Shared secrets

Keychain sharing and App Groups App Review checklist

Shared credentials can make app extensions and companion apps work smoothly, but the entitlement boundary must be intentional and testable.

Quick answer

Share Keychain items only across targets that genuinely need the same secret, and document what is shared, with whom, and how it is removed. Apple documentation says apps can share keychain items by adding them to the same access group. AppReviewReady interpretation: create a secret-scope map before enabling keychain sharing or app-group storage.

01

List every target that can read the secret

Include the main app, widgets, intents, watch app, extensions, companion apps, enterprise variants, and future targets. A shared token used by one extension may become reachable from another target later.

Write the purpose of each shared item: session token, refresh token, device key, encryption key, account ID, entitlement cache, or preference. Avoid using app-group storage for sensitive values that belong in Keychain.

02

Match entitlements to the minimum sharing need

  • Keychain access groups should be as narrow as the product allows.
  • App Groups should not become a dumping ground for private account data.
  • Extensions should fail gracefully when the shared item is missing or expired.
  • A logout from one surface should clear or invalidate the right shared items.
  • Account deletion should remove server sessions and local shared secrets where promised.
03

Treat shared secrets as privacy architecture

Shared credentials affect privacy because they decide which app surfaces can act as the user. A widget, Siri intent, or extension should not be able to expose private data simply because a token is available.

AppReviewReady interpretation: test every shared-secret consumer as if it were a separate app. The main app's auth checks do not automatically protect an extension UI.

04

Test lifecycle and revocation

  1. Install, sign in, use every extension or companion app, then sign out.
  2. Delete the account, uninstall the main app, reinstall, and verify shared items do not resurrect access.
  3. Rotate tokens, expire sessions, revoke server access, and test offline behavior.
  4. Switch accounts and verify no extension shows data from the previous account.
  5. Review crash logs and analytics to ensure secrets are not logged.
05

Document shared-secret boundaries

This record helps security review and App Review readiness even when the user never sees the underlying keychain architecture.

Review the map after adding any extension, widget, watch app, App Intent, or background agent. New targets can inherit access patterns that were safe for the main app but unsafe for a smaller surface.

If multiple apps share a keychain group, document whether uninstalling one app should leave secrets for the others. Users often expect logout and deletion semantics to be consistent across the suite.

Account switching should clear cached extension state before showing new data.

Copy-ready frameworkAdapt every bracketed field
Keychain/App Group review map:
Shared items: [token, key]
Targets with access: [main app, widget]
Purpose: [why shared]
Logout behavior: [what clears]
Account deletion behavior: [what clears]
Extension denied state: [message]
Sensitive logging check: [date]
Sources

Primary references checked for this guide

Policy statements above are grounded in the linked Apple documentation. Operational recommendations are AppReviewReady's interpretation and should be tested against your app and the current guideline text.

Put it to work

Check shared-secret readiness

Review keychain groups, app extensions, logout, deletion, and privacy boundaries.

Open the tool