Forum Archive

Get a list of all keys in Pythonista's keychain?

jugisto135

Is there any way to get an overview of all services and accounts for which there are keys stored via Pythonista?

omz

No, that's currently not possible.

jugisto135

Thanks for the info. Am I worrying too much about possible overload of keys in the keychain? Will the keys be deleted when Pythonista is uninstalled?

omz

The keys are actually persistent, i.e. they "survive" uninstalling Pythonista. You probably shouldn't worry too much about it though, unless you're storing really large amounts of data...

jugisto135

Well, I know I will eventually start to dump anything in there. So I guess I'll write some sort of wrapper for the keychain to keep track of what services and accounts I'm storing in there. Might be a security risk, but since you won't get to the keychain's data of Pythonista without having physical access to my device, I won't care about it that much.
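A sketch of the kind of tracking wrapper described in the post above, as an added example that is not code from the thread or from Pythonista. It assumes the backend exposes `get_password`, `set_password` and `delete_password` taking `(service, account)` and that a missing entry returns `None`; `TrackedKeychain`, `MemoryKeychain` and the reserved index names are hypothetical. The index holds only service and account names and is kept in the keychain itself, so it has the same protection as the secrets.

```python
import json

INDEX_SERVICE = "_keychain_index"  # hypothetical reserved service name for the index
INDEX_ACCOUNT = "index"            # hypothetical reserved account name

class MemoryKeychain:
    """Constructed in-memory stand-in so the example runs off-device."""
    def __init__(self):
        self._items = {}
    def get_password(self, service, account):
        return self._items.get((service, account))
    def set_password(self, service, account, password):
        self._items[(service, account)] = password
    def delete_password(self, service, account):
        self._items.pop((service, account), None)

class TrackedKeychain:
    """Records every (service, account) pair written through it."""
    def __init__(self, backend):
        self.backend = backend  # assumption: on device, pass the keychain module
    def _load(self):
        raw = self.backend.get_password(INDEX_SERVICE, INDEX_ACCOUNT)
        return {tuple(pair) for pair in json.loads(raw)} if raw else set()
    def _save(self, entries):
        self.backend.set_password(INDEX_SERVICE, INDEX_ACCOUNT,
                                  json.dumps(sorted(entries)))
    def set_password(self, service, account, password):
        if service == INDEX_SERVICE:
            raise ValueError("service name is reserved for the index")
        self.backend.set_password(service, account, password)
        self._save(self._load() | {(service, account)})
    def get_password(self, service, account):
        return self.backend.get_password(service, account)
    def delete_password(self, service, account):
        self.backend.delete_password(service, account)
        self._save(self._load() - {(service, account)})
    def entries(self):
        return sorted(self._load())
    def purge(self):
        """Delete every tracked secret, then the index (e.g. before uninstalling)."""
        for service, account in self._load():
            self.backend.delete_password(service, account)
        self.backend.delete_password(INDEX_SERVICE, INDEX_ACCOUNT)
```

Because the keys persist after the app is uninstalled, `purge()` is the cleanup step; it only reaches entries that were written through the wrapper.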

omz

I'll add a get_services() function in the next update. That'll allow you to get a list of all accounts you've stored in the keychain.

jugisto135

Awesome, thanks!

kgfme

I don't think the keychain is so secure being you can "print" any password that is in there. Is there a way to disable Pythonista from printing passwords or variables that were assigned a password?

Seems like the "secure storage" of passwords is out the door with anybody who has the tiniest bit of programming knowledge to just print them.

omz

If someone has physical access to your device, all bets are off anyway (e.g. someone could reset your passwords and check your email etc., and if you don't use a passcode, they could also read Safari passwords in plain text from the Settings app). Still, I'm considering adding support for a "master" password that would be requested when you call get_password...

kgfme

Thanks. That is true. Having access to email means resetting passwords. Just hate having passwords out in the open and easy to access like that. I was thinking about what way you can make it better too and I think your idea is a pretty good one. If they don't have a master password, then they can't run the get_password command. Would love to see this.

userista

Can a different app have access to the Pythonista keychain (if it uses the proper bundle id etc.)?

I'm thinking of a scenario where someone has physical access to your device, they can install an app to access Pythonista's keychain. Even if there's a set_master_password()....

dgelessus

The keychain is a standard iOS feature and deeply integrated into the system; as far as I know, it's not stored in the app bundle. Apple's app sandboxing also prevents apps from reading files outside their own bundle, except for a few essential ones. Even if someone got access to the keychain database using a jailbreak, it would still be encrypted. I don't know what kind of encryption is used and how secure it actually is, but the point is that accessing the keychain is not easy.

oefe186

Another app might not be able to read Pythonista's keychain, but any script within Pythonista can.

So if you download and run untrusted scripts, and have valuable passwords in Pythonista, it might be a good idea to use a master password.

userista

Hmmmm, I was wondering because Google's apps all have access to the keychain (and can therefore share login state). Though from this answer on Stack Overflow, it seems that it's only if the app shares the same Bundle Seed ID - I'm guessing that it is not possible to access normally. If the phone is jailbroken maybe you could view the bundle seed id and then install another app with the same bundle seed ID?

Really need an iOS dev to chime in on this....

dafire

As long as your device is not jailbroken you are right, only apps with the same Bundle Seed ID have access.

If you jailbreak your device you lose all security features, and apps that did not go through review and automatic checks at Apple can use internal functions to receive any data stored in the keychain.

userista

@dafire Aha thanks for the clarification