For my iOS 6+-only app, I would like to enable the On-Disk Encryption offered from iOS.
I read this guide and I saw the "Protecting the User's Data" video of the WWDC 2012 (Session 714). However, I could not make it work.
Here are the steps I followed:
1- In the iOS Dev Center, I created a new App ID with:
2- In Xcode, I added an Entitlements file with the key:
3- On the device, I activated a passcode lock.
If I'm not wrong, this should be all. I now expect that while the device (in my case: an iPhone 5) is locked, protected files are inaccessible. But... if I use iExplorer, I can easily access the files created by my app, even when the device is locked. But this is exactly what I want to avoid. Did I forget something?
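As an added example (not code from the question above), the following Objective-C shows the check a practitioner wants before concluding that Data Protection is "not working": write a file with an explicit protection class instead of relying on the app-wide default from the `com.apple.developer.default-data-protection` entitlement, read back the `NSFileProtectionKey` attribute the filesystem actually recorded, and list every file in the app's Documents directory whose class is weaker than `NSFileProtectionComplete`. The file name `secret.txt`, the payload string and the helper names are assumptions made for the example; it assumes an iOS 6+ app running on a passcode-locked device.

```objectivec
// Added example, not part of the original question or answer. Assumes an iOS 6+
// app on a device with a passcode lock enabled. File names, the sample payload
// and the helper function names below are constructed for illustration.

#import <Foundation/Foundation.h>
#import <UIKit/UIKit.h>

// Writes `data` to `path` under the Complete protection class and returns YES
// only if the file ends up carrying the expected NSFileProtectionKey attribute.
static BOOL WriteCompletelyProtectedFile(NSData *data, NSString *path, NSError **error)
{
    // NSDataWritingFileProtectionComplete wraps the per-file key with the class
    // key that the kernel discards from memory shortly after the device locks.
    if (![data writeToFile:path
                   options:NSDataWritingAtomic | NSDataWritingFileProtectionComplete
                     error:error]) {
        return NO;
    }

    // Verify rather than trust: read back the attribute the filesystem recorded.
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path
                                                                           error:error];
    NSString *protection = attrs[NSFileProtectionKey];
    return [protection isEqualToString:NSFileProtectionComplete];
}

// Lists every file in `directory` whose protection class is weaker than
// Complete. This is the first thing to run when a tool can still read
// "protected" files from a locked device: a file created before the
// entitlement was added, or by a library with its own defaults, keeps the
// class it was created with.
static NSArray *FilesWithoutCompleteProtection(NSString *directory)
{
    NSMutableArray *weak = [NSMutableArray array];
    NSFileManager *fm = [NSFileManager defaultManager];
    for (NSString *name in [fm contentsOfDirectoryAtPath:directory error:NULL]) {
        NSString *path = [directory stringByAppendingPathComponent:name];
        NSString *protection = [fm attributesOfItemAtPath:path error:NULL][NSFileProtectionKey];
        if (![protection isEqualToString:NSFileProtectionComplete]) {
            [weak addObject:[NSString stringWithFormat:@"%@ (%@)", name, protection ?: @"none"]];
        }
    }
    return weak;
}

// Usage, e.g. from application:didFinishLaunchingWithOptions:
static void DemoDataProtection(void)
{
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *documents = [paths objectAtIndex:0];
    NSString *path = [documents stringByAppendingPathComponent:@"secret.txt"];
    // Constructed sample payload.
    NSData *payload = [@"constructed sample secret" dataUsingEncoding:NSUTF8StringEncoding];
    NSError *error = nil;

    if (!WriteCompletelyProtectedFile(payload, path, &error)) {
        NSLog(@"Complete protection was not applied: %@", error);
    }
    NSLog(@"Files weaker than Complete: %@", FilesWithoutCompleteProtection(documents));

    // A Complete-class file becomes unreadable shortly after the device locks.
    // Observe the notification so open handles are closed before that happens.
    [[NSNotificationCenter defaultCenter]
        addObserverForName:UIApplicationProtectedDataWillBecomeUnavailable
                    object:nil
                     queue:[NSOperationQueue mainQueue]
                usingBlock:^(NSNotification *note) {
        NSLog(@"Protected data about to become unavailable; available now: %d",
              [UIApplication sharedApplication].protectedDataAvailable);
    }];
}
```

If `FilesWithoutCompleteProtection` reports the files that iExplorer can copy, the problem is the class they were created with, not the entitlement; if it reports nothing and the files are still readable over USB from a locked device, the host is using an escrow keybag from an earlier passcode-authorised sync, which a reboot invalidates until the passcode is entered again.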
The reason you can access files without unlocking your device is that an escrow keybag has been created. This is explained in Apple's iOS Security Guide (pdf):
Escrow keybag is used for iTunes syncing and Mobile Device Management (MDM). This keybag allows iTunes to back up and sync without requiring the user to enter a passcode, and it allows an MDM server to remotely clear a user’s passcode. It is stored on the computer that’s used to sync with iTunes, or on the MDM server that manages the device.
The Escrow keybag improves the user experience during device synchronization, which potentially requires access to all classes of data. When a passcode-locked device is first connected to iTunes, the user is prompted to enter a passcode. The device then creates an Escrow keybag and passes it to the host. The Escrow keybag contains exactly the same class keys used on the device, protected by a newly generated key. This key is needed to unlock the Escrow keybag, and is stored on the device in the Protected Until First User Authentication class. This is why the device passcode must be entered before backing up with iTunes for the first time after a reboot.
If you reboot your phone, you will not be able to access files without unlocking it once.