What happens when you close a file using iOS 'Protected Unless Open' encryption?

Tags:

security

ios

Apple's Documentation says the following:

Protected Unless Open. Files are encrypted. A closed file is inaccessible when the device is locked. After the device is unlocked, your app can open and use the file. If the user has a file open and locks the device (for example, by pressing the sleep button), your app can continue to access the file.

Enabling Store Technologies

And also:

Complete unless already open. The file is encrypted. A closed file is inaccessible while the device is locked. After the user unlocks the device, your app can open the file and use it. If the user locks the device while the file is open, though, your app can continue to access it. Specify the NSDataWritingFileProtectionCompleteUnlessOpen option (NSData) or the NSFileProtectionCompleteUnlessOpen attribute (NSFileManager).

Protecting Data Using On-Disk Encryption

This seems like a great option for allowing me to finish up any remaining work on the file and then close it myself. What the documentation doesn't say is what happens to the file when I close it. For instance, what happens when:

  1. User opens app and opens file within app
  2. User locks device (file remains unprotected because it is open)
  3. App performs remaining operations on file
  4. App closes the file

Now, is the file protected since it is now closed? Or can it be reopened?

Richard Venable asked Apr 24 '13 14:04


1 Answer

It uses public keys to ensure the file can't be opened until the device is unlocked.

Protected Unless Open
(NSFileProtectionCompleteUnlessOpen): Some files may need to be written while the device is locked. A good example of this is a mail attachment downloading in the background. This behavior is achieved by using asymmetric elliptic curve cryptography (ECDH over Curve25519). Along with the usual per-file key, Data Protection generates a file public/private key pair. A shared secret is computed using the file’s private key and the Protected Unless Open class public key, whose corresponding private key is protected with the user’s passcode and the device UID. The per-file key is wrapped with the hash of this shared secret and stored in the file’s metadata along with the file’s public key; the corresponding private key is then wiped from memory. As soon as the file is closed, the per-file key is also wiped from memory. To open the file again, the shared secret is re-created using the Protected Unless Open class’s private key and the file’s ephemeral public key; its hash is used to unwrap the per-file key, which is then used to decrypt the file.

from http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf (page 10)

cobbal answered Oct 29 '22 22:10
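The key lifecycle the quoted Apple text describes, walked through the asker's four steps as an added Python example (not code from the question, the answer, or Apple). The X25519 exchange is a real RFC 7748 Montgomery ladder standing in for Apple's Curve25519 ECDH; the SHA-256 counter-mode keystream is a constructed stand-in for the AES file encryption and the key wrap (it has no integrity tag); the `Device` keybag model, the function names and the "report" file are assumptions made for the illustration. What it shows is the point the answer makes: while the file is open its per-file key lives in memory, so a lock does not interrupt the app, but once the file is closed that key is wiped and the only way back in is the class private key, which the device releases only after an unlock.

```python
import hashlib
import os

# X25519 scalar multiplication: RFC 7748 Montgomery ladder in pure Python (demo speed only).
P = 2**255 - 19
BASE_U = (9).to_bytes(32, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64                    # clamp the scalar
    k = int.from_bytes(k, "little")
    u = bytearray(point)
    u[31] &= 127                                  # mask the unused high bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

# Constructed stand-in for the real AES file encryption and AES key wrap: SHA-256 counter-mode XOR.
def stream_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

class Device:
    # Owns the class key pair: the public half is always usable, the private half only while unlocked.
    def __init__(self):
        self._keybag_class_private = os.urandom(32)   # really: wrapped with the passcode and device UID
        self.class_public = x25519(self._keybag_class_private, BASE_U)
        self.unlocked = False
        self.open_files = {}                           # handle -> per-file key, in RAM only while open

    def class_private(self) -> bytes:
        if not self.unlocked:
            raise PermissionError("class private key is unavailable while the device is locked")
        return self._keybag_class_private

def create_file(dev, handle, plaintext):
    # Writing a new file works even while locked: only the class PUBLIC key is needed.
    per_file_key, file_private = os.urandom(32), os.urandom(32)
    kek = hashlib.sha256(x25519(file_private, dev.class_public)).digest()     # hash of ECDH shared secret
    rec = {"ciphertext": stream_xor(per_file_key, plaintext),                  # what sits on disk ...
           "file_public": x25519(file_private, BASE_U),                         # ... with this metadata
           "wrapped_key": stream_xor(kek, per_file_key)}
    del file_private, kek                              # wiped; kek is now recomputable only with the class private key
    dev.open_files[handle] = per_file_key              # the file is open, so its key stays in memory
    return rec

def open_file(dev, handle, rec):
    if handle in dev.open_files:                       # still open: usable even if the device locked meanwhile
        return dev.open_files[handle]
    kek = hashlib.sha256(x25519(dev.class_private(), rec["file_public"])).digest()   # raises if locked
    dev.open_files[handle] = stream_xor(kek, rec["wrapped_key"])              # unwrap the per-file key
    return dev.open_files[handle]

def read_file(dev, handle, rec):
    return stream_xor(open_file(dev, handle, rec), rec["ciphertext"])

def close_file(dev, handle):
    dev.open_files.pop(handle, None)                   # per-file key wiped; on-disk metadata is unchanged

def asker_scenario():
    # The question's four steps. Returns (readable while open and locked, reopenable after close while locked).
    dev = Device()
    rec = create_file(dev, "report", b"draft text")   # background write while locked (mail-attachment case)
    close_file(dev, "report")
    dev.unlocked = True
    open_file(dev, "report", rec)                      # 1. user unlocks, app opens the file
    dev.unlocked = False                               # 2. device locks while the file is open
    still_readable = read_file(dev, "report", rec) == b"draft text"   # 3. app keeps working on it
    close_file(dev, "report")                          # 4. app closes the file
    try:
        read_file(dev, "report", rec)                  # needs the class private key again
        reopenable = True
    except PermissionError:
        reopenable = False
    return still_readable, reopenable
```

`asker_scenario()` returns `(True, False)`: the read in step 3 succeeds because the per-file key was still in `open_files`, and the read after step 4 fails because the only copy of that key was dropped and unwrapping it again needs `class_private()`, which the locked device refuses. That is the answer to the question: closing the file puts it back under protection, and it cannot be reopened until the next unlock, even though the app itself closed it.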