Original and upgrade iOS apps have same keychain and application identities, but upgrade app cannot decrypt passwords encrypted by original app

StackOverflow https://stackoverflow.com/questions/20627261

  •  02-09-2022

Question

We have a version of an app in the App Store at 1.2.0 whose entitlements look like this (names changed to protect the innocent). This information came from iTunes Connect app details (app > View Details > Binary Details).

Bundle Identifier : com.ourco.xxx-app
[...]
Bundle Short Version String : 1.2.0
Bundle Version : 1.2.0.66338
[...]
Entitlements : Faspex.app/Faspex 
    get-task-allow: false 
    keychain-access-groups: ( 8xxxxxxxxE.com.ourco.xxx-app ) 
    application-identifier: 8xxxxxxxxE.com.ourco.xxx-app

We have a Release build of version 2.0.0 built from Xcode and signed with our distribution profile whose entitlements look like this (gotten by changing .ipa to .zip, unzipping it and then running codesign against the unzipped app).

$ codesign --display --entitlements - Payload/Xxx.app
[...]<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>8xxxxxxxxE.com.asperasoft.xxx-app</string>
    <key>get-task-allow</key>
    <false/>
    <key>keychain-access-groups</key>
    <array>
        <string>8xxxxxxxxE.com.asperasoft.xxx-app</string>
    </array>
</dict>
</plist>

When we conduct upgrade testing from the App Store version to our new version we are unable to retrieve previously stored passwords (stored by the 1.2.0 version) from the keychain.

By "upgrade testing" I mean we are installing the App Store version from the App Store itself, making an app account and saving that account's password in the keychain, then using the Xcode Organizer to install the Release build of 2.0.0 over top of the App Store (1.2.0) version. When we try to access the password from the keychain with the "upgraded" 2.0.0 version, we are unable to access the password.

It's been a while since we upgraded this app, but last time we did I don't recall having this kind of issue during upgrade testing like this.

Some of my team think this will magically fix itself when users install the real 2.0.0 upgrade from the App Store, but I am skeptical.

I will add any necessary details to this question if needed to help get a solid answer. Thanks in advance!


Solution

Turns out this was a logic error introduced in the code where we weren't using a key stored in the keychain (as I thought) but instead were using a different key. Since the key in the keychain was used to encrypt the password, but that different key not in the keychain was used to decrypt the password, we were never going to get a password match.

We changed the erroneous logic so that we went to the keychain for the encrypt/decrypt key and now are able to decrypt passwords after an upgrade.
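
The entitlement comparison the question does by hand, written as a script so it can run in upgrade testing before anyone goes looking for an application-logic fault like the one in the answer. This is an added example, not code from the original post; the function names and the `TEAMID000x.com.example.app` identifiers are constructed, and it assumes a build's usable access groups are its `keychain-access-groups` entries followed by its `application-identifier`.

```python
import plistlib

def parse_entitlements(codesign_output: bytes) -> dict:
    """Parse `codesign --display --entitlements -` output, ignoring bytes before the XML."""
    start = codesign_output.find(b"<?xml")
    end = codesign_output.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in codesign output")
    return plistlib.loads(codesign_output[start:end + len(b"</plist>")])

def access_groups(ent: dict) -> list:
    """Groups the build may use: keychain-access-groups, then application-identifier."""
    groups = list(ent.get("keychain-access-groups", []))
    app_id = ent.get("application-identifier")
    if app_id and app_id not in groups:
        groups.append(app_id)
    return groups

def compare_builds(old: dict, new: dict) -> dict:
    """Report whether `new` can reach the groups `old` stored keychain items under."""
    old_groups, new_groups = access_groups(old), access_groups(new)
    return {
        "same_app_id": old.get("application-identifier") == new.get("application-identifier"),
        "shared_groups": [g for g in old_groups if g in new_groups],
        # New items default to the first group, so that is where old passwords usually sit.
        "old_default_group_readable": bool(old_groups) and old_groups[0] in new_groups,
    }

# Constructed sample data (placeholder identifiers, not the values from the question).
def sample_output(prefix: str) -> bytes:
    ident = prefix + ".com.example.app"
    ent = {"application-identifier": ident, "get-task-allow": False,
           "keychain-access-groups": [ident]}
    return b"[...]" + plistlib.dumps(ent)  # leading bytes stand in for non-XML output

STORE_BUILD = parse_entitlements(sample_output("TEAMID0001"))
SAME_IDENTITY = parse_entitlements(sample_output("TEAMID0001"))
CHANGED_PREFIX = parse_entitlements(sample_output("TEAMID0002"))

if __name__ == "__main__":
    print(compare_builds(STORE_BUILD, SAME_IDENTITY))
    print(compare_builds(STORE_BUILD, CHANGED_PREFIX))
```

When `old_default_group_readable` is true and stored passwords still cannot be recovered, entitlements are ruled out and the remaining suspects are in the app's own key handling, which is where the answer found the fault.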

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow