Keychain entries made by Firebase

[tay-j-kohn]

Got a pentest report back recently that called out 4 keychain "passwords" in our app that are ACL = none meaning any app can view them. They all seem to have firebase related Account/Service names and I didn't create them explicitly so I believe the firebase SDK does automatically:

• com.google.iid.checkin
• com.firebase.FIRInstallations
• {{firebase app id}}:*
• _pfo (tied this to firebase via [Keychain] Service name collision #6582)

I think these sound more like non sensitive identifiers and not passwords as ios keychain requires them to be classified as. I also think the ACL none is expected as some/all of these may need to be shared across the device to other possible apps with firebase bundled. Can someone from the Google contributors confirm this? Or is there documentation anywhere on these keychain entries? Couldn't find anything.

[tay-j-kohn]

I've been doing some more research into this and I think our pentesting company misunderstood the ACL property from the tool they used (https://github.com/sensepost/objection) Looking at the source for this tool it seems the ACL is derived from the kSecAttrAccessControl attribute of the keychain entry. As far as I can tell this has nothing to do with sharing the keychain across different apps and only has to do with adding passcode/password/biometric prompts before the owning application can read the keychain entry. The way to share across apps is a totally separate functionality which requires very deliberate configuration and only allows you to share across apps from the same development team. https://developer.apple.com/documentation/security/keychain_services/keychain_items/sharing_access_to_keychain_items_among_a_collection_of_apps?language=objc