[REQUIRED] Step 1: Describe your environment

• Xcode version: 11.3.1
• Firebase SDK version: 6.15.0
• Firebase Component: Analytics
• Component version: 6.2.1 (for Analytics),
• Installation method: CocoaPods

[REQUIRED] Step 2: Describe the problem

The GoogleAppMeasurement.framework is misusing the system Keychain APIs.

The documentation for kSecAttrAccount constant says:

The corresponding value is of type CFString and contains an account name

(emphasis mine)

Firebase / GoogleAppMeasurement misuses this API and sends along value of type CFData / NSData.

Steps to reproduce:

1. Integrate FirebaseAnalytics.
2. Explore keychain (either via code, or using a library like FLEX)
3. Notice an item that has account name that's not a string, but a NSData object.

I figured it's coming from y'alls by running:

$ grep -R _pfo .
Binary file ./Pods/GoogleAppMeasurement/Frameworks/GoogleAppMeasurement.framework/GoogleAppMeasurement matches

Relevant Code:

Here's an easy way to reproduce it by just throwing this bit of Swift code into an existing application (it's pretty horrible, but for the purposes of illustration, etc)

var query = [kSecClass: kSecClassGenericPassword,
                     kSecReturnAttributes: true,
                     kSecMatchLimit: kSecMatchLimitAll] as [CFString : Any]

var result: AnyObject? = nil

_ = SecItemCopyMatching(query as! CFDictionary, &result)

let dict = result as! [[String: AnyObject]]

dump(dict.map { return "kSecAttrAccount value: \($0[kSecAttrAccount as String]!), type: \(type(of: $0[kSecAttrAccount as String]!))" })
dump(String(data: dict.first![kSecAttrAccount as String] as! Data, encoding: .utf8)!)

On my machine/app it prints the following:

▿ 2 elements
  - "kSecAttrAccount value: {length = 4, bytes = 0x5f70666f}, type: __NSCFData"
  - "kSecAttrAccount value: SOME_SORT_OF_IDENTIFIER_THAT_I'M_NOT_SURE-IF_ITS-PRIVATE__FIRAPP_DEFAULT, type: __NSCFString"
- "_pfo"