Overview
Keychain accessibility determines when your app can read keychain items. It is a critical security control that balances convenience against protection of sensitive data.
Accessibility options are only available on iOS 4.0+, tvOS, and watchOS. They control when a keychain item can be decrypted and accessed by your app.
Setting Accessibility
SAMKeychain provides a global accessibility setting that applies to all keychain items written after it is set.
Accessibility Constants
Apple’s Security framework provides several accessibility constants. Choose based on your app’s requirements.
Recommended Options
These options provide strong security and are suitable for most apps.
kSecAttrAccessibleWhenUnlocked
When to use: Most applications that don’t need background access
Behavior:
- Accessible only while the device is unlocked
- Not accessible when device is locked
- Most secure option for items that don’t need background access
Use cases:
- User passwords
- Personal access tokens
- Credit card information
- Any sensitive data that’s only needed when user is actively using the app
This is the recommended default for most apps that don’t require background access to keychain data.
kSecAttrAccessibleAfterFirstUnlock
When to use: Background apps that need to access keychain items
Behavior:
- Accessible after the device has been unlocked once after boot
- Remains accessible even if device is subsequently locked
- Protected until first unlock after device restart
Use cases:
- Background sync tokens
- VoIP credentials
- Location services that continue when device is locked
- Push notification handling
Additional Options
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly
When to use: Maximum security for device-specific sensitive data
Behavior:
- Only accessible when device is unlocked
- Only available when device has a passcode set
- Never migrated to new devices
- Not backed up
- Item is deleted if passcode is removed
Use cases:
- Extremely sensitive local data
- Device-specific encryption keys
- Items that should never leave the device
kSecAttrAccessibleWhenUnlockedThisDeviceOnly
When to use: Device-specific data that requires the device to be unlocked
Behavior:
- Accessible only while device is unlocked
- Never migrated to new devices
- Not backed up to iCloud or iTunes
- Not synchronized via iCloud Keychain
Use cases:
- Device-specific tokens
- Temporary session data
- Items that should not transfer to new devices
kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
When to use: Background apps with device-specific credentials
Behavior:
- Accessible after first unlock following boot
- Remains accessible when device is locked
- Never migrated to new devices
- Not backed up or synchronized
Use cases:
- Background service tokens specific to this device
- Local server credentials
Legacy Options (Not Recommended)
- kSecAttrAccessibleAlways: Deprecated; accessible at all times (very insecure)
- kSecAttrAccessibleAlwaysThisDeviceOnly: Deprecated; accessible at all times, device-only
Security Implications
Understanding the Trade-offs
Choosing the right accessibility option requires balancing security with functionality:

| Accessibility | Security Level | Background Access | Survives Lock | Backed Up | Synchronized |
|---|---|---|---|---|---|
| WhenUnlocked | High | No | No | Yes | Yes |
| AfterFirstUnlock | Medium | Yes | Yes | Yes | Yes |
| WhenPasscodeSet | Very High | No | No | No | No |
| …ThisDeviceOnly variants | Medium-High | Varies | Varies | No | No |
Common Security Mistakes
Bad Practice
Good Practice
Recommended Practices
By App Type
Standard User-Facing Apps
Setting Accessibility Early
Set accessibility during app initialization, before storing any keychain items.
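The global setting described under Setting Accessibility, applied at the initialization step above: an added example rather than SAMKeychain’s own code, with a small write wrapper that refuses to store anything until the accessibility has been chosen. The service and account names are hypothetical.

```objectivec
// AppDelegate.m (added example; service/account names are hypothetical)
#import "AppDelegate.h"
#import <SAMKeychain/SAMKeychain.h>   // use "SAMKeychain.h" if the sources are vendored
#import <Security/Security.h>

static NSString *const kKeychainService = @"com.example.myapp";
static NSString *const kSessionAccount  = @"session-token";

@implementation AppDelegate

- (BOOL)application:(UIApplication *)application
    didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Set the global accessibility before the first keychain write. The setting
    // is process-wide and applies only to items stored after this call; items
    // written earlier keep the protection class they were created with.
    [SAMKeychain setAccessibilityType:kSecAttrAccessibleWhenUnlocked];
    return YES;
}

@end

// Write path: refuse to store anything until accessibility has been chosen
// explicitly, so a forgotten init step fails loudly in development instead of
// silently falling back to the framework default.
BOOL StoreSessionToken(NSString *token, NSError **error) {
    if ([SAMKeychain accessibilityType] == NULL) {
        NSCAssert(NO, @"setAccessibilityType: must be called before keychain writes");
        return NO;
    }
    return [SAMKeychain setPassword:token
                         forService:kKeychainService
                            account:kSessionAccount
                              error:error];
}

// Read path: for a WhenUnlocked item this returns nil with an error while the
// device is locked (errSecInteractionNotAllowed), which is expected behaviour,
// not a missing item; callers should retry once the device is unlocked.
NSString *LoadSessionToken(NSError **error) {
    return [SAMKeychain passwordForService:kKeychainService
                                   account:kSessionAccount
                                     error:error];
}
```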
Different Accessibility for Different Items
For more granular control, use SAMKeychainQuery to set different accessibility for specific items.
Note: SAMKeychain’s setAccessibilityType: is global and applies to all future items. For fine-grained per-item control, you may need to work with Apple’s Security framework directly.
Platform Availability
Accessibility options are only available on iOS 4.0 and later.
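Per-item control through the Security framework, as the note above suggests: an added example, not SAMKeychain’s code. It writes items with the same generic-password layout (kSecAttrService plus kSecAttrAccount) that SAMKeychain uses, so they stay readable through SAMKeychain; the service and account strings are hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Stores one generic-password item with an explicit protection class, using the
// same kSecClass / kSecAttrService / kSecAttrAccount layout SAMKeychain uses, so
// +[SAMKeychain passwordForService:account:] can still read it back.
OSStatus StoreItemWithAccessibility(NSString *service, NSString *account,
                                    NSString *secret, CFTypeRef accessibility) {
    NSDictionary *match = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    // Delete any existing copy (synced or not) first: a fresh SecItemAdd is the
    // unambiguous way to guarantee the item ends up in exactly the requested class.
    NSMutableDictionary *del = [match mutableCopy];
    del[(__bridge id)kSecAttrSynchronizable] = (__bridge id)kSecAttrSynchronizableAny;
    OSStatus status = SecItemDelete((__bridge CFDictionaryRef)del);
    if (status != errSecSuccess && status != errSecItemNotFound) { return status; }

    NSMutableDictionary *add = [match mutableCopy];
    add[(__bridge id)kSecValueData]      = [secret dataUsingEncoding:NSUTF8StringEncoding];
    add[(__bridge id)kSecAttrAccessible] = (__bridge id)accessibility;
    return SecItemAdd((__bridge CFDictionaryRef)add, NULL);
}

// Two items from the same app with different needs (hypothetical service/accounts).
void StoreCredentials(NSString *refreshToken, NSString *userPassword) {
    // Background refresh: readable after first unlock, never migrated or backed up.
    OSStatus s1 = StoreItemWithAccessibility(@"com.example.myapp", @"refresh-token",
                                             refreshToken,
                                             kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly);
    // Interactive login: only while unlocked, removed if the passcode is removed.
    // SecItemAdd fails for this class on a device that has no passcode set.
    OSStatus s2 = StoreItemWithAccessibility(@"com.example.myapp", @"user-password",
                                             userPassword,
                                             kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly);
    NSCAssert(s1 == errSecSuccess && s2 == errSecSuccess, @"keychain write failed");
}
```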
Testing Accessibility
Test your accessibility settings to ensure they behave as expected:
- Lock Device Test: Store an item, lock the device, and verify background access behavior
- Reboot Test: Restart the device and check accessibility before first unlock
- Passcode Removal Test: For WhenPasscodeSet items, verify deletion when the passcode is removed
- Background Task Test: Ensure background tasks can access items with appropriate accessibility
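A companion check for the tests above, added here as an example that is not part of SAMKeychain: it reads back the protection class each stored item actually carries, so the lock and reboot results can be compared against what the keychain recorded, and it flags items still in the deprecated Always classes. The service name is hypothetical.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns {account: accessibility} for every generic-password item stored under
// `service`, read from the keychain itself rather than from what the app
// believes it configured. Empty dictionary when nothing is stored.
NSDictionary<NSString *, NSString *> *AccessibilityByAccount(NSString *service) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:              (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:        service,
        (__bridge id)kSecAttrSynchronizable: (__bridge id)kSecAttrSynchronizableAny,
        (__bridge id)kSecReturnAttributes:   @YES,   // attributes only, no secrets
        (__bridge id)kSecMatchLimit:         (__bridge id)kSecMatchLimitAll,
    };
    CFTypeRef raw = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &raw);
    if (status != errSecSuccess) { return @{}; }   // e.g. errSecItemNotFound
    NSMutableDictionary *out = [NSMutableDictionary dictionary];
    for (NSDictionary *attrs in CFBridgingRelease(raw)) {
        NSString *account = attrs[(__bridge id)kSecAttrAccount];
        NSString *klass   = attrs[(__bridge id)kSecAttrAccessible];
        if (account && klass) { out[account] = klass; }
    }
    return out;
}

// Flags items still stored with the deprecated Always classes, which remain
// readable even before first unlock. Compares against the constants themselves
// so the short internal attribute strings never need to be hard-coded.
NSArray<NSString *> *AccountsWithLegacyAccessibility(NSString *service) {
    NSMutableArray *bad = [NSMutableArray array];
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wdeprecated-declarations"
    NSSet *legacy = [NSSet setWithObjects:(__bridge id)kSecAttrAccessibleAlways,
                     (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly, nil];
#pragma clang diagnostic pop
    [AccessibilityByAccount(service) enumerateKeysAndObjectsUsingBlock:
        ^(NSString *account, NSString *klass, BOOL *stop) {
            if ([legacy containsObject:klass]) { [bad addObject:account]; }
        }];
    return bad;
}
```

Run AccessibilityByAccount in a debug build after the app has stored its items, and again after the reboot and passcode-removal tests to confirm which entries survived.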
Next Steps
- Error Handling: Learn how to handle errors when accessibility prevents access
- Keychain Basics: Understand the fundamentals of keychain storage
- iCloud Sync: Sync keychain items across the user’s devices with iCloud
- Background Tasks: Access keychain items from background tasks
