
I am pretty new to implementing biometric authentication for my application, and for my shopping application I am using the following logic to implement it. Please bear with me if this is not the correct place to post this question; I ask the moderators to move it to the appropriate forum. As of now we are storing only the username, in AES-encrypted form (not even in the keychain).

I am able to implement this successfully, but I have a query: if I uninstall the application, will the credentials stored in the keychain be removed as well? I have referred to many SO questions but I cannot find a definite answer. If they still remain there after uninstalling the application, how do I remove them?

User1075
  • You can't. End of story. – Claus Jørgensen Oct 20 '20 at 14:09
  • Store it in the keychain like every other app in the world, and let iOS use TouchID/FaceID automatically. It's not your problem to solve. – Claus Jørgensen Oct 20 '20 at 14:14
  • So does it mean everything is fine with my logic flow? Can I proceed with the same? – User1075 Oct 20 '20 at 14:17
  • @ClausJørgensen please sir, can you confirm the same? – User1075 Oct 20 '20 at 14:32
  • What you really should do is have the server return an auth token (like an OAuth flow), and store that one. That way you don't need to store either the username or the password. But it of course depends on the backend infrastructure... – Claus Jørgensen Oct 20 '20 at 14:37
  • Before making assumptions that you could handle keychain stuff that is clearly admin-system and user business, it's wise to read more about what triggers a system to set your app in a closed sandbox state where even the expected data transport to log in to a server would fail. – Ol Sen Oct 20 '20 at 16:29

1 Answer


There is a post about this on the Apple developer forums. It basically tells us that the Keychain is persistent even after app removal and reinstall (meaning the application can technically use the old keys again). This behaviour is not really as intended (if you read the thread carefully).

To counter this behaviour, the forum provides a solution: set a flag in UserDefaults storage (which is deleted when the app is uninstalled). When a user runs the app for the first time, clear the Keychain and set the flag. That way, you can be almost certain that the keys were removed before first use.

To answer your question directly, there is no way (as of right now) to tell when an app was uninstalled and act upon that uninstall.

Bram
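The first-launch reset described in the answer above, as an added example (this is not code from the answer or from the Apple forum thread it cites). It assumes a UserDefaults key name of your choosing (`com.example.app.hasLaunchedBefore` here is a placeholder) and that you call it before any credential lookup. UserDefaults is removed along with the app, so on a fresh install the flag is absent, the app's Keychain items are deleted, and the flag is then set.

```swift
import Foundation
import Security

// Added example: wipe this app's Keychain items on the first launch after an
// install, then record that launch in UserDefaults. UserDefaults is deleted
// with the app, so a reinstall starts with the flag cleared again.
enum FirstLaunchKeychainReset {
    // Assumed key name; any stable string unique to your app will do.
    static let hasLaunchedKey = "com.example.app.hasLaunchedBefore"

    /// Returns true if this call cleared the Keychain (i.e. first launch).
    @discardableResult
    static func runIfNeeded(defaults: UserDefaults = .standard) -> Bool {
        if defaults.bool(forKey: hasLaunchedKey) {
            return false            // not the first launch, nothing to do
        }
        clearKeychain()
        defaults.set(true, forKey: hasLaunchedKey)
        return true
    }

    /// Delete every item of the common Keychain classes that belongs to
    /// this app. A query that names only kSecClass matches all items of
    /// that class in the app's access group(s).
    static func clearKeychain() {
        let classes: [CFString] = [
            kSecClassGenericPassword,
            kSecClassInternetPassword,
            kSecClassCertificate,
            kSecClassKey,
            kSecClassIdentity
        ]
        for itemClass in classes {
            let query: [String: Any] = [kSecClass as String: itemClass]
            let status = SecItemDelete(query as CFDictionary)
            // errSecItemNotFound only means there was nothing to delete.
            if status != errSecSuccess && status != errSecItemNotFound {
                print("Keychain delete for \(itemClass) failed: \(status)")
            }
        }
    }
}

// Call early, e.g. in application(_:didFinishLaunchingWithOptions:) or the
// SwiftUI App initialiser, before reading any stored credential:
// FirstLaunchKeychainReset.runIfNeeded()
```

One caveat worth checking before adopting this: if the app shares a Keychain access group with other apps from the same team, a class-only `SecItemDelete` also removes the items those apps rely on. In that case narrow the query with `kSecAttrService` (or `kSecAttrAccessGroup`) so only this app's own entries are deleted.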