Keychain entries made by Firebase #13159
Unanswered
tay-j-kohn
asked this question in
Q&A
Got a pentest report back recently that called out 4 keychain "passwords" in our app that are ACL = none, meaning any app can view them. They all seem to have Firebase-related Account/Service names and I didn't create them explicitly, so I believe the Firebase SDK does automatically:
I think these sound more like non-sensitive identifiers and not passwords as iOS keychain requires them to be classified as. I also think the ACL none is expected, as some/all of these may need to be shared across the device to other possible apps with Firebase bundled. Can someone from the Google contributors confirm this? Or is there documentation anywhere on these keychain entries? Couldn't find anything.