 

What is the default file protection on iOS and how to change it

Reading here: (https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/AddingCapabilities/AddingCapabilities.html)

Enabling Data Protection (iOS, WatchKit Extension, tvOS)

Data protection adds a level of security to files stored on disk by your app in the app’s container. Data protection uses the built-in encryption hardware present on specific devices to store files in an encrypted format on disk. Your app needs to be provisioned to use data protection.

To enable data protection

In the Capabilities pane, if Data Protection isn’t enabled, click the switch in the Data Protection section.

The default level of protection is complete protection, in which files are encrypted and inaccessible when the device is locked. You can programmatically set the level of protection for files created by your app, as described in Protecting Data Using On-Disk Encryption in App Programming Guide for iOS. For files stored in shared containers (described in Configuring App Groups), set the level of protection programmatically.

It seems that the default protection is NSFileProtectionComplete; however, I don't think that is true. I think the default is NSFileProtectionCompleteUntilFirstUserAuthentication if you don't enable this.

Question #1: What is the default file protection for files written by the app?

Question #2: Can I change the default for all files?

Does enabling 'Data Protection' and setting it to NSFileProtectionComplete in the entitlements file mean that all files created/stored in the application are encrypted with the NSFileProtectionComplete rule without doing anything else? I.e., do you need to enable this and also set the file protection for each file you want to be protected programmatically?

I have tried to test this. I have turned on Data Protection (entitlements) and provisioning/app. I deployed the app to a device via Xcode and grabbed the database file to check its NSFileProtectionKey:

    // Locate the Core Data store (MR_urlForStoreName: is a MagicalRecord helper)
    NSURL *database = [NSPersistentStore MR_urlForStoreName:@"app.sqlite"];
    // Read the NSFileProtectionKey attribute of the store file
    id fileProtectionValue = [[[NSFileManager defaultManager] attributesOfItemAtPath:[database path] error:NULL] valueForKey:NSFileProtectionKey];
    NSLog(@"file protection value: %@", fileProtectionValue);

However, this still spits out 'NSFileProtectionCompleteUntilFirstUserAuthentication'.

I have tried to delete the app and reinstall. Also verified all provisioning profiles were re-downloaded.

Does turning on Data Protection actually change the file protection key on all files within the app? I.e., is this a valid test?

If no, how do I test that the files are encrypted properly?

lostintranslation asked Dec 07 '16 00:12

1 Answer

Question #1: What is the default file protection for files written by the app?

Per Apple's docs (page 16), it is NSFileProtectionCompleteUntilFirstUserAuthentication (new docs here):

This is the default class for all third-party app data not otherwise assigned to a Data Protection class.

and

Question #2: Can I change the default for all files?

Yes, in the provisioning profile / app ID's entitlements in the Apple Developer center.

Remember that file protection is inherited at creation time, so if you want an entire file system hierarchy to use this mode, you can set it on the root directory of that hierarchy when you create it, and everything inside will pick it up from there.

via https://forums.developer.apple.com/thread/91557#276303

You can then specify file-specific attributes as well if needed.


Additional info on testing: https://stackoverflow.com/a/40044841/308315

iwasrobbed answered Oct 14 '22 20:10
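An added example, not code from the question, the answer or the linked Apple thread, showing both ways the answer describes to change the class: creating a directory with NSFileProtectionComplete so files created inside inherit it, and raising the class of a file that already exists (for instance one written before the entitlement was enabled) with setAttributes:ofItemAtPath:error:. It assumes an app running on a physical device with the Data Protection entitlement enabled; the directory name, file name and file contents are constructed.

```objective-c
#import <Foundation/Foundation.h>

// Returns the protection class reported for a path, or nil if none is
// reported (assumption: platforms without data protection, such as the
// Simulator, report no NSFileProtectionKey, so nil means "unknown").
static NSString *ProtectionClassAtPath(NSString *path) {
    NSError *error = nil;
    NSDictionary *attrs = [[NSFileManager defaultManager] attributesOfItemAtPath:path error:&error];
    if (!attrs) {
        NSLog(@"cannot read attributes of %@: %@", path, error);
        return nil;
    }
    return attrs[NSFileProtectionKey];
}

// Creates a directory under Documents whose class is NSFileProtectionComplete.
// Per the answer, files created inside inherit the class at creation time.
static NSURL *CreateProtectedDirectory(NSString *name, NSError **error) {
    NSFileManager *fm = [NSFileManager defaultManager];
    NSURL *docs = [[fm URLsForDirectory:NSDocumentDirectory inDomains:NSUserDomainMask] firstObject];
    NSURL *dir = [docs URLByAppendingPathComponent:name isDirectory:YES];
    BOOL ok = [fm createDirectoryAtURL:dir
           withIntermediateDirectories:YES
                            attributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                                 error:error];
    return ok ? dir : nil;
}

// Raises the class of an existing file, e.g. a store still at
// NSFileProtectionCompleteUntilFirstUserAuthentication from before the
// entitlement was turned on. Inheritance only applies at creation time.
static BOOL UpgradeProtection(NSString *path, NSError **error) {
    return [[NSFileManager defaultManager] setAttributes:@{NSFileProtectionKey: NSFileProtectionComplete}
                                            ofItemAtPath:path
                                                   error:error];
}

static void DemoProtectionClasses(void) {
    NSError *error = nil;
    NSURL *dir = CreateProtectedDirectory(@"protected", &error);   // constructed name
    if (!dir) { NSLog(@"mkdir failed: %@", error); return; }
    // Written with no protection option, so it should inherit the directory's class.
    NSURL *file = [dir URLByAppendingPathComponent:@"notes.txt"];  // constructed name
    NSData *sample = [@"constructed sample" dataUsingEncoding:NSUTF8StringEncoding];
    if (![sample writeToURL:file options:0 error:&error]) { NSLog(@"write failed: %@", error); return; }
    NSLog(@"inherited class: %@", ProtectionClassAtPath(file.path));
    // Explicitly set the class on the file as well, then read it back.
    if (!UpgradeProtection(file.path, &error)) { NSLog(@"setAttributes failed: %@", error); return; }
    NSLog(@"explicit class: %@", ProtectionClassAtPath(file.path));
}
```

Run DemoProtectionClasses on a device and compare the two logged values against the question's original check; a file reported as NSFileProtectionCompleteUntilFirstUserAuthentication was created with that class and needs the explicit upgrade, since changing the entitlement afterwards does not relabel it.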