Keychain iOS: info on other users

Çağlar Arlı

I am analyzing an iOS mobile application. I discovered that the app saves all logged-in users in the keychain, specifically saving their first name, last name, email, and id_token. This id_token, related to a JWT Token, cannot be used to impersonate the user even if it is still valid. Is this behavior valid in terms of security? Is it correct to save this information for all the different users who log in on a specific device? Shouldn't they be removed?