CVE-2020-24653
Description
Expo secure-store on iOS incorrectly uses the insecure kSecAttrAccessibleAlwaysThisDeviceOnly policy when WHEN_UNLOCKED_THIS_DEVICE_ONLY is specified, exposing data even when device is locked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Details
In Expo's secure-store module for iOS, the switch in _accessibilityAttributeWithOptions: (EXSecureStore.m) that translates the accessibility option passed from JavaScript into a Keychain attribute returns kSecAttrAccessibleAlwaysThisDeviceOnly for WHEN_UNLOCKED_THIS_DEVICE_ONLY instead of the intended kSecAttrAccessibleWhenUnlockedThisDeviceOnly [3][4]; the neighbouring case for the ALWAYS_THIS_DEVICE_ONLY option returns the same constant, so this reads as a copy-and-paste slip. Every item written with that option by an affected version (before 9.1.0, per the GitHub Security Advisory [1]) is therefore stored in a Keychain protection class that stays readable while the device is locked, the opposite of what the option name promises.
Exploitation
Items in the kSecAttrAccessibleAlways* classes are protected by a key bound only to the device, not by one derived from the user's passcode, so the Keychain can decrypt them while the device is locked. Anything that can query the Keychain with the app's access at that time therefore gets the secret: the app's own background code, or, for an attacker holding a locked device, forensic or jailbreak tooling able to issue Keychain queries on it. No user authentication or network access is needed, and there is no triggering step beyond the app having saved the item through an affected version; the wrong attribute is applied at write time [3].
Impact
Authentication tokens, encryption keys and other secrets saved via expo-secure-store with WHEN_UNLOCKED_THIS_DEVICE_ONLY lose the protection that option is meant to provide: they remain decryptable while the device is locked, which is exactly the window the option exists to close. The ThisDeviceOnly half of the attribute is unaffected, so the items are still excluded from backups and device migration, but that does nothing against access to the locked device itself.
Mitigation
The fix is the one-line change in commit 1d82bf07fae2 (PR #9264) [4][5], shipped in the 9.1.0 release of the package (the patched version listed in the advisory [1]; changelog entry [3]). Upgrade to a patched version. There is no configuration workaround on affected versions, because the wrong attribute is chosen inside the native module. Note that the patch only changes the attribute applied to new writes: a Keychain item keeps the kSecAttrAccessible value it was created with, so secrets written by an affected version remain under kSecAttrAccessibleAlwaysThisDeviceOnly after the upgrade until the app rewrites or updates them. Re-save those items (or update their attribute with SecItemUpdate) while the device is unlocked, or rotate the credentials they hold.
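The re-protection step above, written out as an added example; this is not Expo's code and not part of the patch. It lists the app's generic-password Keychain items that sit in an "Always" protection class and moves each one to kSecAttrAccessibleWhenUnlockedThisDeviceOnly with SecItemUpdate, which re-wraps the item under the passcode-bound class key. kAppKeychainService is an assumption standing in for whatever service name the app's secure-store items were saved under, and the example assumes the secure-store key is stored as the item's kSecAttrAccount. Run it in the foreground: the WhenUnlocked class key is only available while the device is unlocked.

```objectivec
// Added example, not Expo project code. Assumptions: the app's secrets are
// kSecClassGenericPassword items under one service name (kAppKeychainService),
// and the secure-store key is the item's kSecAttrAccount.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

static NSString *const kAppKeychainService = @"app"; // assumption: the app's keychain service name

/// Returns the accounts whose Keychain items were written with an "Always"
/// accessibility class, i.e. items the Keychain will decrypt while locked.
NSArray<NSString *> *AccountsReadableWhileLocked(void) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:      kAppKeychainService,
        (__bridge id)kSecMatchLimit:       (__bridge id)kSecMatchLimitAll,
        (__bridge id)kSecReturnAttributes: @YES,
    };
    CFTypeRef result = NULL;
    OSStatus status = SecItemCopyMatching((__bridge CFDictionaryRef)query, &result);
    if (status == errSecItemNotFound) {
        return @[];
    }
    if (status != errSecSuccess) {
        NSLog(@"SecItemCopyMatching failed: %d", (int)status);
        return @[];
    }
    // With kSecMatchLimitAll and kSecReturnAttributes the result is an array
    // of attribute dictionaries, one per matching item.
    NSArray *items = CFBridgingRelease(result);
    NSSet *lockedReadable = [NSSet setWithObjects:
        (__bridge id)kSecAttrAccessibleAlways,
        (__bridge id)kSecAttrAccessibleAlwaysThisDeviceOnly, nil];
    NSMutableArray<NSString *> *accounts = [NSMutableArray array];
    for (NSDictionary *attrs in items) {
        NSString *accessible = attrs[(__bridge id)kSecAttrAccessible];
        NSString *account = attrs[(__bridge id)kSecAttrAccount];
        if (accessible != nil && account != nil && [lockedReadable containsObject:accessible]) {
            [accounts addObject:account];
        }
    }
    return accounts;
}

/// Re-protects one item in place. Passing kSecAttrAccessible in the update
/// dictionary makes the Keychain re-encrypt the item under the new class key;
/// this needs the device unlocked because that key is passcode-bound.
BOOL ReprotectAccount(NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: kAppKeychainService,
        (__bridge id)kSecAttrAccount: account,
    };
    NSDictionary *update = @{
        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    };
    OSStatus status = SecItemUpdate((__bridge CFDictionaryRef)query,
                                    (__bridge CFDictionaryRef)update);
    if (status != errSecSuccess) {
        NSLog(@"SecItemUpdate for %@ failed: %d", account, (int)status);
    }
    return status == errSecSuccess;
}

/// Audit-and-fix pass; returns the number of items moved to the unlocked-only class.
NSUInteger ReprotectItemsWrittenByAffectedVersion(void) {
    NSUInteger fixed = 0;
    for (NSString *account in AccountsReadableWhileLocked()) {
        if (ReprotectAccount(account)) {
            fixed++;
        }
    }
    return fixed;
}
```

Calling ReprotectItemsWrittenByAffectedVersion() once after the upgrade, from foreground app code, closes the gap for data already on the device; if the audit turns up items you cannot account for, rotating the credentials they hold is the safer choice.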
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| expo (npm) | < 9.1.0 | 9.1.0 |
Affected products
- Expo secure-store (iOS)
Patches
1d82bf07fae2 [secure-store][ios] Fix incorrect security attribute (#9264)
2 files changed · +2 −1
packages/expo-secure-store/CHANGELOG.md+1 −0 modified@@ -7,6 +7,7 @@ ### 🎉 New features ### 🐛 Bug fixes +- Fix incorrect security attribute applied when using the flag WHEN_UNLOCKED_THIS_DEVICE_ONLY on iOS ([#9264](https://github.com/expo/expo/pull/9264) by [@cjthompson](https://github.com/cjthompson)) ## 9.0.1 — 2020-05-29
packages/expo-secure-store/ios/EXSecureStore/EXSecureStore.m+1 −1 modified@@ -132,7 +132,7 @@ - (CFStringRef)_accessibilityAttributeWithOptions:(NSDictionary *)options case EXSecureStoreAccessibleAlwaysThisDeviceOnly: return kSecAttrAccessibleAlwaysThisDeviceOnly; case EXSecureStoreAccessibleWhenUnlockedThisDeviceOnly: - return kSecAttrAccessibleAlwaysThisDeviceOnly; + return kSecAttrAccessibleWhenUnlockedThisDeviceOnly; default: return kSecAttrAccessibleWhenUnlocked; }
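Review bot: the CHANGELOG.md entry names the flag that was wrong but says nothing about data already on users' devices, and nothing in this PR rewrites existing items; a Keychain item keeps the kSecAttrAccessible it was created with, so an app that upgrades still has its earlier WHEN_UNLOCKED_THIS_DEVICE_ONLY items under kSecAttrAccessibleAlwaysThisDeviceOnly. Suggest adding a sentence telling users to re-save those keys (or rotate the secrets) after upgrading.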
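Review bot: the corrected `case EXSecureStoreAccessibleWhenUnlockedThisDeviceOnly:` branch in EXSecureStore.m is right, but the switch is exactly where the copy-paste from the `case EXSecureStoreAccessibleAlwaysThisDeviceOnly:` line above it slipped in, and nothing here stops it recurring; suggest a unit test that calls `_accessibilityAttributeWithOptions:` once per EXSecureStoreAccessible value and asserts each returns its own distinct kSecAttrAccessible* constant. Since the change only affects new writes, a one-off migration (SecItemUpdate on existing items carrying the wrong class) or at least a release note is also needed for items written before this commit.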
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-rwx9-wqj8-vr77 (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2020-24653 (GHSA, advisory)
- [3] github.com/expo/expo/blob/main/packages/expo-secure-store/CHANGELOG.md (GHSA, web)
- [4] github.com/expo/expo/commit/1d82bf07fae2c96273e9189997e521359cffc1a9 (GHSA, web)
- [5] github.com/expo/expo/pull/9264 (GHSA, x_refsource_MISC, web)