# 07. Keychain & Data Protection Audit

meta:
  id: ios-production-07
  feature: ios-production
  priority: P1
  depends_on: []
  tags: [security, data-protection, production]

objective:
  - Audit and harden all keychain usage and data protection so that sensitive data (tokens, credentials, PII) lives only in the keychain or in Data Protection-covered files with the correct protection class

deliverables:
  - Keychain audit report
  - Data protection class review
  - Secure data deletion
  - Encryption audit

steps:
  1. Audit keychain usage:
     - Review iOS/Kordant/Services/KeychainService.swift
     - Verify all sensitive data is stored in the keychain, never in UserDefaults (an unencrypted plist in the app container)
     - Check keychain accessibility levels:
       - JWT tokens: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
       - Refresh tokens: kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly (background refresh needs it while the device is locked, after the first unlock since boot)
       - Biometric flag: kSecAttrAccessibleWhenUnlockedThisDeviceOnly
     - Verify existing keychain items are migrated to the correct accessibility. kSecAttrAccessible is fixed when the item is added; to change it, delete and re-add the item (or SecItemUpdate with the new attribute), then read the attribute back with kSecReturnAttributes to confirm
  2. Audit data storage:
     - Review CacheManager.swift: it must not store sensitive data in plaintext
     - Review UserDefaults usage: only non-sensitive preferences
     - Verify no sensitive data in the app sandbox Documents directory
     - Check Core Data or SQLite encryption if used (app files default to NSFileProtectionCompleteUntilFirstUserAuthentication unless a stricter class is set)
  3. Implement secure deletion:
     - Delete sensitive items with SecItemDelete / FileManager.removeItem rather than overwriting them in place: under Data Protection each file has its own per-file key that is discarded on deletion, and on APFS and flash storage an overwrite is not guaranteed to reach the original blocks anyway
     - Zero in-memory buffers holding secrets once they are no longer needed; prefer Data over String for secrets so the bytes can be wiped
     - Clear the clipboard after a password copy (if applicable): write with UIPasteboard.general.setItems(_:options:) using .expirationDate and .localOnly, and clear the pasteboard when the app backgrounds
     - Auto-lock the app after backgrounding (optional)
  4. Review data protection classes:
     - File protection: NSFileProtectionComplete (Data.WritingOptions.completeFileProtection) for sensitive files
     - Keychain: appropriate accessibility per item type
     - Backup: exclude sensitive items from iCloud backup. ThisDeviceOnly keychain items are never backed up; for files set URLResourceValues.isExcludedFromBackup = true
  5. Add encryption for local data:
     - Encrypt cached API responses containing PII (AES-256-GCM via CryptoKit)
     - Root the AES key in the Secure Enclave. The Secure Enclave stores only P-256 keys and cannot hold or export an AES key, so use a SecureEnclave.P256.KeyAgreement key plus HKDF to derive the symmetric key at use time and never write the symmetric key to disk
     - Implement key rotation: generate a new Secure Enclave key and either re-encrypt existing entries or, for a pure cache, purge the entries encrypted under the old key
  6. Test data protection:
     - Device locked → WhenUnlocked items return errSecInteractionNotAllowed; AfterFirstUnlock items stay readable once the device has been unlocked since boot, so test each class separately
     - Device backup → sensitive items excluded
     - App deletion → no sensitive data left behind (keychain items survive deletion, so wipe them on first launch after a reinstall)

tests:
  - Unit: keychain store/retrieve/delete, including error paths (errSecItemNotFound, errSecDuplicateItem, errSecInteractionNotAllowed)
  - Security: data inaccessible when device locked, checked per accessibility class
  - Integration: backup exclusion

acceptance_criteria:
  - All sensitive data (tokens, passwords) stored in keychain
  - Keychain accessibility set to a ThisDeviceOnly class where possible
  - No sensitive data in UserDefaults or app documents
  - Cached data encrypted at rest
  - Sensitive items excluded from iCloud backup
  - Secure deletion: items removed with SecItemDelete / file removal and in-memory copies zeroed
  - Data inaccessible when device locked (for WhenUnlocked items)
  - All keychain operations have error handling (every OSStatus checked, never ignored)

validation:
  - Inspect keychain → JWT stored with correct accessibility (read kSecAttrAccessible back via SecItemCopyMatching with kSecReturnAttributes)
  - Check UserDefaults → no sensitive data found (inspect Library/Preferences/<bundle id>.plist in the app container)
  - Lock device → WhenUnlocked keychain items inaccessible
  - Backup device → sensitive items not in backup
  - Delete app → reinstall → no previous data accessible

notes:
  - Keychain items persist across app reinstalls; design for this (wipe on first launch)
  - kSecAttrAccessibleWhenUnlockedThisDeviceOnly is the strictest class that works on a device without a passcode; kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly is stricter still (requires a passcode, and the item is deleted if the passcode is removed)
  - Use the Data Protection API (file protection classes) for file-level encryption
  - Use CryptoKit for application-level encryption (AES.GCM, SecureEnclave.P256)
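The keychain layer that steps 1, 3 and 6 describe, as an added example in Swift. It is not the project's KeychainService.swift; the service string, account names, the UserDefaults marker key and the `KeychainItem` enum are assumptions. It applies one accessibility class per item type, re-applies that class on every write (which is also how existing items get migrated), reads the class back for the "inspect keychain" validation, maps errSecInteractionNotAllowed to a dedicated error so a locked device is distinguishable from a bug, and wipes leftover items on the first launch after a reinstall.

```swift
import Foundation
import Security

/// Added example of the keychain layer this audit asks for; it is not the project's
/// KeychainService.swift. The service name and account names are assumptions.
enum KeychainItem: String, CaseIterable {
    case accessToken      = "auth.accessToken"
    case refreshToken     = "auth.refreshToken"
    case biometricEnabled = "auth.biometricEnabled"

    /// One accessibility class per item type. All are ThisDeviceOnly, so none of
    /// them is included in backups or migrated to a new device.
    var accessibility: CFString {
        switch self {
        case .accessToken, .biometricEnabled:
            return kSecAttrAccessibleWhenUnlockedThisDeviceOnly
        case .refreshToken:
            // Background token refresh runs while locked, so this one is a step weaker.
            return kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
        }
    }
}

enum KeychainError: Error {
    case deviceLocked              // errSecInteractionNotAllowed: expected for WhenUnlocked items
    case unexpectedStatus(OSStatus)
    case unexpectedData
}

struct KeychainService {
    var service = "com.example.kordant"                            // assumption
    private let firstLaunchKey = "keychain.wipedOnFreshInstall"    // assumption

    private func baseQuery(_ item: KeychainItem) -> [String: Any] {
        [kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: service,
         kSecAttrAccount as String: item.rawValue]
    }

    /// Upsert by delete-then-add so the accessibility class is re-applied on every write;
    /// this is also how items created under an older class get migrated.
    func set(_ value: Data, for item: KeychainItem) throws {
        var query = baseQuery(item)
        _ = SecItemDelete(query as CFDictionary)         // errSecItemNotFound is fine here
        query[kSecValueData as String] = value
        query[kSecAttrAccessible as String] = item.accessibility
        let status = SecItemAdd(query as CFDictionary, nil)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
    }

    func get(_ item: KeychainItem) throws -> Data? {
        var query = baseQuery(item)
        query[kSecReturnData as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        switch SecItemCopyMatching(query as CFDictionary, &result) {
        case errSecSuccess:
            guard let data = result as? Data else { throw KeychainError.unexpectedData }
            return data
        case errSecItemNotFound:          return nil
        case errSecInteractionNotAllowed: throw KeychainError.deviceLocked
        case let status:                  throw KeychainError.unexpectedStatus(status)
        }
    }

    func delete(_ item: KeychainItem) throws {
        let status = SecItemDelete(baseQuery(item) as CFDictionary)
        guard status == errSecSuccess || status == errSecItemNotFound else {
            throw KeychainError.unexpectedStatus(status)
        }
    }

    /// Reads the stored accessibility attribute back, for the "inspect keychain" validation step.
    func storedAccessibility(of item: KeychainItem) throws -> String? {
        var query = baseQuery(item)
        query[kSecReturnAttributes as String] = true
        query[kSecMatchLimit as String] = kSecMatchLimitOne
        var result: CFTypeRef?
        let status = SecItemCopyMatching(query as CFDictionary, &result)
        guard status == errSecSuccess else { throw KeychainError.unexpectedStatus(status) }
        return (result as? [String: Any])?[kSecAttrAccessible as String] as? String
    }

    /// Keychain items outlive the app. Call at launch: on a fresh install (no marker in
    /// UserDefaults, which is wiped together with the app) every item is removed before use.
    func wipeIfFreshInstall(defaults: UserDefaults = .standard) throws {
        guard !defaults.bool(forKey: firstLaunchKey) else { return }
        for item in KeychainItem.allCases { try delete(item) }
        defaults.set(true, forKey: firstLaunchKey)
    }
}
```

A unit test for the "device locked" case can only run on hardware: store an accessToken, lock the device, and expect `get(.accessToken)` to throw `KeychainError.deviceLocked` while `get(.refreshToken)` still succeeds. `storedAccessibility(of:)` returns the same constant string as `kSecAttrAccessibleWhenUnlockedThisDeviceOnly` (`"cku"`), which is what the validation step should assert on.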
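Steps 4 and 5 together (Secure Enclave-rooted AES-256-GCM for cached API responses, NSFileProtectionComplete, backup exclusion, deletion and key rotation), as an added Swift example that is not the project's CacheManager. `EncryptedCache`, the HKDF salt, the key-blob layout and the two storage closures are assumptions; the closures are meant to be backed by a ThisDeviceOnly keychain item. Because the Secure Enclave holds only P-256 keys, the block derives the AES key by ECDH between an enclave-resident key and a stored ephemeral public key whose private half is discarded, so the symmetric key exists only in memory and only on this device.

```swift
import CryptoKit
import Foundation
import Security

/// Encrypted at-rest cache for API responses containing PII. Added example, not the
/// project's CacheManager; the class name, salt and storage closures are assumptions.
///
/// The Secure Enclave holds only P-256 keys, so an AES key cannot live in it. Instead:
///   SE-resident P-256 key agreement key + stored ephemeral public key
///   -> ECDH -> HKDF-SHA256 -> AES-256-GCM key, derived at each use, never written to disk.
/// Only the enclave key's wrapped dataRepresentation and a public key are persisted.
final class EncryptedCache {
    enum CacheError: Error { case secureEnclaveUnavailable, corruptKeyBlob, badCiphertext }

    private let directory: URL
    private var sePrivateKey: SecureEnclave.P256.KeyAgreement.PrivateKey
    private var peerPublicKey: P256.KeyAgreement.PublicKey

    init(directory: URL,
         loadKeyBlob: () throws -> Data?,
         persistKeyBlob: (Data) throws -> Void) throws {
        guard SecureEnclave.isAvailable else { throw CacheError.secureEnclaveUnavailable }
        self.directory = directory
        try Self.createProtectedDirectory(directory)
        if let blob = try loadKeyBlob() {
            let (seKey, peer) = try Self.decodeKeyBlob(blob)
            sePrivateKey = seKey; peerPublicKey = peer
        } else {
            let (seKey, peer, blob) = try Self.makeKeyBlob()
            try persistKeyBlob(blob)
            sePrivateKey = seKey; peerPublicKey = peer
        }
    }

    /// Directory created with the Complete class so new files inherit it by default.
    private static func createProtectedDirectory(_ url: URL) throws {
        try FileManager.default.createDirectory(at: url, withIntermediateDirectories: true,
            attributes: [.protectionKey: FileProtectionType.complete])
    }

    /// Blob layout (assumption): 64-byte peer public key rawRepresentation, then the
    /// enclave key's dataRepresentation (already wrapped by the Secure Enclave).
    private static func makeKeyBlob() throws
        -> (SecureEnclave.P256.KeyAgreement.PrivateKey, P256.KeyAgreement.PublicKey, Data) {
        var error: Unmanaged<CFError>?
        // The enclave key is usable only while the device is unlocked, matching the file class.
        guard let access = SecAccessControlCreateWithFlags(nil,
                kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &error) else {
            throw error!.takeRetainedValue() as Error
        }
        let seKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(accessControl: access)
        // Ephemeral peer: its private half is dropped here, so only the enclave can
        // ever recompute the shared secret.
        let peer = P256.KeyAgreement.PrivateKey().publicKey
        return (seKey, peer, peer.rawRepresentation + seKey.dataRepresentation)
    }

    private static func decodeKeyBlob(_ blob: Data) throws
        -> (SecureEnclave.P256.KeyAgreement.PrivateKey, P256.KeyAgreement.PublicKey) {
        guard blob.count > 64 else { throw CacheError.corruptKeyBlob }
        let peer = try P256.KeyAgreement.PublicKey(rawRepresentation: Data(blob.prefix(64)))
        let seKey = try SecureEnclave.P256.KeyAgreement.PrivateKey(
            dataRepresentation: Data(blob.dropFirst(64)))
        return (seKey, peer)
    }

    private func cacheKey() throws -> SymmetricKey {
        let shared = try sePrivateKey.sharedSecretFromKeyAgreement(with: peerPublicKey)
        return shared.hkdfDerivedSymmetricKey(using: SHA256.self,
            salt: Data("kordant-cache-v1".utf8), sharedInfo: Data(), outputByteCount: 32)
    }

    private func url(for name: String) -> URL { directory.appendingPathComponent(name) }

    /// Encrypt and write; the entry name is bound as AAD so ciphertext cannot be swapped
    /// between entries, and the file is written Complete-protected and kept out of backups.
    func store(_ plaintext: Data, as name: String) throws {
        let key = try cacheKey()
        let box = try AES.GCM.seal(plaintext, using: key, authenticating: Data(name.utf8))
        guard let combined = box.combined else { throw CacheError.badCiphertext }
        var fileURL = url(for: name)
        try combined.write(to: fileURL, options: [.atomic, .completeFileProtection])
        var values = URLResourceValues()
        values.isExcludedFromBackup = true
        try fileURL.setResourceValues(values)
    }

    func load(_ name: String) throws -> Data? {
        let fileURL = url(for: name)
        guard FileManager.default.fileExists(atPath: fileURL.path) else { return nil }
        let box = try AES.GCM.SealedBox(combined: try Data(contentsOf: fileURL))
        return try AES.GCM.open(box, using: try cacheKey(), authenticating: Data(name.utf8))
    }

    /// Deletion on iOS: removing the file discards its per-file Data Protection key;
    /// overwriting in place adds nothing on APFS/flash.
    func remove(_ name: String) throws { try FileManager.default.removeItem(at: url(for: name)) }

    /// Rotation for a pure cache: new enclave key, and entries under the old key are purged.
    func rotateKey(persistKeyBlob: (Data) throws -> Void) throws {
        let (seKey, peer, blob) = try Self.makeKeyBlob()
        try persistKeyBlob(blob)
        try FileManager.default.removeItem(at: directory)
        try Self.createProtectedDirectory(directory)
        sePrivateKey = seKey; peerPublicKey = peer
    }
}
```

Two caveats that matter for the audit. First, `SecureEnclave.isAvailable` is false on the simulator, so the encryption tests need a device or a software fallback behind the same interface. Second, because the enclave key carries `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`, `cacheKey()` fails while the device is locked; that is the intended behaviour for a PII cache and is the condition the "device locked" test should assert, rather than treating it as an error to retry.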