Sandboxed – iOS Security for Builders

Episode 2

Inside Keychain & Secure Enclave: Where Your Secrets Really Live

On iOS, your app's most sensitive data is supposed to live in the Keychain and, sometimes, the Secure Enclave. But what does that actually mean in practice?

Listen onSpotifyAppleAmazonYouTubeSubstack

On paper, iOS is “secure by default.” In practice, real apps still leak secrets, reuse keys, and leave long-lived tokens lying around like lost house keys under the doormat.

In this episode, we go deep into where your app's secrets actually live on iOS — and what it really means to “use Keychain” or “leverage the Secure Enclave” in a way that would make a red teamer sweat.

This episode: Where your secrets really live

If you build or ship iOS apps, you're sitting on a pile of secrets:

  • API keys and client secrets
  • OAuth tokens and refresh tokens
  • Private keys for signing or encryption
  • Session cookies and device bindings
  • Crypto seeds, recovery phrases, and more

In this episode, we break down:

  • What actually counts as a secret in a modern iOS app
  • What the iOS Keychain is (and what it isn't)
  • How the Secure Enclave fits into the picture
  • Where things go wrong in real production apps
  • Concrete ways to upgrade how you store and rotate secrets

You'll come away with a mental model you can explain to your team — not just “the OS encrypts it somehow.”

Keychain 101 (for people who already skimmed the docs)

Most people think of the Keychain as a magic encrypted dictionary.

In reality, it's:

  • A structured database per device, per user
  • Backed by hardware-backed encryption where possible
  • Controlled by entitlements, access groups, and accessibility classes

We talk about how this actually plays out:

  • Why kSecAttrAccessibleAfterFirstUnlock can be both convenient and risky
  • How Keychain access groups affect what your different apps and extensions can see
  • What happens to Keychain items across backups, restores, and device changes

You'll hear real-world examples where the right Keychain flags mattered more than any fancy crypto primitive.

Secure Enclave: more than a buzzword

“Uses the Secure Enclave” sounds impressive in a slide deck.

We unpack what that really means:

  • What the Secure Enclave actually is (and what runs on it)
  • The difference between keys stored in the Secure Enclave vs. keys merely protected by it
  • When you should reach for Secure Enclave–backed keys versus “just Keychain”
  • Why UX and key lifecycle often end up being the real constraints

We also talk about the kinds of attacks the Secure Enclave is meant to resist — and what it definitely doesn't save you from.

Common failure modes we see in the wild

Most production problems aren't exotic. They're boring, repeatable patterns:

  • Long-lived tokens with permissive accessibility
    Tokens stored with accessibility settings that expose them when the device is locked
  • No rotation plan
    Secrets that never rotate because “it's hard to migrate existing users”
  • Misconfigured access groups
    Multiple apps or extensions unexpectedly sharing secrets
  • Backup/restore confusion
    Orphaned secrets or stuck users after device changes
  • UserDefaults or file storage for sensitive data
    “Temporary” storage that quietly becomes permanent

We walk through how these missteps turn into real account takeover and data-exfiltration paths — and how attackers chain them with phishing or device theft.

Three things you can do this week

If you only do a small amount of work after this episode, make it count. Here are three concrete things you can do with your team this week:

1. Inventory your secrets

Make an explicit list of everything your iOS app treats as a secret today:

  • Tokens, keys, cookies, seeds, device identifiers
  • Where they are stored (Keychain? UserDefaults? Files? In memory?)
  • How long they live and when they are rotated

2. Audit your Keychain usage

For each Keychain item, document:

  • Which accessibility class you're using and why
  • What access groups and entitlements apply
  • What should happen on device change, backup restore, or logout

If you can't explain a particular flag or setting in plain language, schedule time to revisit it.

3. Define a rotation and incident plan

Answer these questions in writing:

  • If a secret is compromised tomorrow, how do we rotate it for all existing users?
  • How quickly can we invalidate tokens or keys without breaking everyone's sessions?
  • What telemetry would we look at to know something went wrong?

Small, deliberate improvements to how you store, classify, and rotate secrets are often worth more than another “advanced” crypto feature.

About Sandboxed

Sandboxed is a podcast for people who actually ship iOS apps and care about how secure they are in the real world.

Each episode, we take one practical security topic — like secrets, auth, or hardening your build chain — and walk through how it really works on iOS, what can go wrong, and what you can do about it this week.

If that sounds like your kind of thing, subscribe to stay ahead of the quiet, boring changes that add up to real security wins.

Ready to dive deeper?

Episode 3 continues the journey with a deep dive into how to choose between different storage options for your secrets: Keychain vs Files vs UserDefaults.

Coming soon — subscribe to the newsletter to get notified when it drops.

← Previous EpisodeAll EpisodesNext Episode →

Stay in the Loop

Get iOS security insights, new episode alerts, and exclusive content delivered to your inbox.

No spam. Unsubscribe anytime.

Inside Keychain & Secure Enclave: Where Your Secrets Really Live | Sandboxed Podcast