expo-secure-store 12.5.0 → 12.7.0

package/CHANGELOG.md

@@ -10,6 +10,27 @@
 
 ### 💡 Others
 
+## 12.7.0 — 2023-11-14
+
+### 🛠 Breaking changes
+
+- Bumped iOS deployment target to 13.4. ([#25063](https://github.com/expo/expo/pull/25063) by [@gabrieldonadel](https://github.com/gabrieldonadel))
+- On `Android` bump `compileSdkVersion` and `targetSdkVersion` to `34`. ([#24708](https://github.com/expo/expo/pull/24708) by [@alanjhughes](https://github.com/alanjhughes))
+
+### 💡 Others
+
+- [Android] Enforce minimum authentication tag length for the `AESEncryptor` for improved security. ([#25294](https://github.com/expo/expo/pull/25294) by [@behenate](https://github.com/behenate))
+
+## 12.6.0 — 2023-10-17
+
+### 🛠 Breaking changes
+
+- Dropped support for Android SDK 21 and 22. ([#24201](https://github.com/expo/expo/pull/24201) by [@behenate](https://github.com/behenate))
+
+### 🐛 Bug fixes
+
+- Fixed the 'WHEN_UNLOCKED_THIS_DEVICE_ONLY' constraint being incorrectly mapped to wrong secure store accessible ([#24831](https://github.com/expo/expo/pull/24831) by [@mmmguitar](https://github.com/mmmguitar))
+
 ## 12.5.0 — 2023-09-04
 
 ### 🎉 New features

package/android/build.gradle

@@ -3,15 +3,20 @@ apply plugin: 'kotlin-android'
 apply plugin: 'maven-publish'
 
 group = 'host.exp.exponent'
-version = '12.5.0'
+version = '12.7.0'
 
-buildscript {
-  def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
-  if (expoModulesCorePlugin.exists()) {
-    apply from: expoModulesCorePlugin
-    applyKotlinExpoModulesCorePlugin()
+def expoModulesCorePlugin = new File(project(":expo-modules-core").projectDir.absolutePath, "ExpoModulesCorePlugin.gradle")
+if (expoModulesCorePlugin.exists()) {
+  apply from: expoModulesCorePlugin
+  applyKotlinExpoModulesCorePlugin()
+  // Remove this check, but keep the contents after SDK49 support is dropped
+  if (safeExtGet("expoProvidesDefaultConfig", false)) {
+    useExpoPublishing()
+    useCoreDependencies()
   }
+}
 
+buildscript {
   // Simple helper that allows the root project to override versions declared by this library.
   ext.safeExtGet = { prop, fallback ->
     rootProject.ext.has(prop) ? rootProject.ext.get(prop) : fallback
@@ -35,23 +40,44 @@ buildscript {
   }
 }
 
-afterEvaluate {
-  publishing {
-    publications {
-      release(MavenPublication) {
-        from components.release
+// Remove this if and it's contents, when support for SDK49 is dropped
+if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+  afterEvaluate {
+    publishing {
+      publications {
+        release(MavenPublication) {
+          from components.release
+        }
       }
-    }
-    repositories {
-      maven {
-        url = mavenLocal().url
+      repositories {
+        maven {
+          url = mavenLocal().url
+        }
       }
     }
   }
 }
 
 android {
-  compileSdkVersion safeExtGet("compileSdkVersion", 33)
+  // Remove this if and it's contents, when support for SDK49 is dropped
+  if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+    compileSdkVersion safeExtGet("compileSdkVersion", 34)
+
+    defaultConfig {
+      minSdkVersion safeExtGet("minSdkVersion", 23)
+      targetSdkVersion safeExtGet("targetSdkVersion", 34)
+    }
+
+    publishing {
+      singleVariant("release") {
+        withSourcesJar()
+      }
+    }
+
+    lintOptions {
+      abortOnError false
+    }
+  }
 
   def agpVersion = com.android.Version.ANDROID_GRADLE_PLUGIN_VERSION
   if (agpVersion.tokenize('.')[0].toInteger() < 8) {
@@ -67,25 +93,18 @@ android {
 
   namespace "expo.modules.securestore"
   defaultConfig {
-    minSdkVersion safeExtGet("minSdkVersion", 21)
-    targetSdkVersion safeExtGet("targetSdkVersion", 33)
     versionCode 17
-    versionName '12.5.0'
-  }
-  lintOptions {
-    abortOnError false
-  }
-  publishing {
-    singleVariant("release") {
-      withSourcesJar()
-    }
+    versionName '12.7.0'
   }
 }
 
 dependencies {
-  implementation project(':expo-modules-core')
+  // Remove this if and it's contents, when support for SDK49 is dropped
+  if (!safeExtGet("expoProvidesDefaultConfig", false)) {
+    implementation project(':expo-modules-core')
+    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
+  }
 
   api "androidx.biometric:biometric:1.1.0"
 
-  implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk7:${getKotlinVersion()}"
 }

package/android/src/main/java/expo/modules/securestore/SecureStoreModule.kt

@@ -2,7 +2,6 @@ package expo.modules.securestore
 
 import android.content.Context
 import android.content.SharedPreferences
-import android.os.Build
 import android.preference.PreferenceManager
 import android.security.keystore.KeyPermanentlyInvalidatedException
 import android.util.Log
@@ -105,7 +104,9 @@ open class SecureStoreModule : Module() {
         "but it might be raised because the keychain used to decrypt this key has been invalidated and deleted." +
         " If you are confident that the keychain you provided is correct and want to avoid this error in the " +
         "future you should save a new value under this key or use `deleteItemImpl()` and remove the existing one."
-    } else { "" }
+    } else {
+      ""
+    }
 
     encryptedItemString ?: return null
 
@@ -125,24 +126,23 @@ open class SecureStoreModule : Module() {
         AESEncryptor.NAME -> {
           val secretKeyEntry = getPreferredKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
             ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
-          return mAESEncryptor.decryptItem(encryptedItem, secretKeyEntry, options, authenticationHelper)
+          return mAESEncryptor.decryptItem(key, encryptedItem, secretKeyEntry, options, authenticationHelper)
         }
         HybridAESEncryptor.NAME -> {
           val privateKeyEntry = getPreferredKeyEntry(PrivateKeyEntry::class.java, hybridAESEncryptor, options, requireAuthentication, usesKeystoreSuffix)
             ?: throw DecryptException("Could not find a keychain for key $key$legacyReadFailedWarning", key, options.keychainService)
-          return hybridAESEncryptor.decryptItem(encryptedItem, privateKeyEntry, options, authenticationHelper)
+          return hybridAESEncryptor.decryptItem(key, encryptedItem, privateKeyEntry, options, authenticationHelper)
         }
         else -> {
           throw DecryptException("The item for key $key in SecureStore has an unknown encoding scheme $scheme)", key, options.keychainService)
         }
       }
+    } catch (e: KeyPermanentlyInvalidatedException) {
+      Log.w(TAG, "The requested key has been permanently invalidated. Returning null")
+      return null
+    } catch (e: BadPaddingException) {
+      throw (DecryptException("Could not decrypt the value with provided keychain $legacyReadFailedWarning", key, options.keychainService, e))
     } catch (e: GeneralSecurityException) {
-      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && e is KeyPermanentlyInvalidatedException) {
-        Log.w(TAG, "The requested key has been permanently invalidated. Returning null")
-        return null
-      } else if (e is BadPaddingException) {
-        throw (DecryptException("Could not decrypt the value with provided keychain $legacyReadFailedWarning", key, options.keychainService, e))
-      }
       throw (DecryptException(e.message, key, options.keychainService, e))
     } catch (e: CodedException) {
       throw e
@@ -176,35 +176,23 @@ open class SecureStoreModule : Module() {
        use in the encrypted JSON item so that we know how to decode and decrypt it when reading
        back a value.
       */
-      if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
-        val secretKeyEntry: SecretKeyEntry = getKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
-        val encryptedItem = mAESEncryptor.createEncryptedItem(value, secretKeyEntry, options.requireAuthentication, options.authenticationPrompt, authenticationHelper)
-        encryptedItem.put(SCHEME_PROPERTY, AESEncryptor.NAME)
-        saveEncryptedItem(encryptedItem, prefs, keychainAwareKey, options.requireAuthentication, options.keychainService)
-      } else {
-        val privateKeyEntry: PrivateKeyEntry = getKeyEntry(PrivateKeyEntry::class.java, hybridAESEncryptor, options, options.requireAuthentication)
-        val encryptedItem = hybridAESEncryptor.createEncryptedItem(value, privateKeyEntry, options.requireAuthentication, options.authenticationPrompt, authenticationHelper)
-        encryptedItem.put(SCHEME_PROPERTY, HybridAESEncryptor.NAME)
-        saveEncryptedItem(encryptedItem, prefs, keychainAwareKey, options.requireAuthentication, options.keychainService)
-      }
+      val secretKeyEntry: SecretKeyEntry = getKeyEntry(SecretKeyEntry::class.java, mAESEncryptor, options, options.requireAuthentication)
+      val encryptedItem = mAESEncryptor.createEncryptedItem(value, secretKeyEntry, options.requireAuthentication, options.authenticationPrompt, authenticationHelper)
+      encryptedItem.put(SCHEME_PROPERTY, AESEncryptor.NAME)
+      saveEncryptedItem(encryptedItem, prefs, keychainAwareKey, options.requireAuthentication, options.keychainService)
 
       // If a legacy value exists under this key we remove it to avoid unexpected errors in the future
       if (prefs.contains(key)) {
         prefs.edit().remove(key).apply()
       }
-    } catch (e: GeneralSecurityException) {
-      val isInvalidationException = Build.VERSION.SDK_INT >= Build.VERSION_CODES.M && e is KeyPermanentlyInvalidatedException
-
-      if (isInvalidationException && !keyIsInvalidated) {
-        // If the key has been invalidated by the OS we try to reinitialize it in the save retry.
+    } catch (e: KeyPermanentlyInvalidatedException) {
+      if (!keyIsInvalidated) {
         Log.w(TAG, "Key has been invalidated, retrying with the key deleted")
-        setItemImpl(key, value, options, true)
-      } else if (isInvalidationException) {
-        // If reinitialization of the key fails, reject the promise
-        throw EncryptException("Encryption Failed. The key $key has been permanently invalidated and cannot be reinitialized", key, options.keychainService, e)
-      } else {
-        throw EncryptException(e.message, key, options.keychainService, e)
+        return setItemImpl(key, value, options, true)
       }
+      throw EncryptException("Encryption Failed. The key $key has been permanently invalidated and cannot be reinitialized", key, options.keychainService, e)
+    } catch (e: GeneralSecurityException) {
+      throw EncryptException(e.message, key, options.keychainService, e)
     } catch (e: CodedException) {
       throw e
     } catch (e: Exception) {

package/android/src/main/java/expo/modules/securestore/encryptors/AESEncryptor.kt

@@ -5,6 +5,7 @@ import android.security.keystore.KeyGenParameterSpec
 import android.security.keystore.KeyProperties
 import android.util.Base64
 import expo.modules.securestore.AuthenticationHelper
+import expo.modules.securestore.DecryptException
 import expo.modules.securestore.SecureStoreModule
 import expo.modules.securestore.SecureStoreOptions
 import org.json.JSONException
@@ -108,6 +109,7 @@ class AESEncryptor : KeyBasedEncryptor<KeyStore.SecretKeyEntry> {
 
   @Throws(GeneralSecurityException::class, JSONException::class)
   override suspend fun decryptItem(
+    key: String,
     encryptedItem: JSONObject,
     keyStoreEntry: KeyStore.SecretKeyEntry,
     options: SecureStoreOptions,
@@ -122,6 +124,9 @@ class AESEncryptor : KeyBasedEncryptor<KeyStore.SecretKeyEntry> {
     val cipher = Cipher.getInstance(AES_CIPHER)
     val requiresAuthentication = encryptedItem.optBoolean(AuthenticationHelper.REQUIRE_AUTHENTICATION_PROPERTY)
 
+    if (authenticationTagLength < MIN_GCM_AUTHENTICATION_TAG_LENGTH) {
+      throw DecryptException("Authentication tag length must be at least $MIN_GCM_AUTHENTICATION_TAG_LENGTH bits long", key, options.keychainService)
+    }
     cipher.init(Cipher.DECRYPT_MODE, keyStoreEntry.secretKey, gcmSpec)
     val unlockedCipher = authenticationHelper.authenticateCipher(cipher, requiresAuthentication, options.authenticationPrompt)
     return String(unlockedCipher.doFinal(ciphertextBytes), StandardCharsets.UTF_8)
@@ -134,5 +139,6 @@ class AESEncryptor : KeyBasedEncryptor<KeyStore.SecretKeyEntry> {
     private const val CIPHERTEXT_PROPERTY = "ct"
     const val IV_PROPERTY = "iv"
     private const val GCM_AUTHENTICATION_TAG_LENGTH_PROPERTY = "tlen"
+    private const val MIN_GCM_AUTHENTICATION_TAG_LENGTH = 96
   }
 }

package/android/src/main/java/expo/modules/securestore/encryptors/HybridAESEncryptor.kt

@@ -2,35 +2,25 @@ package expo.modules.securestore.encryptors
 
 import android.annotation.SuppressLint
 import android.content.Context
-import android.os.Build
-import android.security.KeyPairGeneratorSpec
 import android.security.keystore.KeyProperties
 import android.util.Base64
-import android.util.Log
 import expo.modules.securestore.AuthenticationHelper
+import expo.modules.securestore.EncryptException
+import expo.modules.securestore.KeyStoreException
 import expo.modules.securestore.SecureStoreModule
 import expo.modules.securestore.SecureStoreOptions
 import org.json.JSONException
 import org.json.JSONObject
-import java.math.BigInteger
 import java.security.GeneralSecurityException
-import java.security.InvalidAlgorithmParameterException
-import java.security.KeyPairGenerator
 import java.security.KeyStore
 import java.security.NoSuchAlgorithmException
 import java.security.NoSuchProviderException
 import java.security.SecureRandom
-import java.security.UnrecoverableEntryException
-import java.security.spec.AlgorithmParameterSpec
-import java.security.spec.InvalidParameterSpecException
 import java.util.*
 import javax.crypto.Cipher
-import javax.crypto.KeyGenerator
 import javax.crypto.NoSuchPaddingException
 import javax.crypto.SecretKey
-import javax.crypto.spec.GCMParameterSpec
 import javax.crypto.spec.SecretKeySpec
-import javax.security.auth.x500.X500Principal
 
 /**
  * An AES encryptor that works with Android L (API 22) and below, which cannot store symmetric
@@ -66,26 +56,11 @@ class HybridAESEncryptor(private var mContext: Context, private val mAESEncrypto
 
   @Throws(GeneralSecurityException::class)
   override fun initializeKeyStoreEntry(keyStore: KeyStore, options: SecureStoreOptions): KeyStore.PrivateKeyEntry {
-    val keystoreAlias = getExtendedKeyStoreAlias(options, options.requireAuthentication)
-    // See https://tools.ietf.org/html/rfc1779#section-2.3 for the DN grammar
-    val escapedCommonName = '"'.toString() + keystoreAlias.replace("\\", "\\\\").replace("\"", "\\\"") + '"'
-
-    @Suppress("DEPRECATION") // This will only be called on API level < 23
-    val algorithmSpec: AlgorithmParameterSpec = KeyPairGeneratorSpec.Builder(mContext)
-      .setAlias(keystoreAlias)
-      .setSubject(X500Principal("CN=$escapedCommonName, OU=SecureStore"))
-      .setSerialNumber(BigInteger(X509_SERIAL_NUMBER_LENGTH_BITS, mSecureRandom))
-      .setStartDate(Date(0))
-      .setEndDate(Date(Long.MAX_VALUE))
-      .build()
-
-    @SuppressLint("InlinedApi") // constant value will be copied
-    val keyPairGenerator = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_RSA, keyStore.provider)
-
-    keyPairGenerator.initialize(algorithmSpec)
-    keyPairGenerator.generateKeyPair()
-    return keyStore.getEntry(keystoreAlias, null) as? KeyStore.PrivateKeyEntry
-      ?: throw UnrecoverableEntryException("Could not retrieve the newly generated private key entry")
+    // This should never be called after we dropped Android SDK 22 support.
+    throw KeyStoreException(
+      "Tried to initialize HybridAESEncryptor key store entry on Android SDK >= 23. This shouldn't happen. " +
+        "If you see this message report an issue at https://github.com/expo/expo."
+    )
   }
 
   @Throws(GeneralSecurityException::class, JSONException::class)
@@ -96,60 +71,22 @@ class HybridAESEncryptor(private var mContext: Context, private val mAESEncrypto
     authenticationPrompt: String,
     authenticationHelper: AuthenticationHelper
   ): JSONObject {
-    // Generate the IV and symmetric key with which we encrypt the value
-    val ivBytes = ByteArray(GCM_IV_LENGTH_BYTES)
-    mSecureRandom.nextBytes(ivBytes)
-
-    // constant value will be copied
-    @SuppressLint("InlinedApi") val keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES)
-    keyGenerator.init(AESEncryptor.AES_KEY_SIZE_BITS)
-    val secretKey = keyGenerator.generateKey()
-
-    // Encrypt the value with the symmetric key. We need to specify the GCM parameters since the
-    // our secret key isn't tied to the keystore and the cipher can't use the secret key to
-    // generate the parameters.
-    val gcmSpec = GCMParameterSpec(GCM_AUTHENTICATION_TAG_LENGTH_BITS, ivBytes)
-    val aesCipher = Cipher.getInstance(AESEncryptor.AES_CIPHER)
-
-    aesCipher.init(Cipher.ENCRYPT_MODE, secretKey, gcmSpec)
-    val chosenSpec = try {
-      aesCipher.parameters.getParameterSpec(GCMParameterSpec::class.java)
-    } catch (e: InvalidParameterSpecException) {
-      // BouncyCastle tried to instantiate GCMParameterSpec using invalid constructor
-      // https://github.com/bcgit/bc-java/commit/507c3917c0c469d10b9f033ad641c1da195e2039#diff-c90a59e823805b6c0dcfeaf7bae65f53
-
-      // Let's do some sanity checks and use the spec we've initialized the cipher with.
-      if ("GCM" != aesCipher.parameters.algorithm) {
-        throw InvalidAlgorithmParameterException("Algorithm chosen by the cipher (" + aesCipher.parameters.algorithm + ") doesn't match requested (GCM).")
-      }
-      gcmSpec
-    }
-
-    val authenticatedCipher = authenticationHelper.authenticateCipher(aesCipher, requireAuthentication, authenticationPrompt)
-
-    val aesResult = mAESEncryptor.createEncryptedItemWithCipher(plaintextValue, authenticatedCipher, chosenSpec)
-
-    // Ensure the IV in the encrypted item matches our generated IV
-    val ivString = aesResult.getString(AESEncryptor.IV_PROPERTY)
-    val expectedIVString = Base64.encodeToString(ivBytes, Base64.NO_WRAP)
-    if (ivString != expectedIVString) {
-      Log.e(SecureStoreModule.TAG, String.format("HybridAESEncrypter generated two different IVs: %s and %s", expectedIVString, ivString))
-      throw IllegalStateException("HybridAESEncryptor must store the same IV as the one used to parameterize the secret key")
-    }
-
-    // Encrypt the symmetric key with the asymmetric public key
-    val secretKeyBytes = secretKey.encoded
-    val cipher: Cipher = rSACipher
-    cipher.init(Cipher.ENCRYPT_MODE, keyStoreEntry.certificate)
-    val encryptedSecretKeyBytes = cipher.doFinal(secretKeyBytes)
-    val encryptedSecretKeyString = Base64.encodeToString(encryptedSecretKeyBytes, Base64.NO_WRAP)
-    aesResult.put(ENCRYPTED_SECRET_KEY_PROPERTY, encryptedSecretKeyString)
-
-    return aesResult
+    // This should never be called after we dropped Android SDK 22 support.
+    throw EncryptException(
+      "HybridAESEncryption should not be used on Android SDK >= 23. This shouldn't happen. " +
+        "If you see this message report an issue at https://github.com/expo/expo.",
+      "unknown", "unknown"
+    )
   }
 
   @Throws(GeneralSecurityException::class, JSONException::class)
-  override suspend fun decryptItem(encryptedItem: JSONObject, keyStoreEntry: KeyStore.PrivateKeyEntry, options: SecureStoreOptions, authenticationHelper: AuthenticationHelper): String {
+  override suspend fun decryptItem(
+    key: String,
+    encryptedItem: JSONObject,
+    keyStoreEntry: KeyStore.PrivateKeyEntry,
+    options: SecureStoreOptions,
+    authenticationHelper: AuthenticationHelper
+  ): String {
     // Decrypt the encrypted symmetric key
     val encryptedSecretKeyString = encryptedItem.getString(ENCRYPTED_SECRET_KEY_PROPERTY)
     val encryptedSecretKeyBytes = Base64.decode(encryptedSecretKeyString, Base64.DEFAULT)
@@ -161,20 +98,16 @@ class HybridAESEncryptor(private var mContext: Context, private val mAESEncrypto
 
     // Decrypt the value with the symmetric key
     val secretKeyEntry = KeyStore.SecretKeyEntry(secretKey)
-    return mAESEncryptor.decryptItem(encryptedItem, secretKeyEntry, options, authenticationHelper)
+    return mAESEncryptor.decryptItem(key, encryptedItem, secretKeyEntry, options, authenticationHelper)
   }
 
   @get:Throws(NoSuchAlgorithmException::class, NoSuchProviderException::class, NoSuchPaddingException::class)
   private val rSACipher: Cipher
-    get() = if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) Cipher.getInstance(RSA_CIPHER, RSA_CIPHER_LEGACY_PROVIDER) else Cipher.getInstance(RSA_CIPHER)
+    get() = Cipher.getInstance(RSA_CIPHER)
 
   companion object {
     const val NAME = "hybrid"
     private const val RSA_CIPHER = "RSA/None/PKCS1Padding"
-    private const val RSA_CIPHER_LEGACY_PROVIDER = "AndroidOpenSSL"
-    private const val X509_SERIAL_NUMBER_LENGTH_BITS = 20 * 8
-    private const val GCM_IV_LENGTH_BYTES = 12
-    private const val GCM_AUTHENTICATION_TAG_LENGTH_BITS = 128
     private const val ENCRYPTED_SECRET_KEY_PROPERTY = "esk"
   }
 }

package/android/src/main/java/expo/modules/securestore/encryptors/KeyBasedEncryptor.kt

@@ -30,6 +30,7 @@ interface KeyBasedEncryptor<E : KeyStore.Entry> {
 
   @Throws(GeneralSecurityException::class, JSONException::class)
   suspend fun decryptItem(
+    key: String,
     encryptedItem: JSONObject,
     keyStoreEntry: E,
     options: SecureStoreOptions,

package/ios/ExpoSecureStore.podspec

@@ -10,7 +10,7 @@ Pod::Spec.new do |s|
   s.license        = package['license']
   s.author         = package['author']
   s.homepage       = package['homepage']
-  s.platform       = :ios, '13.0'
+  s.platform       = :ios, '13.4'
   s.swift_version  = '5.4'
   s.source         = { git: 'https://github.com/expo/expo.git' }
   s.static_framework = true
@@ -22,7 +22,7 @@ Pod::Spec.new do |s|
     'DEFINES_MODULE' => 'YES',
     'SWIFT_COMPILATION_MODE' => 'wholemodule'
   }
-  
+
   if !$ExpoUseSources&.include?(package['name']) && ENV['EXPO_USE_SOURCE'].to_i == 0 && File.exist?("#{s.name}.xcframework") && Gem::Version.new(Pod::VERSION) >= Gem::Version.new('1.10.0')
     s.source_files = "**/*.h"
     s.vendored_frameworks = "#{s.name}.xcframework"

package/ios/SecureStoreModule.swift

@@ -13,7 +13,7 @@ public final class SecureStoreModule: Module {
       "WHEN_PASSCODE_SET_THIS_DEVICE_ONLY": SecureStoreAccessible.whenPasscodeSetThisDeviceOnly.rawValue,
       "ALWAYS_THIS_DEVICE_ONLY": SecureStoreAccessible.alwaysThisDeviceOnly.rawValue,
       "WHEN_UNLOCKED": SecureStoreAccessible.whenUnlocked.rawValue,
-      "WHEN_UNLOCKED_THIS_DEVICE_ONLY": SecureStoreAccessible.whenPasscodeSetThisDeviceOnly.rawValue
+      "WHEN_UNLOCKED_THIS_DEVICE_ONLY": SecureStoreAccessible.whenUnlockedThisDeviceOnly.rawValue
     ])
 
     AsyncFunction("getValueWithKeyAsync") { (key: String, options: SecureStoreOptions) -> String? in

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "expo-secure-store",
-  "version": "12.5.0",
+  "version": "12.7.0",
   "description": "Provides a way to encrypt and securely store key–value pairs locally on the device.",
   "main": "build/SecureStore.js",
   "types": "build/SecureStore.d.ts",
@@ -42,5 +42,5 @@
   "peerDependencies": {
     "expo": "*"
   },
-  "gitHead": "79607a7325f47aa17c36d266100d09a4ff2cc544"
+  "gitHead": "3142a086578deffd8704a8f1b6f0f661527d836c"
 }