iOS Keychain.

Apple's encrypted credential store on iOS, iPadOS, and macOS, backed by the Secure Enclave and graded by per-item accessibility classes that bind decryption to device unlock, passcode, biometric, or hardware-bound state. It belongs to the Mobile Security category of cybersecurity.

Apple's encrypted credential store on iOS, iPadOS, and macOS, backed by the Secure Enclave and graded by per-item accessibility classes that bind decryption to device unlock, passcode, biometric, or hardware-bound state.

The iOS Keychain is the OS-level encrypted credential and secret store used by iOS, iPadOS, macOS, watchOS, and tvOS, accessed via the SecItem* APIs. Items are encrypted with keys ultimately rooted in the Secure Enclave's hardware key and tied to the device's UID, so a Keychain database extracted off the device cannot be decrypted on different hardware. Each Keychain item carries an accessibility class that controls when it can be unlocked: `kSecAttrAccessibleWhenUnlocked`, `kSecAttrAccessibleAfterFirstUnlock`, the more restrictive `*ThisDeviceOnly` variants, and biometric- or passcode-gated `kSecAccessControl` constraints that require Face ID/Touch ID or the device passcode for each read. Common pitfalls in mobile AppSec include using too-permissive accessibility (e.g. `WhenUnlocked` without `ThisDeviceOnly`, which lets the item iCloud-sync across devices), storing high-entropy bearer tokens that don't need device-bound protection, and skipping `SecAccessControl` for credentials worth biometric-gating. Frida-based attacks on jailbroken devices can dump the Keychain unless items also carry hardware-bound access control. OWASP MASVS controls MSTG-CRYPTO and MSTG-STORAGE map directly to correct Keychain usage.

Defences for iOS Keychain typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Apple Keychain, iOS Keychain Services.