SecureStore.WHEN_UNLOCKED maps to iOS kSecAttrAccessibleWhenUnlocked, which syncs to iCloud Keychain.
On Android, WHEN_UNLOCKED is eligible for Auto Backup.
If a user's iCloud/Google account is compromised, the MMKV encryption key is exposed.
File: state/encryption.ts:7-9
Fix
keychainAccessible: SecureStore.WHEN_UNLOCKED_THIS_DEVICE_ONLY,
Labels: security, bug
SecureStore.WHEN_UNLOCKEDmaps to iOSkSecAttrAccessibleWhenUnlocked, which syncs to iCloud Keychain.On Android,
WHEN_UNLOCKEDis eligible for Auto Backup.If a user's iCloud/Google account is compromised, the MMKV encryption key is exposed.
File:
state/encryption.ts:7-9Fix