Woes of KeychainWrapper and NSAssert


If you have ever needed to store a password or other sensitive data in an iPhone app, you have probably used Keychain Access, Apple’s solution for storing data securely. You have probably also used Apple’s KeychainWrapper class, which offers a very easy wrapper for storing info in the keychain.

The KeychainWrapper worked well in debug mode, but when building for release it didn’t seem to be writing objects to the keychain. I was fumbling around with this for hours, going over my own code thinking I had made a mistake somewhere. In the end I figured out what the problem was: in Apple’s code for KeychainWrapper, the actual line that executed the commit to the keychain was inside an NSAssert. NSAssert is used for development, but as soon as you build for release or distribution every NSAssert is nullified, which has the same effect as commenting out everything on that line and removes the keychain commit code.

I used the contact form on Apple’s site and they have since fixed it, but there are still many copies of this dodgy version floating around the web.

If you do have a dodgy version, I recommend getting the newest version from Apple’s site. Otherwise you can fix it yourself by moving the code out of the NSAssert and evaluating the result instead, like so:

// Change lines that look like this
NSAssert(SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)tempCheck), @"Couldn't update the Keychain Item." );

// To something that looks like this
OSStatus status = SecItemUpdate((CFDictionaryRef)updateItem, (CFDictionaryRef)tempCheck);
NSAssert(status == noErr, @"Couldn't update the Keychain Item." );
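
An added example (not Apple's KeychainWrapper code and not from the original post) that takes the fix one step further: even with the call moved out, the NSAssert on status still disappears in release builds, so a failed write would go unnoticed there. The hypothetical helper StoreSecret, which assumes ARC and a generic-password item, runs the Security calls unconditionally and reports failure through its return value and an NSError.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: the name and parameters are illustrative and are not
// part of Apple's sample. Assumes ARC. The keychain call always executes and
// its OSStatus is checked at runtime, so failures surface in release builds too.
static BOOL StoreSecret(NSData *secret, NSString *service,
                        NSString *account, NSError **error)
{
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account
    };
    NSDictionary *changes = @{ (__bridge id)kSecValueData: secret };

    // The side effect lives outside any assertion macro.
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)changes);

    if (status == errSecItemNotFound) {
        // Nothing stored yet for this service/account: create the item.
        NSMutableDictionary *item = [query mutableCopy];
        [item addEntriesFromDictionary:changes];
        status = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    }

    // Debug-only tripwire. It is safe for this line to be compiled out,
    // because it only reads `status` and performs no work of its own.
    // NSCAssert is the variant for C functions (NSAssert needs a method).
    NSCAssert(status == errSecSuccess, @"Keychain write failed: %d", (int)status);

    if (status != errSecSuccess) {
        if (error) {
            *error = [NSError errorWithDomain:NSOSStatusErrorDomain
                                         code:status
                                     userInfo:nil];
        }
        return NO;   // the caller decides how to tell the user
    }
    return YES;
}
```

Callers should check the BOOL result rather than assume the credential was saved.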

I remembered that one of our clients, who brought an iPhone app to us for improving, mentioned that one of the problems they had with it was that it wasn’t remembering users’ usernames and passwords. I took a peek at the KeychainWrapper they were using, and sure enough it was the dodgy version. A good example to remind us to always test both debug and release versions!