App delete does not clear tokens in iOS when SSO is enabled

Article ID: 129848

Products

CA Rapid App Security, CA Mobile - App Services, CA Mobile API Gateway, CA API Gateway

Issue/Introduction

The user remains logged in even after re-installing the application.

The use case is as follows:
1. Download the app
2. Open the app and log in
3. Minimize or close the app
4. Delete the app
5. Reinstall the same app
6. Open the app
After step 6 the user is logged in without being prompted for credentials.

It reproduces reliably in the sample app when following this guide:
http://mas.ca.com/docs/cordova/1.7.10/guides/

Reproduction steps (with SSO configured):
1. Install the app
2. MAS init
3. MAS start with defaults
4. MAS User login with username and password
5. MAS User getCurrentUser - returns the user details
6. Delete the app without logging out (minimize/close the app first)
7. Reinstall the app
8. MAS init
9. MAS start with defaults
10. MAS User getCurrentUser - returns the user details (the same user as before deletion)
11. MAS get protected URL - no authentication is required and data is returned

The customer tested this on an iPhone 8 Plus device running iOS 12.1 and also on an emulator.

Environment

MAS SDK 1.7.10 
MAG 9.3 CR01 

Resolution

This is a limitation of Apple's iOS Security framework.
All credentials that the MAG SDK persists are stored in the Keychain Services that Apple provides for secure storage, in order to get the most benefit from the iOS environment.

Please refer to
https://forums.developer.apple.com/thread/36442#thread-post-281900 for more details. This is an official answer from Apple related to this issue.

The bottom line is that anything stored in Keychain Services persists after deleting and re-installing the application, and so does the user's logged-in status.
However, as we have already acknowledged this concern, we have implemented internal logic to detect whether the SDK can safely delete the data upon a fresh installation or re-installation.

This means that upon installing the app, the MAG SDK is responsible for deleting all credentials, as long as doing so will not affect the status of other applications.
So, if the company has only a single application signed and published through Apple's Developer Program, and that application does not share a Keychain Sharing identifier with any other application, the MAG SDK will delete the data upon re-installation.
However, this only works in the following cases:
1. MAG SDK version 1.9 or above
2. Only if the customer has a single application for the Keychain Sharing identifier

If the customer has multiple applications signed and published under the same Apple Developer Program with the same Keychain Sharing identifier (meaning the customer expects SSO across those applications), this auto-delete in the MAG SDK will not be triggered, because deleting those credentials on one app's re-installation would impact the other applications.
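The following Swift snippet is an added example illustrating the pattern the resolution describes; it is not MAG SDK code. It relies on the fact that `UserDefaults` lives in the app's sandbox container, which iOS removes together with the app, while keychain items survive deletion. A missing "has launched" flag therefore identifies a fresh install or re-installation, at which point the app's own keychain items are deleted unless the keychain is shared with sibling apps (in which case clearing them would log those apps out, so they are left alone). The `keychainIsShared` parameter, the `installFlagKey` and the `credentialService` name are assumptions for this example; a real integration would derive the shared-keychain decision from the app's `keychain-access-groups` entitlement.

```swift
import Foundation
import Security

/// Hypothetical helper (added example, not MAG SDK code) showing how an app can
/// detect a fresh install and clear only its own leftover keychain credentials.
enum KeychainCleanup {
    // Constructed UserDefaults key. UserDefaults is deleted with the app, so the
    // flag is absent after a reinstall; keychain items are not, which is the gap.
    static let installFlagKey = "com.example.app.hasLaunchedSinceInstall"
    // Constructed service name under which this app stores its own credentials.
    static let credentialService = "com.example.app.credentials"

    /// Base query selecting this app's generic-password items, optionally one account.
    private static func baseQuery(account: String? = nil) -> [String: Any] {
        var q: [String: Any] = [
            kSecClass as String: kSecClassGenericPassword,
            kSecAttrService as String: credentialService,
        ]
        if let account = account { q[kSecAttrAccount as String] = account }
        return q
    }

    /// Stores a token for the given account (replaces any existing value).
    @discardableResult
    static func storeToken(_ token: String, account: String) -> OSStatus {
        SecItemDelete(baseQuery(account: account) as CFDictionary)
        var item = baseQuery(account: account)
        item[kSecValueData as String] = Data(token.utf8)
        // Device-only, unlocked-only accessibility; the item still survives reinstall.
        item[kSecAttrAccessible as String] = kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        return SecItemAdd(item as CFDictionary, nil)
    }

    /// Reads a token back, or nil when none is stored.
    static func loadToken(account: String) -> String? {
        var query = baseQuery(account: account)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let data = result as? Data else { return nil }
        return String(data: data, encoding: .utf8)
    }

    /// Call once at launch, before reading any stored credentials.
    /// - Parameter keychainIsShared: true when the app's entitlements declare a
    ///   keychain-access-group shared with other apps (SSO expected). Assumed to be
    ///   supplied by the caller in this example.
    /// - Returns: true when this app's leftover keychain items were cleared
    ///   (or none existed); false when nothing was done.
    @discardableResult
    static func clearStaleCredentialsIfFreshInstall(keychainIsShared: Bool) -> Bool {
        let defaults = UserDefaults.standard
        let isFreshInstall = !defaults.bool(forKey: installFlagKey)
        guard isFreshInstall else { return false }

        // Record this install first so the check runs only once per installation.
        defaults.set(true, forKey: installFlagKey)

        // Shared keychain: deleting would sign out sibling apps, so skip. This is
        // the case in which the user remains logged in after reinstall.
        guard !keychainIsShared else { return false }

        let status = SecItemDelete(baseQuery() as CFDictionary)
        // errSecItemNotFound simply means there was nothing left over to remove.
        return status == errSecSuccess || status == errSecItemNotFound
    }
}

// Usage at app launch (e.g. in application(_:didFinishLaunchingWithOptions:)):
// KeychainCleanup.clearStaleCredentialsIfFreshInstall(keychainIsShared: false)
// After this call, loadToken(account:) returns nil on a fresh single-app install.
```

Note that `SecItemDelete` with only `kSecClass` and `kSecAttrService` removes every account stored under that service, so the service name must be unique to the app's own credentials; a shared-keychain app must instead keep its items and rely on the normal logout flow.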