App delete does not clear tokens in iOS when SSO is enabled
The user is logged in even if he re-installs the application.
The use case is as follows:
1. download app
2. open app and login
3. minimize app / close app
4. delete app
5. reinstall the same app
6. open app
the user is logged in without prompting for credentials
It is reproducible successfully in the sample app, following this guide:
reproduction steps (configure SSO)
1. install app
2. MAS init
3. MAS start with default
4. MAS User login with username and password
5. MAS User getCurrentUser - gets the user details
6. Delete app without logout (minimize/close app)
7. reinstall app
8. MAS Init
9. MAS Start with default
10. MAS User getCurrentUser - gets the user details (same as before deletion)
11. MAS get protected URL - no authentication required and data is returned
The customer has tested it on iOS 12.1 iPhone 8 Plus device and also emulator
MAS SDK 1.7.10
MAG 9.3 CR01
This is a limitation on Apple's iOS Security Framework.
All credentials that MAG SDK persists are being stored into Keychain Service that Apple provides for secure storage to secure, and get the most benefit out of iOS environment.
Please refer to
https://forums.developer.apple.com/thread/36442#thread-post-281900 for more details. This is an official answer from Apple related to this issue.
Bottom line is that anything stored in Keychain Service will be persisted after deleting, and re-installing the application, same as user logged-in status.
However, as we already acknowledge this concern, we have implemented our internal logic to detect whether the SDK can safely delete the data or not upon fresh new/re- installation.
Meaning that upon installing the app, MAG SDK will be responsible to delete all credentials as long as if that will not affect other application's status.
So, if the company has only a single application signed and published through Apple's Developer Program, and does not has same Keychain Sharing identifier with any other application, MAG SDK will delete the data upon reinstallation.
However, this will only work for following cases:
1. MAG SDK 1.9 version or above
2. Only if the customer has a single application for the Keychain Share identifier
If the customer has multiple applications signed, and published with the same Apple Developer Program, and same Keychain Sharing identifier (meaning that customer would expect SSO for other applications), this auto delete from MAG SDK will not be triggered as deleting those credentials will impact other applications from particular app's reinstallation.