Swift/iOS - Use Strong Password not being saved to keychain - ios

I am attempting to implement the autofill feature for iOS. I have followed all the steps from https://developer.apple.com/documentation/security/password_autofill. I have an associated domain, a valid apple app association file, and I have set the text content types correctly. My issue is, when I am prompted to "use strong password" by the native iOS dialog, my username/password never gets saved to the keychain. I have also validated that I have autofill on and my icloud keychain enabled. Ive also followed https://medium.com/developerinsider/ios12-password-autofill-automatic-strong-password-and-security-code-autofill-6e7db8da1810 , but still not seeing the expected behavior. By clicking use strong password, is the username/pw automatically sent to keychain or do I need to manually do something. Thanks in advance.

actually watched developer.apple.com/videos/play/wwdc2018/204/?time=31 . Turns out the issue is not removing the user/pw/confirmPw from the view hierarchy. So on my "viewWillDisappear" I am removing the fields from the hierarchy, this triggers the save to keychain.

Related

iOS app will save password but will not autofill

I have associated domains set up with my app & api, so apple is asking to save my passwords, but they will not autofill.
Here is my AD:
Here is XCode where I set the content type:
NOTE: The text field input placeholder is "Email", because we use the email as the username.
I even set them programmatically as well. I have tried deleting the app, restarting my phone and deleting the app, deleting the text fields and recreating them, all to no avail.
What is really weird is that autofill for email does not work in my signup form either, but only for that text field. So, I have a first name text field - that will autofill my name, but if i switch that to "Email", then it will autofill email successfully. Then, I copy that text field, move it into position, delete the old one, change one of them back to "first name" and now it doesn't work. This is so weird, it makes 0 sense.
Once I log in, it asks to "Save Password", no matter how many times I log in. It does not ask to "Update Password". When I sign in the second time, I click on "Passwords" and it shows the password I created, attached to my associated domain, under suggested passwords. If I click here, it will load the password. But why is it not autofilling? What am I doing wrong?
I have verified that it autofills in other apps, I just tried w/ CapitalOne
The issue was the path of the associated domain. This is an apple bug. For the associated domain, I was using webcredentials:api.companyname.com/v1. The "v1" was the issue. It compiles, runs, and saves the domains with the v1. It appears that about half of the associated domains functionality still works if you include a path, but half doesn't, with no indication of the error. However, when you prepare for submission to the app store by archiving the app, it will fail. When I removed the path, it started to work 100%.

Why is my iOS App Associated Domain endpoint not being called by Apple?

Following Apple's Password autofill guidelines with App Associated Domains here, I added the apple-app-site-association json file.
My app has that site listed as webcredentials:example.com. My app's bundle id is com.app.App which is listed as one of the apps under webcredentials.apps. The site has an SSL certificate.
In my iOS app I have an email text field with a content type of email (I've also tried username) and I have a password text field with new password (I've also tried password). When I select the email text field I get suggested emails. But when I select the password text field I get the same email QuickType suggestions and I get an error in the console:
Cannot show Automatic Strong Passwords for app bundleID: com.app.App due to error: Cannot save passwords for this app. Make sure you have set up Associated Domains for your app and AutoFill Passwords is enabled in Settings
I have AutoFill Passwords enabled on my device and I've proved that it does work on other apps.
I also never see in the logs that apple is calling my endpoint I provided above.
I verified that my Apple team ID is correct.
I've run out of ideas. Can someone else see what I'm doing wrong? Thanks!
Update:
It works fine on the simulator. The request goes out and the server gets it and it works. On the device it does NOT work.
I turned off the phone and turned it back on and it's working just fine... Really frustrating, I have no idea why it wasn't working, but I do know it was NOT making the network request from the device at all.
I turned off the phone I was testing with and turned it back on and that somehow fixed it... I have no idea why it wasn't working, but I do know it was NOT making the network request from the device at all.

Can I use iOS AutoFill feature only in app without associated domain?

I am wondering if I can use AutoFill without implementing the Associated Domains?
So this means for example that when the user register in my app that I save the credentials.
And then when he tries to login offer this credentials as AutoFill option.
Is something like that even possible to achieve?
As far as I can tell, you can take advantage of AutoFill without setting up associated domains. The part you'll miss out on is that iCloud/1Password/etc. won't be able to suggest the right log in details for your app without the associated domains set up. Instead, it'll prompt the user to choose/search for the matching log in details and select them from a list. But it should fill it in for you fine, especially if you add the extra details like setting textContentType on your text fields so iOS knows what's a log in form in your app.
ETA: Actually, I ended up having issues with AutoFill in my app that seemed to be fixed by setting up associated domains. The documentation makes it seem like that step is optional, but I had trouble where 1Password would let me choose the log in details but not fill them into the text fields until I had associated domains set up, whereas iCloud seemed to work fine mostly.

iOS fingerprint device PIN Prompt while kSecAccessControlBiometryCurrentSet flag is set

I'm working on a fingerprint Authentication using the keychain methods from iOS and can't manage to not show the pin proposal to be displayed after an error.
I'm using the flag kSecAccessControlBiometryCurrentSet which should only allow biometrics authentication.
So for the first prompt it works well and I didn't get the possibility to enter the passphrase but as soon as an authentication fails, the prompt changes and allow the user to enter his code. I would like to block this and only allow fingerprint authentification through that prompt.
There's the code I'm using: https://github.com/xavistas/cordova-plugin-touch-id/blob/noPinCode/src/ios/TouchID.m
If you have any idea, feel free to share :) !
I finally found the solution but it isn't really trivial.
You have to know that the keychain is never cleared for your application, even if you uninstall it.
So basically, if you tried one time to with a flag, let's say kSecAccessControlUserPresence, until you manually specify that you want to clear the keychain entry, this flag will stay stored.
And basically, even you if you "create the keychain token" each time the user connects to the app, it will not replace the keychain entry.
I hope it will help some of you !

How Do I Force An iOS TouchID To Re-Authorize After Each Access, or Check If It is Unlocked?

OK. I suspect I just need to be directed to the appropriate "M" for "RTFM." I'm not new to iOS, but fairly new to keychain use. I am using a good keychain wrapper called "FXKeychain."
I have an app that includes a login, with a password stored in the default keychain.
I use TouchID to validate the user and fill in the password.
In order to do this, I display a "thumbprint" button, with an IBAction handler that runs the standard code:
self.s_authenticationContext.evaluatePolicy(LAPolicy.DeviceOwnerAuthenticationWithBiometrics, localizedReason: "Yo. Gimmie ur thumb.", reply: self.touchIDCallback)
The issue is, that once it is unlocked, subsequent touches of the button, using the above, skip the alert, and simply fall through.
This is an issue because the same button is displayed, even after the user is validated. I'd like to either:
Re-lock after entering the password, so the user must re-authenticate each time (preferred), or
Display a different button image that indicates the thumbprint is no longer necessary.
That means that I need to:
Find a way to re-lock the TouchID, or
Find out if the user is unlocked.
Any ideas?
Thanks!
It is your authentication context rather than the keychain that is 'unlocked'. If you allocate a new authentication context before calling evaluatePolicy then the touchID dialog will be shown again.
You can, however, actually use touchID to authenticate access to a keychain item directly. The Apple sample code demonstrates how to do this - https://developer.apple.com/library/ios/samplecode/KeychainTouchID/Introduction/Intro.html#//apple_ref/doc/uid/TP40014530-Intro-DontLinkElementID_2

Resources