
I have the Kaiser Permanente health app on my iPhone. When I open it, my username is prefilled and it prompts me to sign in with Touch ID.

Now I press and hold the icon on the home screen to delete the app from my phone. iOS warns me that doing so will delete all app data. I accept.

Next, I reinstall the Kaiser Permanente app from the app store. Somehow my username is still prefilled and I'm still able to sign in with Touch ID. This violates my expectations.

I thought perhaps it had something to do with iCloud, though I note the following:

  • In Settings > (account) > iCloud, Keychain is "Off"
  • In Settings > (account) > iCloud, Kaiser Permanente is not listed under "Apps Using iCloud"
  • In Settings > (account) > iCloud > Manage Storage > Backups > iPhone, I have deselected Kaiser Permanente under "Choose Data to Backup."
  • In Settings > Accounts & Passwords > App & Website Passwords, the list is empty.

As a user, this is very unexpected. Is it an expected developer capability? How is it being done?

Aaron
    Do you have any other apps installed from that developer? If so, they may be using group keychains. – Ryan Pendleton Mar 20 '18 at 06:13
    App data stored in the keychain is not cleared when the app is deleted. – Paulw11 Mar 20 '18 at 07:22
  • The app may be getting information from the server while loading, according to your device token. – aBilal17 Mar 20 '18 at 09:51
  • Device token as in notification device token? That would be a bad practice, but it could be. – hasan Mar 20 '18 at 10:00
  • No, by using OpenUDID your device token may remain the same when you uninstall the app and then install it back; maybe the app is using the same library or something like that. https://github.com/ylechelle/OpenUDID – aBilal17 Mar 20 '18 at 10:04
  • @RyanPendleton I do not have any other apps from that developer. – Aaron Mar 20 '18 at 14:28

1 Answer

  1. App data stored in the keychain is not cleared when the app is uninstalled. So it may be using the Keychain.

  2. Maybe you have other apps installed from that same developer. If so, they may be using group keychains.

  3. The app may be getting information from the server while loading, according to your device token. Using OpenUDID, your device token may remain the same when you uninstall the app and then install it back; maybe the app is using the same library or something like that. github.com/ylechelle/OpenUDID

aBilal17
  • 1. Is there any way to check this non-programmatically? Sounds like users can't access or erase the full keychain? 2. No other apps installed from that developer. 3. Are app developers allowed to do this? – Aaron Mar 20 '18 at 14:47
  • 1. I think we cannot check this non-programmatically. 2. We can erase keychain data using Keychain-Dumper; it is a little tricky. Reference https://stackoverflow.com/questions/16336449/reset-keychain-on-the-device 3. I think developers can do this; it is allowed by Apple. – aBilal17 Mar 21 '18 at 06:11
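The keychain behaviour described in point 1 of the answer is the standard iOS Security framework behaviour: generic-password items added with SecItemAdd live in the device keychain, not in the app sandbox, so deleting the app does not remove them. The example below is added here to illustrate it and is not code from the page, from Kaiser Permanente, or from OpenUDID. It assumes a hypothetical service name and a hypothetical UserDefaults key, and it shows the two choices a developer controls: the accessibility class (the ThisDeviceOnly variant keeps the item out of iCloud Keychain sync and out of backups restored to another device, which matches the asker's observation that iCloud Keychain was off and the app still remembered them) and a first-launch check that wipes inherited credentials, since UserDefaults is sandboxed and disappears on uninstall while keychain items do not.

```swift
import Foundation
import Security

// Hypothetical identifiers for this example; not taken from any real app.
let keychainService = "com.example.healthapp.credentials"
let firstRunSentinel = "com.example.healthapp.hasLaunchedBefore"

enum KeychainError: Error {
    case unexpectedStatus(OSStatus)
}

/// Store (or overwrite) `value` for `account` under the example service.
/// kSecAttrAccessibleWhenUnlockedThisDeviceOnly: readable only while the device is
/// unlocked, never synced by iCloud Keychain, never restored to a different device.
func keychainSet(_ value: Data, account: String) throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
    ]
    // Delete any existing item first so SecItemAdd cannot fail with errSecDuplicateItem.
    SecItemDelete(query as CFDictionary)

    var attributes = query
    attributes[kSecValueData as String] = value
    attributes[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly

    let status = SecItemAdd(attributes as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
}

/// Read the value stored for `account`, or nil when no item exists.
func keychainGet(account: String) throws -> Data? {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.unexpectedStatus(status)
    }
}

/// Delete every generic-password item this app stored under the example service.
/// On iOS, SecItemDelete removes all items matching the query.
func keychainWipeService() throws {
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: keychainService,
    ]
    let status = SecItemDelete(query as CFDictionary)
    guard status == errSecSuccess || status == errSecItemNotFound else {
        throw KeychainError.unexpectedStatus(status)
    }
}

/// Call once at app launch. UserDefaults is stored inside the app sandbox and is
/// removed on uninstall; keychain items are not. A missing sentinel therefore means
/// either a true first install or a reinstall that inherited an earlier install's
/// credentials, and in both cases the stored items are discarded.
func wipeKeychainOnFreshInstall() throws {
    let defaults = UserDefaults.standard
    if !defaults.bool(forKey: firstRunSentinel) {
        try keychainWipeService()
        defaults.set(true, forKey: firstRunSentinel)
    }
}

// Example usage, e.g. from application(_:didFinishLaunchingWithOptions:):
//   try wipeKeychainOnFreshInstall()
//   try keychainSet(Data("session-token".utf8), account: "username@example.com")
//   let token = try keychainGet(account: "username@example.com")
```

Whether to wipe on fresh install is a product decision rather than a platform requirement: Apple leaves keychain items in place so that a reinstalled app can resume, which is exactly the convenience the asker ran into. From the user's side, the only non-programmatic controls are the ones the asker already checked (iCloud Keychain and backups); on a non-jailbroken device the app's own keychain items cannot be listed or removed from Settings, so the defensive choice has to be made by the app, either with a first-launch wipe like the one above or with an explicit "forget this device" sign-out that calls keychainWipeService().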