iOS Keychain

The iOS Keychain is Apple's secure credential storage system that encrypts and stores sensitive data such as passwords, cryptographic keys, certificates, and tokens in a hardware-protected container accessible only to authorised applications through controlled API access.

Every iOS application runs inside a sandbox that prevents it from accessing another application's files. The Keychain extends this isolation to sensitive credentials by storing them in an encrypted database managed by the operating system. Items in the Keychain are encrypted with a key derived from the device's unique hardware identifier and the user's passcode, making offline extraction extremely difficult even with physical access to the device.

Each Keychain item is assigned an access control policy that determines when it can be read. The most secure option, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly, ensures the item is only available when the device has a passcode set and is currently unlocked, and that it is never included in backups or migrated to a new device. Developers can additionally require biometric authentication for each access by attaching a SecAccessControl object with the .biometryCurrentSet flag.
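As an added illustration (not code from Vulnsy or from Apple's documentation), the following Swift stores a generic-password item under the accessibility class and biometric policy just described and reads it back through a LocalAuthentication context; the service and account names are placeholders.

```swift
import Foundation
import Security
import LocalAuthentication

enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

// Store a secret under the strictest accessibility class and require the currently
// enrolled biometrics for every read (service/account values are placeholders).
func storeSecret(_ secret: Data, service: String, account: String) throws {
    var cfError: Unmanaged<CFError>?
    // .biometryCurrentSet also invalidates the item if biometric enrolment changes.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault, kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet, &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    let base: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account
    ]
    // Drop any stale copy first so a repeated store does not fail with errSecDuplicateItem.
    SecItemDelete(base as CFDictionary)
    // kSecAttrAccessible is deliberately not set: the protection class lives in the SecAccessControl.
    var query = base
    query[kSecAttrAccessControl as String] = access
    query[kSecValueData as String] = secret
    let status = SecItemAdd(query as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Read it back; the system prompts for biometrics using the LAContext reason.
// Expect errSecItemNotFound if enrolment changed and the item was invalidated.
func readSecret(service: String, account: String, reason: String) throws -> Data {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let data = result as? Data else {
        throw KeychainError.status(status)
    }
    return data
}
```

Because the item is ThisDeviceOnly, it is excluded from iCloud and encrypted local backups, so a token stored this way must be re-issued rather than restored after a device migration.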

On devices equipped with a Secure Enclave, which includes all modern iPhones and iPads, certain Keychain operations are performed inside the dedicated security coprocessor. Elliptic curve keys generated within the Secure Enclave never leave the hardware, providing protection comparable to a hardware security module.

Applications that store tokens or keys in UserDefaults, plist files, or the application sandbox rather than the Keychain are commonly cited for insecure data storage during penetration tests. Using the Keychain with appropriate access controls is a baseline expectation in the OWASP MASVS data storage category.
