[secure-store][ios] Fix incorrect security attribute #9264

Merged
merged 2 commits into from Jul 17, 2020


cjthompson
Contributor

This is a significant security bug. Someone using the flag WHEN_UNLOCKED_THIS_DEVICE_ONLY would actually get the iOS policy kSecAttrAccessibleAlwaysThisDeviceOnly, one of the least secure security attributes.

Why

Incorrect security attribute was applied

How

Changed it to the correct attribute

Test Plan

There are not any existing native tests that are verifying the attribute is correctly applied, and as far as I know there is no way to correctly verify it in an automated test.

This is a significant security bug. Someone using the flag
WHEN_UNLOCKED_THIS_DEVICE_ONLY would actually get the policy
'kSecAttrAccessibleAlwaysThisDeviceOnly', one of the least secure
options
@mczernek mczernek merged commit 1d82bf0 into expo:master Jul 17, 2020
@cjthompson cjthompson deleted the secure-store-fix-ios-attr branch July 17, 2020 16:43
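
An added example, not part of this pull request or of Expo's code: an Objective-C check that reads back the accessibility class the keychain recorded for an item, which is the property the mismatched flag described above affects. The function names, the service string and the probe value are assumptions, and it assumes an iOS target built with ARC whose test host has keychain access.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns the accessibility class the keychain recorded for a generic-password
// item, or nil if the item cannot be read. service/account come from the
// caller; which values the code under test uses is not stated on this page.
static NSString *StoredAccessibility(NSString *service, NSString *account) {
  NSDictionary *query = @{
    (__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService : service,
    (__bridge id)kSecAttrAccount : account,
    (__bridge id)kSecMatchLimit : (__bridge id)kSecMatchLimitOne,
    (__bridge id)kSecReturnAttributes : @YES,
  };
  CFTypeRef result = NULL;
  OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
  if (status != errSecSuccess || result == NULL) {
    return nil;
  }
  NSDictionary *attrs = CFBridgingRelease(result);
  return attrs[(__bridge id)kSecAttrAccessible];
}

// Writes a throwaway item with `requested`, reads the recorded class back and
// deletes the item. YES only when the keychain recorded exactly `requested`.
static BOOL AccessibilityRoundTrips(CFStringRef requested) {
  NSString *service = @"example.accessibility-check"; // constructed name
  NSString *account = [[NSUUID UUID] UUIDString];
  NSDictionary *item = @{
    (__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService : service,
    (__bridge id)kSecAttrAccount : account,
    (__bridge id)kSecAttrAccessible : (__bridge id)requested,
    (__bridge id)kSecValueData : [@"probe" dataUsingEncoding:NSUTF8StringEncoding],
  };
  if (SecItemAdd((__bridge CFDictionaryRef)item, NULL) != errSecSuccess) {
    return NO;
  }
  NSString *stored = StoredAccessibility(service, account);
  NSDictionary *cleanup = @{
    (__bridge id)kSecClass : (__bridge id)kSecClassGenericPassword,
    (__bridge id)kSecAttrService : service,
    (__bridge id)kSecAttrAccount : account,
  };
  SecItemDelete((__bridge CFDictionaryRef)cleanup);
  return [stored isEqualToString:(__bridge NSString *)requested];
}
```

To cover the mapping itself, store a value through the module with WHEN_UNLOCKED_THIS_DEVICE_ONLY and compare `StoredAccessibility` for that item against `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`.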

2 participants