How Loom Fixed the iOS 7 Forced Logout Bug blog.loom.com

Mang-Git Ng of Loom:

When the Loom app is launched in background mode and the phone is not authenticated past the login screen, the keychain file for Loom was returning an empty string for both the login email and password. Thus the Loom app thought that the user had never previously authenticated and presented a login screen to the user upon return to the app, despite the user having previously authenticated and all application-specific information being intact.

To solve our problem we set the access level of our keychain wrapper to “kSecAttrAccessibleAlways” for the key “kSecAttrAccessible”.

Interesting choice. Apple recommends against using kSecAttrAccessibleAlways because it’s inherently insecure.

But this attribute was (ostensibly) not updated with iOS 7. Apple’s recommendation, kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly, was updated with iOS 7. I’ve asked Loom if they considered using this attribute instead; if they were using it prior to the app’s update, there might be a bug in this attribute.
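
An added example (not code from Loom or from this post) of the alternative raised above: store the login item with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly and, on read, treat errSecInteractionNotAllowed as "device locked, retry later" instead of as a missing credential. The service name, the account parameter and the CredentialState type are assumptions made for the example.

```swift
import Foundation
import Security

// Hypothetical service name, chosen for this example.
let service = "com.example.app.login"

enum CredentialState {
    case found(Data)
    case notStored        // nothing saved: the user really has to log in
    case lockedOut        // item exists but is unreadable while the device is locked
    case failed(OSStatus) // any other keychain error
}

func baseQuery(account: String) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
    ]
}

func storeCredential(_ secret: Data, account: String) -> OSStatus {
    // Remove any older copy so the new accessibility class applies.
    _ = SecItemDelete(baseQuery(account: account) as CFDictionary)
    var attrs = baseQuery(account: account)
    attrs[kSecValueData as String] = secret
    // Readable in the background once the device has been unlocked
    // after boot; never migrated to another device via backup.
    attrs[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
    return SecItemAdd(attrs as CFDictionary, nil)
}

func loadCredential(account: String) -> CredentialState {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        if let data = result as? Data { return .found(data) }
        return .failed(status)
    case errSecItemNotFound:
        return .notStored
    case errSecInteractionNotAllowed:
        // Do not collapse this into "no credential" and force a logout.
        return .lockedOut
    default:
        return .failed(status)
    }
}
```

A caller that receives `.lockedOut` during a background launch can defer work that needs the credential until the app is next in the foreground, leaving the stored session untouched.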