing NSFaceIDUsageDescription.** Crashes on Face ID devices.4738. **Using `.biometryAny` when `.biometryCurrentSet` is needed.** The former survives enrollment changes, which may be undesirable for high-security items.4749. **Path traversal vulnerabilities.** Always resolve and validate paths.47510. **Missing concurrency annotations.** Ensure Keychain wrapper types are Sendable; isolate UI-facing security prompts to `@MainActor`.476 477## Review Checklist478 479- [ ] Secrets in Keychain, not UserDefaults or files; no hardcoded credentials480- [ ] Correct `kSecAttrAccessible` value; `ThisDeviceOnly` for non-backup data481- [ ] File protection class set for sensitive files (`.complete`)482- [ ] CryptoKit for encryption (not CommonCrypto); 256-bit symmetric keys483- [ ] Keys stored in Keychain or Secure Enclave484- [ ] Biometric auth with fallback; `NSFaceIDUsageDescription` in Info.plist485- [ ] Correct `SecAccessControl` flags; `LAContext` configured486- [ ] HTTPS enforced; no `NSAllowsArbitraryLoads`; cert pinning for sensitive APIs487- [ ] PrivacyInfo.xcprivacy present; all required-reason APIs declared488- [ ] No sensitive data in logs; Data cleared after use; URLs/paths validated489 490## References491 492- CryptoKit advanced patterns: [references/cryptokit-advanced.md](references/cryptokit-advanced.md)493- Privacy manifest guide: [references/privacy-manifest.md](references/privacy-manifest.md)494- App Review security guidelines: [references/app-review-guidelines.md](references/app-review-guidelines.md)495- File storage directory guide and protection: [references/file-storage-patterns.md](references/file-storage-patterns.md)