Reply to DCError.invalidInput on generateAssertion() - Affecting Small Subset of Users
@Engineer Thank you very much for your response — we will continue monitoring this issue. Currently, a major challenge is that many different types of logs are mixed together in Sentry, so we are working on separating and clarifying these logs by type and status in order to better track the issue. Regarding the invalidKey error (Error Code 3): In approximately 99% of cases where this error occurs on a device, it does not recover. This means that attestKey() fails permanently on those devices. In the remaining ~1% of cases, attestKey() continues to fail but then inexplicably succeeds at certain moments. We’re trying to understand why these permanent failures happen, especially considering that we are following Apple’s recommended implementation guidelines. Have you observed similar device-specific issues on your end?
Topic: Privacy & Security SubTopic: General Tags:
Jun ’25
Reply to App Keychain will sync secitem from old device to new device
Keychain items stored using SecItem in your app will generally be migrated or synced to a new iPhone when a user transfers data from their old device, but the specifics depend on how the transfer is performed and the Keychain item attributes you’ve set. Here’s a concise explanation:

iCloud Keychain Syncing: If iCloud Keychain is enabled on both devices, Keychain items with the kSecAttrSynchronizable attribute set to true are automatically synced to the new device via iCloud. This includes passwords, certificates, and other secure data stored in the Keychain. Items without this attribute (i.e., non-syncable items) are not synced via iCloud and require a different transfer method.

Device-to-Device Transfer (Encrypted Backup or Direct Transfer): When using iCloud Backup or iTunes/Finder encrypted backup, Keychain items (both syncable and non-syncable) are included in the encrypted backup. Restoring this backup to a new iPhone will transfer all Keychain items. During a direct device-to-device transfer (e.g., using Quick Start), Keychain items are typically transferred securely as part of the process, provided the transfer is encrypted.

Non-Syncable Items: If your app’s Keychain items are not marked as synchronizable (kSecAttrSynchronizable is false or not set), they will only transfer via encrypted backups or direct device transfers. Without an encrypted backup or direct transfer, these items will not migrate.

Edge Cases and Considerations:
Access Groups: If your app uses Keychain access groups (e.g., for sharing between apps), ensure the new device has the same app installed with the correct entitlements to access those items.
User Settings: If the user disables iCloud Keychain or does not use an encrypted backup, non-syncable items may not transfer.
iOS Version: Ensure both devices are running compatible iOS versions, as Keychain behavior may vary slightly with older systems.

Best Practices for Your App:
If you want Keychain items to sync across devices, explicitly set kSecAttrSynchronizable to true when adding items with SecItemAdd.
Inform users that enabling iCloud Keychain or using encrypted backups ensures their Keychain data is transferred.
Test the migration process to confirm your app’s Keychain items behave as expected during device setup.
Topic: Privacy & Security SubTopic: General Tags:
Jun ’25
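The kSecAttrSynchronizable behaviour described in the Keychain reply above, shown as an added Swift example that is not code from the reply's author. It stores an item so iCloud Keychain carries it to the user's other devices and reads it back with kSecAttrSynchronizableAny so the lookup still matches after a transfer; the helper names, service and account strings are assumptions.

```swift
import Foundation
import Security

// Added example, not code from the forum reply. Service/account names are assumed.
enum KeychainError: Error { case unexpected(OSStatus) }

private func baseQuery(service: String, account: String, syncable: Any) -> [String: Any] {
    return [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        // Without this key a query matches only non-syncable items; pass true for
        // synced items or kSecAttrSynchronizableAny to match both kinds.
        kSecAttrSynchronizable as String: syncable,
    ]
}

/// Store a secret so that iCloud Keychain syncs it to the user's other devices.
/// A "ThisDeviceOnly" accessibility class cannot be combined with
/// kSecAttrSynchronizable; use such a class instead when the item must never leave the device.
func storeSyncedSecret(_ secret: Data, service: String, account: String) throws {
    var add = baseQuery(service: service, account: account, syncable: true)
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    add[kSecValueData as String] = secret
    // Remove any existing copy first so SecItemAdd does not fail with errSecDuplicateItem.
    _ = SecItemDelete(baseQuery(service: service, account: account, syncable: true) as CFDictionary)
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.unexpected(status) }
}

/// Read the secret back, matching both synced and device-local copies, so the app
/// finds the item whether it arrived via iCloud Keychain or an encrypted backup.
func loadSecret(service: String, account: String) throws -> Data? {
    var query = baseQuery(service: service, account: account, syncable: kSecAttrSynchronizableAny)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess: return result as? Data
    case errSecItemNotFound: return nil
    default: throw KeychainError.unexpected(status)
    }
}
```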